Commit Graph

171 Commits

Author SHA1 Message Date
Chris Talbot
7703ca7f86 digest: Use hostname to generate spn instead of realm
In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

digest-uri-value should be serv-type "/" host , where host is:

      The DNS host name or IP address for the service requested.  The
      DNS host name must be the fully-qualified canonical name of the
      host. The DNS host name is the preferred form; see notes on server
      processing of the digest-uri.

Realm may not be the host, so we must specify the host explicitly.

Note this change only affects the non-SSPI digest code. The digest code
used by SSPI builds already uses the hostname to generate the spn.

Ref: https://github.com/curl/curl/issues/11369

Closes https://github.com/curl/curl/pull/11395
2023-09-08 03:23:44 -04:00
Wyatt O'Day
e92edfbef6
lib: add ability to disable auths individually
Both with configure and cmake

Closes #11490
2023-09-07 17:45:06 +02:00
Daniel Stenberg
7c8bae0d9c
nss: remove support for this TLS library
Closes #11459
2023-07-29 23:44:28 +02:00
Daniel Stenberg
127eb0d83a
misc: fix spelling mistakes
Reported-by: musvaage on github
Fixes #11171
Closes #11172
2023-05-23 10:42:09 +02:00
Andreas Falkenhahn
15a361892d
nbtlm: use semicolons instead of commas for (void) args
Closes #10978
2023-04-16 17:05:15 +02:00
Daniel Stenberg
0c2fcb0f60
ntlm: clear lm and nt response buffers before use
To avoid the risk of MemorySanitizer: use-of-uninitialized-value

Closes #10814
2023-03-23 09:25:05 +01:00
Daniel Stenberg
955e2769f7
digest: clear target buffer
Closes #10814
2023-03-23 09:24:59 +01:00
Federico Pellegrin
cace68e299
openldap: fix missing sasl symbols at build in specific configs
If curl is built with openldap support (USE_OPENLDAP=1) but does not
have also some other protocol (IMAP/SMTP/POP3) enabled that brings
in Curl_sasl_* functions, then the build will fail with undefined
references to various symbols:

ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_decode_mech'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_parse_url_auth_option'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_cleanup'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_can_authenticate'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_continue'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_start'
ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_init'

This was tracked down to these functions bein used in openldap.c but
defined in curl_sasl.c and then forward in two vauth/ files to have
a guard against a set of #define configurations that was now extended
to cover also this case.

Example configuration targeted that could reproduce the problem:

curl 7.87.1-DEV () libcurl/7.87.1-DEV .... OpenLDAP/2.6.3
Protocols: file ftp ftps http https ldap ldaps

Closes #10445
2023-02-09 08:17:20 +01:00
Daniel Stenberg
2bc1d775f5
copyright: update all copyright lines and remove year ranges
- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205
2023-01-03 09:19:21 +01:00
Daniel Gustafsson
2d9fee4504 netware: remove leftover traces
Commit 3b16575ae9 removed support for
building on Novell Netware, but a few leftover traces remained. This
removes the last bits.

Closes: #9966
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-11-23 11:56:52 +01:00
Rose
f151ec6c10 lib: fix some type mismatches and remove unneeded typecasts
Many of these castings are unneeded if we change the variables to work
better with each other.

Ref: https://github.com/curl/curl/pull/9823

Closes https://github.com/curl/curl/pull/9835
2022-11-08 03:11:01 -05:00
Daniel Stenberg
52cc4a85fd
style: use space after comment start and before comment end
/* like this */

/*not this*/

checksrc is updated accordingly

Closes #9828
2022-10-30 22:31:29 +01:00
Ayesh Karunaratne
4484270afc
misc: typo and grammar fixes
- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing repeated words.
- Replace `a HTTP` with `an HTTP`

Closes #9802
2022-10-27 10:01:30 +02:00
Daniel Stenberg
ed5095ed94
strcase: add and use Curl_timestrcmp
This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match info to observers based on how fast it is.

The time this function takes is only a function of the shortest input
string.

Reported-by: Trail of Bits

Closes #9658
2022-10-08 11:50:47 +02:00
Daniel Stenberg
37b3fb1c6a
vauth/ntlm.h: make line shorter than 80 columns
Follow-up from 265fbd937
2022-10-02 00:21:18 +02:00
Viktor Szakats
265fbd937e
docs: update sourceforge project links [ci skip]
SourceForge projects can now choose between two hostnames, with .io and
.net ending. Both support HTTPS by default now. Opening the other variant
will perm-redirected to the one chosen by the project.

The .io -> .net redirection is done insecurely.

Let's update the URLs to point to the current canonical endpoints to
avoid any redirects.

Closes #9630
2022-10-01 18:40:47 +00:00
Daniel Stenberg
eb33ccd533
functypes: provide the recv and send arg and return types
This header is for providing the argument types for recv() and send()
when built to not use a dedicated config-[platfor].h file.

Remove the slow brute-force checks from configure and cmake.

This change also removes the use of the types for select, as they were
not used in code.

Closes #9592
2022-09-28 09:06:11 +02:00
Patrick Monnerat
72652c0613
http, vauth: always provide Curl_allow_auth_to_host() functionality
This function is currently located in the lib/http.c module and is
therefore disabled by the CURL_DISABLE_HTTP conditional token.

As it may be called by TLS backends, disabling HTTP results in an
undefined reference error at link time.

Move this function to vauth/vauth.c to always provide it and rename it
as Curl_auth_allowed_to_host() to respect the vauth module naming
convention.

Closes #9600
2022-09-27 14:05:37 +02:00
Daniel Stenberg
307b7543ea
misc: null-terminate
Make use of this term consistently.

Closes #9527
2022-09-17 23:19:29 +02:00
Daniel Stenberg
6f9fb7ec2d
misc: ISSPACE() => ISBLANK()
Instances of ISSPACE() use that should rather use ISBLANK(). I think
somewhat carelessly used because it sounds as if it checks for space or
whitespace, but also includes %0a to %0d.

For parsing purposes, we should only accept what we must and not be
overly liberal. It leads to surprises and surprises lead to bad things.

Closes #9432
2022-09-06 08:34:30 +02:00
Viktor Szakats
c9061f242b
misc: spelling fixes
Found using codespell 2.2.1.

Also delete the redundant protocol designator from an archive.org URL.

Reviewed-by: Daniel Stenberg
Closes #9403
2022-08-31 14:31:01 +00:00
Daniel Stenberg
0ad7c8d7d5
digest: pass over leading spaces in qop values
When parsing the "qop=" parameter of the digest authentication, and the
value is provided within quotes, the list of values can have leading
white space which the parser previously did not handle correctly.

Add test case 388 to verify.

Reported-by: vlubart on github
Fixes #9264
Closes #9270
2022-08-08 08:28:04 +02:00
Evgeny Grin (Karlson2k)
3fe24ea322
digest: reject broken header with session protocol but without qop
Closes #9077
2022-08-07 14:39:57 +02:00
Evgeny Grin (Karlson2k)
6e241bbf1d digest: fix memory leak, fix not quoted 'opaque'
Fix leak regression introduced by 3a6fe0c.

Closes https://github.com/curl/curl/pull/9199
2022-07-25 15:06:30 -04:00
Evgeny Grin (Karlson2k)
647ed7c78b digest: fix missing increment of 'nc' value for auth-int
- Increment nc regardless of qop type.

Prior to this change nc was only incremented for qop type auth even
though libcurl sends nc with any qop.

Closes https://github.com/curl/curl/pull/9090
2022-07-06 04:14:37 -04:00
Daniel Stenberg
193215db3c
digest: simplify a switch() to a simple if 2022-07-04 08:27:21 +02:00
Daniel Stenberg
a44c9ba799
digest: provide a special bit for "sess" algos
Also shortened the names and moved them to the .c file since they are
private for this source file only. Also made them #defines instead of
enum.

Closes #9079
2022-07-04 08:27:15 +02:00
max.mehl
ad9bc5976d
copyright: make repository REUSE compliant
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869
2022-06-13 09:13:00 +02:00
Evgeny Grin
f59508e6cd
digest: tolerate missing "realm"
Server headers may not define "realm", avoid NULL pointer dereference
in such cases.

Closes #8912
2022-06-02 08:18:54 +02:00
Evgeny Grin
807f440301
digest: added detection of more syntax error in server headers
Invalid headers should not be processed otherwise they may create
a security risk.

Closes #8912
2022-06-02 08:18:48 +02:00
Evgeny Grin
3a6fe0c767
digest: unquote realm and nonce before processing
RFC 7616 (and 2617) requires values to be "unquoted" before used for
digest calculations. The only place where unquoting can be done
correctly is header parsing function (realm="DOMAIN\\host" and
realm=DOMAN\\host are different realms).

This commit adds unquoting (de-escaping) of all values during header
parsing and quoting of the values during header forming. This approach
should be most straightforward and easy to read/maintain as all values
are processed in the same way as required by RFC.

Closes #8912
2022-06-02 08:18:34 +02:00
Daniel Stenberg
216636a4ce
ntlm: (void) typecast msnprintf() where we ignore return code
Follow-up to 5a41abef6, to please Coverity
2022-05-23 08:13:48 +02:00
Daniel Gustafsson
5a41abef6d ntlm: copy NTLM_HOSTNAME to host buffer
Commit 709ae2454f added a fake hostname to avoid leaking the local
hostname, but omitted copying it to the host buffer.  Fix by copying
and adjust the test fallout.

Closes: #8895
Fixes: #8893
Reported-by: Patrick Monnerat <patrick@monnerat.net>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-22 23:26:24 +02:00
Daniel Stenberg
709ae2454f
ntlm: provide a fixed fake host name
The NTLM protocol includes providing the local host name, but apparently
other implementations already provide a fixed fake name instead to avoid
leaking the real local name.

The exact name used is 'WORKSTATION', because Firefox uses that.

The change is written to allow someone to "back-pedal" fairly easy in
case of need.

Reported-by: Carlo Alberto
Fixes #8859
Closes #8889
2022-05-20 16:24:13 +02:00
Daniel Stenberg
6968fb9d54
lib: remove exclamation marks
... from infof() and failf() calls. Make them less attention seeking.

Closes #8713
2022-04-16 11:55:05 +02:00
Marcel Raad
897e8baa54
ntlm: remove unused feature defines
They're not used anymore and always supported.

Closes https://github.com/curl/curl/pull/8453
2022-02-15 14:12:41 +01:00
Daniel Stenberg
2610142139
lib: remove support for CURL_DOES_CONVERSIONS
TPF was the only user and support for that was dropped.

Closes #8378
2022-02-04 08:05:35 +01:00
Daniel Stenberg
21248e052d
checksrc: detect more kinds of NULL comparisons we avoid
Co-authored-by: Jay Satiro
Closes #8180
2021-12-27 23:39:26 +01:00
x2018
d6ff35b5a5
sha256/md5: return errors when init fails
Closes #8133
2021-12-13 15:54:16 +01:00
Glenn Strauss
aae235b6ba
digest: compute user:realm:pass digest w/o userhash
https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4
  ... the client MUST calculate a hash of the username after
      any other hash calculation ...

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Closes #8066
2021-11-30 13:57:46 +01:00
Patrick Monnerat
7da2990b19
auth: do not append zero-terminator to authorisation id in kerberos
RFC4752 Section 3.1 states "The authorization identity is not terminated
with a zero-valued (%x00) octet". Although a comment in code said it may
be needed anyway, nothing confirms it. In addition, servers may consider
it as part of the identity, causing a failure.

Closes #7008
2021-08-16 08:36:10 +02:00
Patrick Monnerat
396a2d7fe3
auth: use sasl authzid option in kerberos
... instead of deriving it from active ticket.
Closes #7008
2021-08-16 08:36:06 +02:00
Patrick Monnerat
0a1c85e39b
auth: we do not support a security layer after kerberos authentication
Closes #7008
2021-08-16 08:36:03 +02:00
Patrick Monnerat
3f9b1d0c9d
auth: properly handle byte order in kerberos security message
Closes #7008
2021-08-16 08:35:55 +02:00
Sergey Markelov
e919848ead build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
fix compiler warnings about unused variables and parameters when
built with --disable-verbose.

Closes https://github.com/curl/curl/pull/7377
2021-07-16 13:55:52 -04:00
Daniel Stenberg
e7416cfd2b
infof: remove newline from format strings, always append it
- the data needs to be "line-based" anyway since it's also passed to the
  debug callback/application

- it makes infof() work like failf() and consistency is good

- there's an assert that triggers on newlines in the format string

- Also removes a few instances of "..."

- Removes the code that would append "..." to the end of the data *iff*
  it was truncated in infof()

Closes #7357
2021-07-07 22:54:01 +02:00
Daniel Stenberg
82d334001f
copyright: update copyright year ranges to 2021 2021-05-26 08:18:11 +02:00
Jay Satiro
1d5d0ae9e5 lib: fix some misuse of curlx_convert_UTF8_to_tchar
curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
prior to this change some uses mistakenly called free.

I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
curlx_convert_tchar_to_UTF8.

Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
Reported-by: sergio-nsk@users.noreply.github.com

Closes https://github.com/curl/curl/pull/6938
2021-04-27 15:09:23 -04:00
Daniel Stenberg
3e820fbf25
ntlm: precaution against super huge type2 offsets
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
Closes #6975
2021-04-27 16:02:02 +02:00
Daniel Stenberg
063d3f3b96
tidy-up: make conditional checks more consistent
... remove '== NULL' and '!= 0'

Closes #6912
2021-04-22 09:10:17 +02:00