Commit Graph

7324 Commits

Author SHA1 Message Date
nickzman
e9665e9658 Merge pull request #93 from d235j/darwinssl_ip_address_fix
darwinssl: don't omit CN verification when an IP address is used
2014-02-25 17:36:44 -06:00
Marc Hoersken
e904b15f21 curl_schannel.c: Updated copyright years 2014-02-24 22:12:55 +01:00
David Ryskalczyk
63fc8ee7be winssl: Enable hostname verification of IP address using SAN or CN
Original commit message was:
 Don't omit CN verification in SChannel when an IP address is used.

Side-effect of this change:
 SChannel and CryptoAPI do not support the iPAddress subjectAltName
 according to RFC 2818. If present, SChannel will first compare the
 IP address to the dNSName subjectAltNames and then fallback to the
 most specific Common Name in the Subject field of the certificate.

 This means that after this change curl will not connect to SSL/TLS
 hosts as long as the IP address is not specified in the SAN or CN
 of the server certificate or the verifyhost option is disabled.
2014-02-24 22:12:55 +01:00
David Ryskalczyk
afc6e5004f Don't omit CN verification in DarwinSSL when an IP address is used. 2014-02-23 12:37:27 -05:00
Dan Fandrich
a660c0dbe6 easy: Fixed a memory leak on OOM condition 2014-02-22 15:41:59 +01:00
Daniel Stenberg
0d6225ad0d SFTP: skip reading the dir when NOBODY=1
When asking for an SFTP directory with NOBODY set, no directory contents
should be retrieved.

Bug: http://curl.haxx.se/mail/lib-2014-02/0155.html
2014-02-19 10:40:28 +01:00
Dan Fandrich
8749bbe7fd axtls: comment the call ssl_read repeatedly loop 2014-02-18 21:14:09 +01:00
Tatsuhiro Tsujikawa
035b91a26c http2: Support HTTP POST/PUT
This patch enables HTTP POST/PUT in HTTP2.
We disabled Expect header field and  chunked transfer encoding
since HTTP2 forbids them.
In HTTP1, Curl sends small upload data with request headers, but
HTTP2 requires upload data must be in DATA frame separately.
So we added some conditionals to achieve this.
2014-02-17 23:45:58 +01:00
Daniel Stenberg
854aca5420 multi: ignore sigpipe internally
When the multi API is used we must also ignore SIGPIPE signals when
caused by things we do, like they can easily be generated by OpenSSL.
2014-02-17 10:35:21 +01:00
Dan Fandrich
184c3e2d37 configure: Fix the --disable-crypto-auth option
It now disables NTLM and GSS authentication methods, and produces
compilable code when SSL is enabled.
2014-02-17 09:50:46 +01:00
Shao Shuchao
2111c2ed07 ConnectionDone: default maxconnects to 4 x number of easy handles
... as documented!
2014-02-17 09:29:25 +01:00
Daniel Stenberg
575a2b684b axtls: bump copyright year 2014-02-16 23:31:47 +01:00
Fabian Frank
86f266b004 axtls: call ssl_read repeatedly
Perform more work in between sleeps. This is work around the
fact that axtls does not expose any knowledge about when work needs
to be performed. Depending on connection and how often perform is
being called this can save ~25% of time on SSL handshakes (measured
on 20ms latency connection calling perform roughly every 10ms).
2014-02-16 23:30:21 +01:00
Daniel Stenberg
d765099813 ConnectionExists: re-use connections better
When allowing NTLM, the re-use connection logic was too focused on
finding an existing NTLM connection to use and didn't properly allow
re-use of other ones. This made the logic not re-use perfectly re-usable
connections.

Added test case 1418 and 1419 to verify.

Regression brought in 8ae35102c (curl 7.35.0)

Reported-by: Jeff King
Bug: http://thread.gmane.org/gmane.comp.version-control.git/242213
2014-02-16 14:30:02 +01:00
Steve Holme
77a51364a4 warnless: Updated copyright year for recent changes 2014-02-16 10:39:46 +00:00
Marc Hoersken
6239146e93 warnless: add wrapper function for read and write on Windows 2014-02-16 11:03:22 +01:00
Arvid Norberg
1813a77b02 dict: fix memory leak in OOM exit path
Bug: https://github.com/bagder/curl/pull/90
2014-02-14 08:21:41 +01:00
Daniel Stenberg
d3d871cb4f Curl_urldecode: don't allow NULL as receiver
For a function that returns a decoded version of a string, it seems
really strange to allow a NULL pointer to get passed in which then
prevents the decoded data from being returned!

This functionality was not documented anywhere either.

If anyone would use it that way, that memory would've been leaked.

Bug: https://github.com/bagder/curl/pull/90
Reported-by: Arvid Norberg
2014-02-13 23:57:40 +01:00
Daniel Stenberg
378af08c99 ConnectionExists: reusing possible HTTP+NTLM connections better
Make sure that the special NTLM magic we do is for HTTP+NTLM only since
that's where the authenticated connection is a weird non-standard
paradigm.

Regression brought in 8ae35102c (curl 7.35.0)

Bug: http://curl.haxx.se/mail/lib-2014-02/0100.html
Reported-by: Dan Fandrich
2014-02-13 23:25:38 +01:00
Tiit Pikma
c021a60bcc transfer: make Expect: 100-continue timeout configurable.
Replaced the #define CURL_TIMEOUT_EXPECT_100 in transfer.c with the
CURLOPT_EXPECT_100_TIMEOUT_MS option to make the timeout configurable.
2014-02-13 16:05:17 +01:00
Thomas Braun
bcb32e915e Fix compilation with make mingw32
The source files from lib/vtls where generated in lib instead of lib/vtls.

Verified-by: Thomas Braun <thomas.braun@virtuell-zuhause.de>
2014-02-12 14:39:08 +01:00
Daniel Stenberg
0ab97ba009 chunked decoder: track overflows correctly
The code didn't properly check the return codes to detect overflows so
it could trigger incorrectly. Like on mingw32.

Regression introduced in 345891edba (curl 7.35.0)

Bug: http://curl.haxx.se/mail/lib-2014-02/0097.html
Reported-by: LM
2014-02-12 14:35:46 +01:00
Fabian Frank
ec9476052d openssl: honor --[no-]alpn|npn command line switch
Disable ALPN or NPN if requested by the user.
2014-02-11 22:55:23 +01:00
Fabian Frank
8f5a9147be gtls: honor --[no-]alpn command line switch
Disable ALPN if requested by the user.
2014-02-11 22:54:37 +01:00
Fabian Frank
909a68c121 NPN/ALPN: allow disabling via command line
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.

TODO: honor this option with GnuTLS and OpenSSL
2014-02-10 13:06:17 +01:00
Fabian Frank
70bd9784de nss: use correct preprocessor macro
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection,
but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a
preprocessor macro.
2014-02-10 08:09:02 +01:00
Dan Fandrich
6374ab2a36 formdata: Must use Curl_safefree instead of free 2014-02-09 10:10:22 +01:00
Dan Fandrich
85a4df8b79 formdata: Fixed memory leak on OOM condition 2014-02-08 11:33:43 +01:00
Daniel Stenberg
fa8d7ce4fe http2: updated README after NSS addition
Changed the support to a little matrix and added brief explanation of
what ALPN and NPN are for.
2014-02-07 15:50:31 +01:00
Daniel Stenberg
09d907ee68 nss: support pre-ALPN versions 2014-02-07 15:38:45 +01:00
Fabian Frank
f3a12460ad nss: ALPN and NPN support
Add ALPN and NPN support for NSS. This allows cURL to negotiate
HTTP/2.0 connections when built with NSS.
2014-02-07 15:35:23 +01:00
Daniel Stenberg
9597f7dfbc formpost: use semicolon in multipart/mixed
Not comma, which is an inconsistency and a mistake probably inherited
from the examples section of RFC1867.

This bug has been present since the day curl started to support
multipart formposts, back in the 90s.

Reported-by: Rob Davies
Bug: http://curl.haxx.se/bug/view.cgi?id=1333
2014-02-07 09:43:36 +01:00
Dan Fandrich
4a8c877273 ssh: Fixed a NULL pointer dereference on OOM condition 2014-02-06 23:56:47 +01:00
Steve Holme
265f2e9ed7 nss: Updated copyright year for recent edits 2014-02-06 22:32:56 +00:00
Remi Gacogne
1ebf22cc0e 100-continue: fix timeout condition
When using the multi socket interface, libcurl calls the
curl_multi_timer_callback asking to be woken up after
CURL_TIMEOUT_EXPECT_100 milliseconds.

After the timeout has expired, calling curl_multi_socket_action with
CURL_SOCKET_TIMEOUT as sockfd leads libcurl to check expired
timeouts. When handling the 100-continue one, the following check in
Curl_readwrite() fails if exactly CURL_TIMEOUT_EXPECT_100 milliseconds
passed since the timeout has been set!

It seems logical to consider that having waited for exactly
CURL_TIMEOUT_EXPECT_100 ms is enough.

Bug: http://curl.haxx.se/bug/view.cgi?id=1334
2014-02-06 23:21:42 +01:00
Fabian Frank
ff92fcfb90 nss: prefer highest available TLS version
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3
if --tlsv1[.N] was not specified on the command line.
2014-02-06 23:09:56 +01:00
Daniel Stenberg
b93755df37 http2: spell fixed README and added version requirement 2014-02-06 22:27:04 +01:00
Daniel Stenberg
06b4275c0d http2: minor update of the README 2014-02-05 15:31:29 +01:00
Fabian Frank
133cdd29ea http2: rely on content-encoding header
A server might respond with a content-encoding header and a response
that was encoded accordingly in HTTP-draft-09/2.0 mode, even if the
client did not send an accept-encoding header earlier. The server might
not send a content-encoding header if the identity encoding was used to
encode the response.

See:
http://tools.ietf.org/html/draft-ietf-httpbis-http2-09#section-9.3
2014-02-05 10:26:12 +01:00
Daniel Stenberg
e5524b7b25 http2: enforce gzip auto-decompress
As this is mandated by the http2 spec draft-09
2014-02-04 15:07:08 +01:00
Tatsuhiro Tsujikawa
0ea9f70049 http2: handle incoming data larger than remaining buffer 2014-02-04 14:57:29 +01:00
Tatsuhiro Tsujikawa
4082dc9de6 http2: Check stream ID we are interested in 2014-02-04 14:55:29 +01:00
Tatsuhiro Tsujikawa
dbccf497da http2: store response header in temporary buffer 2014-02-04 14:54:42 +01:00
Tatsuhiro Tsujikawa
63b26d889f HTTP2: add layer between existing http and socket(TLS) layer
This patch chooses different approach to integrate HTTP2 into HTTP curl
stack. The idea is that we insert HTTP2 layer between HTTP code and
socket(TLS) layer. When HTTP2 is initialized (either in NPN or Upgrade),
we replace the Curl_recv/Curl_send callbacks with HTTP2's, but keep the
original callbacks in http_conn struct. When sending serialized data by
nghttp2, we use original Curl_send callback. Likewise, when reading data
from network, we use original Curl_recv callback. In this way we can
treat both TLS and non-TLS connections.

With this patch, one can transfer contents from https://twitter.com and
from nghttp2 test server in plain HTTP as well.

The code still has rough edges. The notable one is I could not figure
out how to call nghttp2_session_send() when underlying socket is
writable.
2014-02-04 14:49:49 +01:00
Fabian Frank
4d8db595ca gtls: add ALPN support
Add ALPN support when using GnuTLS >= 3.2.0. This allows
libcurl to negotiate HTTP/2.0 for https connections when
built with GnuTLS.

See:
http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-04 09:48:27 +01:00
Fabian Frank
8b6654224b openssl: add ALPN support
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the
server, who can respond with either one or none of the two. OpenSSL >=
1.0.2 is required, which means as of today obtaining a snapshot from
ftp://ftp.openssl.org/snapshot/.

See:
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
ba168244a1/ssl/ssl_lib.c (L1787)
2014-02-03 23:46:06 +01:00
Marc Hoersken
82f558366f winssl: improved default SSL/TLS protocol selection
For some reason Windows 7 SP1 chooses TLS 1.0 instead of TLS 1.2
if it is not explicitly enabled within grbitEnabledProtocols.

More information can be found on MSDN:
http://msdn.microsoft.com/library/windows/desktop/aa379810.aspx
2014-01-31 20:01:25 +01:00
Dan Fandrich
0f213fdca1 pipeline: Fixed a NULL pointer dereference on OOM 2014-01-31 00:05:36 +01:00
Dan Fandrich
c631a54bb6 ftp: fixed a memory leak on wildcard error path 2014-01-30 22:15:03 +01:00
Dan Fandrich
768151449b netrc: Fixed a memory leak in an OOM condition 2014-01-30 22:15:03 +01:00
Steve Holme
97857de80e ntlm: Fixed a memory leak when using NTLM with a proxy server 2014-01-30 20:59:26 +00:00
Daniel Stenberg
b58b87e76e http2: fix size check in on_data_chunk_recv 2014-01-30 20:24:15 +01:00
Daniel Stenberg
48c3bed43b http2: add CRLF when first data arrives 2014-01-30 20:24:15 +01:00
Tatsuhiro Tsujikawa
c5165b8458 http2_recv: Return written length on CURLE_AGAIN 2014-01-30 17:49:35 +01:00
Tatsuhiro Tsujikawa
88705ef80e http2: Use nghttp2_session_mem_recv and nghttp2_session_upgrade 2014-01-30 17:45:53 +01:00
Daniel Stenberg
83f52a455f http2: basic version of receiving DATA 2014-01-30 16:09:36 +01:00
Daniel Stenberg
a7affd637f http2: convert HEADER frames to HTTP1-like headers
... and then go through the "normal" HTTP engine.
2014-01-30 15:58:07 +01:00
Daniel Stenberg
93f473c78a http2: fix EWOULDBLOCK in recv_callback() 2014-01-30 14:31:05 +01:00
Daniel Stenberg
a878cb3056 http2: do the POST Upgrade dance properly 2014-01-30 14:26:00 +01:00
Steve Holme
0e11307057 ntlm: Use static client nonce for the test suite 2014-01-30 11:39:08 +00:00
Daniel Stenberg
0f23662af7 http2.h: provide empty macros for non-http2 builds 2014-01-30 11:46:59 +01:00
Fabian Frank
dd011df9e1 http2: switch into http2 mode if NPN indicates
Check the NPN result before preparing an HTTP request and switch into
HTTP/2.0 mode if necessary. This is a work in progress, the actual code
to prepare and send the request using nghttp2 is still missing from
Curl_http2_send_request().
2014-01-30 11:34:37 +01:00
Daniel Stenberg
8e778887b5 http2: s/Curl_http2_request/Curl_http2_request_upgrade
To better reflect its purpose
2014-01-30 11:33:37 +01:00
Daniel Stenberg
99b4ff8b6f http2-openssl: verify that NPN functionality is present 2014-01-30 11:24:15 +01:00
Fabian Frank
22c198fa89 openssl: set up hooks with to perform NPN
NPN is what is available in the wild today to negotiate SPDY or HTTP/2.0
connections. It is expected to be replaced by ALPN in the future. If
HTTP/2.0 is negotiated, this is indicated for the entire connection and
http.c is expected to initialize itself for HTTP/2.0 instead of
HTTP/1.1.

see:
http://technotes.googlecode.com/git/nextprotoneg.html
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-01-30 11:13:28 +01:00
Daniel Stenberg
c3fe3d9926 http2: added stubs for all nghttp2 callbacks
This makes it easier to trace what's happening.
2014-01-30 00:11:56 +01:00
Daniel Stenberg
62e3d66cc6 http2: use FIRSTSOCKET instead of 0 to index the sockets array 2014-01-29 23:47:24 +01:00
Daniel Stenberg
b451c10d1e http2: receive and log the received header frames 2014-01-29 23:46:20 +01:00
Daniel Stenberg
be84524cc2 http2_recv: log nghttp2 return codes for debugging purposes 2014-01-29 23:20:46 +01:00
Daniel Stenberg
803581d3e0 HTTP2: reject nghttp2 versions before 0.3.0 2014-01-29 22:53:08 +01:00
Gisle Vanem
341d09bc2b http2: adjusted to newer nghttp2_session_callbacks struct
the number of elements in the 'nghttp2_session_callbacks' structure is
now reduced by 2 in version 0.3.0 (I'm not sure when the change
happened, but checking for ver 0.3.0 work for me).
2014-01-29 22:52:22 +01:00
Gisle Vanem
0070f7a09d HTTP2: Wrong NgHTTP2 user-data
Something is wrong in 'userp' for the HTTP2 recv_callback().  The
session is created using bogus user-data; '&conn' and not 'conn'.

I noticed this since the socket-value in Curl_read_plain() was set to a
impossible high value.
2014-01-29 22:50:25 +01:00
Daniel Stenberg
220bcba93d NTLM: error: conversion to 'int' from 'long int' may alter its value
Fixed two compiler nits
2014-01-29 22:42:34 +01:00
Steve Holme
eb91e1a58f ntlm: Coding style policing dating back to 2011 2014-01-29 20:51:04 +00:00
Steve Holme
2319221c83 ntlm: Use a timestamp of 01/01/1970 for the test suite 2014-01-29 20:24:32 +00:00
Steve Holme
914b60c827 ntlm: Updated Curl_ntlm_core_mk_ntlmv2_resp() to use local variables
...until the function is successful when it returns them in the out
parameters.
2014-01-29 20:24:16 +00:00
Steve Holme
07b66cbfa4 ntlm: Added cross platform support for writing NTLMv2 timestamp in buffer
Added conversion functions write32_le() and write64_le() to ensure the
NTLMv2 timestamp is always written in little-endian.
2014-01-29 20:22:10 +00:00
Prash Dush
86724581b6 ntlm: Added support for NTLMv2 2014-01-29 20:17:11 +00:00
Kamil Dudka
665c160f0a nss: do not use the NSS_ENABLE_ECC define
It is not provided by NSS public headers.

Bug: https://bugzilla.redhat.com/1058776
2014-01-29 13:57:21 +01:00
Kamil Dudka
e15e73b741 nss: do not fail if NSS does not implement a cipher
... that the user does not ask for
2014-01-29 13:46:17 +01:00
Daniel Stenberg
53940f8834 http2: switch recv/send functions to http2 ones after 101 2014-01-29 10:24:05 +01:00
Daniel Stenberg
8d3608f2ad http2: handle 101 responses and switch to HTTP2 2014-01-29 10:24:05 +01:00
Dan Fandrich
1a20f59237 oauth2: Fixed a memory leak in an OOM condition 2014-01-28 23:55:04 +01:00
Romulo A. Ceccon
31860ab8c8 hostip: don't remove DNS entries that are in use
hostcache_timestamp_remove() should remove old *unused* entries from the
host cache, but it never checked whether the entry was actually in
use. This complements commit 030a2b8cb.

Bug: http://curl.haxx.se/bug/view.cgi?id=1327
2014-01-28 22:25:48 +01:00
Daniel Stenberg
bcb19883a8 TFTP: fix crash on time-out
tftp_done() can get called with its TFTP state pointer still being NULL
on an early time-out, which caused a segfault when dereferenced.

Reported-by: Glenn Sheridan
Bug: http://curl.haxx.se/mail/lib-2014-01/0246.html
2014-01-28 22:17:16 +01:00
Dan Fandrich
b4b28c7001 netrc: Fixed a memory and file descriptor leak on OOM 2014-01-24 21:52:48 +01:00
Dan Fandrich
da9864fb72 multi: Fixed a memory leak on OOM condition 2014-01-24 00:22:08 +01:00
Fabian Frank
251305cd7f axtls: fix compiler warning on conversion ssize_t => int 2014-01-21 08:21:55 +01:00
Fabian Frank
852a018e78 SFTP: stat remote file also when CURLOPT_NOBODY is 1
Make it possible to call
curl_easy_getinfo(curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &filesize)
and related functions on remote sftp:// files, without downloading them.

Reported-by: Yingwei Liu
Bug: http://curl.haxx.se/mail/lib-2014-01/0139.html
2014-01-20 22:57:55 +01:00
Cédric Deltheil
afd288b28f HTTP POST: omit Content-Length if data size is unknown
This prevents sending a `Content-Length: -1` header, e.g this ocurred
with the following combination:

* standard HTTP POST (no chunked encoding),
* user-defined read function set,
* `CURLOPT_POSTFIELDSIZE(_LARGE)` NOT set.

With this fix it now behaves like HTTP PUT.
2014-01-20 12:50:51 +01:00
Fabian Frank
39f7e80a52 disable GnuTLS insecure ciphers
Make GnuTLS old and new consistent, specify the desired protocol, cipher
and certificate type in always in both modes. Disable insecure ciphers
as reported by howsmyssl.com. Honor not only --sslv3, but also the
--tlsv1[.N] switches.

Related Bug: http://curl.haxx.se/bug/view.cgi?id=1323
2014-01-20 11:32:55 +01:00
Daniel Stenberg
4f334ba017 gtls: fix compiler warnings on conversions size_t => unsigned int 2014-01-19 23:26:01 +01:00
Steve Holme
2cac75c4e4 http_chunks.c: Fixed compilation warnings under some 32-bit systems
conversion from 'curl_off_t' to 'size_t', possible loss of data

Where curl_off_t is a 64-bit word and size_t is 32-bit - for example
with 32-bit Windows builds.
2014-01-19 13:10:45 +00:00
Steve Holme
e35ffda0b3 win32: Added additional preprocessor check for Version Helper API
A follow up patch to commit d2671340a6 as _WIN32_WINNT_WIN2K and
_WIN32_WINNT_WIN2K may not be defined on all systems.
2014-01-18 11:42:48 +00:00
Steve Holme
d2671340a6 win32: Corrected the preprocessor check for Version Helper API
Following some auto build failures after commit c7a76bb056 changed
the preprocessor check to use _WIN32_WINNT.
2014-01-17 22:36:41 +00:00
Daniel Stenberg
ecaf2f02f1 cookie: max-age fixes
1 - allow >31 bit max-age values

2 - don't overflow on extremely large max-age values when we add the
value to the current time

3 - make sure max-age takes precedence over expires as dictated by
RFC6265

Bug: http://curl.haxx.se/mail/lib-2014-01/0130.html
Reported-by: Chen Prog
2014-01-17 08:57:27 +01:00
Daniel Stenberg
eb02a99c61 chunked parsing: relax the CR strictness
Allow for chunked-encoding data to get parsed with only LF line endings.
This is allowed by browsers.
2014-01-17 08:37:44 +01:00
Daniel Stenberg
345891edba chunked-parser: abort on overflows, allow 64 bit chunks 2014-01-17 08:37:44 +01:00
Daniel Stenberg
7b774482e7 Curl_cookie_add: remove 'now' from curl_getdate() call
The now argument is unused by curl_getdate()
2014-01-16 09:02:24 +01:00
Daniel Stenberg
7f807f394f connect.c:942:84: warning: Longer than 79 columns 2014-01-16 00:27:16 +01:00