Daniel Stenberg [Wed, 15 Dec 2010 10:11:20 +0000 (11:11 +0100)]
axtls_connect: allow connect without peer verification
The SSL_SERVER_VERIFY_LATER bit in the ssl_ctx_new() call allows the
code to verify the peer certificate explicitly after the handshake and
then the "data->set.ssl.verifypeer" option works.
Daniel Stenberg [Fri, 10 Dec 2010 23:53:37 +0000 (00:53 +0100)]
urldate: undef hideous memory defines
The public axTLS header (at least as of 1.2.7) redefines the memory
functions. We #undef those again immediately after the public header to
limit the damage. This should be fixed in axTLS.
Eric Hu [Tue, 7 Dec 2010 00:18:35 +0000 (16:18 -0800)]
Initial axTLS integration. Connections can be made and some tests pass.
Failed HTTPS tests: 301, 306, 311, 312, 313, 560
311, 312 need more detailed error reporting from axTLS.
313 relates to CRL, which hasn't been implemented yet.
Eric Hu [Fri, 3 Dec 2010 18:23:45 +0000 (10:23 -0800)]
Preparing for axTLS. Actual SSL API functions are only stubbed.
Added axTLS to autotool files and glue code to misc other files.
axtls.h maps SSL API functions, but may change.
axtls.c is just a stub file and will definitely change.
Daniel Stenberg [Mon, 13 Dec 2010 12:44:50 +0000 (13:44 +0100)]
IsPipeliningPossible: only for HTTP
The function that checks if pipelining is possible now requires the HTTP
bit to be set so that it doesn't mistakenly tries to do it for other
protocols.
Bug: http://curl.haxx.se/mail/lib-2010-12/0152.html
Reported by: Dmitri Shubin
Daniel Stenberg [Mon, 13 Dec 2010 11:51:48 +0000 (12:51 +0100)]
multi_runsingle: don't timeout completed handles
The generic timeout code must not check easy handles that are already
completed. Going to completed (again) within there risked decreasing the
number of alive handles again and thus it could go negative.
This regression bug was added in 7.21.2 in commit ca10e28f06f1
Heinrich Ko [Thu, 18 Nov 2010 22:07:57 +0000 (14:07 -0800)]
ossl_connect_common: detect connection re-use
ossl_connect_common() now checks whether or not 'struct
connectdata->state' is equal 'ssl_connection_complete' and if so, will
return CURLE_OK with 'done' set to 'TRUE'. This check prevents
ossl_connect_common() from creating a new ssl connection on an existing
ssl session which causes openssl to fail when it tries to parse an
encrypted TLS packet since the cipher data was effectively thrown away
when the new ssl connection was created.
Kamil Dudka [Fri, 19 Nov 2010 12:43:20 +0000 (13:43 +0100)]
url: provide dead_connection flag in Curl_handler::disconnect
It helps to prevent a hangup with some FTP servers in case idle session
timeout has exceeded. But it may be useful also for other protocols
that send any quit message on disconnect. Currently used by FTP, POP3,
IMAP and SMTP.
Daniel Stenberg [Sun, 5 Dec 2010 22:39:41 +0000 (23:39 +0100)]
Curl_wait_for_resolv: correct timeout
When looping in this function and checking for the timeout being
expired, it was not updating the reference time when calculating the
timediff since previous round which made it think each subsequent loop
to have taken longer than it actually did.
I also modified the function to use the generic Curl_timeleft() function
instead of the custom logic.
Yang Tse [Tue, 23 Nov 2010 20:38:20 +0000 (21:38 +0100)]
Curl_getaddrinfo_ex: sanitize function results.
Ensure that spurious results from system's getaddrinfo() ares not propagated
by Curl_getaddrinfo_ex() into the library.
Also ensure that the ai_addrlen member of Curl_getaddrinfo_ex()'s output linked
list of Curl_addrinfo structures has appropriate family-specific address size.
Matthias Bolte [Fri, 19 Nov 2010 21:31:34 +0000 (13:31 -0800)]
Detect socket errors in GnuTLS on Windows
On Windows, translate WSAGetLastError() to errno values as GNU
TLS does it internally, too. This is necessary because send() and
recv() on Windows don't set errno when they fail but GNU TLS
expects a proper errno value.
Yang Tse [Thu, 18 Nov 2010 16:12:15 +0000 (17:12 +0100)]
configure: use autobuilds to temporarily verify strict aliasing warnings.
Temporarily, When cross-compiling with gcc 3.0 or later, enable strict aliasing
rules and warnings. Given that cross-compiled targets autobuilds do not run the
Daniel Stenberg [Sun, 14 Nov 2010 11:42:29 +0000 (12:42 +0100)]
gnutls->handshake: improved timeout handling
When no timeout is set, we call the socket_ready function with a timeout
value of 0 during handshake, which makes it loop too much/fast in this
function. It also made this function return CURLE_OPERATION_TIMEDOUT
wrongly on a slow handshake.
However, the particular bug report that highlighted this problem is not
solved by this fix, as this fix only makes the more proper error get
reported instead.
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594150
Reported by: Johannes Ernst
Julien Chaffraix [Sat, 13 Nov 2010 20:01:33 +0000 (12:01 -0800)]
security: tighten enum protection_level usage.
While changing Curl_sec_read_msg to accept an enum protection_level
instead of an int, I went ahead and fixed the usage of the associated
fields.
Some code was assuming that prot_clear == 0. Fixed those to use the
proper value. Added assertions prior to any code that would set the
protection level.
Daniel Stenberg [Fri, 12 Nov 2010 22:26:57 +0000 (23:26 +0100)]
version-check.pl: display version number for symbols
This script is the start of a helper tool that scans a source code and
outputs the most recent libcurl version it finds symbols for. Meaning
that if there's no conditions in the code, that's the earliest libcurl
version the scanned code requires.
It is not added to the Makefile.am yet as it is still a bit crude, but
I'm committing it to keep it and allow us to work on it.
Julien Chaffraix [Fri, 12 Nov 2010 16:20:50 +0000 (08:20 -0800)]
krb5: Use GSS_ERROR to check for error.
This is the advised way of checking for errors in the GSS-API RFC.
Also added some '\n' to the error message so that they are not mixed
with other outputs.
Daniel Stenberg [Thu, 11 Nov 2010 15:41:59 +0000 (16:41 +0100)]
HTTP Auth: Add CURLAUTH_ONLY
This is a meta symbol. OR this value together with a single specific
auth value to force libcurl to probe for un-restricted auth and if not,
only that single auth algorithm is acceptable.
For example you can use CURLAUTH_DIGEST|CURLAUTH_ONLY to make libcurl
first probe for what method to use, but yet only consider Digest to be
acceptable.
Using _only_ CURLAUTH_DIGEST without the CURLAUTH_ONLY field, will make
libcurl explicitly use Digest right away and not do any probing.
Daniel Stenberg [Thu, 11 Nov 2010 13:51:39 +0000 (14:51 +0100)]
ip_version: moved to connection struct
The IP version choice was previously only in the UserDefined struct
within the SessionHandle, but since we sometimes alter that option
during a request we need to have it on a per-connection basis.
I also moved more "init conn" code into the allocate_conn() function
which is designed for that purpose more or less.
Stefan Tomanek [Sun, 7 Nov 2010 15:54:49 +0000 (16:54 +0100)]
write extended attributes by using fsetxattr
Instead of reopening the downloaded file, fsetxattr uses the (already
open) file descriptor to attach extended attributes. This makes the
procedure more robust against errors caused by moved or deleted files.
projects / curl / log