| Commit message (Collapse) | Author | Age | Files | Lines |
| |
https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4
... the client MUST calculate a hash of the username after
any other hash calculation ...
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Closes #8066
| |
RFC4752 Section 3.1 states "The authorization identity is not terminated
with a zero-valued (%x00) octet". Although a comment in code said it may
be needed anyway, nothing confirms it. In addition, servers may consider
it as part of the identity, causing a failure.
Closes #7008
| |
... instead of deriving it from active ticket.
Closes #7008
| |
Closes #7008
| |
Closes #7008
| |
fix compiler warnings about unused variables and parameters when
built with --disable-verbose.
Closes https://github.com/curl/curl/pull/7377
| |
- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application
- it makes infof() work like failf() and consistency is good
- there's an assert that triggers on newlines in the format string
- Also removes a few instances of "..."
- Removes the code that would append "..." to the end of the data *iff*
it was truncated in infof()
Closes #7357
| |
curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
prior to this change some uses mistakenly called free.
I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
curlx_convert_tchar_to_UTF8.
Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
Reported-by: sergio-nsk@users.noreply.github.com
Closes https://github.com/curl/curl/pull/6938
| |
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
Closes #6975
| |
... remove '== NULL' and '!= 0'
Closes #6912
| |
Input challenges and returned messages are now in binary.
Conversions from/to base64 are performed by callers (currently curl_sasl.c
and http_ntlm.c).
Closes #6654
| |
According to Microsoft document MS-NLMP, current flags usage is not
accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
extended security in an NTLM authentication message and NTLM version 2
cannot be negotiated within the protocol.
The solution implemented here is: if the extended security flag is set,
prefer using NTLM version 2 (as a server featuring extended security
should also support version 2). If version 2 has been disabled at
compile time, use extended security.
Tests involving NTLM are adjusted to this new behavior.
Fixes #6813
Closes #6849
| |
Closes #6849
| |
Reviewed-by: Emil Engler
Closes #6802
| |
- also fix an indentation
- make Curl_auth_gsasl_token() use CURLcode (by Daniel Stenberg)
Ref: https://github.com/curl/curl/pull/6372#issuecomment-776118711
Ref: https://github.com/curl/curl/pull/6588
Reviewed-by: Jay Satiro
Assisted-by: Daniel Stenberg
Reviewed-by: Simon Josefsson
Closes #6587
| |
Closes #6372
| |
Turned several macros into do-while(0) style to allow their use to work
fine with semicolon.
Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45433279
Follow-up to 08e8455dddc5e4
Reported-by: Gisle Vanem
Closes #6376
| |
... as failf adds one itself.
Also: add an assert() to failf() that triggers on a newline in the
format string!
Closes #6365
| |
The error is shown with infof rather than failf so that the user will
see the extended error message information only in verbose mode, and
will still see the standard CURLE_AUTH_ERROR message. For example:
---
* schannel: InitializeSecurityContext failed: SEC_E_QOP_NOT_SUPPORTED
(0x8009030A) - The per-message Quality of Protection is not supported by
the security package
* multi_done
* Connection #1 to host 127.0.0.1 left intact
curl: (94) An authentication function returned an error
---
Ref: https://github.com/curl/curl/issues/6302
Closes https://github.com/curl/curl/pull/6315
| |
Follow-up from 4d2f8006777
| |
Closes #6172
| |
... and fix a few occurrences
Closes #6088
| |
OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379
Closes #5724
| |
When wolfSSL is built with its OpenSSL API layer, it features the same DES*
functions that OpenSSL has. This change takes advantage of that.
Co-authored-by: Daniel Stenberg
Closes #5556
Fixes #5548
| |
... and whitelisted a few more files in the copyright.pl script.
| |
- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples
- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
typedef different types/structs depending on build conditions.
Closes #5338
| |
This will also be needed in the tool and tests.
Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
Closes https://github.com/curl/curl/pull/3784
| |
Fix theoretical integer overflow in Curl_auth_create_plain_message.
The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.
Closes #5391
| |
Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other
instances of QuerySecurityPackageInfo failing, as in
commit 2a81439553286f12cd04a4bdcdf66d8e026d8201.
Closes #5355
| |
That return code is reserved for build-time conditional code not being
present while this was a regular run-time error from a Windows API.
Reported-by: wangp on github
Fixes #5349
Closes #5350
| |
As we have our own MD5 implementation use the MD5 wrapper to remove the
TLS dependency.
Closes #4967
| |
Follow up to 2b5b37cb. Local static functions do not require the Curl
prefix.
| |
RFC 7616 section 3.4 (The Authorization Header Field) states that "For
historical reasons, a sender MUST NOT generate the quoted string syntax
for the following parameters: algorithm, qop, and nc". This removes the
quoting for the algorithm parameter.
Reviewed-by: Steve Holme
Closes #4890
| |
.. because checksrc's copyright year check stopped working.
Ref: https://github.com/curl/curl/pull/4547
Closes https://github.com/curl/curl/pull/4549
| |
PVS-Studio warning
Fixes #4402
| |
Closes #4299
| |
This is a follow-up to https://github.com/curl/curl/pull/3864 .
Closes #4224
| |
Reported in build "Win32 target on Debian Stretch (64-bit) -
i686-w64-mingw32 - gcc-20170516"
Closes #4245
| |
- Add new error code CURLE_AUTH_ERROR.
Prior to this change auth function errors were signaled by
CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was
technically correct.
Ref: https://github.com/curl/curl/pull/3848
Co-authored-by: Dominik Hölzl
Closes https://github.com/curl/curl/pull/3864
| |
Reduce variable scopes and remove redundant variable stores.
Closes https://github.com/curl/curl/pull/3975
| |
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.
Ref: #3876
Closes #3883
| |
Given that this member variable is not used by the SASL based protocols
there is no need to have it here.
Closes #3882
| |
For consistency and to avoid confusion.
Closes #3869
| |
...and misalignment of these comments. From a78c61a4.
Closes #3860
| |
From 6012fa5a.
Closes #3858
| |
Fixes #3726
Closes #3849
| |
Follow up to 762a292f.