Commit Graph

7519 Commits

Author SHA1 Message Date
Steve Holme
e9b4a96975 sasl_sspi: Fixed memory leak with not releasing Package Info struct
Curl_sasl_create_digest_md5_message() wouldn't free the Package Info
structure after QuerySecurityPackageInfo() had allocated it.
2014-08-09 12:34:22 +01:00
Steve Holme
b91e97eabd sspi: Minor code tidy up to standardise coding style
Following the recent changes and in attempt to align the SSPI based
authentication code performed the following:

* Use NULL and SECBUFFVERSION rather than hard coded constants.
* Avoid comparison of zero in if statements.
* Standardised the buf and desc setup code.
2014-08-08 22:43:18 +01:00
Steve Holme
cda4aaba4d schannel: Fixed compilation warning in vtls.c
vtls.c:688:43: warning: unused parameter 'data'
2014-08-08 21:34:05 +01:00
Daniel Stenberg
159c3aafd8 curl_ntlm_msgs: make < 80 columns wide 2014-08-08 08:34:51 +02:00
Steve Holme
df739784e5 ntlm: Fixed hard coded buffer for SSPI based auth packet generation
Given the SSPI package info query indicates a token size of 2888 bytes,
and as with the Winbind code and commit 9008f3d56, use a dynamic buffer
for the Type-1 and Type-3 message generation rather than a fixed buffer
of 1024 bytes.
2014-08-08 07:31:03 +01:00
Steve Holme
03d34b683d ntlm: Added support for SSPI package info query
Just as with the SSPI implementations of Digest and Negotiate added a
package info query so that libcurl can a) return a more appropriate
error code when the NTLM package is not supported and b) it can be of
use later to allocate a dynamic buffer for the Type-1 and Type-3
output tokens rather than use a fixed buffer of 1024 bytes.
2014-08-07 20:15:17 +01:00
Daniel Stenberg
dc61480c54 http2: added some more logging for debugging stream problems 2014-08-07 17:41:14 +02:00
Tatsuhiro Tsujikawa
f05e1a991a HTTP/2: Reset promised stream, not its associated stream. 2014-08-07 16:54:45 +02:00
Tatsuhiro Tsujikawa
7ceada43af HTTP/2: Move :authority before non-pseudo header fields 2014-08-07 16:54:17 +02:00
Daniel Stenberg
26393a97b2 http2: show the received header for better debugging 2014-08-07 13:26:15 +02:00
Daniel Stenberg
7d2f61f66a openssl: replace call to OPENSSL_config
OPENSSL_config() is "strongly recommended" to use but unfortunately that
function makes an exit() call on wrongly formatted config files which
makes it hard to use in some situations. OPENSSL_config() itself calls
CONF_modules_load_file() and we use that instead and we ignore its
return code!

Reported-by: Jan Ehrhardt
Bug: http://curl.haxx.se/bug/view.cgi?id=1401
2014-08-07 12:40:31 +02:00
Steve Holme
f8a8ed73fe http_negotiate_sspi: Fixed specific username and password not working
Bug: http://curl.haxx.se/mail/lib-2014-06/0224.html
Reported-by: Leonardo Rosati
2014-08-06 20:31:19 +01:00
Steve Holme
f8af8606a5 http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc76194e8
If the server rejects our authentication attempt and curl hasn't
called CompleteAuthToken() then the status variable will be
SEC_I_CONTINUE_NEEDED and not SEC_E_OK.

As such the existing detection mechanism for determining whether or not
the authentication process has finished is not sufficient.

However, the WWW-Authenticate: Negotiate header line will not contain
any data when the server has exhausted the negotiation, so we can use
that coupled with the already allocated context pointer.
2014-08-06 07:17:13 +01:00
Dan Fandrich
5b37db44a3 parsedate.c: fix the return code for an overflow edge condition 2014-08-05 09:25:47 +02:00
Toby Peterson
0e452a02f1 darwinssl: don't use strtok()
The GetDarwinVersionNumber() function uses strtok, which is not
thread-safe.
2014-08-05 08:58:49 +02:00
Daniel Stenberg
ea6d371e7c Curl_ossl_version: adapted to detect BoringSSL
This seems to be the way it should work. Right now we can't build with
BoringSSL and try this out properly due to a minor API breakage.
2014-08-05 00:29:37 +02:00
Daniel Stenberg
7efff86639 Curl_ossl_version: detect and show libressl
LibreSSL is otherwise OpenSSL API compliant (so far)
2014-08-04 23:54:44 +02:00
Tatsuhiro Tsujikawa
67920e1516 HTTP/2: Fix infinite loop in readwrite_data()
To prevent infinite loop in readwrite_data() function when stream is
reset before any response body comes, reset closed flag to false once
it is evaluated to true.
2014-08-03 22:49:56 +02:00
Dan Fandrich
4d4dd7aea0 gtls: only define Curl_gtls_seed if Nettle is not being used 2014-08-03 11:18:08 +02:00
Dan Fandrich
cac1dd58a8 ssl: provide Curl_ssl_backend even if no SSL library is available 2014-08-03 10:43:31 +02:00
Tatsuhiro Tsujikawa
595f5f0e43 HTTP2: Support expect: 100-continue
"Expect: 100-continue", which was once deprecated in HTTP/2, is now
resurrected in HTTP/2 draft 14.  This change adds its support to
HTTP/2 code.  This change also includes stricter header field
checking.
2014-08-02 23:15:46 +02:00
Daniel Stenberg
b9f6ca1d32 openssl: make ossl_send return CURLE_OK better
Previously it only returned a CURLcode for errors, which is when it
returns a different size than what was passed in to it.

The http2 code only checked the curlcode and thus failed.
2014-08-01 00:01:02 +02:00
Marcel Raad
f8f2188888 schannel: use CryptGenRandom for random numbers
This function is available for every Windows version since Windows 95/NT.

reference:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx
2014-07-31 13:10:54 +02:00
Daniel Stenberg
a439e438f3 ssl: generalize how the ssl backend identifier is set
Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS
one which was missing previously.
2014-07-31 12:19:51 +02:00
Dan Fandrich
028a408d57 axtls: define curlssl_random using axTLS's PRNG 2014-07-31 01:12:38 +02:00
Dan Fandrich
3d5be801b9 cyassl: fix the test for ASN_NO_SIGNER_E
It's an enum so a macro test won't work. The CyaSSL changelog doesn't
say exactly when this error code was introduced, but it's likely
to be 2.7.0.
2014-07-31 00:31:36 +02:00
Dan Fandrich
1aa6418af9 cyassl: use RNG_GenerateBlock to generate a good random number 2014-07-31 00:09:13 +02:00
Dan Fandrich
2c1db913f7 smtp: fixed a segfault during test 1320 torture test
Under these circumstances, the connection hasn't been fully established
and smtp_connect hasn't been called, yet smtp_done still calls the state
machine which dereferences the NULL conn pointer in struct pingpong.
2014-07-30 23:37:24 +02:00
Daniel Stenberg
01a0168806 vtls: repair build without TLS support
... by defining Curl_ssl_random() properly
2014-07-30 23:17:41 +02:00
Daniel Stenberg
0e811d8c59 polarssl: provide a (weak) random function
This now provides a weak random function since PolarSSL doesn't have a
quick and easy way to provide a good one. It does however provide the
framework to make one so it _can_ and _should_ be done...
2014-07-30 20:59:16 +02:00
Daniel Stenberg
f0369223cd cyassl: use the default (weeker) random
I couldn't find any dedicated function in its API to get a "good" random
with.
2014-07-30 10:08:27 +02:00
Daniel Stenberg
16cb818a74 cyassl: made it compile with version 2.0.6 again
ASN_NO_SIGNER_E didn't exist back then!
2014-07-30 10:07:42 +02:00
Daniel Stenberg
8dfd22089c vtls: make the random function mandatory in the TLS backend
To force each backend implementation to really attempt to provide proper
random. If a proper random function is missing, then we can explicitly
make use of the default one we use when TLS support is missing.

This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-30 00:05:47 +02:00
Kamil Dudka
30b093f6fc nss: do not check the version of NSS at run time
The minimal required version of NSS is 3.14.x so it does not make sense
to check for NSS 3.12.0+ at run time.
2014-07-28 16:27:04 +02:00
Daniel Stenberg
c56aa6f121 c-ares: fix build without IPv6 support
Bug: http://curl.haxx.se/mail/lib-2014-07/0337.html
Reported-by: Spork Schivago
2014-07-25 09:26:13 +02:00
Daniel Stenberg
e1b13eba75 Curl_base64url_encode: unit-tested in 1302 2014-07-25 08:38:16 +02:00
Daniel Stenberg
aae4e4bf70 base64: added Curl_base64url_encode()
This is now used by the http2 code. It has two different symbols at the
end of the base64 table to make the output "url safe".

Bug: https://github.com/tatsuhiro-t/nghttp2/issues/62
2014-07-25 08:24:03 +02:00
Marcel Raad
9c1cf96664 SSPI Negotiate: Fix 3 memory leaks
Curl_base64_decode allocates the output string by itself and two other
strings were not freed either.
2014-07-24 23:50:53 +02:00
Patrick Monnerat
c31dec7f98 GSSAPI: remove useless *_MECHANISM defines. 2014-07-23 18:56:19 +02:00
Daniel Stenberg
5b22c47ca9 findprotocol: show unsupported protocol within quotes
... to aid when for example prefixed with a space or other weird
character.
2014-07-23 18:17:16 +02:00
Patrick Monnerat
8efc11a0c1 GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date. 2014-07-23 16:15:01 +02:00
Marcel Raad
2cd0c2d244 conncache: fix compiler warning
warning C4267: '=' : conversion from 'size_t' to 'long', possible loss
of data

The member connection_id of struct connectdata is a long (always a
32-bit signed integer on Visual C++) and the member next_connection_id
of struct conncache is a size_t, so one of them should be changed to
match the other.

This patch the size_t in struct conncache to long (the less invasive
change as that variable is only ever used in a single code line).

Bug: http://curl.haxx.se/bug/view.cgi?id=1399
2014-07-23 12:06:57 +02:00
Daniel Stenberg
81cd24adb8 http2: more and better error checking
1 - fixes the warnings when built without http2 support

2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2
basically when they are about http2 specific things.
2014-07-23 09:23:56 +02:00
Dan Fandrich
713f96ee0c cyassl.c: return the correct error code on no CA cert
CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
is requested.
2014-07-23 00:52:56 +02:00
Daniel Stenberg
3cad5ab77a http_negotiate: remove unused variable 2014-07-23 00:01:39 +02:00
Michael Osipov
eed1c63c70 docs: Improve inline GSS-API naming in code documentation 2014-07-23 00:01:39 +02:00
Michael Osipov
e38ba43014 curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
- CURL_VERSION_GSSNEGOTIATE is deprecated which
  is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and
  CURUL_VERSION_SPNEGO now.
- Remove display of feature 'GSS-Negotiate'
2014-07-23 00:01:39 +02:00
Michael Osipov
46750c39bd configure/features: Add feature and version info for GSS-API and SPNEGO 2014-07-23 00:01:39 +02:00
Michael Osipov
5128672731 HTTP: Remove checkprefix("GSS-Negotiate")
That auth mech has never existed neither on MS nor on Unix side.
There is only Negotiate over SPNEGO.
2014-07-23 00:01:39 +02:00
Michael Osipov
eda12bcff8 curl_gssapi: Add macros for common mechs and pass them appropriately
Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from
HTTP, FTP and SOCKS on Unix
2014-07-23 00:01:39 +02:00