Steve Holme [Sun, 26 Oct 2014 14:26:39 +0000 (14:26 +0000)]
sspi: Only call CompleteAuthToken() when complete is needed
Don't call CompleteAuthToken() after InitializeSecurityContext() has
returned SEC_I_CONTINUE_NEEDED as this return code only indicates the
function should be called again after receiving a response back from
the server.
This only affected the Digest and NTLM authentication code.
Steve Holme [Sun, 26 Oct 2014 10:32:34 +0000 (10:32 +0000)]
ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
For consistency with other areas of the NTLM code propagate all errors
from Curl_ntlm_core_mk_nt_hash() up the call stack rather than just
CURLE_OUT_OF_MEMORY.
Jay Satiro [Fri, 24 Oct 2014 11:41:56 +0000 (13:41 +0200)]
SSL: Remove SSLv3 from SSL default due to POODLE attack
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
openssl effectively making the default TLS 1.x. axTLS is not affected
since it supports only TLS, and gnutls is not affected since it already
defaults to TLS 1.x.
Guenter Knauf [Thu, 23 Oct 2014 13:18:05 +0000 (15:18 +0200)]
Remove dependency on openssl and cut.
Prefer usage of Perl modules for sha1 calculation since there
might be systems where openssl is not installed or not in path.
If openssl is used for sha1 calculation then dont rely on cut
since it is usually not available on other systems than Linux.
Peter Wu [Tue, 14 Oct 2014 09:38:17 +0000 (11:38 +0200)]
cmake: generate pkg-config and curl-config
Initial work to generate a pkg-config and curl-config script. Static
linking (`curl-config --static-libs` and `pkg-config --shared --libs
libcurl`) is broken and therefore disabled.
CONFIGURE_OPTIONS does not make sense for CMake, use an empty string
for now.
At least `curl-config --features` and `curl-config --protocols` work
which is needed by runtests.pl.
Peter Wu [Tue, 14 Oct 2014 09:38:15 +0000 (11:38 +0200)]
cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
For compatibility with autoconf, it will be used later for curl-config
and pkg-config. Not all features and or protocols can be enabled as
these are missing additional checks (see new TODOs).
SUPPORT_PROTOCOLS is partially scripted (grep for SUPPORT_PROTOCOLS=)
and manually verified/modified. SUPPORT_FEATURES is manually added.
Daniel Stenberg [Thu, 16 Oct 2014 21:39:28 +0000 (23:39 +0200)]
test545: make it not use a trailing zero
CURLOPT_COPYPOSTFIELDS with a given CURLOPT_POSTFIELDSIZE does not
require a trailing zero of the data and by making sure this test doesn't
use one we know it works (combined with valgrind).
Bruno Thomsen [Wed, 15 Oct 2014 10:48:27 +0000 (12:48 +0200)]
mk-ca-bundle: added SHA-384 signature algorithm
Certificates based on SHA-1 are being phased out[1].
So we should expect a rise in certificates based on SHA-2.
Adding SHA-384 as a valid signature algorithm.
Peter Wu [Mon, 13 Oct 2014 09:19:36 +0000 (11:19 +0200)]
cmake: enable IPv6 by default if available
ENABLE_IPV6 depends on HAVE_GETADDRINFO or you will get a
Curl_getaddrinfo_ex error. Enable IPv6 by default, disabling it if
struct sockaddr_in6 is not found in netinet/in.h.
Note that HAVE_GETADDRINFO_THREADSAFE is still not set as it needs more
platform checks even though POSIX requires a thread-safe getaddrinfo.
Verified on Arch Linux x86_64 with glibc 2.20-2 and Linux 3.16-rc7.
Peter Wu [Sun, 12 Oct 2014 09:27:07 +0000 (11:27 +0200)]
cmake: build tool_hugehelp (ENABLE_MANUAL)
Rather than always outputting an empty manual page for the '-M' option,
generate a full manual page as done by autotools. For simplicity in
CMake, always generate the gzipped page as it will not be used anyway
when zlib is not available.
Peter Wu [Fri, 10 Oct 2014 14:15:42 +0000 (16:15 +0200)]
tests/http_pipe.py: Python 3 support
The 2to3 tool converted socketserver (which I manually fixed up with an
import fallback) and the print(e) line. The xrange option was converted
to range, but it seems better to use the '*' operator here for
simplicity.
Daniel Stenberg [Thu, 9 Oct 2014 20:34:34 +0000 (22:34 +0200)]
vtls: have vtls.h include the backend header files
It turned out some features were not enabled in the build since for
example url.c #ifdefs on features that are defined on a per-backend
basis but vtls.h didn't include the backend headers.
CURLOPT_CERTINFO was one such feature that was accidentally disabled.
Jakub Zakrzewski [Thu, 25 Sep 2014 13:03:00 +0000 (15:03 +0200)]
Cmake: Build with GSSAPI (MIT or Heimdal)
It tries hard to recognise SDK's on different platforms. On windows MIT
Kerberos installs SDK with other things and puts path into registry.
Heimdal have separate zip archive. On linux pkg-config is tried, then
krb5-config script and finally old-style libs and headers detection.
Command line args:
* CMAKE_USE_GSSAPI - enables GSSAPI detection
* GSS_ROOT_DIR - if set, should point to the root of GSSAPI installation
(the one with include and lib directories)
Jakub Zakrzewski [Fri, 22 Aug 2014 15:02:59 +0000 (17:02 +0200)]
Cmake: Got rid of setup_curl_dependencies
There is no need for such function. Include_directories propagate by
themselves and having a function with one simple link statement makes
little sense.
Jakub Zakrzewski [Fri, 22 Aug 2014 14:59:30 +0000 (16:59 +0200)]
Cmake: Avoid cycle directory dependencies.
Because we prepended libraries to list, CMake had troubles resolving
link directory order as it detected some cycles. Appending to list ensures
that dependencies will preceed dependees.
Jakub Zakrzewski [Thu, 21 Aug 2014 11:15:59 +0000 (13:15 +0200)]
Cmake: Check for OpenSSL before OpenLDAP.
OpenLDAP might have been build with OpenSSL. Checking for OpenLDAP first
may result in undefined symbols. Of course, the found OpenSSL libraries
must also be linked whenever OpenLDAP is.
Daniel Stenberg [Wed, 8 Oct 2014 11:53:41 +0000 (13:53 +0200)]
FormAdd: precaution against memdup() of NULL pointer
Coverity CID 252518. This function is in general far too complicated for
its own good and really should be broken down into several smaller
funcitons instead - but I'm adding this protection here now since it
seems there's a risk the code flow can end up here and dereference a
NULL pointer.
Daniel Stenberg [Wed, 8 Oct 2014 10:25:07 +0000 (12:25 +0200)]
krb5_encode: remove unused argument
Coverity CID 1241957. Removed the unused argument. As this struct and
pointer now are used only for krb5, there's no need to keep unused
function arguments around.
Daniel Stenberg [Wed, 8 Oct 2014 10:21:39 +0000 (12:21 +0200)]
operate_do: skip superfluous check for NULL pointer
Coverity CID 1243583. get_url_file_name() cannot fail and return a NULL
file name pointer so skip the check for that - it tricks coverity into
believing it can happen and it then warns later on when we use 'outfile'
without checking for NULL.
moparisthebest [Wed, 1 Oct 2014 02:31:17 +0000 (22:31 -0400)]
SSL: implement public key pinning
Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).
Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().
Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
Daniel Stenberg [Tue, 7 Oct 2014 08:29:06 +0000 (10:29 +0200)]
parseconfig: skip a NULL check
Coverity CID 1154198. This NULL check implies that the pointer _can_ be
NULL at this point, which it can't. Thus it is dead code. It tricks
static analyzers to warn about dereferencing the pointer since the code
seems to imply it can be NULL.