path: root/lib/vauth
Commit message | Author | Age | Files | Lines
* digest_sspi: Don't reuse context if the user/passwd has changed | Jay Satiro | 2017-08-10 | 1 | -0/+41
  Bug: https://github.com/curl/curl/issues/1685
  Reported-by: paulharris@users.noreply.github.com
  Assisted-by: Isaac Boukris
  Closes https://github.com/curl/curl/pull/1742
* gssapi: fix memory leak of output token in multi round context | Isaac Boukris | 2017-08-05 | 1 | -0/+4
  When multiple rounds are needed to establish a security context (usually ntlm), we overwrite old token with a new one without free. Found by proposed gss tests using a stub gss implementation (by valgrind error), though I have confirmed the leak with a real gssapi implementation as well.
  Closes https://github.com/curl/curl/pull/1733
* rand: treat fake entropy the same regardless of endianness | Jay Satiro | 2017-05-08 | 2 | -19/+10
  When the random seed is purposely made predictable for testing purposes by using the CURL_ENTROPY environment variable, process that data in an endian agnostic way so the initial random seed is the same regardless of endianness.
  - Change Curl_rand to write to a char array instead of int array.
  - Add Curl_rand_hex to write random hex characters to a buffer.
  Fixes #1315
  Closes #1468
  Co-authored-by: Daniel Stenberg
  Reported-by: Michael Kaufmann
* lib: fix maybe-uninitialized warnings | Marcel Raad | 2017-04-22 | 1 | -2/+2
  With -Og, GCC complains:
  easy.c:628:7: error: ‘mcode’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  ../lib/strcase.h:35:29: error: ‘tok_buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  vauth/digest.c:208:9: note: ‘tok_buf’ was declared here
  ../lib/strcase.h:35:29: error: ‘tok_buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  vauth/digest.c:566:15: note: ‘tok_buf’ was declared here
  Fix this by initializing the variables.
* sspi: print out InitializeSecurityContext() error message | Isaac Boukris | 2017-04-07 | 1 | -0/+3
  Reported-by: Carsten (talksinmath)
  Fixes #1384
  Closes #1395
* NTLM: check for features with #ifdef instead of #if | Marcel Raad | 2017-03-29 | 1 | -9/+9
  Feature defines are normally checked with #ifdef instead of #if in the rest of the codebase. Additionally, some compilers warn when a macro is implicitly evaluated to 0 because it is not defined, which was the case here.
  Ref: https://github.com/curl/curl/pull/1362#discussion_r108605101
  Closes https://github.com/curl/curl/pull/1367
* spelling fixes | klemens | 2017-03-26 | 4 | -12/+12
  Closes #1356
* digest_sspi: fix compilation warning | Marcel Raad | 2017-02-27 | 1 | -1/+1
  MSVC complains:
  warning C4701: potentially uninitialized local variable 'output_token_len' used
* digest_sspi: Handle 'stale=TRUE' directive in HTTP digest | Jay Satiro | 2017-02-21 | 1 | -7/+36
  - If the server has provided another challenge use it as the replacement input token if stale=TRUE. Otherwise previous credentials have failed so return CURLE_LOGIN_DENIED.
  Prior to this change the stale directive was ignored and if another challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.
  Ref: https://tools.ietf.org/html/rfc2617#page-10
  Bug: https://github.com/curl/curl/issues/928
  Reported-by: tarek112@users.noreply.github.com
* digest_sspi: Fix nonce-count generation in HTTP digest | Max Khon | 2017-02-20 | 1 | -99/+144
  - on the first invocation: keep security context returned by InitializeSecurityContext()
  - on subsequent invocations: use MakeSignature() instead of InitializeSecurityContext() to generate HTTP digest response
  Bug: https://github.com/curl/curl/issues/870
  Reported-by: Andreas Roth
  Closes https://github.com/curl/curl/pull/1251
* use *.sourceforge.io and misc URL updates | Viktor Szakats | 2017-02-06 | 2 | -3/+3
  Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
  Closes: https://github.com/curl/curl/pull/1247
* digest_sspi: copy terminating NUL as well | Max Khon | 2016-12-29 | 1 | -1/+1
  Curl_auth_decode_digest_http_message(): copy terminating NUL as later Curl_override_sspi_http_realm() expects a NUL-terminated string.
  Fixes #1180
* checksrc: white space edits to comply to stricter checksrc | Daniel Stenberg | 2016-11-24 | 3 | -3/+3
* Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows. | Patrick Monnerat | 2016-11-24 | 1 | -7/+17
  See CRL-01-006.
* Curl_rand: fixed and moved to rand.c | Daniel Stenberg | 2016-11-14 | 2 | -11/+16
  Now Curl_rand() is made to fail if it cannot get the necessary random level. Changed the proto of Curl_rand() slightly to provide a number of ints at once. Moved out from vtls, since it isn't a TLS function and vtls provides Curl_ssl_random() for this to use.
  Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
* digest_sspi: fix include | Marcel Raad | 2016-10-31 | 1 | -1/+1
  Fix compile break from 811a693b80
* strcasecompare: all case insensitive string compares ignore locale now | Daniel Stenberg | 2016-10-31 | 3 | -19/+18
  We had some confusions on when each function was used. We should not act differently on different locales anyway.
* strcasecompare: is the new name for strequal() | Daniel Stenberg | 2016-10-31 | 1 | -1/+0
  ... to make it less likely that we forget that the function actually does case insensitive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
* sasl: Don't use GSSAPI authentication when domain name not specified | Steve Holme | 2016-08-21 | 2 | -0/+44
  Only choose the GSSAPI authentication mechanism when the user name contains a Windows domain name or the user is a valid UPN.
  Fixes #718
* vauth: Added check for supported SSPI based authentication mechanisms | Steve Holme | 2016-08-21 | 4 | -12/+34
  Completing commit 00417fd66c and 2708d4259b.
* spnego_sspi: fix memory leak in case *outlen is zero (#970) | Miroslav Franc | 2016-08-19 | 1 | -1/+3
* vauth: Introduced Curl_auth_is_<mechansism>_supported() functions | Steve Holme | 2016-08-18 | 9 | -0/+132
  As Windows SSPI authentication calls fail when a particular mechanism isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5 and Negotiate to allow both HTTP and SASL authentication the opportunity to query support for a supported mechanism before selecting it. For now each function returns TRUE to maintain compatibility with the existing code when called.
* vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO | Steve Holme | 2016-07-23 | 1 | -2/+2
  As SPNEGO is only defined when these pre-processor variables are defined there is no need to query them explicitly.
* spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration | Steve Holme | 2016-07-23 | 3 | -3/+3
  Typo introduced in commit ad5e9bfd5d.
* vauth: Fix memleak by freeing credentials if out of memory | Jay Satiro | 2016-07-20 | 1 | -0/+5
  This is a follow up to the parent commit dcdd4be which fixes one leak but creates another by failing to free the credentials handle if out of memory. Also there's a second location a few lines down where we fail to do same. This commit fixes both of those issues.
* vauth: Fixed memory leak due to function returning without free | Saurav Babu | 2016-07-20 | 1 | -7/+8
  This patch allocates memory to "output_token" only when it is required so that memory is not leaked if function returns.
* internals: rename the SessionHandle struct to Curl_easy | Daniel Stenberg | 2016-06-22 | 12 | -36/+36
* URLs: change http to https in many places | Viktor Szakats | 2016-04-06 | 12 | -12/+12
  Closes #754
* vauth: Corrected a number of typos in comments | Steve Holme | 2016-04-06 | 7 | -9/+9
  Reported-by: Michael Osipov
* code: style updates | Daniel Stenberg | 2016-04-03 | 1 | -2/+2
* vauth: Removed the need for a separate GSS-API based SPN function | Steve Holme | 2016-04-03 | 8 | -39/+37
* spnego: Small code tidy up | Steve Holme | 2016-04-03 | 2 | -9/+10
  * Prefer dereference of string pointer rather than strlen()
  * Free challenge pointer in one place
  * Additional comments
* krb5: Small code tidy up | Steve Holme | 2016-04-03 | 2 | -7/+7
  * Prefer dereference of string pointer rather than strlen()
  * Free challenge pointer in one place
  * Additional comments
* krb5_gssapi: Only process challenge when present | Steve Holme | 2016-04-03 | 1 | -2/+2
  This wouldn't cause a problem because of the way the function is called, but prior to this change, we were processing the challenge message when the credentials were NULL rather than when the challenge message was populated. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
* krb5: Fixed missing client response when mutual authentication enabled | Steve Holme | 2016-04-03 | 2 | -0/+10
  Although mutual authentication is currently turned off and can only be enabled by changing libcurl source code, authentication using Kerberos 5 has been broken since commit 79543caf90 in this use case.
* krb5_sspi: Only process challenge when present | Steve Holme | 2016-04-03 | 1 | -2/+3
  This wouldn't cause a problem because of the way the function is called, but prior to this change, we were processing the challenge message when the credentials were NULL rather than when the challenge message was populated. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
* krb5_sspi: Only generate the output token when its not allocated | Steve Holme | 2016-04-03 | 1 | -1/+3
  Prior to this change, we were generating the output token when the credentials were NULL rather than when the output token was NULL. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
* krb5: Only generate a SPN when its not known | Steve Holme | 2016-04-03 | 2 | -7/+10
  Prior to this change, we were generating the SPN in the SSPI code when the credentials were NULL and in the GSS-API code when the context was empty. It is better to decouple the SPN generation from these checks and only generate it when the SPN itself is NULL. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
* spnego: Renamed the context's SPN variable | Steve Holme | 2016-04-02 | 2 | -11/+11
  To be consistent with the Kerberos 5 context and other authentication code.
* krb5_gssapi: Renamed the status variables | Steve Holme | 2016-04-02 | 1 | -49/+49
  For consistency with the spnego code.
* krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument | Steve Holme | 2016-04-02 | 3 | -3/+7
  For consistency with the spnego and oauth2 code moved the setting of the host name outside of the Curl_auth_create_gssapi_user_message() function. This will allow us to more easily override it in the future.
* spnego: Corrected some typos in comments | Steve Holme | 2016-04-01 | 2 | -2/+2
  Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9.
* GSS: make Curl_gss_log_error more verbose | Isaac Boukris | 2016-03-29 | 2 | -11/+16
  Also display the GSS_C_GSS_CODE (major code) when specified instead of only GSS_C_MECH_CODE (minor code). In addition, the old code was printing a colon twice after the prefix and also miscalculated the length of the buffer in between calls to gss_display_status (the length of ": " was missing). Also, gss_buffer is not guaranteed to be NULL terminated and thus need to restrict reading by its length.
  Closes #738
* vauth: Moved the Negotiate authentication code to the new vauth directory | Steve Holme | 2016-03-26 | 3 | -3/+261
  Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
* vauth: Moved the Negotiate authentication code to the new vauth directory | Steve Holme | 2016-03-26 | 2 | -0/+327
  Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
* vauth: Refactored function names after move to new vauth directory | Steve Holme | 2016-03-25 | 12 | -146/+147
  Renamed all the SASL functions that moved to the new vauth directory to include the correct module name.
* vauth: Updated the copyright year after recent changes | Steve Holme | 2016-03-25 | 9 | -9/+9
  As most of this work was performed in 2015 but not pushed until 2016 updated the copyright year to reflect the public facing changes.
* vauth: Moved the OAuth 2.0 authentication code to the new vauth directory | Steve Holme | 2016-03-25 | 2 | -0/+93
* vauth: Moved the NTLM authentication code to the new vauth directory | Steve Holme | 2016-03-25 | 4 | -0/+1326
* vauth: Moved the Kerberos V5 authentication code to the new vauth directory | Steve Holme | 2016-03-25 | 3 | -0/+888