Commit Graph

9531 Commits

Author SHA1 Message Date
Michael Kaufmann
284d06df9e reuse_conn: don't copy flags that are known to be equal
A connection can only be reused if the flags "conn_to_host" and
"conn_to_port" match. Therefore it is not necessary to copy these flags
in reuse_conn().

Closes #1918
2017-09-28 21:18:02 +02:00
Jay Satiro
953b5c4e26 ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
.. and include the core NTLM header in all NTLM-related source files.

Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
but did not include vtls.h where it was defined.

Closes https://github.com/curl/curl/pull/1911
2017-09-23 13:58:14 -04:00
Daniel Stenberg
afbdc96638
file_range: avoid integer overflow when figuring out byte range
When trying to bump the value with one and the value is already at max,
it causes an integer overflow.

Closes #1908
Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465

Assisted-by: Max Dymond
2017-09-23 18:21:15 +02:00
Viktor Szakats
6f86022df2 ntlm: use strict order for SSL backend #if branches
With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848
2017-09-22 19:01:28 +00:00
Daniel Stenberg
3b05f79ef8
imap: quote atoms properly when escaping characters
Updates test 800 to verify

Fixes #1902
Closes #1903
2017-09-22 14:43:37 +02:00
Daniel Stenberg
b8e0fe19ec
vtls: provide curl_global_sslset() even in non-SSL builds
... it just returns error:

Bug: 1328f69d53 (commitcomment-24470367)
Reported-by: Marcel Raad

Closes #1906
2017-09-22 12:09:13 +02:00
Patrick Monnerat
ee56fdb691 form/mime: field names are not allowed to contain zero-valued bytes.
Also suppress length argument of curl_mime_name() (names are always
zero-terminated).
2017-09-22 01:08:29 +01:00
Dirk Feytons
fa9482ab09
openssl: only verify RSA private key if supported
In some cases the RSA key does not support verifying it because it's
located on a smart card, an engine wants to hide it, ...
Check the flags on the key before trying to verify it.
OpenSSL does the same thing internally; see ssl/ssl_rsa.c

Closes #1904
2017-09-21 20:17:06 +02:00
Patrick Monnerat
a7bcf274cc mime: rephrase the multipart output state machine (#1898) ...
... in hope coverity will like it much.
2017-09-20 14:06:47 +01:00
Patrick Monnerat
f304201868 mime: fix an explicit null dereference (#1899) 2017-09-20 12:01:11 +01:00
Daniel Stenberg
1e548f7784
smtp: fix memory leak in OOM
Regression since ce0881edee

Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
torture testing.
2017-09-20 11:33:46 +02:00
Pavel P
5fe85587cc
cookies: use lock when using CURLINFO_COOKIELIST
Closes #1896
2017-09-19 23:48:48 +02:00
Daniel Stenberg
bec50cc285
mime:escape_string minor clarification change
... as it also removes a warning with old gcc versions.

Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
Reported-by: Ben Greear
2017-09-18 23:15:41 +02:00
Daniel Stenberg
2bc230de63
cookies: reject oversized cookies
... instead of truncating them.

There's no fixed limit for acceptable cookie names in RFC 6265, but the
entire cookie is said to be less than 4096 bytes (section 6.1). This is
also what browsers seem to implement.

We now allow max 5000 bytes cookie header. Max 4095 bytes length per
cookie name and value. Name + value together may not exceed 4096 bytes.

Added test 1151 to verify

Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
Reported-by: Kevin Smith

Closes #1894
2017-09-18 22:55:50 +02:00
Jay Satiro
6d436642dd socks: fix incorrect port number in SOCKS4 error message
Prior to this change it appears the SOCKS5 port parsing was erroneously
used for the SOCKS4 error message, and as a result an incorrect port
would be shown in the error message.

Bug: https://github.com/curl/curl/issues/1892
Reported-by: Jackarain@users.noreply.github.com
2017-09-18 03:07:57 -04:00
Marc Aldorasi
c8666089c8 schannel: Support partial send for when data is too large
Schannel can only encrypt a certain amount of data at once.  Instead of
failing when too much data is to be sent at once, send as much data as
we can and let the caller send the remaining data by calling send again.

Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html

Closes https://github.com/curl/curl/pull/1890
2017-09-16 03:19:35 -04:00
David Benjamin
843200c5b9 openssl: add missing includes
lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
their headers directly rather than relying on other OpenSSL headers
including things.

Closes https://github.com/curl/curl/pull/1891
2017-09-16 03:11:18 -04:00
Daniel Stenberg
93843c372f
conversions: fix several compiler warnings 2017-09-15 16:58:35 +02:00
Daniel Stenberg
46e14b6942
non-ascii: use iconv() with 'char **' argument
Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
2017-09-15 16:56:23 +02:00
Daniel Stenberg
2fc1db56cd
escape.c: error: pointer targets differ in signedness 2017-09-15 16:56:23 +02:00
Max Dymond
08dbed31d5
rtsp: Segfault in rtsp.c when using WRITEDATA
If the INTERLEAVEFUNCTION is defined, then use that plus the
INTERLEAVEDATA information when writing RTP. Otherwise, use
WRITEFUNCTION and WRITEDATA.

Fixes #1880
Closes #1884
2017-09-15 15:43:48 +02:00
Daniel Stenberg
22708eae40
URL: on connection re-use, still pick the new remote port
... as when a proxy connection is being re-used, it can still get a
different remote port.

Fixes #1887
Reported-by: Oli Kingshott
2017-09-14 16:49:40 +02:00
Daniel Stenberg
87501e57f1
code style: remove wrong uses of multiple spaces
Closes #1878
2017-09-12 13:54:54 +02:00
Daniel Stenberg
59813726d1
checksrc: detect and warn for multiple spaces 2017-09-12 09:50:24 +02:00
Daniel Stenberg
20acb58a38
code style: use space after semicolon 2017-09-12 09:50:24 +02:00
Daniel Stenberg
67ade28571
checksrc: verify space after semicolons 2017-09-12 09:50:24 +02:00
Daniel Stenberg
e5743f08e7
code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
Daniel Stenberg
ca86006deb
checksrc: detect and warn for lack of spaces next to plus signs 2017-09-11 09:29:50 +02:00
Daniel Stenberg
6b84438d9a
code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
Daniel Stenberg
e155f38d1e
checksrc: verify spaces around equals signs
... as the code style mandates.
2017-09-11 09:27:28 +02:00
Daniel Stenberg
02eb6184ad
Curl_checkheaders: make it available for IMAP and SMTP too
... not only HTTP uses this now.

Closes #1875
2017-09-11 00:26:17 +02:00
Jay Satiro
64bb7ae6ae mbedtls: enable CA path processing
CA path processing was implemented when mbedtls.c was added to libcurl
in fe7590f, but it was never enabled.

Bug: https://github.com/curl/curl/issues/1877
Reported-by: SBKarr@users.noreply.github.com
2017-09-10 03:22:05 -04:00
Daniel Stenberg
a14f7152ce
rtsp: do not call fwrite() with NULL pointer FILE *
If the default write callback is used and no destination has been set, a
NULL pointer would be passed to fwrite()'s 4th argument.

OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
(not publicly open yet)

Detected by OSS-fuzz
Closes #1874
2017-09-08 23:56:02 +02:00
Daniel Stenberg
9ef50ee0a4
http-proxy: when not doing CONNECT, that phase is done immediately
`conn->connect_state` is NULL when doing a regular non-CONNECT request
over the proxy and should therefor be considered complete at once.

Fixes #1853
Closes #1862
Reported-by: Lawrence Wagerfield
2017-09-07 16:11:38 +02:00
Johannes Schindelin
f4a623825b
OpenSSL: fix yet another mistake while encapsulating SSL backend data
Another mistake in my manual fixups of the largely mechanical
search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
commit concerning HTTPS proxies (and hence not caught during my
earlier testing).

Fixes #1855
Closes #1871

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:08:24 +02:00
Johannes Schindelin
dde4f5c81a
OpenSSL: fix erroneous SSL backend encapsulation
In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
data, 2017-06-21), this developer prepared for a separation of the
private data of the SSL backends from the general connection data.

This conversion was partially automated (search-and-replace) and
partially manual (e.g. proxy_ssl's backend data).

Sadly, there was a crucial error in the manual part, where the wrong
handle was used: rather than connecting ssl[sockindex]' BIO to the
proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
was an incorrect location to paste "BACKEND->"... d'oh.

Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:06:50 +02:00
Jay Satiro
955c21939e
vtls: fix memory corruption
Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
2017-07-28), the code handling HTTPS proxies was broken because the
pointer to the SSL backend data was not swapped between
conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
instead set to NULL (causing segmentation faults).

[jes: provided the commit message, tested and verified the patch]

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:06:50 +02:00
Daniel Stenberg
4bb80d532e
vtls: switch to CURL_SHA256_DIGEST_LENGTH define
... instead of the prefix-less version since WolfSSL 3.12 now uses an
enum with that name that causes build failures for us.

Fixes #1865
Closes #1867
Reported-by: Gisle Vanem
2017-09-07 15:59:42 +02:00
Jay Satiro
70a69f3718 SSL: fix unused parameter warnings 2017-09-06 15:11:55 -04:00
Patrick Monnerat
c96d96bc5f mime: drop internal FILE * support.
- The part kind MIMEKIND_FILE and associated code are suppressed.
- Seek data origin offset not used anymore: suppressed.
- MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
  renamed accordingly.
- Curl_getformdata() processes stdin via a callback.
2017-09-06 13:42:03 +01:00
Daniel Stenberg
d1da545a68
configure: remove --enable-soname-bump and SONAME_BUMP
Back in 2008, (and commit 3f3d6ebe66) we changed the logic in how we
determine the native type for `curl_off_t`. To really make sure we
didn't break ABI without bumping SONAME, we introduced logic that
attempted to detect that it would use a different size and thus not be
compatible. We also provided a manual switch that allowed users to tell
configure to bump SONAME by force.

Today, we know of no one who ever got a SONAME bump auto-detected and we
don't know of anyone who's using the manual bump feature. The auto-
detection is also no longer working since we introduced defining
curl_off_t in system.h (7.55.0).

Finally, this bumping logic is not present in the cmake build.

Closes #1861
2017-09-06 08:43:36 +02:00
Gisle Vanem
61825be02b vtls: select ssl backend case-insensitive (follow-up)
- Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.

- Change Curl_strcasecompare calls to strcasecompare
  (maps to the former but shorter).

Follow-up to c290b8f.

Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313

Co-authored-by: Jay Satiro
2017-09-06 02:27:33 -04:00
Jay Satiro
6cdba64e13 openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.

The first one, written for old OpenSSL versions:
https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c

The second one, written for BoringSSL and new OpenSSL versions:
https://github.com/curl/curl/pull/1346

Note the first one is GPL licensed but the author gave permission to
waive that license for libcurl.

As of right now this feature is disabled by default, and does not have
a configure option to enable it. To enable this feature define
ENABLE_SSLKEYLOGFILE when building libcurl and set environment
variable SSLKEYLOGFILE to a pathname that will receive the keys.

And in Wireshark change your preferences to point to that key file:
Edit > Preferences > Protocols > SSL > Master-Secret

Co-authored-by: Peter Wu

Ref: https://github.com/curl/curl/pull/1030
Ref: https://github.com/curl/curl/pull/1346

Closes https://github.com/curl/curl/pull/1866
2017-09-05 23:56:54 -04:00
Patrick Monnerat
ee5725fb5e mime: fix a trivial warning. 2017-09-05 18:38:31 +01:00
Patrick Monnerat
c1d0b6f98e mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
mime_state is now a typedef.
2017-09-05 18:20:06 +01:00
Patrick Monnerat
63ef436ea1 mime: implement encoders.
curl_mime_encoder() is operational and documented.
curl tool -F option is extended with ";encoder=".
curl tool --libcurl option generates calls to curl_mime_encoder().
New encoder tests 648 & 649.
Test 1404 extended with an encoder specification.
2017-09-05 17:55:51 +01:00
Daniel Stenberg
9926357b42 mime: unified to use the typedef'd mime structs everywhere
... and slightly edited to follow our code style better.
2017-09-05 17:33:16 +01:00
Kamil Dudka
ea142a837e openssl: use OpenSSL's default ciphers by default
Up2date versions of OpenSSL maintain the default reasonably secure
without breaking compatibility, so it is better not to override the
default by curl.  Suggested at https://bugzilla.redhat.com/1483972

Closes #1846
2017-09-05 12:13:38 +02:00
Daniel Stenberg
3130414ce7
http-proxy: treat all 2xx as CONNECT success
Added test 1904 to verify.

Reported-by: Lawrence Wagerfield
Fixes #1859
Closes #1860
2017-09-05 09:47:46 +02:00
Viktor Szakats
841a09ea19 mime: use CURL_ZERO_TERMINATED in examples
and some minor whitespace fixes
2017-09-04 13:58:10 +00:00