Commit Graph

140 Commits

Author SHA1 Message Date
Marian Klymov
c45360d463
cppcheck: fix warnings
- Get rid of variable that was generating false positive warning
(unitialized)

- Fix issues in tests

- Reduce scope of several variables all over

etc

Closes #2631
2018-06-11 11:14:48 +02:00
toughengineer
bc4b8c9717
ntlm_sspi: fix authentication using Credential Manager
If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.

Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660
2018-04-16 20:43:21 +02:00
Patrick Monnerat
de97b5fcef sasl: prefer PLAIN mechanism over LOGIN
SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
PLAIN should be used instead if available.
2018-02-21 17:42:25 +01:00
Patrick Monnerat
6869d65f54 Curl_base64_encode: always call with a real data handle.
Some calls in different modules were setting the data handle to NULL, causing
segmentation faults when using builds that enable character code conversions.
2017-09-02 12:49:59 +01:00
Marcel Raad
f8518059ce
curl_sasl: fix unused-variable warning
This fixes the following warning with CURL_DISABLE_CRYPTO_AUTH,
as seen in the autobuilds:

curl_sasl.c:417:9: warning: unused variable 'serverdata'
[-Wunused-variable]
2017-06-03 11:59:38 +02:00
Daniel Stenberg
32c27f9e98 curl_sasl: fix build error with CURL_DISABLE_CRYPTO_AUTH + USE_NTLM
Reported-by: wyattoday at github
Fixes #1487
2017-05-16 16:13:03 +02:00
Martin Kepplinger
2d4413fefd curl_sasl: declare mechtable static
struct mechtable is only used locally here. It can be declared static.
2017-04-04 22:59:34 +02:00
Daniel Stenberg
dbadaebfc4 checksrc: code style: use 'char *name' style 2016-11-24 23:58:22 +01:00
Okhin Vasilij
c6da05a5ec HTTPS-proxy: fixed mbedtls and polishing 2016-11-24 23:41:45 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Steve Holme
a78c61a4bf sasl: Don't use GSSAPI authentication when domain name not specified
Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
2016-08-21 11:56:23 +01:00
Steve Holme
00417fd66c sasl: Added calls to Curl_auth_is_<mechansism>_supported()
Hooked up the SASL authentication layer to query the new 'is mechanism
supported' functions when deciding what mechanism to use.

For now existing functionality is maintained.
2016-08-20 14:02:44 +01:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Daniel Stenberg
4f45240bc8 lib: include curl_printf.h as one of the last headers
curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

 curl_printf.h
 curl_memory.h
 memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743
2016-04-29 22:32:49 +02:00
Steve Holme
f044cbe6fc sasl: Fixed compilation errors from commit 9d89a0387
...when GSS-API or Windows SSPI are not used.
2016-04-09 05:57:10 +01:00
Steve Holme
9d89a03872 ftp/imap/pop3/smtp: Allow the service name to be overridden
Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
authentication in FTP, IMAP, POP3 and SMTP.
2016-04-08 18:59:33 +01:00
Steve Holme
e655ae0c80 curl_sasl: Fixed potential null pointer utilisation
Although this should never happen due to the relationship between the
'mech' and 'resp' variables, and the way they are allocated together,
it does cause problems for code analysis tools:

V595 The 'mech' pointer was utilized before it was verified against
     nullptr. Check lines: 376, 381. curl_sasl.c 376

Bug: https://github.com/curl/curl/issues/745
Reported-by: Alexis La Goutte
2016-04-03 17:55:17 +01:00
Steve Holme
ced0cbb5b7 krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument
For consistency with the spnego and oauth2 code moved the setting of
the host name outside of the Curl_auth_create_gssapi_user_messag()
function.

This will allow us to more easily override it in the future.
2016-04-02 06:15:29 +01:00
Steve Holme
58a7bc96ec vauth: Refactored function names after move to new vauth directory
Renamed all the SASL functions that moved to the new vauth directory to
include the correct module name.
2016-03-25 17:40:12 +00:00
Steve Holme
70e56939aa vauth: Moved the OAuth 2.0 authentication code to the new vauth directory 2016-03-25 15:11:10 +00:00
Steve Holme
6012fa5aee vauth: Moved the NTLM authentication code to the new vauth directory 2016-03-25 15:11:09 +00:00
Steve Holme
51358a3f40 vauth: Moved the DIGEST authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
ec5b8dc647 vauth: Moved the CRAM-MD5 authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
6101e35819 vauth: Moved the ClearText authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
685fee3828 vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files 2016-03-25 09:12:01 +00:00
Steve Holme
c142e73142 ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
warning C4706: assignment within conditional expression
2016-03-19 17:15:53 +00:00
Daniel Stenberg
3c6238b3eb curl_sasl.c: minor code indent fixes 2016-03-14 09:55:38 +01:00
Steve Holme
e4a0a9ef18 digest: Use boolean based success code for Curl_sasl_digest_get_pair()
Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
based success code.
2016-03-12 17:25:15 +00:00
Steve Holme
a7a653fd58 digest: Corrected some typos in comments 2016-03-12 13:20:03 +00:00
Steve Holme
dbb90e7e9f ntlm: Corrected some typos in function descriptions 2016-03-12 11:56:10 +00:00
Emil Lerner
3fa220a6a5 curl_sasl: Fix memory leak in digest parser
If any parameter in a HTTP DIGEST challenge message is present multiple
times, memory allocated for all but the last entry should be freed.

Bug: https://github.com/curl/curl/pull/667
2016-02-19 21:52:05 -05:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
88f585c3a1 sasl; fix checksrc warnings 2015-11-15 23:15:00 +01:00
Steve Holme
ee04bee82b oauth2: Support OAUTHBEARER failures sent as continuation responses
According to RFC7628 a failure message may be sent by the server in a
base64 encoded JSON string as a continuation response.

Currently only implemented for OAUTHBEARER and not XAUTH2.
2015-11-15 20:11:53 +00:00
Steve Holme
febda2f305 oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
OAUTHBEARER is now the official "registered" SASL mechanism name for
OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
servers won't support the new mechanism yet.
2015-11-14 10:28:05 +00:00
Steve Holme
1f82df9146 sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
Following the fix in commit d6d58dd558 it is necessary to re-introduce
XOAUTH2 in the default enabled authentication mechanism, which was
removed in commit 7b2012f262, otherwise users will have to specify
AUTH=XOAUTH2 in the URL.

Note: OAuth 2.0 will only be used when the bearer is specified.
2015-11-12 19:45:24 +00:00
Steve Holme
88702ebb31 oauth2: Re-factored OAuth 2.0 state variable 2015-11-12 18:25:33 +00:00
Steve Holme
d6d58dd558 sasl: Don't choose OAuth 2.0 if mechanism not advertised
Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
specified but the SASL mechanism wasn't supported by the server then
the mechanism would be chosen.
2015-11-12 18:25:33 +00:00
Steve Holme
dcf5b614ca oauth2: Introduced support for host and port details
Added support to the OAuth 2.0 message function for host and port, in
order to accommodate the official OAUTHBEARER SASL mechanism which is
to be added shortly.
2015-11-11 22:26:21 +00:00
Steve Holme
7023d8aa37 oauth2: Don't use XAUTH2 in OAuth 2.0 function name 2015-11-09 22:25:09 +00:00
Steve Holme
eaa98cef8d oauth2: Don't use XOAUTH2 in OAuth 2.0 variables 2015-11-09 22:25:08 +00:00
Steve Holme
b850437991 sasl: Updated SPN variables and comments for consistency
In places the "host name" and "realm" variable was referred to as
"instance" whilst in others it was referred to as "host".
2015-08-31 12:43:58 +01:00
Grant Pannell
59f3f92ba6 sasl_sspi: Populate domain from the realm in the challenge
Without this, SSPI based digest auth was broken.

Bug: https://github.com/bagder/curl/pull/141.patch
2015-04-26 16:12:23 +02:00
Dan Fandrich
35648f2e79 curl_memory: make curl_memory.h the second-last header file loaded
This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.
2015-03-24 23:47:01 +01:00
Daniel Stenberg
0f4a03cbb6 free: instead of Curl_safefree()
Since we just started make use of free(NULL) in order to simplify code,
this change takes it a step further and:

- converts lots of Curl_safefree() calls to good old free()
- makes Curl_safefree() not check the pointer before free()

The (new) rule of thumb is: if you really want a function call that
frees a pointer and then assigns it to NULL, then use Curl_safefree().
But we will prefer just using free() from now on.
2015-03-16 15:01:15 +01:00
Daniel Stenberg
df5578a7a3 mprintf.h: remove #ifdef CURLDEBUG
... and as a consequence, introduce curl_printf.h with that re-define
magic instead and make all libcurl code use that instead.
2015-03-03 12:36:18 +01:00
Steve Holme
0a7182f6ad curl_sasl.c: More code policing
Better use of 80 character line limit, comment corrections and line
spacing preferences.
2015-02-02 16:50:39 +00:00
Steve Holme
8ca3b05624 curl_sasl.c: Fixed compilation warning when cryptography is disabled
curl_sasl.c:1506: warning: unused variable 'chlg'
2015-01-29 11:48:11 +00:00
Steve Holme
6fdc8651bd curl_sasl.c: Fixed compilation warning when verbose debug output disabled
curl_sasl.c:1317: warning: unused parameter 'conn'
2015-01-28 22:48:01 +00:00