| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
prior to this change some uses mistakenly called free.
I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
curlx_convert_tchar_to_UTF8.
Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
Reported-by: sergio-nsk@users.noreply.github.com
Closes https://github.com/curl/curl/pull/6938
|
| |
|
|
|
|
|
|
|
|
| |
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
Closes #6975
|
| |
|
|
|
|
| |
... remove '== NULL' and '!= 0'
Closes #6912
|
| |
|
|
|
|
|
|
| |
Input challenges and returned messages are now in binary.
Conversions from/to base64 are performed by callers (currently curl_sasl.c
and http_ntlm.c).
Closes #6654
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to Microsoft document MS-NLMP, current flags usage is not
accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
extended security in an NTLM authentication message and NTLM version 2
cannot be negotiated within the protocol.
The solution implemented here is: if the extended security flag is set,
prefer using NTLM version 2 (as a server featuring extended security
should also support version 2). If version 2 has been disabled at
compile time, use extended security.
Tests involving NTLM are adjusted to this new behavior.
Fixes #6813
Closes #6849
|
| |
|
|
| |
Closes #6849
|
| |
|
|
|
| |
Reviewed-by: Emil Engler
Closes #6802
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- also fix an indentation
- make Curl_auth_gsasl_token() use CURLcode (by Daniel Stenberg)
Ref: https://github.com/curl/curl/pull/6372#issuecomment-776118711
Ref: https://github.com/curl/curl/pull/6588
Reviewed-by: Jay Satiro
Assisted-by: Daniel Stenberg
Reviewed-by: Simon Josefsson
Closes #6587
|
| |
|
|
| |
Closes #6372
|
| |
|
|
|
|
|
|
|
|
| |
Turned several macros into do-while(0) style to allow their use to work
find with semicolon.
Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45433279
Follow-up to 08e8455dddc5e4
Reported-by: Gisle Vanem
Closes #6376
|
| |
|
|
|
|
|
|
|
| |
... as failf adds one itself.
Also: add an assert() to failf() that triggers on a newline in the
format string!
Closes #6365
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The error is shown with infof rather than failf so that the user will
see the extended error message information only in verbose mode, and
will still see the standard CURLE_AUTH_ERROR message. For example:
---
* schannel: InitializeSecurityContext failed: SEC_E_QOP_NOT_SUPPORTED
(0x8009030A) - The per-message Quality of Protection is not supported by
the security package
* multi_done
* Connection #1 to host 127.0.0.1 left intact
curl: (94) An authentication function returned an error
---
Ref: https://github.com/curl/curl/issues/6302
Closes https://github.com/curl/curl/pull/6315
|
| |
|
|
| |
Follow-up from 4d2f8006777
|
| |
|
|
| |
Closes #6172
|
| |
|
|
|
|
| |
... and fix a few occurances
Closes #6088
|
| |
|
|
|
|
|
|
|
| |
OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379
Closes #5724
|
| |
|
|
|
|
|
|
|
| |
When wolfSSL is built with its OpenSSL API layer, it fetures the same DES*
functions that OpenSSL has. This change take advantage of that.
Co-authored-by: Daniel Stenberg
Closes #5556
Fixes #5548
|
| |
|
|
| |
... and whitelisted a few more files in the the copyright.pl script.
|
| |
|
|
|
|
|
|
|
|
|
| |
- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples
- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
typedef different types/structs depending on build conditions.
Closes #5338
|
| |
|
|
|
|
|
| |
This will also be needed in the tool and tests.
Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
Closes https://github.com/curl/curl/pull/3784
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix theoretical integer overflow in Curl_auth_create_plain_message.
The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.
Closes #5391
|
| |
|
|
|
|
|
|
| |
Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other
instances of QuerySecurityPackageInfo failing, as in
commit 2a81439553286f12cd04a4bdcdf66d8e026d8201.
Closes #5355
|
| |
|
|
|
|
|
|
|
| |
That return code is reserved for build-time conditional code not being
present while this was a regular run-time error from a Windows API.
Reported-by: wangp on github
Fixes #5349
Closes #5350
|
| |
|
|
|
|
|
| |
As we have our own MD5 implementation use the MD5 wrapper to remove the
TLS dependency.
Closes #4967
|
| | |
|
| |
|
|
|
| |
Follow up to 2b5b37cb. Local static functions do not require the Curl
prefix.
|
| |
|
|
|
|
|
|
|
|
| |
RFC 7616 section 3.4 (The Authorization Header Field) states that "For
historical reasons, a sender MUST NOT generate the quoted string syntax
for the following parameters: algorithm, qop, and nc". This removes the
quoting for the algorithm parameter.
Reviewed-by: Steve Holme
Closes #4890
|
| |
|
|
|
|
|
|
| |
.. because checksrc's copyright year check stopped working.
Ref: https://github.com/curl/curl/pull/4547
Closes https://github.com/curl/curl/pull/4549
|
| |
|
|
|
| |
PVS-Studio warning
Fixes #4402
|
| |
|
|
| |
Closes #4299
|
| |
|
|
|
|
| |
This is a follow-up to https://github.com/curl/curl/pull/3864 .
Closes #4224
|
| |
|
|
|
|
|
| |
Reported in build "Win32 target on Debian Stretch (64-bit) -
i686-w64-mingw32 - gcc-20170516"
Closes #4245
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add new error code CURLE_AUTH_ERROR.
Prior to this change auth function errors were signaled by
CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was
technically correct.
Ref: https://github.com/curl/curl/pull/3848
Co-authored-by: Dominik Hölzl
Closes https://github.com/curl/curl/pull/3864
|
| |
|
|
|
|
| |
Reduce variable scopes and remove redundant variable stores.
Closes https://github.com/curl/curl/pull/3975
|
| |
|
|
|
|
|
|
|
| |
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.
Ref: #3876
Closes #3883
|
| |
|
|
|
|
|
| |
Given that this member variable is not used by the SASL based protocols
there is no need to have it here.
Closes #3882
|
| | |
|
| |
|
|
|
|
| |
For consistency and to a avoid confusion.
Closes #3869
|
| |
|
|
|
|
| |
...and misalignment of these comments. From a78c61a4.
Closes #3860
|
| |
|
|
|
|
| |
From 6012fa5a.
Closes #3858
|
| |
|
|
|
| |
Fixes #3726
Closes #3849
|
| |
|
|
| |
Follow up to 762a292f.
|
| |
|
|
|
|
|
| |
Functionally this doesn't change anything as we still use the username
for both the authorisation identity and the authentication identity.
Closes #3757
|
| |
|
|
|
|
|
|
|
|
|
| |
OAUTHBEARER tokens were incorrectly generated in a format similar to
XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the
RFC7628.
Fixes: #2487
Reported-by: Paolo Mossino
Closes https://github.com/curl/curl/pull/3377
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adjusted unit tests 2056, 2057
* do not generally close connections with CURLAUTH_NEGOTIATE after every request
* moved negotiatedata from UrlState to connectdata
* Added stream rewind logic for CURLAUTH_NEGOTIATE
* introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC
* Consider authproblem state for CURLAUTH_NEGOTIATE
* Consider reuse_forbid for CURLAUTH_NEGOTIATE
* moved and adjusted negotiate authentication state handling from
output_auth_headers into Curl_output_negotiate
* Curl_output_negotiate: ensure auth done is always set
* Curl_output_negotiate: Set auth done also if result code is
GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may
also indicate the last challenge request (only works with disabled
Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1)
* Consider "Persistent-Auth" header, detect if not present;
Reset/Cleanup negotiate after authentication if no persistent
authentication
* apply changes introduced with #2546 for negotiate rewind logic
Fixes #1261
Closes #1975
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of using a fixed 256 byte buffer in the connectdata struct.
In my build, this reduces the size of the connectdata struct by 11.8%,
from 2160 to 1904 bytes with no functionality or performance loss.
This also fixes a bug in schannel's Curl_verify_certificate where it
called Curl_sspi_strerror when it should have called Curl_strerror for
string from GetLastError. the only effect would have been no text or the
wrong text being shown for the error.
Co-authored-by: Jay Satiro
Closes #3612
|
| |
|
|
|
|
| |
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822
|
| |
|
|
|
|
| |
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
Reported-by: Wenxiang Qian
CVE-2018-16890
|
| |
|
|
|
|
|
|
|
|
| |
Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.
Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
|
| |
|
|
|
|
|
|
|
| |
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.
Fixes #3280
Closes #3321
|
