                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.40.0 (7 Jan 2015)

Daniel Stenberg (7 Jan 2015)
- RELEASE-NOTES: version 7.40.0

- darwinssl: fix session ID keys to only reuse identical sessions

  ...to avoid a session ID getting cached without certificate checking and
  then after a subsequent _enabling_ of the check libcurl could still
  re-use the session done without cert checks.

  Bug: http://curl.haxx.se/docs/adv_20150108A.html
  Reported-by: Marc Hesse

- tests: make sure CRLFs can't be used in URLs passed to proxy

  Bug: http://curl.haxx.se/docs/adv_20150108B.html

- url-parsing: reject CRLFs within URLs

  Bug: http://curl.haxx.se/docs/adv_20150108B.html
  Reported-by: Andrey Labunets

Steve Holme (7 Jan 2015)
- ldap: Convert attribute output to UTF-8 when Unicode

- ldap: Convert DN output to UTF-8 when Unicode

Daniel Stenberg (7 Jan 2015)
- hostip: remove 'stale' argument from Curl_fetch_addr proto

  Also, remove the log output of the resolved name is NOT in the cache in
  the spirit of only telling when something is actually happening.

Steve Holme (7 Jan 2015)
- ldap/imap: Fixed spelling mistake in comments and variable names

  Reported-by: Michael Osipov

Daniel Stenberg (7 Jan 2015)
- RELEASE-NOTES: updated with ./contributors.sh output

Dan Fandrich (5 Jan 2015)
- curl_multibyte.h: Eliminated some trailing whitespace

Steve Holme (4 Jan 2015)
- RELEASE-NOTES: Synced with ea93252ef1

- ldap: Fixed Unicode usage for all Win32 builds

  Otherwise, the fixes in the previous commits would only be applicable to
  IDN and SSPI based builds and not others such as OpenSSL with LDAP
  enabled.

- ldap: Fixed memory leak from commit efb64fdf80

- ldap: Fix memory leak from commit 3a805c5cc1

- ldap: Fixed attribute variable warnings when Unicode is enabled

  Use 'TCHAR *' for local attribute variable rather than 'char *'.

- ldap: Fixed DN variable warnings when Unicode is enabled

  Use 'TCHAR *' for local DN variable rather than 'char *'.

- ldap: Remove the unescape_elements() function

  Due to the recent modifications this function is no longer used.

- ldap.c: Fixed compilation warning

  ldap.c:98: warning: extra tokens at end of #endif directive

- ldap: Fixed support for Unicode filter in Win32 search call

- ldap.c: Fixed compilation warning

  ldap.c:802: warning: comparison between signed and unsigned integer
  expressions

- ldap: Fixed support for Unicode attributes in Win32 search call

- ldap: Fixed memory leak from commit efb64fdf80

  The unescaped DN was not freed after a successful character conversion.

- ldap.c: Fixed compilation error

  ldap.c:738: error: macro "LDAP_TRACE" passed 2 arguments, but takes just 1

- ldap.c: Fixed compilation warning

  ldap.c:89: warning: extra tokens at end of #endif directive

- ldap: Fixed support for Unicode DN in Win32 search call

- ldap: Fixed Unicode user and password in Win32 bind calls

- ldap: Fixed Unicode host name in Win32 initialisation calls

- ldap: Use host.dispname for infof() connection failure messages

  As host.name may be encoded use dispname for infof() failure messages.

- ldap: Prefer 'CURLcode result' for curl result codes

- ldap: Pass write length in all Curl_client_write() calls

  As we get the length for the DN and attribute variables, and we know the
  length for the line terminator, pass the length values rather than zero
  as this will save Curl_client_write() from having to perform an
  additional strlen() call.

- ldap: Fixed attribute memory leaks on failed client write

  Fixed memory leaks from commit 086ad79970 as was noted in the commit
  comments.

- ldap: Fixed DN memory leaks on failed client write

  Fixed memory leaks from commit 086ad79970 as was noted in the commit
  comments.

- curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d

  curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char
  [8]') to parameter of type 'char *' converts between pointers to integer
  types with different sign

- ntlm: Use extend_key_56_to_64() for all cryptography engines

  Rather than duplicate the code in setup_des_key() for OpenSSL and in
  extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is the
  same, use extend_key_56_to_64() for all engines.

- RELEASE-NOTES: Synced with 34f0bd110f

- curl_ntlm_core.c: Fixed compilation warning

  curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined
  but not used

- endian: Fixed bit-shift in 64-bit integer read functions

  From commit 43792592ca and 4bb5a351b2.

  Reported-by: Michael Osipov

- smb: Use endian functions for reading NBT and message size values

- endian: Added big endian read functions

- endian: Added 64-bit integer read function

- COPYING: Bumped copyright year to 2015

- version: Bump copyright year to 2015

- smb.c: Fixed compilation warnings

  smb.c:780: warning: passing 'char *' to parameter of type 'unsigned char *' converts between pointers to integer types with different sign
  smb.c:781: warning: passing 'char *' to parameter of type 'unsigned char *' converts between pointers to integer types with different sign
  smb.c:804: warning: passing 'char *' to parameter of type 'unsigned char *' converts between pointers to integer types with different sign

- smb: Use endian functions for reading length and offset values

- endian: Added 16-bit integer write function

- endian: Fixed Linux compilation issues

  Having files named endian.[c|h] seemed to cause issues under Linux so
  renamed them both to have the curl_ prefix in the filenames.

- [Julien Nabet brought this change]

  lib1900.c: Fixed cppcheck error

  lib1900.c:182: (style) Array index 'handlenum' is used before limits check

  Bug: https://github.com/bagder/curl/pull/133

- endian: Added standard function descriptions

- endian: Renamed functions for curl API naming convention

- endian: Moved write functions to new module

- endian: Moved read functions to new module

- endian: Introduced endian module

  To allow the little endian functions, currently used in two of the NTLM
  source files, to be used by other modules such as the SMB module.

- sepheaders.c: Applied curl coding standards

- [Julien Nabet brought this change]

  sepheaders.c: Fixed resource leak on failure

- vtls: Use '(void) arg' for unused parameters

  Prefer void for unused parameters, rather than assigning an argument to
  itself as a) unintelligent compilers won't optimize it out, b) it can't
  be used for const parameters, c) it will cause compilation warnings for
  clang with -Wself-assign and d) is inconsistent with other areas of the
  curl source code.

- smb.c: Fixed compilation warning

  smb.c:586: warning: conversion to 'short unsigned int' from 'int' may
  alter its value

- [Bill Nagel brought this change]

  smb: Use the connection's upload buffer

  Use the connection's upload buffer instead of allocating our own send
  buffer.

- RELEASE-NOTES: Synced with 1933f9d33c

- schannel: Moved the ISC return flag definitions to the SSPI module

  Moved our Initialize Security Context return attribute definitions to
  the SSPI module, as a) these can be used by other SSPI based providers
  and b) the ISC required attributes are defined there.

- [Bill Nagel brought this change]

  smb: Close the connection after a failed client write

- darwinssl: Fixed compilation warning

  vtls.c:683:43: warning: unused parameter 'data'

- sockfilt.c: Fixed compilation warnings

  sockfilt.c:288: warning: conversion to 'DWORD' from 'size_t' may alter its value
  sockfilt.c:291: warning: conversion to 'DWORD' from 'size_t' may alter its value
  sockfilt.c:323: warning: conversion to 'DWORD' from 'size_t' may alter its value
  sockfilt.c:326: warning: conversion to 'DWORD' from 'size_t' may alter its value

- test1509: Fixed compilation warning

  lib1509.c:93:18: warning: conversion to 'long int' from 'size_t' may
  alter its value

- test556: Fixed compilation warning

  lib556.c:90: warning: conversion to 'unsigned int' from 'size_t' may
  alter its value

- sasl_gssapi: Fixed use of dummy username with real username

- vtls: Fixed compilation warning and an ignored return code

  curl_schannel.h:123: warning: right-hand operand of comma expression
  has no effect

  Some instances of the curlssl_close_all() function were declared with a
  void return type whilst others as int. The schannel version returned
  CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
  return code was ignored by the calling function Curl_ssl_close_all().

  For the time being and to keep the internal API consistent, changed all
  declarations to use a void return type.

  To reduce code we might want to consider removing the unimplemented
  versions and use a void #define like schannel does.

Daniel Stenberg (28 Dec 2014)
- TODO: 2.3 Better support for same name resolves

Steve Holme (28 Dec 2014)
- test1520: Fixed initial teething problems

  * Missing initialisation of upload status caused a seg fault
  * Missing data termination caused corrupt data to be uploaded
  * Data verification should be performed in element
  * Added missing recipient list cleanup

- test1520: Fixed compilation errors

- tests: Added test for bug #1456

- checksrc.bat: Fixed a problem opening files with spaces in the filename

- openldap: Prefer use of 'CURLcode result'

- openldap: Use 'LDAPMessage *msg' for messages

  This frees up the 'result' variable for CURLcode based result codes.

- nss: Don't ignore Curl_extract_certinfo() OOM failure

- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure

- nss: Use 'CURLcode result' for curl result codes

  ...and don't use CURLE_OK in failure/success comparisons.

- getinfo: Code style policing

- getinfo: Use 'CURLcode result' for curl result codes

- darwinssl: Use 'CURLcode result' for curl result codes

- polarssl: Use 'CURLcode result' for curl result codes

- docs: Updated following the addition of SASL GSSAPI via GSS-API libraries

  As this feature has been implemented for 7.40.0.

- asiohiper.cpp: No need to initialise members of ConnInfo

  ...as calloc() automatically clears the area of memory with zeros.

- asiohiper.cpp: Updated for curl coding standards

  ...with the exception of the start of block statement curly brackets.

- code/docs: Use correct case for IPv4 and IPv6

  For consistency, as we seem to have a bit of a mixed bag, changed all
  instances of ipv4 and ipv6 in comments and documentations to use the
  correct case.

- runtests: Fixed detection of Unix Sockets feature

  ...following change in curl --version output.

- code/docs: Use Unix rather than UNIX to avoid use of the trademark

  Use Unix when generically writing about Unix based systems as UNIX is
  the trademark and should only be used in a particular product's name.

- ip2ip.c: Fixed compilation warning when IPv6 Scope ID not supported

  if2ip.c:119: warning: unused parameter 'remote_scope_id'

  ...and some minor code style policing in the same function.

- vtls: Don't set cert info count until memory allocation is successful

  Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
  member variable to the requested count, which could then be used
  incorrectly as libcurl closes down.

- vtls: Use CURLcode for Curl_ssl_init_certinfo() return type

  The return type for this function was 0 on success and 1 on error. This
  was then examined by the calling functions and, in most cases, used to
  return CURLE_OUT_OF_MEMORY.

  Instead use CURLcode for the return type and return the out of memory
  error directly, propagating it up the call stack.

- configure: Use camel case for UNIX sockets feature output

  To match the curl --version output.

Marc Hoersken (26 Dec 2014)
- sockfilt.c: Reduce the number of individual memory allocations

  Merge multiple internal arrays into one, even if some variables will
  not be used. They are all created with the number of file descriptors
  as their size.

  Also fix possible thread handle leak in CloseHandle-loop.

- sockfilt.c: Replace 100ms sleep with thread throttle

  Improves performance of test cases 574 and 575 by 50%.

  A value of zero causes the thread to relinquish the remainder of its
  time slice to any other thread of equal priority that is ready to run.
  If there are no other threads of equal priority ready to run, the
  function returns immediately, and the thread continues execution.

  http://msdn.microsoft.com/library/windows/desktop/ms686307.aspx

Steve Holme (25 Dec 2014)
- tool_help: Use camel case for UNIX sockets feature output

  In line with the other features listed in the --version output,
  capitalise the UNIX socket feature.

- vtls: Use bool for Curl_ssl_getsessionid() return type

  The return type of this function is a boolean value, and even uses a
  bool internally, so use bool in the function declaration as well as the
  variables that store the return value, to avoid any confusion.

- schannel: Minor code style policing for casts

- schannel: Prefer 'CURLcode result' for curl result codes

- cyassl: Prefer 'CURLcode result' for curl result codes

- tool_xattr: Use 'CURLcode result' for curl result codes

- curl_ntlm_core.c: Fixed compilation warnings

  curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of 'CryptImportKey' differ in signedness
  curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from incompatible pointer type
  curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam' from incompatible pointer type

- RELEASE-NOTES: Synced with 8830df8b66

- gtls: Use preferred 'CURLcode result'

- openldap: Use standard naming for setup connection function

  Renamed ldap_setup() to ldap_setup_connection() to follow more widely
  used function naming.

- rtmp: Use standard naming for setup connection function

  Renamed rtmp_setup() to rtmp_setup_connection() to follow more widely
  used function naming.

- smb: Use standard naming for setup connection function

  Renamed smb_setup() to smb_setup_connection() to follow more widely
  used function naming.

- config-win32.h: Fixed line length > 79 columns

- openssl: Prefer we don't use NULL in comparisons

- build: Removed WIN32 definition from the Visual Studio projects

  As this pre-processor definition is defined in curl_setup.h there is no
  need to include it in the Visual Studio project files.

- build: Removed WIN64 definition from the libcurl Visual Studio projects

  Removed the WIN64 pre-processor definition from the libcurl project
  files as:

  * WIN64 is not used in our source code
  * The curl projects files don't define it
  * It isn't required by or used in the platform SDK
  * For backwards compatibility curl_setup.h defines WIN32
  * The compiler automatically defines _WIN64 for x64 builds

  Historically Visual Studio projects have defined WIN32, in addition to
  the compiler defined _WIN32 definition, and I had incorrectly changed
  that to WIN64 for the x64 libcurl builds but not in the curl projects.
  As such, it is questionable whether this should be defined or not.

  For more information see the following cache of a discussion that took
  place on the microsoft.public.vc.mfc newsgroup:

  http://www.tech-archive.net/Archive/VC/microsoft.public.vc.mfc/2008-06/msg00074.html

- openssl.c Fix for compilation errors with older versions of OpenSSL

  openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
  openssl.c:1411: error: 'TLS1_2_VERSION' undeclared

Daniel Stenberg (22 Dec 2014)
- [John Malmberg brought this change]

  Fix comment edit in vms/backup_gnv_curl_src.com

  packages/vms/backup_gnv_curl_src.com: Originally copied from Bash port.

- curl: show size of inhibited data when using -v

  To offer some more info and yet it doesn't use more lines.

- openssl: fix SSL/TLS versions in verbose output

- openssl: make it compile against openssl 1.1.0-DEV master branch

Marc Hoersken (22 Dec 2014)
- sshserver.pl: clarify and streamline variable names

Daniel Stenberg (21 Dec 2014)
- openssl: warn for SRP set if SSLv3 is used, not for TLS version

  ... as it requires TLS and it was left to warn on the default from when
  default was SSL...

- smb: use memcpy() instead of strncpy()

  ... as it never copies the trailing zero anyway and always just the four
  bytes so let's not mislead anyone into thinking it is actually treated
  as a string.

  Coverity CID: 1260214

- [John E. Malmberg brought this change]

  VMS: Updates for 0740-0D1220

  lib/setup-vms.h : VAX HP OpenSSL port is ancient, needs help.
                    More defines to set symbols to uppercase.

  src/tool_main.c : Fix parameter to vms_special_exit() call.

  packages/vms/ :
    backup_gnv_curl_src.com : Fix the error message to have the correct
                              package.

    build_curl-config_script.com : Rewrite to be more accurate.

    build_libcurl_pc.com : Use tool_version.h now.

    build_vms.com : Fix to handle lib/vtls directory.

    curl_gnv_build_steps.txt : Updated build procedure documentation.

    generate_config_vms_h_curl.com :
       * VAX does not support 64 bit ints, so no NTLM support for now.
       * VAX HP SSL port is ancient, needs some help.
       * Disable NGHTTP2 for now, not ported to VMS.
       * Disable UNIX_SOCKETS, not available on VMS yet.
       * HP GSSAPI port does not have gss_nt_service_name.

    gnv_link_curl.com : Update for new curl structure.

    pcsi_product_gnv_curl.com : Set up to optionally do a complete build.

Marc Hoersken (21 Dec 2014)
- sockfilt.c: use non-Ex functions that are available before WinXP

  It was initially reported by Guenter that GetFileSizeEx requires
  (_WIN32_WINNT >= 0x0500) to be true.

- tests: use Cygwin-style paths in SSH, SSHD and SFTP config files

  Second patch to enable Windows support using Cygwin-based OpenSSH.

  Tested with CopSSH 5.0.0 free edition using an msys shell on Windows 7.

- tests: support spaces in paths to SSH, SSHD and SFTP binaries

  First patch to enable Windows support using Cygwin-based OpenSSH.

Steve Holme (20 Dec 2014)
- non-ascii: Reduce variable usage

  Removed 'next' variable in Curl_convert_form(). Rather than setting it
  from 'form->next' and using that to set 'form' after the conversion
  just use 'form = form->next' instead.

- non-ascii: Prefer while loop rather than a do loop

  This also removes the need to check that the 'form' argument is valid.

- non-ascii: Reduce variable scope

  As 'result' isn't used outside the conversion callback code and
  previously caused variable shadowing in the libiconv based code.

- non-ascii: We prefer 'CURLcode result'

  This also fixes a variable shadowing issue when HAVE_ICONV is defined as
  rc was declared for the result code of libiconv based functions.

Marc Hoersken (19 Dec 2014)
- secureserver.pl: clean up formatting of config and fix verbose output

  Verbose output was not matching the actual configuration file, because
  FIPS and Windows conditions were ignored.

- secureserver.pl: update Windows detection and fix path conversion

- secureserver.pl: make OpenSSL CApath and cert absolute path values

  Recent stunnel versions (5.08) seem to have trouble with relative paths
  on Windows. This turns the relative paths into absolute ones.

Patrick Monnerat (18 Dec 2014)
- if2ip: dummy scope parameter for Curl_if2ip() call in SIOCGIFADDR-enabled
  code.

- [Kyle J. McKay brought this change]

  parseurlandfillconn(): fix improper non-numeric scope_id stripping.

  Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/

- IPV6: address scope != scope id

  There was a confusion between these: this commit tries to disambiguate
  them.
  - Scope can be computed from the address itself.
  - Scope id is scope dependent: it is currently defined as 1-based local
    interface index for link-local scoped addresses, and as a site
    index(?) for (obsolete) site-local addresses. Linux only supports it
    for link-local addresses.
  The URL parser properly parses a scope id as an interface index, but
  stores it in a field named "scope": confusion. The field has been
  renamed into "scope_id".
  Curl_if2ip() used the scope id as it was a scope. This caused failures
  to bind to an interface. Scope is now computed from the addresses and
  Curl_if2ip() matches them. If redundantly specified in the URL, scope id
  is checked for mismatch with the interface index.

  This commit should fix SF bug #1451.

- connect: singleipconnect(): properly try other address families after
  failure

Daniel Stenberg (16 Dec 2014)
- SFTP: work-around servers that return zero size on STAT

  Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html
  Patched-by: Marc Renault

- glob_next_url: make the loop count upwards

  As the former construct apparently caused a compiler warning, mentioned
  in d8efde07e556c.

- tool_operate: we prefer 'CURLcode result'

- tool_urlglob: unify return codes to use CURLcode

  There was a mix of GlobCode, CURLcode and ints and they were mostly
  passing around CURLcode errors. This change makes the functions use only
  CURLcode and removes the GlobCode type completely.

- tool_urlglob.c: partly reverse dc19789444

  The loop in glob_next_url() needs to be done backwards to maintain the
  logic. dc19789444 caused test 1235 to fail.

- KNOWN_BUGS: the SFTP code doesn't support CURLINFO_FILETIME

- [Jay Satiro brought this change]

  opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS

  Change CURLOPT_TIMEOUT doc to warn that if CURLOPT_TIMEOUT and
  CURLOPT_TIMEOUT_MS are both set whichever one is set last is the one
  that will be used.

  Prior to this change that behavior was only noted in the
  CURLOPT_TIMEOUT_MS doc.

Nick Zitzmann (15 Dec 2014)
- darwinssl: fix incorrect usage of aprintf()

  Commit b13923f changed an snprintf() to use aprintf(), but the API usage
  wasn't correct, and was causing a crash to occur. This fixes it.

Steve Holme (14 Dec 2014)
- copyright: Updated the copyright year following recent updates

Daniel Stenberg (14 Dec 2014)
- tool_urlglob.c: reverse two loops

  By counting from 0 and up instead of backwards like before, we remove
  the need for the "funny" check of the unsigned variable when decreased
  passed zero. Easier to read and less risk for compiler warnings.

Marc Hoersken (14 Dec 2014)
- tool_urlglob.c: Added braces to clarify the conditions

- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop

  The >= 0 is actually not required, since i underflows and the for-loop
  is stopped using the < condition, but this makes the VS2012 compiler and
  code analysis happy.

- tool_binmode.c: Explicitly ignore the return code of setmode

  Fixes code analysis warning C6031:
  return value ignored: could return unexpected value

- lib: Fixed multiple code analysis warnings if SAL are available

  warning C28252: Inconsistent annotation for function:
  parameter has another annotation on this instance

Steve Holme (14 Dec 2014)
- smb.c: Fixed code analysis warning

  smb.c:320: warning C6297: Arithmetic overflow: 32-bit value is shifted,
  then cast to 64-bit value. Result may not be an expected value

Marc Hoersken (14 Dec 2014)
- tool_util.c: Use GetTickCount64 if it is available

Steve Holme (14 Dec 2014)
- smb: Use HAVE_PROCESS_H for process.h inclusion

  Rather than testing against _WIN32 use the preferred HAVE_PROCESS_H
  pre-processor define when including process.h.

Daniel Stenberg (14 Dec 2014)
- darwinssl: aprintf() to allocate the session key

  ... to avoid using a fixed memory size that risks being too large or too
  small.

Marc Hoersken (14 Dec 2014)
- curl_schannel: Improvements to memory re-allocation strategy

  - do not grow memory by doubling its size
  - do not leak previously allocated memory if reallocation fails
  - replace while-loop with a single check to make sure that the requested
    amount of data fits into the buffer

  Bug: http://curl.haxx.se/bug/view.cgi?id=1450
  Reported-by: Warren Menzer

Steve Holme (14 Dec 2014)
- asyn-ares: We prefer use of 'CURLcode result'

Marc Hoersken (14 Dec 2014)
- curl_schannel.c: Data may be available before connection shutdown

Steve Holme (14 Dec 2014)
- http2: Use 'CURLcode result' for curl result codes

- asyn-thread: We prefer 'CURLcode result'

- smb: Fixed unnecessary initialisation of struct member variables

  There is no need to set the 'state' and 'result' member variables to
  SMB_REQUESTING (0) and CURLE_OK (0) after the allocation via calloc() as
  calloc() initialises the contents to zero.

- ntlm: Fixed return code for bad type-2 Target Info

  Use CURLE_BAD_CONTENT_ENCODING for bad type-2 Target Info security
  buffers just like we do for bad decodes.

- ntlm: Remove unnecessary casts in readshort_le()

  I don't think both of my fix ups from yesterday were needed to fix the
  compilation warning, so remove the one that I think is unnecessary and
  let the next Android autobuild prove/disprove it.

- curl_ntlm_msgs.c: Another attempt to fix compilation warning

  curl_ntlm_msgs.c:170: warning: conversion to 'short unsigned int' from
  'int' may alter its value

Guenter Knauf (13 Dec 2014)
- synctime.c: added own user-agent string.

Steve Holme (13 Dec 2014)
- smb.c: Fixed line longer than 79 columns

- curl_ntlm_msgs.c: Fixed compilation warning from commit 783b5c3b11

  curl_ntlm_msgs.c:169: warning: conversion to 'short unsigned int' from
  'int' may alter its value

Guenter Knauf (13 Dec 2014)
- mk-ca-bundle.pl: restored forced run again.

- synctime.c: removed another timeserver URL.

  worldtimeserver.com seems also no longer available.

- synctime.c: fixed timeserver URLs.

  For getting the date header it's not necessary to access special pages
  or even CGI scripts - all pages including the main index reply with the
  date header, therefore shortened URLs to domain.
  Removed worldtime.com; added pool.ntp.org.

Steve Holme (13 Dec 2014)
- ftp.c: Fixed compilation warning when no verbose string support

  ftp.c:819: warning: unused parameter 'lineno'

- smb: Added state change functions to assist with debugging

  For debugging purposes, and as per other protocols within curl, added
  state change functions rather than changing the states directly.

- ntlm: Use short integer when decoding 16-bit values

- RELEASE-NOTES: Synced with 6291a16b20

- smtp.c: Fixed compilation warnings

  smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string does not append to the string
  smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string does not append to the string
  smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string does not append to the string

  Used array index notation instead.

- smb: Disable SMB when 64-bit integers are not supported

  This fixes compilation issues with compilers that don't support 64-bit
  integers through long long or __int64.

- ntlm: Disable NTLM v2 when 64-bit integers are not supported

  This fixes compilation issues with compilers that don't support 64-bit
  integers through long long or __int64 which was introduced in commit
  07b66cbfa4.

- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined

  Previously USE_NTLM2SESSION would only be defined automatically when
  USE_NTRESPONSES wasn't already defined. Separated the two definitions
  so that the user can manually set USE_NTRESPONSES themselves but
  USE_NTLM2SESSION is defined automatically if they don't define it.

- smtp.c: Fixed line longer than 79 columns

- config-win32.h: Don't enable Windows Crypt API if using OpenSSL

  As the OpenSSL and NSS Crypto engines are preferred by the core NTLM
  routines, to the Windows Crypt API, don't define USE_WIN32_CRYPT
  automatically when either OpenSSL or NSS are in use - doing so would
  disable NTLM2Session responses in NTLM type-3 messages.

- smtp: Fixed inappropriate free of the scratch buffer

  If the scratch buffer was allocated in a previous call to
  Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent
  call and no action taken by that call, then an attempt would be made to
  try and free the buffer which, by now, would be part of the data->state
  structure.

  This bug was introduced in commit 4bd860a001.

- smtp: Fixed dot stuffing when EOL characters were at end of input buffers

  Fixed a problem with the CRLF. detection when multiple buffers were used
  to upload an email to libcurl and the line ending character(s) appeared
  at the end of each buffer. This meant any lines which started with .
  would not be escaped into .. and could be interpreted as the end of
  transmission string instead.

  This only affected libcurl based applications that used a read function
  and wasn't reproducible with the curl command-line tool.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1456
  Assisted-by: Patrick Monnerat

Daniel Stenberg (11 Dec 2014)
- telnet: fix "cast increases required alignment of target type"

- ntlm_wb_response: fix "statement not reached"

  ... and I could use a break instead of a goto to end the loop.

  Bug: http://curl.haxx.se/mail/lib-2014-12/0089.html
  Reported-by: Tor Arntsen

Steve Holme (10 Dec 2014)
- RELEASE-NOTES: Synced with 1cc5194337

  Added some bug fixes that I had missed in previous synchronisations.

Daniel Stenberg (10 Dec 2014)
- Curl_unix2addr: avoid using the variable name 'sun'

  I suspect this causes compile failures on Solaris:

  Bug: http://curl.haxx.se/mail/lib-2014-12/0081.html

Steve Holme (10 Dec 2014)
- url.c: Fixed compilation warning when USE_NTLM is not defined

  url.c:3078: warning: variable 'credentialsMatch' set but not used

- parsedate.c: Fixed compilation warning

  parsedate.c:548: warning: 'parsed' may be used uninitialized in this
  function

  As curl_getdate() returns -1 when parsedate() fails we can initialise
  parsed to -1.

Daniel Stenberg (10 Dec 2014)
- TODO: Cache negative name resolves

  Worth exploring

- ldap: check Curl_client_write() return codes

  There might be one or two memory leaks left in the error paths.

- ldap: rename variables to comply to curl standards

Dan Fandrich (10 Dec 2014)
- sws.c: Fixed 'rc' may be used uninitialized warning

- cookies: Improved OOM handling in cookies

  This fixes the test 506 torture test. The internal cookie API really
  ought to be improved to separate cookie parsing errors (which may be
  ignored) with OOM errors (which should be fatal).

Guenter Knauf (9 Dec 2014)
- synctime.c: fixed user-agent setting.

  Some websites meanwhile refuse to reply to requests from ancient
  browsers like IE6, therefore I've commented out this setting, but also
  fixed the string to now fake IE8 if someone enables it.

Daniel Stenberg (9 Dec 2014)
- smb: fix unused return code warning

Patrick Monnerat (9 Dec 2014)
- Curl_client_write() & al.: chop long data, convert data only once.

Guenter Knauf (9 Dec 2014)
- VC build: added sspi define for winssl-zlib builds.

Daniel Stenberg (9 Dec 2014)
- schannel_recv: return the correct code

  Bug: http://curl.haxx.se/bug/view.cgi?id=1462
  Reported-by: Tae Hyoung Ahn

- http2: avoid logging neg "failure" if h2 was not requested

- openldap: do not ignore Curl_client_write() return codes

- compile: warn on unused return code from Curl_client_write()

Patrick Monnerat (8 Dec 2014)
- SMB: Fix a data size mismatch that broke SMB on big-endian platforms

Steve Holme (7 Dec 2014)
- smb: Fixed Windows autoconf builds following commit eb88d778e7

  As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
  either explicitly through --enable-win32-cypto or automatically on
  _WIN32 based platforms, subsequent builds broke with the following
  error message:

  "Can't compile NTLM support without a crypto library."

- RELEASE-NOTES: Synced with 526603ff05

- [Bill Nagel brought this change]

  smb: Build with SSPI enabled

  Build SMB/CIFS protocol support when SSPI is enabled.

- [Bill Nagel brought this change]

  ntlm: Use Windows Crypt API

  Allow the use of the Windows Crypt API for NTLMv1 functions.

Dan Fandrich (7 Dec 2014)
- cookie.c: Refactored cleanup code to simplify

  Also, fixed the outdated comments on the cookie API.

- get_url_file_name: Fixed crash on OOM on debug build

  This caused a null-pointer dereference which caused a few dozen torture
  tests to fail.

Steve Holme (6 Dec 2014)
- sws.c: Fixed compilation warning

  sws.c:2191 warning: 'rc' may be used uninitialized in this function

- ftp.c: Fixed compilation warnings when proxy support disabled

  ftp.c:1827 warning: unused parameter 'newhost'
  ftp.c:1827 warning: unused parameter 'newport'

- smb: Fixed a problem with large file transfers

  Fixed an issue with the message size calculation where the raw bytes
  from the buffer were interpreted as signed values rather than unsigned
  values.

  Reported-by: Gisle Vanem
  Assisted-by: Bill Nagel

- smb: Moved the URL decoding into a separate function

- smb: Fixed URL encoded URLs not working

- Makefile.inc: Added our standard header and updated file formatting

- Makefile.inc: Updated file formatting

  Aligned continuation character and used space as the separator
  character as per other makefile files.

- curl_md4.h: Updated copyright year following recent edit

  ...and minor layout adjustment.

Patrick Monnerat (5 Dec 2014)
- SMB: Fix big endian problems. Make it OS/400 aware.

- OS400: enable NTLM authentication

Steve Holme (5 Dec 2014)
- multi.c: Fixed compilation warning

  multi.c:2695: warning: declaration of `exp' shadows a global declaration

Guenter Knauf (5 Dec 2014)
- build: updated dependencies in makefiles.

Steve Holme (5 Dec 2014)
- sasl: Corrected formatting of function descriptions

- sasl_gssapi: Added missing function description

- RELEASE-NOTES: Provided better descriptions

  As it is often difficult to choose the best description for a single
  feature when it spans many commits, updated the descriptions for the
  recent SMB/CIFS protocol and GSS-API additions.

- sasl_sspi: Corrected some typos

- sasl_sspi: Don't use hard coded sizes in Kerberos V5 security data

  Don't use a hard coded size of 4 for the security layer and buffer size
  in Curl_sasl_create_gssapi_security_message(), instead, use sizeof() as
  we have done in the sasl_gssapi module.

- sasl_sspi: Free the Kerberos V5 challenge as soon as we're done with it

  Reduced the amount of free's required for the decoded challenge message
  in Curl_sasl_create_gssapi_security_message() as a result of coding it
  differently in the sasl_gssapi module.
- gssapi: Corrected typo in comments

- sasl_gssapi: Added body to Curl_sasl_create_gssapi_security_message()

Daniel Stenberg (4 Dec 2014)
- [Stefan Bühler brought this change]

  http_perhapsrewind: don't abort CONNECT requests

  ...they never have a body

- [Stefan Bühler brought this change]

  HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request

  Sending NTLM/Negotiate header again after successful authentication
  breaks the connection with certain Proxies and request types (POST to
  MS Forefront).

- [Stefan Bühler brought this change]

  HTTP: don't abort connections with pending Negotiate authentication

  ... similarly to how NTLM works as Negotiate is in fact often NTLM
  with another name.

- [Stefan Bühler brought this change]

  fix gdb libtool invocation path

Steve Holme (4 Dec 2014)
- sasl_gssapi: Fixed missing include from commit d3cca934ee

Daniel Stenberg (4 Dec 2014)
- [Jay Satiro brought this change]

  examples: remove sony.com from 10-at-a-time

  Prior to this change the 10-at-a-time example showed CURLE_RECV_ERROR
  for the sony website because it ends the connection when the request
  is missing a user agent.

Steve Holme (4 Dec 2014)
- sasl_gssapi: Fixed missing decoding debug failure message

- sasl_gssapi: Fixed honouring of no mutual authentication

- sasl_sspi: Added more Kerberos V5 decoding debug failure messages

Daniel Stenberg (4 Dec 2014)
- [Anthon Pang brought this change]

  docs: Fix FAILONERROR typos

  It returns error for >= 400 HTTP responses.

  Bug: https://github.com/bagder/curl/pull/129

- [Peter Wu brought this change]

  tool: fix CURLOPT_UNIX_SOCKET_PATH in --libcurl output

  Mark CURLOPT_UNIX_SOCKET_PATH as string to ensure that it ends up as
  option in the file generated by --libcurl.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  opts: fix CURLOPT_UNIX_SOCKET_PATH formatting

  Add .nf and .fi such that the code gets wrapped in a pre on the web.
  Fixed grammar, fixed formatting of the "See also" items.

  Signed-off-by: Peter Wu

Patrick Monnerat (4 Dec 2014)
- OS400: enable Unix sockets.

Daniel Stenberg (3 Dec 2014)
- RELEASE-NOTES: synced with b216427e73b5e9

- opts: added CURLOPT_UNIX_SOCKET_PATH to Makefile.am

- updateconninfo: clear destination struct before getsockname()

  Otherwise we may read uninitialized bytes later in the unix-domain
  sockets case.

- curl.1: added --unix-socket

- [Peter Wu brought this change]

  tool: add --unix-socket option

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  libcurl: add UNIX domain sockets support

  The ability to do HTTP requests over a UNIX domain socket has been
  requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a
  discussion happened, no patch seems to get through. I decided to give
  it a go since I need to test a nginx HTTP server which listens on a
  UNIX domain socket.

  One patch [3] seems to make it possible to use the
  CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket.
  Another person wrote a Go program which can do HTTP over a UNIX socket
  for Docker[4] which uses a special URL scheme (though the name
  contains cURL, it has no relation to the cURL library).

  This patch considers support for UNIX domain sockets at the same level
  as HTTP proxies / IPv6, it acts as an intermediate socket provider and
  not as a separate protocol. Since this feature affects network
  operations, a new feature flag was added ("unix-sockets") with a
  corresponding CURL_VERSION_UNIX_SOCKETS macro.

  A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This
  option enables UNIX domain sockets support for all requests on the
  handle (replacing IP sockets and skipping proxies).

  A new configure option (--enable-unix-sockets) and CMake option
  (ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I
  deliberately did not mark this feature as advanced, this is a
  feature/component that should easily be available.

  [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html
  [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/
  [2]: http://sourceforge.net/p/curl/feature-requests/53/
  [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html
  [4]: https://github.com/Soulou/curl-unix-socket

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  tests: add two HTTP over UNIX socket tests

  test1435: a simple test that checks whether a HTTP request can be
  performed over the UNIX socket. The hostname/port are interpreted by
  sws and should be ignored by cURL.

  test1436: test for the ability to do two requests to the same host,
  interleaved with one to a different hostname.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  tests: add HTTP UNIX socket server testing support

  The variable `$ipvnum` can now contain "unix" besides the integers 4
  and 6 since the variable. Functions which receive this parameter have
  their `$port` parameter renamed to `$port_or_path` to support a path
  to the UNIX domain socket (as a "port" is only meaningful for TCP).

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  sws: try to remove socket and retry bind

  If sws is killed it might leave a stale socket file on the filesystem
  which would cause an EADDRINUSE error. After this patch, it is checked
  whether the socket is really stale and if so, the socket file gets
  removed and another bind is executed.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  sws: add UNIX domain socket support

  This extends sws with a --unix-socket option which causes the port to
  be ignored (as the server now listens on the path specified by
  --unix-socket). This feature will be available in the following patch
  that enables checking for UNIX domain socket support.

  Proxy support (CONNECT) is not considered nor tested. It does not make
  sense anyway, first connecting through a TCP proxy, then let that TCP
  proxy connect to a UNIX socket.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  sws: restrict TCP_NODELAY to IP sockets

  TCP_NODELAY does not make sense for Unix sockets, so enable it only if
  the socket is using IP.

  Signed-off-by: Peter Wu

Dan Fandrich (3 Dec 2014)
- [Dave Reisner brought this change]

  curl.1: fix trivial typo

Steve Holme (3 Dec 2014)
- sasl_gssapi: Added body to Curl_sasl_create_gssapi_user_message()

- sasl_gssapi: Added body to Curl_sasl_gssapi_cleanup()

- sasl_gssapi: Added Curl_sasl_build_gssapi_spn() function

  Added helper function for returning a GSS-API compatible SPN.

Daniel Stenberg (3 Dec 2014)
- NSS: enable the CAPATH option

  Bug: http://curl.haxx.se/bug/view.cgi?id=1457
  Patch-by: Tomasz Kojm

Steve Holme (3 Dec 2014)
- sasl_gssapi: Enable USE_KERBEROS5 for GSS-API based builds

- sasl_gssapi: Added GSS-API based Kerberos V5 variables

- sws.c: Fixed compilation warning when IPv6 is disabled

  sws.c:69: warning: comma at end of enumerator list

- sasl_gssapi: Made log_gss_error() a common GSS-API function

  Made log_gss_error() a common function so that it can be used in both
  the http_negotiate code as well as the curl_sasl_gssapi code.

- sasl_gssapi: Introduced GSS-API based SASL module

  Added the initial version of curl_sasl_gssapi.c and updated the
  project files in preparation for adding GSS-API based Kerberos V5
  support.

- smb: Don't try to connect with empty credentials

  On some platforms curl would crash if no credentials were used. As
  such added detection of such a use case to prevent this from
  happening.

  Reported-by: Gisle Vanem

- smb.c: Coding policing of pointer usage

- configure: Fixed inclusion of SMB when no crypto engines available

Guenter Knauf (1 Dec 2014)
- build: in Makefile.m32 simplified autodetection.

Daniel Stenberg (30 Nov 2014)
- [Peter Wu brought this change]

  sws: move away from IPv4/IPv4-only assumption

  Instead of depending the socket domain type on use_ipv6, specify the
  domain type (AF_INET / AF_INET6) as variable.

  An enum is used here with switch to avoid compiler warnings in
  connect_to, complaining that rc is possibly undefined (which is not
  possible as socket_domain is always set).

  Besides abstracting the socket type, make the debugging messages be
  independent of IP (introduce location_str which points to "port
  XXXXX"). Rename "ipv_inuse" to "socket_type" and tighten the scope
  (main).

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  lib/connect: restrict IP/TCP options to said sockets

  This patch prepares for adding UNIX domain sockets support.

  TCP_NODELAY and TCP_KEEPALIVE are specific to TCP/IP sockets, so do
  not apply these to other socket types. bindlocal only works for IP
  sockets (independent of TCP/UDP), so filter that out too for other
  types.

  Signed-off-by: Peter Wu

- smb.c: use size_t as input argument types for msg sizes

  This fixes warnings about conversions to int

Steve Holme (30 Nov 2014)
- version: The next release will become 7.40.0

- [Bill Nagel brought this change]

  docs: Updated for the SMB protocol

  This patch updates the documentation for the SMB/CIFS protocol.

- curl tool: Exclude SMB from the protocol redirect

  As local files could be accessed through \\localhost\c$.

- [Bill Nagel brought this change]

  curl tool: Enable support for the SMB protocol

  This patch enables SMB/CIFS support in the curl command-line tool.

- smb.c: Fixed compilation warnings

  smb.c:398: warning: comparison of integers of different signs: 'ssize_t' (aka 'long') and 'unsigned long'
  smb.c:443: warning: comparison of integers of different signs: 'ssize_t' (aka 'long') and 'unsigned long'

- libcurl: Exclude SMB from the protocol redirect

  As local files could be accessed through \\localhost\c$.

- [Bill Nagel brought this change]

  libcurl: Enable support for the SMB protocol

  This patch enables SMB/CIFS support in libcurl.

- smb.c: Fixed compilation warnings

  smb.c:322: warning: conversion to 'short unsigned int' from 'unsigned int' may alter its value
  smb.c:323: warning: conversion to 'short unsigned int' from 'unsigned int' may alter its value
  smb.c:482: warning: conversion to 'short unsigned int' from 'int' may alter its value
  smb.c:521: warning: conversion to 'unsigned int' from 'curl_off_t' may alter its value
  smb.c:549: warning: conversion to 'unsigned int' from 'curl_off_t' may alter its value
  smb.c:550: warning: conversion to 'short unsigned int' from 'int' may alter its value

- smb.c: Renamed SMB command message variables to avoid compiler warnings

  smb.c:489: warning: declaration of 'close' shadows a global declaration
  smb.c:511: warning: declaration of 'read' shadows a global declaration
  smb.c:528: warning: declaration of 'write' shadows a global declaration

- smb.c: Fixed compilation warnings

  smb.c:212: warning: unused parameter 'done'
  smb.c:380: warning: ISO C does not allow extra ';' outside of a function
  smb.c:812: warning: unused parameter 'premature'
  smb.c:822: warning: unused parameter 'dead'

- smb.c: Fixed compilation warnings

  smb.c:311: warning: conversion from 'unsigned __int64' to 'u_short', possible loss of data
  smb.c:425: warning: conversion from '__int64' to 'unsigned short', possible loss of data
  smb.c:452: warning: conversion from '__int64' to 'unsigned short', possible loss of data

- smb.c: Fixed compilation warnings

  smb.c:162: error: comma at end of enumerator list
  smb.c:469: warning: conversion from 'size_t' to 'unsigned short', possible loss of data
  smb.c:517: warning: conversion from 'curl_off_t' to 'unsigned int', possible loss of data
  smb.c:545: warning: conversion from 'curl_off_t' to 'unsigned int', possible loss of data

- [Bill Nagel brought this change]

  smb: Added initial SMB functionality

  Initial implementation of the SMB/CIFS protocol.

- [Bill Nagel brought this change]

  smb: Added SMB handler interfaces

  Added the SMB and SMBS handler interface structures and associated
  functions required for SMB/CIFS operation.

- transfer: Code style policing

  Prefer ! rather than NULL in if statements, added comments and updated
  function spacing, argument spacing and line spacing to be more
  readable.

- transfer: Fixed existing scratch buffer being checked for NULL twice

  If the scratch buffer already existed when the CRLF conversion was
  performed then the buffer pointer would be checked twice for NULL.
  This second check is only necessary if the call to malloc() was
  performed by the first check.

- smtp: Fixed dot stuffing being performed when no new data read

  Whilst I had moved the dot stuffing code from being performed before
  CRLF conversion takes place to after it, in commit 4bd860a001, I had
  moved it outside the 'when something read' block of code which meant
  it could perform the dot stuffing twice on partial send if nread
  happened to contain the right values. It also meant the function could
  potentially read past the end of buffer. This was highlighted by the
  following warning:

  warning: `nread' might be used uninitialized in this function

Daniel Stenberg (29 Nov 2014)
- smb.h: fixed picky compiler warning

  smb.h:30:16: error: comma at end of enumerator list [-Werror=pedantic]

Steve Holme (29 Nov 2014)
- tests: Disable test 1013 until SMB is fully added

- [Bill Nagel brought this change]

  smb: Added SMB protocol and port definitions

  Added the necessary protocol and port definitions in order to support
  SMB/CIFS.

- [Bill Nagel brought this change]

  smb: Added internal SMB definitions and structures

  Added the internal definitions and structures necessary for SMB/CIFS
  support.

- [Bill Nagel brought this change]

  smb: Added SMB connection structure

  Added the connection structure that will be required in urldata.h for
  SMB/CIFS based connections.

- [Bill Nagel brought this change]

  smb: Added initial source files for SMB

  Added the initial source files and updated the relevant project files
  in order to support SMB/CIFS.

- [Bill Nagel brought this change]

  smb: Added configuration options for SMB

  Added --enable-smb and --disable-smb configuration options for the
  upcoming SMB/CIFS protocol support.

Daniel Stenberg (28 Nov 2014)
- [Peter Wu brought this change]

  runtests.pl: fix startup of IPv6 servers

  Commit curl-7_23_1-143-g8218064 changed the parameter of
  responsive_http_server to accept types other than IPv6 (converting
  from a boolean to a string), but only considered the lower-case "ipv6"
  and not the "IPv6" variant. This caused all servers to start in IPv4
  mode instead.

  This patch converts the remaining cases to "ipv6". While not strictly
  necessary for the run*server variants, these got also converted for
  consistency and to prevent future errors.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  runtests.pl: fix warning message, remove duplicate value

  Signed-off-by: Peter Wu

Steve Holme (27 Nov 2014)
- http.c: Fixed compilation warnings from features being disabled

  warning: unused variable 'data'
  warning: variable 'addcookies' set but not used

  ...and some very minor coding style policing.

- RELEASE-NOTES: Synced with c5399c827d

- tests: Added SMTP with --crlf test case

- docs: Updated for commit 4bd860a001 and SMTP Unix line ending conversion

- smtp: Fixed const'ness of nread parameter in Curl_smtp_escape_eob()

  ...and some comment typos!

- smtp: Added support for the conversion of Unix newlines during mail send

  Added support for the automatic conversion of Unix newlines to CRLF
  during mail uploads.

  Feature: http://curl.haxx.se/bug/view.cgi?id=1456

- CURLOPT_CRLF.3: Fixed inclusion of SMTP in listed protocols

Daniel Stenberg (25 Nov 2014)
- curl*3: added small examples and some minor edits

- libcurl.3: fix formatting

  refer to functions with the man page section properly

- man pages: SEE ALSO curl_multi_wait

- curl_multi_wait.3: clarify numfds being used if not NULL

- multi-single.c: switch to use curl_multi_wait

  Makes the example much easier and straight-forward!

- testcurl: bump the version of this script!

- testcurl: skip reading the setup file if given enough cmdline info

  This makes it much easier to run multiple tests in the same directory,
  just altering the command lines used.

- select.c: fix compilation for VxWorks

  Reported-by: Brian
  Bug: http://curl.haxx.se/bug/view.cgi?id=1455

Patrick Monnerat (24 Nov 2014)
- [moparisthebest brought this change]

  SSL: Add PEM format support for public key pinning

Kamil Dudka (24 Nov 2014)
- Revert "repository: ignore patch files generated by git"

  This reverts commit 217024a687ce86eb6d2317822ed81c7e5abc4b61.

  Bug: https://github.com/bagder/curl/commit/217024a6#commitcomment-8693738

Steve Holme (23 Nov 2014)
- multi.c: Fixed compilation warnings when no verbose string support

  warning: variable 'connection_id' set but not used
  warning: unused parameter 'lineno'

- RELEASE-NOTES: Synced with 1450712e76

- sasl: Tidied up some parameter comments

- sasl: Reduced the need for two sets of NTLM functions

- ntlm: Moved NSS initialisation to base decode function

- http_ntlm: Fixed additional NSS initialisation call when decoding type-2

  After commit 48d19acb7c the HTTP code would call Curl_nss_force_init()
  twice when decoding a NTLM type-2 message, once directly and the other
  through the call to Curl_sasl_decode_ntlm_type2_message().

- ntlm: Fixed static'ness of local decode function

- ntlm: Corrected some parameter names and comments

- runtests.pl: Re-aligned feature support comments

- runtests.pl: Use Kerberos and SPNEGO as proxies for the crypto feature

  In addition to NTLM, use Kerberos and SPNEGO as proxies to the crypto
  feature.

  ...and converted tab characters, from commit 4b4e8a5853, to spaces.

- runtests.pl: Added support for SPNEGO

- runtests.pl: Added Kerberos detection

- runtests.pl: Added GSS-API detection

- FILEFORMAT: Added SSPI, GSS-API and Kerberos to the features list

- FILEFORMAT: Added test requires feature not present information

  Such as !SSPI as we do for the NTLM and Digest tests.

Daniel Stenberg (20 Nov 2014)
- http.c: log if it notices HTTP 1.1 after an upgrade to http2

- test1801: first real http2 test case

- sws: initial tiny steps toward http2 support

- FILEFORMAT: mention the new upgrade support

- test1800: first plain-text http2 test case

  Verifies the upgrade request, but gets a plain 1.1 response

- [Tatsuhiro Tsujikawa brought this change]

  http: Disable pipelining for HTTP/2 and upgraded connections

  This commit disables pipelining for HTTP/2 or upgraded connections.
  For HTTP/2, we do not support multiplexing. In general, requests
  cannot be pipelined in an upgraded connection, since it is now
  different protocol.

- [Brad Harder brought this change]

  CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option

Steve Holme (19 Nov 2014)
- multi-uv.c: Updated for curl coding standards

- conncache: Fixed specifiers in infof() for long and size_t variables

- [Peter Wu brought this change]

  cmake: add Kerberos to the supported features

  Updated following commit eda919f and a4b7f71.

  Acked-by: Brad King
  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: fix NTLM detection when CURL_DISABLE_HTTP defined

  Updated following changes in commit f0d860d.

  Acked-by: Brad King
  Signed-off-by: Peter Wu

Daniel Stenberg (19 Nov 2014)
- RELEASE-NOTES: synced with cb13fad733e

- [Jay Satiro brought this change]

  examples: Wait recommended 100ms when no file descriptors are ready

  Prior to this change when no file descriptors were ready on platforms
  other than Windows the multi examples would sleep whatever was in
  timeout, which may or may not have been less than the minimum
  recommended value [1] of 100ms.

  [1]: http://curl.haxx.se/libcurl/c/curl_multi_fdset.html

- [Waldek Kozba brought this change]

  multi-uv.c: close the file handle after download

- [Jon Spencer brought this change]

  multi: inform about closed sockets before they are closed

  When the connection code decides to close a socket it informs the
  multi system via the Curl_multi_closed function. The multi system may,
  in turn, invoke the CURLMOPT_SOCKETFUNCTION function with
  CURL_POLL_REMOVE. This happens after the socket has already been
  closed. Reorder the code so that CURL_POLL_REMOVE is called before the
  socket is closed.

Guenter Knauf (19 Nov 2014)
- build: in Makefile.m32 moved target autodetection.

  Moved target autodetection block after defining CC macro.

- build: in Makefile.m32 simplify platform flags.

- build: in Makefile.m32 try to detect 64bit target.

Daniel Stenberg (19 Nov 2014)
- [Brad King brought this change]

  CMake: Simplify if() conditions on check result variables

  Remove use of an old hack that takes advantage of the auto-dereference
  behavior of the if() command to detect if a variable is defined. The
  hack has the form:

   if("${VAR} MATCHES "^${VAR}$")

  where "${VAR}" is a macro argument reference. Use if(DEFINED) instead.
  This also avoids warnings for CMake Policy CMP0054 in CMake 3.1.

- TODO-RELEASE: removed

- [Carlo Wood brought this change]

  debug: added new connection cache output, plus fixups

  Debug output 'typo' fix.

  Don't print an extra "0x" in
    * Pipe broke: handle 0x0x2546d88, url = /

  Add debug output.

  Print the number of connections in the connection cache when adding
  one, and not only when one is removed.

  Fix typos in comments.

- multi: move the ending condition into the loop as well

  ... as it was before I changed the loop in commit e04ccbd50. It caused
  test 2030 and 2032 to fail.

Steve Holme (18 Nov 2014)
- multi: Prefer we don't use CURLE_OK and NULL in comparisons

Daniel Stenberg (18 Nov 2014)
- multi_runsingle: use 'result' for local CURLcode storage

  ... and assign data->result only at the end. Makes the code more
  compact (easier to read) and more similar to other code.

- multi_runsingle: rename result to rc

  save 'result' for CURLcode types

- multi: make multi_runsingle loop internally

  simplifies the use of this function at little cost.

- [Carlo Wood brought this change]

  multi: when leaving for timeout, close accordingly

  Fixes the problem when a transfer in a pipeline times out.

Guenter Knauf (18 Nov 2014)
- build: in Makefile.m32 add -m32 flag for 32bit.

- mk-ca-bundle.vbs: update copyright year.

- build: in Makefile.m32 pass -F flag to windres.

Steve Holme (17 Nov 2014)
- config-win32: Fixed build targets for the VS2012+ Windows XP toolset

  Even though commit 23e70e1cc6 mentioned the v110_xp toolset, I had
  forgotten to include the relevant pre-processor definitions.

- sasl_sspi: Removed note about the NTLM functions being a wrapper

- connect.c: Fixed compilation warning when no verbose string support

  warning: unused parameter 'reason'

- easy.c: Fixed compilation warning when no verbose string support

  warning: unused parameter 'easy'

- win32: Updated some legacy APIs to use the newer extended versions

  Updated the usage of some legacy APIs, that are preventing curl from
  compiling for Windows Store and Windows Phone build targets.

  Suggested-by: Stefan Neis
  Feature: http://sourceforge.net/p/curl/feature-requests/82/

- config-win32: Introduce build targets for VS2012+

  Visual Studio 2012 introduced support for Windows Store apps as well
  as supporting Windows Phone 8. Introduced build targets that allow
  more modern APIs to be used as certain legacy ones are not available
  on these new platforms.

- sasl_sspi: Fixed compilation warnings when no verbose string support

- sasl_sspi: Added base64 decoding debug failure messages

  Just like in the NTLM code, added infof() failure messages for
  DIGEST-MD5 and GSSAPI authentication when base64 decoding fails.

- ntlm: Moved the SSPI based Type-3 message generation into the SASL module

- ntlm: Moved the SSPI based Type-2 message decoding into the SASL module

- ntlm: Moved the SSPI based Type-1 message generation into the SASL module

- [Michael Osipov brought this change]

  kerberos: Use symbol qualified with _KERBEROS5

  For consistency renamed USE_KRB5 to USE_KERBEROS5.

Daniel Stenberg (15 Nov 2014)
- [Jay Satiro brought this change]

  examples: Don't call select() to sleep on windows

  Windows does not support using select() for sleeping without a dummy
  socket. Instead use Windows' Sleep() and sleep for 100ms which is the
  minimum suggested value in the curl_multi_fdset() doc.

  Prior to this change the multi examples would exit prematurely since
  select() would error instead of sleeping when called without an fd.

  Reported-by: Johan Lantz
  Bug: http://curl.haxx.se/mail/lib-2014-11/0221.html

- [Tatsuhiro Tsujikawa brought this change]

  http2: Don't send Upgrade headers when we already do HTTP/2

Steve Holme (15 Nov 2014)
- sasl: Corrected Curl_sasl_build_spn() function description

  There was a mismatch in function parameter names.

- tool: Removed krb4 from the supported features

  Although libcurl would never return CURL_VERSION_KERBEROS4 after 7.33,
  so would not be output with --version, removed krb4 from the supported
  features output.

- [Michael Osipov brought this change]

  tool: Use Kerberos for supported features

- urldata: Don't define sec_complete when no GSS-API support present

  This variable is only used when HAVE_GSSAPI is defined by the FTP code
  so let's place the definition with the other GSS-API based variables.

- [Michael Osipov brought this change]

  docs: Use consistent naming for Kerberos

- TODO: Let's support QOP options in GSSAPI authentication

- sasl_sspi: Corrected a couple of comment typos

- sasl: Moved Curl_sasl_gssapi_cleanup() definition into header file

  Rather than define the function as extern in the source files that use
  it, moved the function declaration into the SASL header file just like
  the Digest and NTLM clean-up functions.

  Additionally, added a function description comment block.

- sasl_sspi: Added missing RFC reference for HTTP Digest authentication

- ntlm: Clean-up and standardisation of base64 decoding

- ntlm: We prefer 'CURLcode result'

Daniel Stenberg (13 Nov 2014)
- [Brad King brought this change]

  CMake: Restore order-dependent library checks

  Revert commit 2257deb502 (Cmake: Avoid cycle directory dependencies,
  2014-08-22) and add a comment explaining the purpose of the original
  code.

  The check_library_exists_concat macro is intended to be called
  multiple times on a sequence of possibly dependent libraries. Later
  libraries may depend on earlier libraries when they are static. They
  cannot be safely linked in reverse order on some platforms.

  Signed-off-by: Brad King

- [Brad King brought this change]

  CMake: Restore order-dependent header checks

  Revert commit 1269df2e3b (Cmake: Don't check for all headers each
  time, 2014-08-15) and add a comment explaining the purpose of the
  original code.

  The check_include_file_concat macro is intended to be called multiple
  times on a sequence of possibly dependent headers. Later headers may
  depend on earlier headers to provide declarations. They cannot be
  safely included independently on some platforms.

  For example, many POSIX APIs document including sys/types.h before
  some other headers. Also on some OS X versions sys/socket.h must be
  included before net/if.h or the check for the latter will fail.

  Signed-off-by: Brad King

- [Peter Wu brought this change]

  test22: expand a backtick command

  This is the only user of the backtick operator in the command. As the
  commands will soon not be executed by a shell anymore (but by perl),
  replace the command with its output.

  Signed-off-by: Peter Wu

- RELEASE-NOTES: synced with 2ee3c63b13

- http2: fix switched macro when http2 is not enabled

- [Tatsuhiro Tsujikawa brought this change]

  http2: Deal with HTTP/2 data inside response header buffer

  Previously if HTTP/2 traffic is appended to HTTP Upgrade response
  header (thus they are in the same buffer), the trailing HTTP/2 traffic
  is not processed and lost. The appended data is most likely SETTINGS
  frame. If it is lost, nghttp2 library complains server does not obey
  the HTTP/2 protocol and issues GOAWAY frame and curl eventually drops
  connection. This commit fixes this problem and now trailing data is
  processed.

Steve Holme (11 Nov 2014)
- configure: Fixed inclusion of krb5 when CURL_DISABLE_CRYPTO_AUTH is defined

  Commit fe0f8967bf fixed a problem with krb5 not being defined as a
  supported feature when HAVE_GSSAPI is defined, however, it should only
  be included if CURL_DISABLE_CRYPTO_AUTH is not set, like when SPNEGO
  is listed as a feature.

Daniel Stenberg (10 Nov 2014)
- multi: removed Curl_multi_set_easy_connection

  It isn't used anywhere!

  Reported-by: Carlo Wood

- [Peter Wu brought this change]

  symbol-scan.pl: do not require autotools

  Makes test1119 pass when building with cmake. configurehelp.pm is
  generated by configure (autotools). As cmake does not provide a
  separate variable for the C preprocessor, default to cpp.

  Before commit ef24ecde68a5f577a7f0f423a767620f09a0ab16 ("symbol-scan:
  use configure script knowledge about how to run the C preprocessor"),
  this tool would also use 'cpp'.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: add ENABLE_THREADED_RESOLVER, rename ARES

  Fix detection of the AsynchDNS feature which not just depends on
  pthreads support, but also on whether USE_POSIX_THREADS is set or not.
  Caught by test 1014.

  This patch adds a new ENABLE_THREADED_RESOLVER option (corresponding
  to --enable-threaded-resolver of autotools) which also needs a check
  for HAVE_PTHREAD_H.

  For symmetry with autotools, CURL_USE_ARES is renamed to ENABLE_ARES
  (--enable-ares). Checks that test for the availability actually use
  USE_ARES instead as that is the result of whether a-res is available
  or not (in practice this does not matter as CARES is marked as
  required package, but nevertheless it is better to write the intent).

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: build libhostname for test suite

  Used by some test cases via LD_PRELOAD in order to fake the host name.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: fix HAVE_GETHOSTNAME definition

  Otherwise Curl_gethostname always fails.

  Windows has gethostname since Vista according to
  http://msdn.microsoft.com/en-us/library/ms738527%28VS.85%29.aspx, but
  according to byte_bucket's VC 2005 documentation, it is available even
  in Windows 95. (possibly after installing a Platform SDK, the Windows
  Server 2003 SP1 Platform SDK should be sufficient).

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  tests: fix libhostname visibility

  I noticed that a patched cmake build would pass tests with a fake
  local hostname, but the autotools build skips them:

      got unexpected host name back, LD_PRELOAD failed

  It turns out that -fvisibility=hidden hides the symbol, and since the
  tests are not part of libcurl, it fails too. Just remove the LIBCURL
  guard.

  Broken since cURL 7.30 (commit
  83a42ee20ea7fc25abb61c0b7ef56ebe712d7093, "curl.h: stricter
  CURL_EXTERN linkage decorations logic").

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  tests: fix memleak in server/resolve.c

  This makes LeakSanitizer happy.

  Signed-off-by: Peter Wu

- configure: assume krb5 when gss-api works

  To please test 1014 while we work out if this is truly a correct
  assumption.

Steve Holme (9 Nov 2014)
- vtls.h: Fixed compiler warning when compiled without SSL

  vtls.c:185:46: warning: unused parameter 'data'

- RELEASE-NOTES: Synced with 2fbf23875f

- ntlm: Added separate SSPI based functions

  In preparation for moving the NTLM message code into the SASL module,
  and separating the native code from the SSPI code, added functions
  that simply call the functions in curl_ntlm_msg.c.

- http_ntlm: Use the SASL functions instead

  In preparation for moving the NTLM message code into the SASL module
  use the SASL functions in the HTTP code instead.

Daniel Stenberg (9 Nov 2014)
- libssh2: detect features based on version, not configure checks

  ... so that non-configure builds get the correct functions too based
  on the libssh2 version used.

- [Nobuhiro Ban brought this change]

  SSH: use the port number as well for known_known checks

  ... if the libssh2 version is new enough.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1448

Steve Holme (9 Nov 2014)
- INSTALL: Updated pre-processor references to the old VC6 project files

  Reworked the two sections that discuss modifying the Visual Studio
  pre-processor settings, and vc6libcurl.dsw/vc6libcurl.dsp, to remove
  the project files references as they have been superseded by a more
  thorough set of project files for VC6 through VC12, but to also give
  the correct reference to this setting in later versions of Visual
  Studio.

- INSTALL: Added email protocols to the "Disabling in Win32 builds" section

- configure: Fixed NTLM missing from features when CURL_DISABLE_HTTP defined

- build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined

  USE_NTLM would only be defined if: HTTP support was enabled, NTLM and
  cryptography weren't disabled, and either a supporting cryptography
  library or Windows SSPI was being compiled against.

  This means it was not possible to build libcurl without HTTP support
  and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather
  than introduce a new SASL pre-processor definition, removed the HTTP
  prerequisite just like USE_SPNEGO and USE_KRB5.

  Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP
  as it is only available to HTTP at present.

  This bug dates back to August 2011 when I started to add support for
  NTLM to SMTP.

- ntlm: Removed an unnecessary free of native Target Info

  Due to commit 40ee1ba0dc the free in Curl_ntlm_decode_type2_target()
  is longer required.

- ntlm: Moved the native Target Info clean-up from HTTP specific function

- ntlm: Moved SSPI clean-up code into SASL module

- Makefile.dist: Added support for WinIDN

- Makefile.vc6: Added support for WinIDN

- Makefile.dist: Added some missing SSPI configurations

- Makefile.dist: Separated the groups of SSL configurations from each other

- Makefile.dist: Grouped the x64 configurations next to their x86 counterparts

- curl.h: Tidy up of CURL_VERSION_* flags

  As the list has gotten a little messy and hard to read, especially
  with the introduction of deprecated items, aligned the values and
  comments into clean columns and reworked some of the comments in the
  process.

- curl_tool: Added krb5 to the supported features

- configure: Added krb5 to the supported features

- version info: Added Kerberos V5 to the supported features

Guenter Knauf (7 Nov 2014)
- mk-ca-bundle.vbs: switch to new certdata.txt url.


Steve Holme (7 Nov 2014)
- RELEASE-NOTES: Synced with dcad09e125

- http_digest: Fixed some memory leaks introduced in commit 6f8d8131b1

  Fixed a couple of memory leaks as a result of moving code that used to populate allocuserpwd and relied on its clean up.

- docs: Updated following the addition of SSPI based HTTP digest auth

- sasl_sspi: Tidy up of the existing digest code

  Following the addition of SSPI support for HTTP digest, synchronised elements of the email digest code with that of the new HTTP code.

- http_digest: Post SSPI support tidy up

  Post tidy up to ensure commonality of code style and variable names.

Dan Fandrich (6 Nov 2014)
- test552: Don't run HTTP digest tests for SSPI based builds

  Technical difficulties prevented this from going into the previous commit.

Steve Holme (6 Nov 2014)
- tests: Don't run HTTP digest tests for SSPI based builds

  Added !SSPI to the features list of the HTTP digest tests, as SSPI based builds now use the Windows SSPI messaging API rather than the internal functions, and we can't control the random numbers that get used as part of the digest.

Daniel Stenberg (6 Nov 2014)
- curl.1: show zone index use in a URL

Steve Holme (6 Nov 2014)
- http_digest: Fixed auth retry loop when SSPI based authentication fails

- http_digest: Reworked the SSPI based input token storage

  Reworked the input token (challenge message) storage as what is passed to the buf and desc in the response generation are typically blobs of data rather than strings, so this is more in keeping with other areas of the SSPI code, such as the NTLM message functions.

- sasl_sspi: Fixed compilation warning from commit 2d2a62e3d9

  Added void reference to unused 'data' parameter back to fix compilation warning.

- sspi: Align definition values to even columns as we use 2 char spacing

- sspi: Fixed missing definition of ISC_REQ_USE_HTTP_STYLE

  Some versions of Microsoft's sspi.h don't define this.

- sasl: Removed non-SSPI Digest functions and defines from SSPI based builds

  Introduced in commit 7e6d51a73c these functions and definitions are only required by the internal challenge-response functions now.

- sasl_sspi: Added HTTP digest response generation code

- http_digest: Added SSPI based challenge decoding code

- http_digest: Added SSPI based clean-up code

- http_digest: Added SSPI based authentication functions

  This temporarily breaks HTTP digest authentication in SSPI based builds, causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will resume normal operation.

- http_digest: Added required SSPI based variables to digest structure

Daniel Stenberg (6 Nov 2014)
- [Frank Gevaerts brought this change]

  contributors.sh: --releasenotes reads in names from RELEASE-NOTES

  This is very handy when updating the RELEASE-NOTES as then we sometimes have names added manually in the existing list and we use this script to update the set.

- RELEASE-NOTES: synced with 68542e72a9

- curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY

  Reported-by: Christian Hägele
  Bug: http://curl.haxx.se/mail/lib-2014-11/0078.html

Steve Holme (5 Nov 2014)
- build: Fixed Visual Studio project file generation of strdup.[c|h]

  As the curl command-line tool now includes its own version of strdup(), for platforms that don't have it, fixed up the git repository Visual Studio project file generator to not include the version from lib in the tool project files, rather than having both lib\strdup.[c|h] and src\tool_strdup.[c|h] present.

Daniel Stenberg (5 Nov 2014)
- tool_strdup.c: include the tool strdup.h

  ... not the lib/ one that the tool no longer uses!

- THANKS-filter: added another Michał Górny version we've used

- contributors.sh: split lists using " and "

  ... and require the space after the filtering to make the filter able to remove names.

Steve Holme (5 Nov 2014)
- http_digest: Fixed memory leaks from commit 6f8d8131b1

- sasl: Fixed compilation warning from commit 25264131e2

  Added forward declaration of digestdata to overcome the following compilation warning:

  warning: 'struct digestdata' declared inside parameter list

  Additionally made the ntlmdata forward declaration dependent on USE_NTLM similar to how digestdata and kerberosdata are.

- sasl: Fixed HTTP digest challenges with spaces between auth parameters

  Broken as part of the rework, in commit 7e6d51a73c, to assist with the addition of HTTP digest via Windows SSPI.

- http_digest: Fixed compilation errors from commit 6f8d8131b1

  error: invalid operands to binary
  warning: pointer targets in assignment differ in signedness

- http_digest: Moved response generation into SASL module

- http_digest: Moved challenge decoding into SASL module

- http_digest: Moved clean-up function into SASL module

- http_digest: Moved algorithm definitions to SASL module

- [Gisle Vanem brought this change]

  ssh: Fixed build on platforms where R_OK is not defined

  Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html
  Reported-by: Jan Ehrhardt

- strdup: Removed irrelevant comment

  ...as Curl_memdup() duplicates an area of fixed size memory, that may be binary, and not a null terminated string.

- url.c: Fixed compilation warning

  conversion from 'curl_off_t' to 'size_t', possible loss of data

- http_digest: Use CURLcode instead of CURLdigest

  To provide consistent behaviour between the various HTTP authentication functions use CURLcode based error codes for Curl_input_digest() especially as the calling code doesn't use the specific error code just that it failed.

Daniel Stenberg (5 Nov 2014)
- contributors.sh: filter common alternative name spellings

  docs/THANKS-filter is a new filter file for converting contributor names we get or have recorded in alternative formats to the one we already use in THANKS.
  To help us show individual contributors using a single presentation of their names.

- THANKS: added missing contributor from 2012

- [Frank Gevaerts brought this change]

  Remove duplicate names.

  The removed names also appear as: Andrés García, François Charlier, Gökhan Şengün, Michał Górny, Sébastien Willemijns, Christopher Conroy, John E. Malmberg, Luca Altea, Peter Su, S. Moonesamy, Samuel Listopad, Yasuharu Yamada, Karl Moerder

Steve Holme (5 Nov 2014)
- sspi: Define authentication package name constants

  These were previously hard coded, and whilst defined in security.h, they may or may not be present in old header files given that these defines were never used in the original code.

  Not only that, but there appears to be some ambiguity between the ANSI and UNICODE NTLM definition name in security.h.

Patrick Monnerat (5 Nov 2014)
- Adjust OS400-specific support to last release

Daniel Stenberg (5 Nov 2014)
- THANKS: added two missing names and removed a duplicate

  ./contributors.sh found these extra ones that somehow had fallen through the cracks and never gotten added here.

  Reported-by: Frank Gevaerts

- bump: towards next release

- THANKS: added names from 7.39.0 release notes

Version 7.39.0 (5 Nov 2014)

Daniel Stenberg (5 Nov 2014)
- RELEASE-NOTES: 7.39.0 release (commit b3875606925)

- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds

  When duplicating a handle, the data to post was duplicated using strdup() when it could be binary and contain zeroes and it was not even zero terminated! This caused read out of bounds crashes/segfaults.

  Since the lib/strdup.c file no longer is easily shared with the curl tool with this change, it now uses its own version instead.

  Bug: http://curl.haxx.se/docs/adv_20141105.html
  CVE: CVE-2014-3707
  Reported-By: Symeon Paraschoudis

- lib544.c: use duphandle for test 545

  To verify that curl_easy_duphandle() works fine on a handle that has gotten data stored with *_COPYPOSTFIELDS.

- tests: add new feature 'SSLpinning' ...
  and make test 2034 and 2035 require it, and have it set when built with OpenSSL or GnuTLS.

- buildconf: update copyright year

Steve Holme (4 Nov 2014)
- INSTALL: Consistent spacing in section headings, paragraphs and examples

Daniel Stenberg (4 Nov 2014)
- buildconf: stop checking for libtool

  As we only use libtoolize, only check for that!

Steve Holme (4 Nov 2014)
- INSTALL: Corrected MIT Kerberos and Heimdal package names

- README: Corrected inconsistent use of --help

- INSTALL: Use GSS-API rather than GSSAPI

  As implementations are referred to as GSS-API libraries as per the RFC and GSSAPI typically refers to the SASL authentication mechanism.

  ...and minor rewording on the same paragraph.

- README: Added note about using Visual Studio projects out of git repository

Daniel Stenberg (4 Nov 2014)
- [K. R. Walker brought this change]

  cmake: fix ZLIB_INCLUDE_DIRS use

  CMake 2.8's FindZLIB.cmake documents ZLIB_INCLUDE_DIRS, see http://www.cmake.org/cmake/help/v2.8.0/cmake.html#module:FindZLIB

  Bug: https://github.com/bagder/curl/pull/123

- [Jay Satiro brought this change]

  SSL: PolarSSL default min SSL version TLS 1.0

  - Prior to this change no SSL minimum version was set by default at runtime for PolarSSL. Therefore in most cases PolarSSL would probably have defaulted to a minimum version of SSLv3 which is no longer secure.

- opts-Makefile: put more man pages into dist and make html+pdf

- curl_multi_setopt.3: refer to stand-alone pages

  ... instead of duplicating info.

- opts: more multi options as stand-alone man pages

- Makefile.am: two cmake files are gone

  8cb010144 removed the CurlCheckCSourceCompiles.cmake and CurlCheckCSourceRuns.cmake files

- opts: made stand-alone man-pages for several multi options

- [Carlo Wood brought this change]

  Curl_single_getsock: fix hold/pause sock handling

  The previous condition that checked if the socket was marked as readable when also adding a writable one, was incorrect and didn't take the pause bits properly into account.
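
The 7.39.0 entry "curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds" (CVE-2014-3707) earlier in this log describes a length-delimited buffer being copied with a string function. The C sketch below is an added illustration, not curl's code: `post_body`, `copy_as_string`, `copy_as_bytes` and `safe_to_send` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical private copy of a POST body, as a handle might keep it. */
struct post_body {
  unsigned char *data;  /* owned copy */
  size_t size;          /* length the caller declared */
  size_t allocated;     /* bytes that really back 'data' */
};

/* Constructed sample: a 10-byte binary body with a zero byte at offset 3
   and no terminating zero at the end. */
static const unsigned char SAMPLE[10] = {
  'i', 'd', '=', 0x00, 0x01, 0xff, '&', 'x', '=', '1'
};

/* Flawed pattern: duplicate the body the way strdup() would. The copy ends
   at the first zero byte, yet 'size' still carries the declared length.
   If the source held no zero byte at all, strlen() itself would already
   run past the buffer; SAMPLE contains one so this demo stays defined. */
static int copy_as_string(struct post_body *dst, const void *src, size_t size)
{
  size_t len = strlen((const char *)src);
  dst->data = malloc(len + 1);
  if(!dst->data)
    return -1;
  memcpy(dst->data, src, len + 1);
  dst->size = size;
  dst->allocated = len + 1;
  return 0;
}

/* Length-based pattern: copy exactly 'size' bytes and never search for a
   terminator, so binary content and unterminated input are both fine. */
static int copy_as_bytes(struct post_body *dst, const void *src, size_t size)
{
  dst->allocated = size ? size : 1;
  dst->data = malloc(dst->allocated);
  if(!dst->data)
    return -1;
  if(size)
    memcpy(dst->data, src, size);
  dst->size = size;
  return 0;
}

/* A sender that writes 'size' bytes from 'data' stays in bounds only if
   the allocation covers the declared length. */
static int safe_to_send(const struct post_body *b)
{
  return b->data != NULL && b->size <= b->allocated;
}

int main(void)
{
  struct post_body s, b;
  if(copy_as_string(&s, SAMPLE, sizeof(SAMPLE)) ||
     copy_as_bytes(&b, SAMPLE, sizeof(SAMPLE)))
    return 1;
  printf("string copy: declared %lu, backed %lu, safe=%d\n",
         (unsigned long)s.size, (unsigned long)s.allocated, safe_to_send(&s));
  printf("byte copy:   declared %lu, backed %lu, safe=%d\n",
         (unsigned long)b.size, (unsigned long)b.allocated, safe_to_send(&b));
  free(s.data);
  free(b.data);
  return 0;
}
```

The string-style copy keeps only 4 of the 10 declared bytes, so any later read of `size` bytes from it leaves the allocation; the byte-style copy is identical to the input.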

- [Peter Wu brought this change]

  cmake: fix struct sockaddr_storage check

  CHECK_TYPE_SIZE_PREINCLUDE is an internal, undocumented variable which was removed in cmake 2.8.1. According to the MSDN docs[1], inclusion of winsock2.h is sufficient. WIN32_LEAN_AND_MEAN does not really seem to affect the tests, so remove it too[2].

  For the non-windows case, remove inet headers as POSIX only requires sys/socket.h.

  [1]: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740504%28v=vs.85%29.aspx
  [2]: http://stackoverflow.com/questions/11040133/what-does-defining-win32-lean-and-mean-exclude-exactly

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: clean OtherTests, fixing -Werror

  There were several -Wunused warnings and one duplicate macro definition. The EXTRA_DEFINES variable of the CurlCheckCSources macro was being abused ("__unused1\n#undef inline\n#define __unused2", seriously?) to insert extra C code. Avoid this broken abstraction and use cmake's check_c_source_compiles directly (works fine with CMake 2.8, maybe even cmake 2.6).

  After cleaning up all related variables (EXTRA_DEFINES, HEADER_INCLUDES, auxiliary headers_hack), also remove a duplicate add_headers_include macro and remove duplicate header additions before the struct timeval check.

  Oh, and now the code is converted to use CheckCSourceRuns and CheckCSourceCompiles, the two curl-specific helpers can be removed.

  Unfortunately, the cmake output is now slightly more verbose. Before:

    Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test)
    Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test) - Failed

  Since check_c_source_compiles prints the varname, now you see:

    Performing Test curl_cv_func_send_test
    Performing Test curl_cv_func_send_test - Failed
    Tested: int send(int, const void *, size_t, int)

  Compared cmake output with each other using vimdiff, no functional differences were found. Tested with GCC 4.9.1 and Clang 3.5.0.
  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: fix gethostby{addr,name}_r in CurlTests

  This patch cleans up the automatically-generated (?) code and fixes one case that will always fail due to syntax error.

  HAVE_GETHOSTBYADDR_R_5_REENTRANT always failed because of a trailing character ("int length;q"). Several parameter type and unused variable warnings popped up. This causes a detection failure with -Werror.

  Observe that the REENTRANT cases are exactly the same as their non-REENTRANT cases except for a `_REENTRANT` macro definition. Merge all these pieces and build one big main function with different cases, but reusing variables where logical.

  For the cases where the parameters were NULL, I looked at lib/hostip4.c to get an idea of the parameters types.

  void-cast variables such as 'rc' to avoid -Wuninitialized errors.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: drop _BSD_SOURCE macro usage

  autotools does not use features.h nor _BSD_SOURCE. As this macro triggers warnings since glibc 2.20, remove it. It should not have functional differences.

  Signed-off-by: Peter Wu

Steve Holme (2 Nov 2014)
- RELEASE-NOTES: Synced with d71ea7c01e

  Additionally, updated "GSSAPI" to "GSS-API" for a Cmake related change as GSSAPI can be confused with the authentication mechanism rather than a GSS-API implementation library such as MIT or Heimdal.

- build: Added WinIDN build configuration options

  Added support for WinIDN build configurations to the VC6 project files.

- build: Added WinIDN build configuration options

  Added support for WinIDN build configurations to the VC7 and VC7.1 project files.

- build: Fixed the pre-processor separator in Visual Studio project files

  A left over from the VC6 project files, so mainly cosmetic in Visual Studio .NET as it can handle both comma and semi-colon characters for separating multiple pre-processor definitions.
  However, the IDE uses semi-colons if the value is edited, and as such, this may cause problems in future for anyone updating the files or merging patches.

  Used the Visual Studio IDE to correct the separator character.

- build: Added optional specific version generation of VC project files

  ..when working from the git repository.

  This is particularly useful for single development environments where the project files for all supported versions of Visual Studio may not be required.

- [Jay Satiro brought this change]

  build-openssl.bat: Fix x64 release build

  Prior to this change if x64 release was specified a failed attempt was made to build x86 release instead.

- CURLOPT_XOAUTH2_BEARER.3: Corrected the OAuth version number

- CURLOPT_SASL_IR.3: Added supported mechanism information

  ...and removed duplication of what protocols are supported from the description text.

- opts: Use common wording for MAIL related names

- opts: Use common wording for TLS user/password option names

  ...and revised the proxy wording a little as well.

- CURLOPT_MAXCONNECTS.3: Reworked the description to be less confusing

  ...and corrected a related typo in curl_easy_setopt.3.

Guenter Knauf (2 Nov 2014)
- RELEASE-NOTES: removed obsolete entry; fixed entry.

Steve Holme (2 Nov 2014)
- RELEASE-NOTES: Synced with e7da67f5d3

- docs: Added mention of Kerberos for CURL_VERSION_SSPI

  As this has been present for SOCKSv5 proxy since v7.19.4 and for IMAP, POP3 and SMTP authentication since v7.38.0.

- CURL_VERSION_KERBEROS4: Mark as deprecated

  Support for Kerberos V4 was removed in v7.33.0.

- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used

  Typically the USE_WINDOWS_SSPI definition would not be used when the CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication data structures and functions would incorrectly be used when they shouldn't be.
  Introduced a new USE_KRB5 definition that takes into account the use of CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.

- openssl: Use 'CURLcode result'

  More CURLcode fixes.

Daniel Stenberg (1 Nov 2014)
- resume: consider a resume from [content-length] to be OK

  Basically since servers often then don't respond well to this and instead send the full contents and then libcurl would instead error out with the assumption that the server doesn't support resume. As the data is then already transferred, this is now considered fine.

  Test case 1434 added to verify this. Test case 1042 slightly modified.

  Reported-by: hugo
  Bug: http://curl.haxx.se/bug/view.cgi?id=1443

Steve Holme (1 Nov 2014)
- openssl: Use 'CURLcode result'

  More standardisation of CURLcode usage and coding style.

- openssl: Use 'CURLcode result'

  ...and some minor code style changes.

- ftplistparser: We prefer 'CURLcode result'

- opts: Use common wording for user/password option names

- CURLOPT_CONNECT_ONLY.3: Removed "This option is implemented for..." text

  As this is covered by the PROTOCOLS section and saves having to update two parts of the document with the same information in future.

- CURLOPT_GSSAPI_DELEGATION.3: Use GSS-API rather than GSSAPI

  As implementations are referred to as GSS-API libraries as per the RFC and GSSAPI typically refers to an authentication mechanism.

- CURLOPT_CONNECT_ONLY.3: Fixed incomplete protocol list

  Added missing IMAP to the protocol list.

- code cleanup: Use 'CURLcode result'

- curl_easy_setopt.3: Fixed lots of typos

- curl_easy_setopt.3: Moved CURLOPT_DIRLISTONLY into PROTOCOL OPTIONS

  ...as this option affects more than just FTP.

Guenter Knauf (30 Oct 2014)
- build: added Watcom support to build with WinSSL.

Daniel Stenberg (30 Oct 2014)
- CURLOPT_PINNEDPUBLICKEY.3: added details

Steve Holme (30 Oct 2014)
- CURLOPT_CUSTOMREQUEST.3: Fixed incomplete protocol list

  Whilst the description included information about SMTP, the protocol list only showed "TTP, FTP, IMAP, POP3".

- CURLOPT_DIRLISTONLY.3: Added information about the usage in POP3

Daniel Stenberg (29 Oct 2014)
- openssl: enable NPN separately from ALPN

  ... and allow building with nghttp2 but completely without NPN and ALPN, as nghttp2 can still be used for plain-text HTTP.

  Reported-by: Lucas Pardue

- configure.ac: remove checks for OpenSSL NPN/ALPN funcs again

  ... since the conditionals in the code are now based on OpenSSL versions instead to better support non-configure builds.

- opts: added some "SEE ALSO" references

Steve Holme (29 Oct 2014)
- RELEASE-NOTES: Synced with 32913182dc

- vtls.c: Fixed compilation warning

  conversion from 'size_t' to 'unsigned int', possible loss of data

- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure

  Return a more appropriate error, rather than CURLE_OUT_OF_MEMORY when acquiring the credentials handle fails. This is then consistent with the code prior to commit f7e24683c4 when log-in credentials were empty.

- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials

  Fixed the ability to use the current log-in credentials with DIGEST-MD5. I had previously disabled this functionality in commit 607883f13c as I couldn't get this to work under Windows 8, however, from testing HTTP Digest authentication through Windows SSPI and then further testing of this code I have found it works in Windows 7.

  Some further investigation is required to see what the differences are between Windows 7 and 8, but for now enable this functionality as the code will return an error when AcquireCredentialsHandle() fails.

Kamil Dudka (29 Oct 2014)
- transfer: drop the code handling the ssl_connect_retry flag

  Its last use has been removed by the previous commit.

- nss: drop the code for libcurl-level downgrade to SSLv3

  This code was already deactivated by commit ec783dc142129d3860e542b443caaa78a6172d56.

- openssl: fix a line length warning

Guenter Knauf (29 Oct 2014)
- Added NetWare support to build with nghttp2.

- Fixed error message since we require ALPN support.

- Check for ALPN via OpenSSL version number.

  This check works also with non-configure platforms.

Steve Holme (28 Oct 2014)
- sasl_sspi: Fixed typo in comment

- code cleanup: We prefer 'CURLcode result'

Daniel Stenberg (28 Oct 2014)
- TODO: consider supporting STAT

- mk-ca-bundle: spell fix "version"

- HTTP: return larger than 3 digit response codes too

  HTTP 1.1 is clearly specified to only allow three digit response codes, and libcurl used sscanf("%3d") for that purpose. This made libcurl support smaller numbers but not larger. It does now, but we will not make any specific promises nor document this further since it is going outside of what HTTP is.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1441
  Reported-by: Balaji

- src/: remove version.h.dist from gitignore

  It has not been used since commit f7bfdbab in 2011

Steve Holme (26 Oct 2014)
- ntlm: We prefer 'CURLcode result'

  Continuing commit 0eb3d15ccb more return code variable name changes.

Guenter Knauf (26 Oct 2014)
- Cosmetics: lowercase non-special subroutine names.

Steve Holme (26 Oct 2014)
- RELEASE-NOTES: Synced with 07ac29a058

- http_negotiate: We prefer 'CURLcode result'

  Continuing commit 0eb3d15ccb more return code variable name changes.

- http_negotiate: Fixed missing check for USE_SPNEGO

- sspi: Synchronization of cleanup code between auth mechanisms

- sspi: Renamed max token length variables

  Code cleanup to try and synchronise code between the different SSPI based authentication mechanisms.

- sspi: Renamed expiry time stamp variables

  Code cleanup to try and synchronise code between the different SSPI based authentication mechanisms.
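
The "HTTP: return larger than 3 digit response codes too" entry above says that `sscanf("%3d")` accepted shorter codes but not longer ones. The C sketch below is an added illustration, not libcurl's parser: `status_3digit`, `status_full` and `is_http11_code` are hypothetical names and the status lines are constructed. It shows how a width-limited read silently turns an out-of-spec code into a plausible one, next to a parser that reads the whole number so the caller can reject it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Width-limited read: "%3d" consumes at most three digits, so whatever
   follows the third digit is left unread and never checked. */
static int status_3digit(const char *line)
{
  int major, minor, code;
  if(sscanf(line, "HTTP/%d.%d %3d", &major, &minor, &code) != 3)
    return -1;
  return code;
}

/* Whole-token read: take every digit of the status code, refuse a token
   that is not purely numeric or is absurdly long, and hand the real value
   back to the caller. Returns -1 on a malformed line. */
static long status_full(const char *line)
{
  const char *p = strchr(line, ' ');
  long code = 0;
  int digits = 0;

  if(strncmp(line, "HTTP/", 5) != 0 || !p)
    return -1;
  while(*p == ' ')
    p++;
  while(isdigit((unsigned char)*p)) {
    if(digits == 9)            /* cap the length instead of overflowing */
      return -1;
    code = code * 10 + (*p - '0');
    digits++;
    p++;
  }
  if(!digits)
    return -1;
  if(*p != ' ' && *p != '\0' && *p != '\r' && *p != '\n')
    return -1;                 /* e.g. "20x": digits followed by junk */
  return code;
}

/* HTTP/1.1 status codes are exactly three digits. */
static int is_http11_code(long code)
{
  return code >= 100 && code <= 999;
}

int main(void)
{
  /* Constructed status lines, not captured traffic. */
  static const char *lines[] = {
    "HTTP/1.1 404 Not Found",
    "HTTP/1.1 2000 OK",
    "HTTP/1.1 99 Odd",
    "HTTP/1.1 20x OK"
  };
  size_t i;
  for(i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
    long full = status_full(lines[i]);
    printf("%-24s %%3d=%d full=%ld in-spec=%d\n", lines[i],
           status_3digit(lines[i]), full, is_http11_code(full));
  }
  return 0;
}
```

With the width-limited read, "2000" is reported as 200 and "20x" as 20; the whole-token read reports 2000 and an error, which lets the caller decide how to treat a response that is outside HTTP/1.1.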

- sspi: Only call CompleteAuthToken() when complete is needed

  Don't call CompleteAuthToken() after InitializeSecurityContext() has returned SEC_I_CONTINUE_NEEDED as this return code only indicates the function should be called again after receiving a response back from the server.

  This only affected the Digest and NTLM authentication code.

Dan Fandrich (26 Oct 2014)
- Added the "flaky" keyword to a number of tests

  Each shows evidence of flakiness on at least one platform on the autobuilds. Users can use this keyword to skip these tests if desired.

Steve Holme (26 Oct 2014)
- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()

  For consistency with other areas of the NTLM code propagate all errors from Curl_ntlm_core_mk_nt_hash() up the call stack rather than just CURLE_OUT_OF_MEMORY.

- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()

- ntlm: Use 'CURLcode result'

  Continuing commit 0eb3d15ccb more return code variable name changes.

- ntlm: Only define ntlm data structure when USE_NTLM is defined

- ntlm: Changed handles to be dynamic like other SSPI handles

  Code cleanup to try and synchronise code between the different SSPI based authentication mechanisms.

- ntlm: Renamed handle variables to match other SSPI structures

  Code cleanup to try and synchronise code between the different SSPI based authentication mechanisms.

- ntlm: Renamed SSPI based input token variables

  Code cleanup to try and synchronise code between the different SSPI based authentication mechanisms.

- ntlm: We prefer 'CURLcode result'

  Continuing commit 0eb3d15ccb more return code variable name changes.

- build: Added WinIDN build configuration options

  Added support for WinIDN build configurations to the VC8 and VC9 project files.

Nick Zitzmann (24 Oct 2014)
- darwinssl: detect possible future removal of SSLv3 from the framework

  If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.

Patrick Monnerat (24 Oct 2014)
- gskit.c: remove SSLv3 from SSL default.

- gskit.c: use 'CURLcode result'

Daniel Stenberg (24 Oct 2014)
- [Jay Satiro brought this change]

  SSL: Remove SSLv3 from SSL default due to POODLE attack

  - Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, openssl effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x.

  - Update CURLOPT_SSLVERSION doc

- pipelining: only output "is not blacklisted" in debug builds

- *.3: add/extend "SEE ALSO" sections

- curl_easy_pause.3: minor wording edit

- curl_getdate.3: provide a "SEE ALSO" section

- curl_global_init.3: minor formatting fix, add version info

- url.c: use 'CURLcode result'

- code cleanup: we prefer 'CURLcode result'

  ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow.

  Also, unify code for checking for CURLcode errors with:

    if(result) or if(!result)

  instead of

    if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)

- Curl_add_timecondition: skip superfluous variable assignment

  Detected by cppcheck.

- Curl_pp_flushsend: skip superfluous assignment

  Detected by cppcheck.

- Curl_pp_readresp: remove superfluous assignment

  Variable already assigned a few lines up.

  Detected by cppcheck.

- Curl_proxyCONNECT: remove superfluous statement

  The variable is already assigned, skip the duplicate assignment.

  Pointed out by cppcheck.

Guenter Knauf (24 Oct 2014)
- Added MinGW support to build with nghttp2.

- Added VC ssh2 target to main Makefile.

- Some cosmetics and simplifies.

- Remove dependency on openssl and cut.

  Prefer usage of Perl modules for sha1 calculation since there might be systems where openssl is not installed or not in path. If openssl is used for sha1 calculation then don't rely on cut since it is usually not available on other systems than Linux.

Daniel Stenberg (23 Oct 2014)
- RELEASE-NOTES: synced with e116d0a62

- CURLOPT_RESOLVE.3: add an example

- gnutls: removed dead code

  Bug: http://curl.haxx.se/bug/view.cgi?id=1437
  Reported-by: Julien

- Curl_rand: Uninitialized variable: r

  This is not actually used uninitialized but we silence warnings.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1437
  Reported-by: Julien

- opts: provide more and updated examples

- CURLOPT_RANGE.3: works for SFTP as well

  ... and added a small example

- curl.1: edited for clarity

- CURLOPT_SSLVERSION.3: provide an example

- docs/libcurl/ABI: more markdown friendly

- docs: edited lots of libcurl docs for clarity

- opts: added examples

- HISTORY: two glimpses in 2014

Kamil Dudka (20 Oct 2014)
- nss: reset SSL handshake state machine

  ... when the handshake succeeds

  This fixes a connection failure when FTPS handle is reused.

Daniel Stenberg (20 Oct 2014)
- [Peter Wu brought this change]

  cmake: generate pkg-config and curl-config

  Initial work to generate a pkg-config and curl-config script. Static linking (`curl-config --static-libs` and `pkg-config --shared --libs libcurl`) is broken and therefore disabled.

  CONFIGURE_OPTIONS does not make sense for CMake, use an empty string for now.

  At least `curl-config --features` and `curl-config --protocols` work which is needed by runtests.pl.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: use LIBCURL_VERSION from curlver.h

  This matches the behavior from autotools. The auxiliary major, minor and patch components are not needed anymore and therefore removed.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS

  For compatibility with autoconf, it will be used later for curl-config and pkg-config. Not all features and or protocols can be enabled as these are missing additional checks (see new TODOs).

  SUPPORT_PROTOCOLS is partially scripted (grep for SUPPORT_PROTOCOLS=) and manually verified/modified. SUPPORT_FEATURES is manually added.
  Signed-off-by: Peter Wu

- cmake: add CMake/Macros.cmake to the release tarball

- test545: make it not use a trailing zero

  CURLOPT_COPYPOSTFIELDS with a given CURLOPT_POSTFIELDSIZE does not require a trailing zero of the data and by making sure this test doesn't use one we know it works (combined with valgrind).

Steve Holme (16 Oct 2014)
- ntlm: Fixed empty type-2 decoded message info text

  Updated the info text when the base-64 decode of the type-2 message returns a null buffer to be more specific.

- ntlm: Fixed empty/bad base-64 decoded buffer return codes

- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token

Daniel Stenberg (16 Oct 2014)
- httpcustomheader.c: make use of more CURLOPT_HTTPHEADER features

  ... and only do a single request for clarity.

Steve Holme (15 Oct 2014)
- sasl_sspi: Fixed some typos

- sasl_sspi: Fixed Kerberos response buffer not being allocated when using SSO

Daniel Stenberg (15 Oct 2014)
- [Bruno Thomsen brought this change]

  mk-ca-bundle: added SHA-384 signature algorithm

  Certificates based on SHA-1 are being phased out[1]. So we should expect a rise in certificates based on SHA-2. Adding SHA-384 as a valid signature algorithm.

  [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

  Signed-off-by: Bruno Thomsen

Patrick Monnerat (14 Oct 2014)
- OS400: fix bugs in curl_*escape_ccsid() and reduce variables scope

- Implement pinned public key in GSKit backend

Daniel Stenberg (14 Oct 2014)
- CURLOPT_TLSAUTH_*.3: fix reference typos

- cleanups: reduce variable scope

  cppcheck pointed these out.

- singleipconnect: remove dead assignment never used

  cppcheck pointed this out.

- pinning: minor code style policing

Patrick Monnerat (13 Oct 2014)
- Factorize pinned public key code into generic file handling and backend specific

- vtls: remove QsoSSL

- gskit: supply dummy randomization function

- vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementation

Daniel Stenberg (13 Oct 2014)
- [Peter Wu brought this change]

  tests: move TESTCASES to Makefile.inc, add show for cmake

  This change allows runtests.pl to be run from the CMake builddir:

    export srcdir=/tmp/curl/tests; perl -I$srcdir $srcdir/runtests.pl -l

  In order to make this possible, all test cases have been moved from Makefile.am to Makefile.inc.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: enable IPv6 by default if available

  ENABLE_IPV6 depends on HAVE_GETADDRINFO or you will get a Curl_getaddrinfo_ex error. Enable IPv6 by default, disabling it if struct sockaddr_in6 is not found in netinet/in.h.

  Note that HAVE_GETADDRINFO_THREADSAFE is still not set as it needs more platform checks even though POSIX requires a thread-safe getaddrinfo.

  Verified on Arch Linux x86_64 with glibc 2.20-2 and Linux 3.16-rc7.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  cmake: build tool_hugehelp (ENABLE_MANUAL)

  Rather than always outputting an empty manual page for the '-M' option, generate a full manual page as done by autotools.

  For simplicity in CMake, always generate the gzipped page as it will not be used anyway when zlib is not available.

  Signed-off-by: Peter Wu

- [Peter Wu brought this change]

  tests/http_pipe.py: Python 3 support

  The 2to3 tool converted socketserver (which I manually fixed up with an import fallback) and the print(e) line.

  The xrange option was converted to range, but it seems better to use the '*' operator here for simplicity.

  Signed-off-by: Peter Wu

- SECURITY: slightly nicer markdown format

- RELEASE-PROCEDURE: better markdown, more content

- RELEASE-NOTES: synced with 6637b237e6eb

  ... and bumped the planned release version.

- vtls: have vtls.h include the backend header files

  It turned out some features were not enabled in the build since for example url.c #ifdefs on features that are defined on a per-backend basis but vtls.h didn't include the backend headers.

  CURLOPT_CERTINFO was one such feature that was accidentally disabled.

- test2036: verify -O with no slash at all in the URL

  Similar to test 76 but that test's URL has a slash just no file name part.

- get_url_file_name: make no slash equal empty string

- get_url_file_name: never return a NULL string *and* OK

  Change 987a4a73 assumes that as it simplifies life in the calling function.

  Reported-by: Fabian Keil

- [Jakub Zakrzewski brought this change]

  Cmake: Build with GSSAPI (MIT or Heimdal)

  It tries hard to recognise SDK's on different platforms. On windows MIT Kerberos installs SDK with other things and puts path into registry. Heimdal have separate zip archive. On linux pkg-config is tried, then krb5-config script and finally old-style libs and headers detection.

  Command line args:
  * CMAKE_USE_GSSAPI - enables GSSAPI detection
  * GSS_ROOT_DIR - if set, should point to the root of GSSAPI installation (the one with include and lib directories)

- [Jakub Zakrzewski brought this change]

  Cmake: Got rid of setup_curl_dependencies

  There is no need for such function. Include_directories propagate by themselves and having a function with one simple link statement makes little sense.

- [Jakub Zakrzewski brought this change]

  Cmake: Avoid cycle directory dependencies.

  Because we prepended libraries to list, CMake had troubles resolving link directory order as it detected some cycles. Appending to list ensures that dependencies will precede dependees.

- [Jakub Zakrzewski brought this change]

  Cmake: Fix library list provided to cURL tests.

  The list must be set after those nice CMake tests as we mess with CMAKE_REQUIRED_LIBRARIES there.

- [Jakub Zakrzewski brought this change]

  Cmake: Check for OpenSSL before OpenLDAP.

  OpenLDAP might have been built with OpenSSL. Checking for OpenLDAP first may result in undefined symbols. Of course, the found OpenSSL libraries must also be linked whenever OpenLDAP is.

- curl_multi_fdset.3: improved the formatting slightly

- curl_multi_fdset: explain the fd_set arguments

Kamil Dudka (8 Oct 2014)
- nss: do not fail if a CRL is already cached

  This fixes a copy-paste mistake from commit 2968f957.

Patrick Monnerat (8 Oct 2014)
- OS400: upgrade interface for pinned public key (no implementation yet)

Daniel Stenberg (8 Oct 2014)
- FormAdd: precaution against memdup() of NULL pointer

  Coverity CID 252518. This function is in general far too complicated for its own good and really should be broken down into several smaller functions instead - but I'm adding this protection here now since it seems there's a risk the code flow can end up here and dereference a NULL pointer.

- operate: avoid NULL dereference

  Coverity CID 1241948. dumpeasysrc() would get called with config->current set to NULL which could be dereferenced by a warnf() call.

- do_sec_send: remove dead code

  Coverity CID 1241951. The condition 'len >= 0' would always be true at that point and thus not necessary to check for.

- krb5_encode: remove unused argument

  Coverity CID 1241957. Removed the unused argument. As this struct and pointer now are used only for krb5, there's no need to keep unused function arguments around.

- operate_do: skip superfluous check for NULL pointer

  Coverity CID 1243583. get_url_file_name() cannot fail and return a NULL file name pointer so skip the check for that - it tricks coverity into believing it can happen and it then warns later on when we use 'outfile' without checking for NULL.

- curl_easy_getinfo.3: spell-fix

  Reported-By: Luan Cestari

- [moparisthebest brought this change]

  GnuTLS: Implement public key pinning

- [moparisthebest brought this change]

  SSL: implement public key pinning

  Option --pinnedpubkey takes a path to a public key in DER format and only connects if it matches (currently only implemented with OpenSSL).

  Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().

  Extract a public RSA key from a website like so:

      openssl s_client -connect google.com:443 2>&1 < /dev/null | \
      sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
      | openssl rsa -pubin -outform DER > google.com.der

- multi_runsingle: fix possible memory leak

  Coverity CID 1202837. 'newurl' can in fact be allocated even when Curl_retry_request() returns failure so free it if need be.

- ares::Curl_resolver_cancel: skip checking for NULL conn

  Coverity CID 1243581. 'conn' will never be NULL here, and if it would be the subsequent statement would dereference it!

- parseconfig: skip a NULL check

  Coverity CID 1154198. This NULL check implies that the pointer _can_ be NULL at this point, which it can't. Thus it is dead code. It tricks static analyzers to warn about dereferencing the pointer since the code seems to imply it can be NULL.

- [Waldek Kozba brought this change]

  multi-uv.c: call curl_multi_info_read() better

  Improves it for low-latency cases (like the communication with localhost)

- tool_go_sleep: use (void) to spell out we ignore the return value

  Coverity CID 1222080.

- ssh_statemach_act: split out assignment from check

  just a minor code style thing to make the code clearer

Marc Hoersken (4 Oct 2014)
- curl_schannel.c: Fixed possible memory or handle leak

  First try to fix possible memory leaks, in this case: Only connssl->ctxt xor connssl->cred being initialized.

Daniel Stenberg (4 Oct 2014)
- getparameter: remove dead code

  Coverity CID 1061126. 'parse' will always be non-NULL here.

- getparameter: comment a switch FALLTHROUGH

  Coverity CID 1061118.
  Point out that it is on purpose.

- choose_mech: fix return code

  Coverity CID 1241950. The pointer is never NULL but it might point to NULL.

- Curl_sec_read_msg: spell out that we ignore return code

  Coverity CID 1241947. Since if sscanf() fails, the previously set value remains set.

- nonblock: call with (void) to show we ignore the return code

  Coverity pointed out several of these.

- parse_proxy: remove dead code.

  Coverity CID 982331.

- Curl_debug: document switch fallthroughs

- curl_multi_remove_handle: remove dead code

  Coverity CID 1157776. Removed a superfluous if() that always evaluated true (and an else clause that never ran), and then re-indented the function accordingly.

- Curl_pipeline_server_blacklisted: handle a NULL server name

  Coverity CID 1215284. The server name is extracted with Curl_copy_header_value() and passed in to this function, and copy_header_value can actually fail and return NULL.

- ssh: comment "fallthrough" in switch statement

- [Jeremy Lin brought this change]

  ssh: improve key file search

  For private keys, use the first match from: user-specified key file (if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa

  Note that the previous code only looked for id_dsa files. id_rsa is now generally preferred, as it supports larger key sizes.

  For public keys, use the user-specified key file, if provided. Otherwise, try to extract the public key from the private key file. This means that passing --pubkey is typically no longer required, and makes the key-handling behavior more like OpenSSH.

- CURLOPT_HTTPHEADER.3: libcurl doesn't copy the whole list

- detect_proxy: fix possible single-byte memory leak

  Coverity CID 1202836. If the proxy environment variable returned an empty string, it would be leaked. While an empty string is not really a proxy, other logic in this function already allows a blank string to be returned so allow that here to avoid the leak.

- multi_runsingle: fix memory leak

  Coverity CID 1202837.
  There's a potential risk that 'newurl' gets overwritten when it was already pointing to allocated memory.

- pop3_perform_authentication: fix memory leak

  Coverity CID 1215287. There's a potential risk for a memory leak in here, and moving the free call to be unconditional seems like a cheap price to remove the risk.

- imap_perform_authentication: fix memory leak

  Coverity CID 1215296. There's a potential risk for a memory leak in here, and moving the free call to be unconditional seems like a cheap price to remove the risk.

- wait_or_timeout: return failure when Curl_poll() fails

  Coverity detected this. CID 1241954. When Curl_poll() returns a negative value 'mcode' was uninitialized. Pretty harmless since this is debug code only and would at worst cause an error to _not_ be returned...

- curl.1: mention quoting in the URL section

  and separate the example URLs with newlines

Steve Holme (30 Sep 2014)
- [Bill Nagel brought this change]

  smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error

  This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL appears to require the same pointer on a write that follows a retry (CURLE_AGAIN) as discussed here:

  http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr

Daniel Stenberg (30 Sep 2014)
- RELEASE-NOTES: synced with 53cbea22310f15

- file: reject paths using embedded %00

  Mostly because we use C strings and they end at a binary zero so we know we can't open a file name using an embedded binary zero.

  Reported-by: research@g0blin.co.uk

Dan Fandrich (26 Sep 2014)
- test506: Fixed a couple of memory leaks in test

Daniel Stenberg (25 Sep 2014)
- [Yousuke Kimoto brought this change]

  CURLOPT_COOKIELIST: Added "RELOAD" command

- [Michael Wallner brought this change]

  CURLOPT_POSTREDIR.3: Added availability for CURL_REDIR_POST_303

- threaded-resolver: revert Curl_expire_latest() switch

  The switch to using Curl_expire_latest() in commit cacdc27f52b was a mistake and was against the advice even mentioned in that commit. The comparison in asyn-thread.c:Curl_resolver_is_resolved() makes Curl_expire() the suitable function to use.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1426
  Reported-By: graysky

- libcurl docs: improvements all over

Steve Holme (19 Sep 2014)
- build: Added WinIDN build configuration options

  Added initial support for WinIDN build configurations to the VC10+ project files.

Daniel Stenberg (19 Sep 2014)
- tutorial: signals aren't used for the threaded resolver

- FAQ: update the pronunciation section

  As we weren't using the correct phonetic description and doing it correctly involves funny letters that I'm sure will cause problems for people in a text document so I instead rephrased it and link to a WAV file with a person actually saying 'curl'.

  Reported-By: Dimitar Boevski

- CURLOPT_COOKIE*: added more cross-references

- BINDINGS: add node-libcurl

  Reported-By: Jonathan Cardoso Machado
  URL: http://curl.haxx.se/mail/lib-2014-09/0102.html

- README.http2: updated to reflect current status

- formdata: removed unnecessary USE_SSLEAY use

- curlssl: make tls backend symbols use curlssl in the name

- url: let the backend decide CURLOPT_SSL_CTX_ support

  ... to further remove specific TLS backend knowledge from url.c

- vtls: have the backend tell if it supports CERTINFO

- [Catalin Patulea brought this change]

  configure: allow --with-ca-path with PolarSSL too

  Missed this in af45542c.

  Signed-off-by: Catalin Patulea

- CURLOPT_CAPATH: return failure if set without backend support

- [Tatsuhiro Tsujikawa brought this change]

  http2: Fix busy loop when EOF is encountered

  Previously we did not handle EOF from underlying transport socket and wrongly just returned error code CURL_AGAIN from http2_recv, which caused busy loop since socket has been closed. This patch adds the code to handle EOF situation and tells the upper layer that we got EOF.

Steve Holme (13 Sep 2014)
- build: Added batch wrapper to checksrc.pl

- RELEASE-NOTES: Synced with bd3df5ec6d

- [Marcel Raad brought this change]

  sasl_sspi: Fixed Unicode build

  Bug: http://curl.haxx.se/bug/view.cgi?id=1422
  Verified-by: Steve Holme

Daniel Stenberg (12 Sep 2014)
- libcurl-tutorial.3: fix GnuTLS link to thread-safety guidelines

  The former link was turned into a 404 at some point.

  Reported-By: Askar Safin

- contributors.sh: split list of names at comma

  ... to support a list of names provided in a commit message.

Steve Holme (12 Sep 2014)
- [Ulrich Telle brought this change]

  ntlm: Fixed HTTP proxy authentication when using Windows SSPI

  Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix bug in NTLM handshake for HTTP proxy authentication.

  NTLM handshake for HTTP proxy authentication failed with error SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy servers on generating the NTLM Type-3 message.

  The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according to the observations and suggestions made in a bug report for the QT project (https://bugreports.qt-project.org/browse/QTBUG-17322).

  Removing all the flags solved the problem.

  Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html
  Reported-by: Ulrich Telle
  Assisted-by: Steve Holme, Daniel Stenberg

Daniel Stenberg (12 Sep 2014)
- [Ray Satiro brought this change]

  newlines: fix mixed newlines to LF-only

  I use the curl repo mainly on Windows with the typical Windows git checkout which converts the LF line endings in the curl repo to CRLF automatically on checkout. The automatic conversion is not done on files in the repo with mixed line endings. I recently noticed some weird output with projects/build-openssl.bat that I traced back to mixed line endings, so I scanned the repo and there are files (excluding the test data) that have mixed line endings.

  I used this command below to do the scan. Unfortunately it's not as easy as git grep, at least not on Windows. This gets the names of all the files in the repo's HEAD, gets each of those files raw from HEAD, checks for mixed line endings of both LF and CRLF, and prints the name if mixed. I excluded path tests/data/test* because those can have mixed line endings if I understand correctly.

      for f in `git ls-tree --name-only --full-tree -r HEAD`; do
        if [ -n "${f##tests/data/test*}" ]; then
          git show "HEAD:$f" | \
            perl -0777 -ne 'exit 1 if /([^\r]\n.*\r\n)|(\r\n.*[^\r]\n)/';
          if [ $? -ne 0 ]; then
            echo "$f";
          fi;
        fi;
      done

- [Viktor Szakáts brought this change]

  mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces

- ROADMAP: markdown eats underscores

  It interprets them as italic indicators unless we backtick the word.

- ROADMAP: tiny formatting edit for nicer web output

Steve Holme (10 Sep 2014)
- ROADMAP.md: Updated GSSAPI authentication following 7.38.0 additions

- INTERNALS: Added email and updated Kerberos details

- FEATURES: Updated Kerberos details

  Added support for Kerberos 5 to the email protocols following the recent additions in 7.38.0. Removed Kerberos 4 as this has been gone for a while now.

Daniel Stenberg (10 Sep 2014)
- [Paul Howarth brought this change]

  openssl: build fix for versions < 0.9.8e

  Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html

- mk-ca-bundle.pl: first, try downloading HTTPS with curl

  As a sort of step forward, this script will now first try to get the data from the HTTPS URL using curl, and only if that fails it will switch back to the HTTP transfer using perl's native LWP functionality. To reduce the risk of this script being tricked.

  Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so we can't really ever completely disable HTTP, but chances are that most users already have a ca cert bundle that trusts the mozilla.org site that this script downloads from.

  A future version of this script will probably switch to require a dedicated "insecure" command line option to allow downloading over HTTP (or unverified HTTPS).

- LICENSE-MIXING: removed krb4 info

  krb4 has been dropped since a while now

- bump: on the 7.38.1-DEV train now!

- SSLCERTS: minor updates

  Edited format to look better on the web, added a "it is about trust" section.

Version 7.38.0 (10 Sep 2014)

Daniel Stenberg (10 Sep 2014)
- dist: two cmake files are no more

  CMake/FindOpenSSL.cmake and FindZLIB.cmake are gone since 14aa8f0c117b

- RELEASE-NOTES: final update for 7.38.0

- cookies: reject incoming cookies set for TLDs

  Test 61 was modified to verify this.

  CVE-2014-3620

  Reported-by: Tim Ruehsen
  URL: http://curl.haxx.se/docs/adv_20140910B.html

- [Tim Ruehsen brought this change]

  cookies: only use full host matches for hosts used as IP address

  By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both send cookies to wrong sites and to allow arbitrary sites to set cookies for others.

  CVE-2014-3613

  Bug: http://curl.haxx.se/docs/adv_20140910A.html

- HISTORY: fix the 1998 title position

- HISTORY: extended and now markdown

- SSLCERTS: converted to markdown

  Only minor edits to make it generate nice HTML output using markdown, as this document serves both in source release tarballs as on the web site.

  URL: http://curl.haxx.se/docs/sslcerts.html

- ftp-wildcard.c: spell fix

  Reported-By: Frank Gevaerts

- RELEASE-NOTES: synced with 921a0c22a6f

- THANKS: synced with RELEASE-NOTES for 921a0c22a6f

- polarssl: avoid memset() when clearing the first byte is enough

- [Catalin Patulea brought this change]

  polarssl: support CURLOPT_CAPATH / --capath

  Signed-off-by: Catalin Patulea

- SECURITY: eh, make more sense!

- SECURITY: how to join the curl-security list

- RELEASE-NOTES: fix the required nghttp2 version typo

- [Brandon Casey brought this change]

  Ensure progress.size_dl/progress.size_ul are always >= 0

  Historically the default "unknown" value for progress.size_dl and progress.size_ul has been zero, since these values are initialized implicitly by the calloc that allocates the curl handle that these variables are a part of. Users of curl that install progress callbacks may expect these values to always be >= 0.

  Currently it is possible for progress.size_dl and progress.size_ul to be set to a value of -1, if Curl_pgrsSetDownloadSize() or Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few places currently do, and a following patch will add more). So let's update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize() so they make sure that these variables always contain a value that is >= 0.

  Updates test579 and test599.

  Signed-off-by: Brandon Casey

Steve Holme (7 Sep 2014)
- tests: Added test1420 to the makefile

- test1420: Removed unnecessary CURLOPT setting

- tests: Added more "Clear Text" authentication keywords

- tests: Updated "based on" text due to email test renumbering

- tests: For consistency added --libcurl to test name

- tests: Added --libcurl for IMAP test case

- multi.c: Avoid invalid memory read after free() from commit 3c8c873252

  As the current element in the list is free()d by Curl_llist_remove(), when the associated connection is pending, reworked the loop to avoid accessing the next element through e->next afterward.

- multi.c: Fixed compilation warning from commit 3c8c873252

  warning: implicit conversion from enumeration type 'CURLMcode' to different enumeration type 'CURLcode'

- url.c: Use CURLAUTH_NONE constant rather than 0

  Small follow up to commit 898808fa8c to use auth constants rather than hard code value when clearing picked authentication mechanism.

- RELEASE-NOTES: Synced with fd1ce3856a

Nick Zitzmann (4 Sep 2014)
- [Vilmos Nebehaj brought this change]

  darwinssl: Use CopyCertSubject() to check CA cert.

  SecCertificateCopyPublicKey() is not available on iPhone. Use CopyCertSubject() instead to see if the certificate returned by SecCertificateCreateWithData() is valid.

  Reported-by: Toby Peterson

Steve Holme (4 Sep 2014)
- RELEASE-NOTES: Clarify email Kerberos support is currently via Windows SSPI

Daniel Stenberg (4 Sep 2014)
- MAIL-ETIQUETTE: "1.8 I posted, now what?"

- CURLOPT_CA*: better referring between *CAINFO and *CAPATH

  ... and a minor wording edit

- THANKS: added Dennis Clarke

  Dennis Clarke from Blastwave.org for ensuring that nightly builds run smooth on Solaris!

- curl_multi_cleanup: remove superfluous NULL assigns

  ... as the struct is free()d in the end anyway.

  It was first pointed out to me that one of the ->msglist assignments were supposed to have been ->pending but was a copy and paste mistake when I realized none of the clearing of pointers had to be there.

- multi: convert CURLM_STATE_CONNECT_PEND handling to a list

  ... instead of scanning through all handles, stash only the actual handles that are in that state in the new ->pending list and scan that list only. It should be mostly empty or very short. And only used for pipelining.

  This avoids a rather hefty slow-down especially notable if you add many handles to the same multi handle. Regression introduced in commit 0f147887 (version 7.30.0).

  Bug: http://curl.haxx.se/mail/lib-2014-07/0206.html
  Reported-by: David Meyer

- RELEASE-NOTES: synced with e608324f9f9

- [Andre Heinecke brought this change]

  polarssl: implement CURLOPT_SSLVERSION

  Forwards the setting as minimum ssl version (if set) to polarssl. If the server does not support the requested version the SSL Handshake will fail.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1419

nickzman (1 Sep 2014)
- Merge pull request #115 from ldx/darwinsslfixpr

  darwinssl: now accepts cacert bundles in PEM format in addition to single certs

Vilmos Nebehaj (1 Sep 2014)
- Check CA certificate in curl_darwinssl.c.

  SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer holds an invalid or corrupt certificate. Call SecCertificateCopyPublicKey() to make sure cacert is a valid certificate.

Daniel Stenberg (31 Aug 2014)
- low-speed-limit: avoid timeout flood

  Introducing Curl_expire_latest(). To be used when the code flow only wants to get called at a later time that is "no later than X" so that something can be checked (and another timeout be added).

  The low-speed logic for example could easily be made to set very many expire timeouts if it would be called faster or sooner than what it had set its own timer and this goes for a few other timers too that aren't explicitly checked for timer expiration in the code.

  If there's no condition in the code that says if(time-passed >= TIME), then Curl_expire_latest() is preferred to Curl_expire().

  If there exists such a condition, it is on the other hand important that Curl_expire() is used and not the other.

  Bug: http://curl.haxx.se/mail/lib-2014-06/0235.html
  Reported-by: Florian Weimer

- [Michael Wallner brought this change]

  resolve: cache lookup for async resolvers

  While waiting for a host resolve, check if the host cache may have gotten the name already (by someone else), for when the same name is resolved by several simultaneous requests.

  The resolver thread occasionally gets stuck in getaddrinfo() when the DNS or anything else is crappy or slow, so when a host is found in the DNS cache, leave the thread alone and let itself cleanup the mess.

Vilmos Nebehaj (30 Aug 2014)
- Fix CA certificate bundle handling in darwinssl.

  If the --cacert option is used with a CA certificate bundle that contains multiple CA certificates, iterate through it, adding each certificate as a trusted root CA.

Daniel Stenberg (29 Aug 2014)
- [Askar Safin brought this change]

  getinfo-times: Typo fixed

- [Askar Safin brought this change]

  libcurl.3: Typo fixed

- curl_formadd.3: setting CURLFORM_CONTENTSLENGTH 0 zero means strlen

- curl.1: add an example for -H

- FAQ: mention -w in the 4.20 answer as well

- FAQ: 4.20 curl doesn't return error for HTTP non-200 responses

- CURLOPT_NOBODY.3: clarify this option is for downloads

  When enabling CURLOPT_NOBODY, libcurl effectively switches off upload mode and will do a download (without a body). This is now better explained in this man page.

  Bug: http://curl.haxx.se/mail/lib-2014-08/0236.html
  Reported-by: John Coffey

- INTERNALS: nghttp2 must be 0.6.0 or later

- [Tatsuhiro Tsujikawa brought this change]

  Compile with latest nghttp2

Dan Fandrich (26 Aug 2014)
- THANKS: removed a few more duplicates

Daniel Stenberg (26 Aug 2014)
- RELEASE-NOTES: synced with 007242257683a

  ... and bumped the contributor amount after recount

- THANKS: added 52 missing contributors

  I re-ran contributors.sh on all changes since 7.10 and I found these contributors who are mentioned in the commits but never were added to THANKS before!

  I also removed a couple of duplicates (mostly due to different spellings).

- contributors: grep and sort case insensitively

- [Michael Osipov brought this change]

  configure.ac: Add support for recent GSS-API implementations for HP-UX

  By default, configure script assumes that libcurl will use the HP-supplied GSS-API implementation which does not have krb5-config. If a dev needs a more recent version which has that config script, the change will allow to pass an appropriate GSSAPI_ROOT.

- CONNECT: close proxy connections that fail to CONNECT

  This is usually due to failed auth. There's no point in us keeping such a connection alive since it shouldn't be re-used anyway.

  Bug: http://curl.haxx.se/bug/view.cgi?id=1381
  Reported-by: Marcel Raad

- RELEASE-NOTES: added two missing HTTP/2 bug fixes

  And renamed all http2 references to HTTP/2 in this file

- RELEASE-NOTES: synced with f646e9075f47

- [Jakub Zakrzewski brought this change]

  Cmake: Possibility to use OpenLDAP, OpenSSL, LibSSH2 on windows

  At this point I can build libcurl on windows. It provides at least the same list of protocols as for linux build and works with our software.

- [Jakub Zakrzewski brought this change]

  Cmake: Removed repeated content from ending blocks

  They are unnecessary in modern CMake and removing them improves readability.

- [Jakub Zakrzewski brought this change]

  Cmake: Removed some useless empty SET statements.

  Undefined variables resolve to empty strings and we do not ever test if the variable is defined thus those SETs are superfluous.

- [Jakub Zakrzewski brought this change]

  Cmake: Removed useless comments from CMakeLists.txt

  They look like some relics after changes.

- [Jakub Zakrzewski brought this change]

  Cmake: Don't check for all headers each time

  One header at a time is the right way. Apart from that the output on windows goes from:

      ...
      -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h
      -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h - found
      -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., winsock2.h
      -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., winsock2.h - found
      -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdio.h
      -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdio.h - found
      -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., windows.h
      -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., windows.h - found
      -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., winsock.h
      -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., winsock.h - found
      -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/filio.h
      -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/filio.h - not found
      -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/ioctl.h
      -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/ioctl.h - not found
      -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/resource.h
      ...

  To much nicer:

      ...
      -- Looking for ws2tcpip.h
      -- Looking for ws2tcpip.h - found
      -- Looking for winsock2.h
      -- Looking for winsock2.h - found
      -- Looking for stdio.h
      -- Looking for stdio.h - found
      -- Looking for windows.h
      -- Looking for windows.h - found
      -- Looking for winsock.h
      -- Looking for winsock.h - found
      -- Looking for sys/filio.h
      -- Looking for sys/filio.h - not found
      -- Looking for sys/ioctl.h
      -- Looking for sys/ioctl.h - not found
      -- Looking for sys/resource.h

- [Jakub Zakrzewski brought this change]

  Cmake: Append OpenSSL include directory to search path

  At this point I can build libcurl with OpenSSL, OpenLDAP and LibSSH2. Supported protocols are at least: HTTP, HTTPS, FTP, SFTP, TFTP, LDAP, LDAPS, POP3, SMTP (those are the ones we have regression tests for in our product's testsuite)

- [Jakub Zakrzewski brought this change]

  Cmake: Search for liblber, LDAP SSL headers, switch for using OpenLDAP code.

- [Jakub Zakrzewski brought this change]

  Cmake: LibSSH2 detection and use.

- [Jakub Zakrzewski brought this change]

  Cmake: Moved macros out of the main CMakeLists.txt

- [Jakub Zakrzewski brought this change]

  Cmake: Added missing protocol-disable switches

  They already have their defines in config.h. This makes it possible to disable the protocols from command line during configure step.

- [Jakub Zakrzewski brought this change]

  Cmake: Made boolean defines be defined to "1" instead of "ON"

  It's by convention, for compatibility and because the comments say so. Just maybe someone has written a test like "#if HAVE_XX==1"

- [Jakub Zakrzewski brought this change]

  Cmake: Require at least CMake 2.8.

  CMake 2.6 is already a bit old. Many bugs have been fixed since its release. We use 2.8 in our company and we have no intention of polluting our environment with old software, so 2.6 would not be tested.

  This shouldn't be a problem since all one needs to build CMake from source is C and C++ compiler.

- disconnect: don't touch easy-related state on disconnects

  This was done to make sure NTLM state that is bound to a connection doesn't survive and gets used for the subsequent request - but disconnects can also be done to for example make room in the connection cache and thus that connection is not strictly related to the easy handle's current operation.

  The http authentication state is still kept in the easy handle since all http auth _except_ NTLM is connection independent and thus survive over multiple connections.

  Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
  Reported-by: Paras S

- curl.1: clarify --limit-rate's effect on both directions

  Bug: http://curl.haxx.se/bug/view.cgi?id=1414
  Reported-by: teo8976

- curl.1: mention the --post30x options within the --location desc

Dan Fandrich (22 Aug 2014)
- sasl: Fixed a memory leak on OOM

Daniel Stenberg (22 Aug 2014)
- [Frank Meier brought this change]

  NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth

  Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed since NTLM requires multiple requests that re-use the same connection for the authentication to work

  Solution: Ignore the forbid reuse flag in case the NTLM authentication handshake is in progress, according to the NTLM state flag.

  Fixed known bug #77.

Steve Holme (22 Aug 2014)
- openssl.c: Fixed longer than 79 columns

- openssl.c: Fixed compilation warning

  warning: declaration of 'minor' shadows a global declaration

Daniel Stenberg (21 Aug 2014)
- [Haris Okanovic brought this change]

  win32: Fixed WinSock 2 #if

  A conditionally compiled block in connect.c references WinSock 2 symbols, but used `#ifdef HAVE_WINSOCK_H` instead of `#ifdef HAVE_WINSOCK2_H`.

  Bug: http://curl.haxx.se/mail/lib-2014-08/0155.html

- Curl_disconnect: don't free the URL

  The URL is not a property of the connection so it should not be freed in the connection disconnect but in the Curl_close() that frees the easy handle.

  Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
  Reported-by: Paras S

- help output: minor whitespace edits

  Should've been amended in the previous commit but wasn't due to a mistake.

- [Zearin brought this change]

  help output: use ≥2 spaces between option and description

  ... and some other cleanups

- FAQ: some actually sometimes get paid...

Steve Holme (17 Aug 2014)
- sasl_sspi: Fixed a memory leak with the GSSAPI base-64 decoded challenge

- sasl_sspi: Renamed GSSAPI mutual authentication parameter

  ...From "mutual" to "mutual_auth" which better describes what it is.

- sasl_sspi: Corrected some of the GSSAPI security message error codes

  Corrected a number of the error codes that can be returned from the Curl_sasl_create_gssapi_security_message() function when things go wrong.

  It makes more sense to return CURLE_BAD_CONTENT_ENCODING when the inbound security challenge can't be decoded correctly or doesn't contain the KERB_WRAP_NO_ENCRYPT flag and CURLE_OUT_OF_MEMORY when EncryptMessage() fails. Unfortunately the previous error code of CURLE_RECV_ERROR was a copy and paste mistake on my part and should have been correct in commit 4b491c675f :(

- docs: Escaped single backslash

- TODO: Updated following GSSAPI (Kerberos V5) additions

  Updated "FTP 4.6 GSSAPI via Windows SSPI" and "SASL 14.1 Other authentication mechanisms" following recent additions.

  Added SASL 14.2 GSSAPI via GSS-API libraries.

- CURLOPT_USERNAME.3: Added Kerberos V5 and NTLM domain information

  This repeats what has already been documented in both the curl manpage and CURLOPT_USERPWD documentation but is provided here for completeness as someone may not especially read the latter when using libcurl.

- CURLOPT_USERPWD.3: Updated following Kerberos V5 SSPI changes

  Added information about Kerberos V5 requiring the domain part in the user name.

  Mentioned that the user name can be specified in UPN format, and not just in Down-Level Logon Name format, following the information added in commit 7679cb3fa8 reworking the existing information in the process.

- docs: Added Kerberos V5 and NTLM domain information to --user

- docs: Added Kerberos V5 to the --user SSPI current credentials usage

- sasl_sspi: Tell the server we don't support a GSSAPI receive buffer

- smtp: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI

- pop3: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI

- imap: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI

- email: Added mutual authentication flag

Daniel Stenberg (15 Aug 2014)
- RELEASE-NOTES: synced with 0187c9e11d079

- http: fix the Content-Range: parser

  ... to handle "*/[total]". Also, removed the strange hack that made CURLOPT_FAILONERROR on a 416 response after a *RESUME_FROM return CURLE_OK.

  Reported-by: Dimitrios Siganos
  Bug: http://curl.haxx.se/mail/lib-2014-06/0221.html

Steve Holme (14 Aug 2014)
- email: Introduced the GSSAPI states

- curl_sasl_sspi.c: Fixed more compilation warnings from commit 4b491c675f

  warning: unused variable 'resp'
  warning: no previous prototype for 'Curl_sasl_gssapi_cleanup'

- SHA-1: 61c93383b7f6cf79d12ff99e9dced1d1cc2a7064

  * curl_sasl_sspi.c: Fixed compilation warning from commit 4b491c675f

  warning: declaration of 'result' shadows a previous local

- curl_sasl.h: Fixed compilation error from commit 4b491c675f

  warning: 'struct kerberos5data' declared inside parameter list

  Due to missing forward declaration.

- urldata.h: Fixed compilation warnings from commit 3ec253532e

  warning: extra tokens at end of #endif directive

- sasl_sspi: Added GSSAPI message functions

- urldata: Introduced a GSSAPI (Kerberos V5) data structure

  Added a kerberos5data structure which is similar in nature to the ntlmdata and negotiatedata structures.
- sspi: Moved KERB_WRAP_NO_ENCRYPT from socks_sspi module
  In preparation for the upcoming SSPI implementation of GSSAPI authentication, moved the definition of KERB_WRAP_NO_ENCRYPT from socks_sspi.c to curl_sspi.h allowing it to be shared amongst other SSPI based code.

Daniel Stenberg (13 Aug 2014)
- mk-ca-bundle.pl: add missing $
- mk-ca-bundle.pl: switched to using hg.mozilla.org
  ... as mxr.mozilla.org is due to be retired.
  The new host doesn't support If-Modified-Since nor ETags, meaning that the script will now defer to download and do a post-transfer checksum check to see if a new output is to be generated. The new output format will hold the SHA1 checksum of the source file for that purpose.
  We call this version 1.22
  Reported-by: Ed Morley
  Bug: http://curl.haxx.se/bug/view.cgi?id=1409
- [Jose Alf brought this change] openssl: fix version report for the 0.9.8 branch
  Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8, starting from openssl-0.9.8za.
- [Frank Meier brought this change] create_conn: prune dead connections
  Bringing back the old functionality that was mistakenly removed when the connection cache was remade. When creating a new connection, all the existing ones are checked and those that are known to be dead get disconnected for real and removed from the connection cache. It helps the cache from holding on to very many stale connections and aids in keeping down the number of system sockets in wait states.
  Help-by: Jonatan Vela
  Bug: http://curl.haxx.se/mail/lib-2014-06/0189.html

Kamil Dudka (11 Aug 2014)
- docs/SSLCERTS: update the section about NSS database
  Bug: http://curl.haxx.se/mail/lib-2014-07/0335.html
  Reported-by: David Shaw

Daniel Stenberg (11 Aug 2014)
- [Peter Wang brought this change] Curl_poll + Curl_wait_ms: fix timeout return value
  Curl_poll and Curl_wait_ms require the fix applied to Curl_socket_check in commits b61e8b8 and c771968:
  When poll or select are interrupted and coincides with the timeout elapsing, the functions return -1 indicating an error instead of 0 for the timeout.

Steve Holme (10 Aug 2014)
- config-tpf.h: Fixed up line lengths > 79 characters
- config-symbian.h: Fixed up line lengths > 79 characters
- tool_hugehelp.c.cvs: Added copyright
  Added copyright due to warning from checksrc.pl.
- RELEASE-NOTES: Synced with cd6ecf6a89
- sasl_sspi: Fixed hard coded buffer for response generation
  Given the SSPI package info query indicates a token size of 4096 bytes, updated to use a dynamic buffer for the response message generation rather than a fixed buffer of 1024 bytes.
- sasl_sspi: Fixed missing free of challenge buffer on SPN failure
- http_negotiate_sspi: Tidy up to remove the get_gss_name() function
  Due to the reduction of code in commit 3b924b29 of get_gss_name() the function isn't necessary anymore.
- http_negotiate_sspi: Use a dynamic buffer for SPN generation
  Updated to use a dynamic buffer for the SPN generation via the recently introduced Curl_sasl_build_spn() function rather than a fixed buffer of 1024 characters, which should have been more than enough, but by using the new function removes the need for another variable sname to do the wide character conversion in Unicode builds.
- sasl: Tidy up to rename SPN variable from URI
- sasl: Use a dynamic buffer for SPN generation
  Updated Curl_sasl_create_digest_md5_message() to use a dynamic buffer for the SPN generation via the recently introduced Curl_sasl_build_spn() function rather than a fixed buffer of 128 characters.
- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
  Curl_sasl_create_digest_md5_message() would simply cast the SPN variable to a TCHAR when calling InitializeSecurityContext(). This meant that, under Unicode builds, it would not be a valid wide character string.
  Updated to use the recently introduced Curl_sasl_build_spn() function which performs the correct conversion for us.
- sasl: Introduced Curl_sasl_build_spn() for building a SPN
  Various parts of the libcurl source code build a SPN for inclusion in authentication data. This information is either used by our own native generation routines or passed to authentication functions in third-party libraries such as SSPI. However, some of these instances use fixed buffers rather than dynamically allocated ones and not all of those that should, convert to wide character strings in Unicode builds.
  Implemented a common function that generates a SPN and performs the wide character conversion where necessary.
- sasl_sspi: Fixed memory leak with not releasing Package Info struct
  Curl_sasl_create_digest_md5_message() wouldn't free the Package Info structure after QuerySecurityPackageInfo() had allocated it.
- [Michael Osipov brought this change] docs: Update SPNEGO and GSS-API related doc sections
  Reflect recent changes in SPNEGO and GSS-API code in the docs. Update them with appropriate namings and remove visible spots for GSS-Negotiate.
- sspi: Minor code tidy up to standardise coding style
  Following the recent changes and in attempt to align the SSPI based authentication code performed the following:
  * Use NULL and SECBUFFVERSION rather than hard coded constants.
  * Avoid comparison of zero in if statements.
  * Standardised the buf and desc setup code.
- schannel: Fixed compilation warning in vtls.c
  vtls.c:688:43: warning: unused parameter 'data'
- tool_getparam.c: Fixed compilation warning
  warning: `orig_opt' might be used uninitialized in this function
- RELEASE-NOTES: Synced with 159c3aafd8

Daniel Stenberg (8 Aug 2014)
- curl_ntlm_msgs: make < 80 columns wide

Steve Holme (8 Aug 2014)
- ntlm: Fixed hard coded buffer for SSPI based auth packet generation
  Given the SSPI package info query indicates a token size of 2888 bytes, and as with the Winbind code and commit 9008f3d56, use a dynamic buffer for the Type-1 and Type-3 message generation rather than a fixed buffer of 1024 bytes.
- ntlm: Added support for SSPI package info query
  Just as with the SSPI implementations of Digest and Negotiate added a package info query so that libcurl can a) return a more appropriate error code when the NTLM package is not supported and b) it can be of use later to allocate a dynamic buffer for the Type-1 and Type-3 output tokens rather than use a fixed buffer of 1024 bytes.

Daniel Stenberg (7 Aug 2014)
- http2: added some more logging for debugging stream problems
- [Tatsuhiro Tsujikawa brought this change] HTTP/2: Reset promised stream, not its associated stream.
- [Tatsuhiro Tsujikawa brought this change] HTTP/2: Move :authority before non-pseudo header fields
- http2: show the received header for better debugging
- openssl: replace call to OPENSSL_config
  OPENSSL_config() is "strongly recommended" to use but unfortunately that function makes an exit() call on wrongly formatted config files which makes it hard to use in some situations. OPENSSL_config() itself calls CONF_modules_load_file() and we use that instead and we ignore its return code!
  Reported-by: Jan Ehrhardt
  Bug: http://curl.haxx.se/bug/view.cgi?id=1401

Dan Fandrich (7 Aug 2014)
- [Fabian Keil brought this change] runtests.pl: Pad test case numbers with up to three zeroes
  Test case numbers with four digits have been available for a while now.

Steve Holme (7 Aug 2014)
- docs: Added Negotiate to the SSPI current credentials usage description
- TODO: HTTP Digest via Windows SSPI
- TODO: FTP GSSAPI via Windows SSPI
- http_negotiate_sspi: Fixed specific username and password not working
  Bug: http://curl.haxx.se/mail/lib-2014-06/0224.html
  Reported-by: Leonardo Rosati
- http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc76194e8
  If the server rejects our authentication attempt and curl hasn't called CompleteAuthToken() then the status variable will be SEC_I_CONTINUE_NEEDED and not SEC_E_OK.
  As such the existing detection mechanism for determining whether or not the authentication process has finished is not sufficient.
  However, the WWW-Authenticate: Negotiate header line will not contain any data when the server has exhausted the negotiation, so we can use that coupled with the already allocated context pointer.

Daniel Stenberg (5 Aug 2014)
- RELEASE-NOTES: synced with 5b37db44a3eb

Dan Fandrich (5 Aug 2014)
- parsedate.c: fix the return code for an overflow edge condition

Daniel Stenberg (5 Aug 2014)
- [Toby Peterson brought this change] darwinssl: don't use strtok()
  The GetDarwinVersionNumber() function uses strtok, which is not thread-safe.
- Curl_ossl_version: adapted to detect BoringSSL
  This seems to be the way it should work. Right now we can't build with BoringSSL and try this out properly due to a minor API breakage.
- Curl_ossl_version: detect and show libressl
  LibreSSL is otherwise OpenSSL API compliant (so far)
- [Tatsuhiro Tsujikawa brought this change] HTTP/2: Fix infinite loop in readwrite_data()
  To prevent infinite loop in readwrite_data() function when stream is reset before any response body comes, reset closed flag to false once it is evaluated to true.

Dan Fandrich (3 Aug 2014)
- gtls: only define Curl_gtls_seed if Nettle is not being used
- ssl: provide Curl_ssl_backend even if no SSL library is available

Daniel Stenberg (2 Aug 2014)
- [Tatsuhiro Tsujikawa brought this change] HTTP2: Support expect: 100-continue
  "Expect: 100-continue", which was once deprecated in HTTP/2, is now resurrected in HTTP/2 draft 14. This change adds its support to HTTP/2 code. This change also includes stricter header field checking.
- CURLOPT_SSL_VERIFYPEER.3. add a warning about disabling it
- FEATURES: minor update
- openssl: make ossl_send return CURLE_OK better
  Previously it only returned a CURLcode for errors, which is when it returns a different size than what was passed in to it.
  The http2 code only checked the curlcode and thus failed.
- RELEASE-NOTES: synced with 7bb4c8cadb5d0
- [Michael Wallner brought this change] CURLOPT_HEADEROPT.3: typo: do -> to
- [Marcel Raad brought this change] schannel: use CryptGenRandom for random numbers
  This function is available for every Windows version since Windows 95/NT.
  reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx
- curl_version_info.3: 'ssl_version_num' is always 0
  ... and has been so since 2005
- ssl: generalize how the ssl backend identifier is set
  Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS one which was missing previously.

Dan Fandrich (31 Jul 2014)
- axtls: define curlssl_random using axTLS's PRNG
- cyassl: fix the test for ASN_NO_SIGNER_E
  It's an enum so a macro test won't work.
  The CyaSSL changelog doesn't say exactly when this error code was introduced, but it's likely to be 2.7.0.
- cyassl: use RNG_GenerateBlock to generate a good random number
- opts: fixed some typos
- smtp: fixed a segfault during test 1320 torture test
  Under these circumstances, the connection hasn't been fully established and smtp_connect hasn't been called, yet smtp_done still calls the state machine which dereferences the NULL conn pointer in struct pingpong.

Daniel Stenberg (30 Jul 2014)
- vtls: repair build without TLS support
  ... by defining Curl_ssl_random() properly
- polarssl: provide a (weak) random function
  This now provides a weak random function since PolarSSL doesn't have a quick and easy way to provide a good one. It does however provide the framework to make one so it _can_ and _should_ be done...
- [Michael Wallner brought this change] curl_tlsinfo -> curl_tlssessioninfo
- cyassl: use the default (weaker) random
  I couldn't find any dedicated function in its API to get a "good" random with.
- cyassl: made it compile with version 2.0.6 again
  ASN_NO_SIGNER_E didn't exist back then!
- vtls: make the random function mandatory in the TLS backend
  To force each backend implementation to really attempt to provide proper random. If a proper random function is missing, then we can explicitly make use of the default one we use when TLS support is missing.
  This commit makes sure it works for darwinssl, gnutls, nss and openssl.
- libcurl.m4: include the standard source header
  ... with permission from David Shaw

Kamil Dudka (28 Jul 2014)
- nss: do not check the version of NSS at run time
  The minimal required version of NSS is 3.14.x so it does not make sense to check for NSS 3.12.0+ at run time.

Daniel Stenberg (28 Jul 2014)
- [Anthon Pang brought this change] curl.h: bring back CURLE_OBSOLETE16
  Removing defines, even obsolete ones that haven't been used for a very long time, still break a lot of applications.
  Bug: https://github.com/bagder/curl/pull/106

Dan Fandrich (26 Jul 2014)
- [Fabian Keil brought this change] tests: Fix a couple of incomplete response lines
- [Fabian Keil brought this change] runtests.pl: Remove filteroff() which hasn't been used since 2001
- [Fabian Keil brought this change] runtests.pl: Don't expect $TESTDIR/DISABLED to exist
  If a non-standard $TESTDIR is used the file may not be necessary.
  Previously a "missing" file resulted in the warning:
  readline() on closed filehandle D at ./runtests.pl line 4940.
- [Fabian Keil brought this change] getpart.pm: Fix a comment typo

Daniel Stenberg (25 Jul 2014)
- c-ares: fix build without IPv6 support
  Bug: http://curl.haxx.se/mail/lib-2014-07/0337.html
  Reported-by: Spork Schivago
- Curl_base64url_encode: unit-tested in 1302
- base64: added Curl_base64url_encode()
  This is now used by the http2 code. It has two different symbols at the end of the base64 table to make the output "url safe".
  Bug: https://github.com/tatsuhiro-t/nghttp2/issues/62
- [Marcel Raad brought this change] SSPI Negotiate: Fix 3 memory leaks
  Curl_base64_decode allocates the output string by itself and two other strings were not freed either.
- symbols: CURL_VERSION_GSSNEGOTIATE is deprecated
- test1013.pl: GSS-Negotiate doesn't exist as a feature anymore
- [Sergey Nikulov brought this change] libtest: fixed duplicated line in Makefile
  Bug: https://github.com/bagder/curl/pull/105

Patrick Monnerat (23 Jul 2014)
- GSSAPI: remove useless *_MECHANISM defines.

Daniel Stenberg (23 Jul 2014)
- findprotocol: show unsupported protocol within quotes
  ... to aid when for example prefixed with a space or other weird character.

Patrick Monnerat (23 Jul 2014)
- GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date.
Daniel Stenberg (23 Jul 2014)
- [Marcel Raad brought this change] conncache: fix compiler warning
  warning C4267: '=' : conversion from 'size_t' to 'long', possible loss of data
  The member connection_id of struct connectdata is a long (always a 32-bit signed integer on Visual C++) and the member next_connection_id of struct conncache is a size_t, so one of them should be changed to match the other.
  This patch changes the size_t in struct conncache to long (the less invasive change as that variable is only ever used in a single code line).
  Bug: http://curl.haxx.se/bug/view.cgi?id=1399
- RELEASE-NOTES: synced with 81cd24adb8b
- http2: more and better error checking
  1 - fixes the warnings when built without http2 support
  2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2 basically when they are about http2 specific things.

Dan Fandrich (23 Jul 2014)
- cyassl.c: return the correct error code on no CA cert
  CyaSSL 3.0.0 returns a unique error code if no CA cert is available, so translate that into CURLE_SSL_CACERT_BADFILE when peer verification is requested.

Daniel Stenberg (23 Jul 2014)
- symbols-in-versions: new SPNEGO/GSS-API symbols in 7.38.0
- test1013.pl: remove SPNEGO/GSS-API tweaks
  No longer necessary after Michael Osipov's rework
- http_negotiate: remove unused variable
- [Michael Osipov brought this change] docs: Improve inline GSS-API naming in code documentation
- [Michael Osipov brought this change] curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
  - Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
  - CURL_VERSION_GSSNEGOTIATE is deprecated which is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and CURL_VERSION_SPNEGO now.
  - Remove display of feature 'GSS-Negotiate'
- [Michael Osipov brought this change] configure/features: Add feature and version info for GSS-API and SPNEGO
- [Michael Osipov brought this change] HTTP: Remove checkprefix("GSS-Negotiate")
  That auth mech has never existed neither on MS nor on Unix side.
  There is only Negotiate over SPNEGO.
- [Michael Osipov brought this change] curl_gssapi: Add macros for common mechs and pass them appropriately
  Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from HTTP, FTP and SOCKS on Unix
- CONNECT: Revert Curl_proxyCONNECT back to 7.29.0 design
  This reverts commit cb3e6dfa3511 and instead fixes the problem differently.
  The reverted commit addressed a test failure in test 1021 by simplifying and generalizing the code flow in a way that damaged the performance. Now we modify the flow so that Curl_proxyCONNECT() again does as much as possible in one go, yet still do test 1021 with and without valgrind. It failed due to mistakes in the multi state machine.
  Bug: http://curl.haxx.se/bug/view.cgi?id=1397
  Reported-by: Paul Saab
- [Marcel Raad brought this change] url.c: use the preferred symbol name: *READDATA
  with CURL_NO_OLDIES defined, it doesn't compile because this deprecated symbol (*INFILE) is used
  Bug: http://curl.haxx.se/bug/view.cgi?id=1398

Dan Fandrich (19 Jul 2014)
- [Alessandro Ghedini brought this change] CURLOPT_CHUNK_BGN_FUNCTION: fix typo

Kamil Dudka (18 Jul 2014)
- [Alessandro Ghedini brought this change] build: link curl to NSS libraries when NSS support is enabled
  This fixes a build failure on Debian caused by commit 24c3cdce88f39731506c287cb276e8bf4a1ce393.
  Bug: http://curl.haxx.se/mail/lib-2014-07/0209.html

Steve Holme (17 Jul 2014)
- build: Removed unnecessary XML Documentation file directive from VC8 to VC12
  The curl tool project files for VC8 to VC12 would set this setting to $(IntDir) which is the Visual Studio default value. To avoid confusion when viewing settings from within Visual Studio and for consistency with the libcurl project files removed this setting.
  Conflicts:
    projects/Windows/VC10/src/curlsrc.tmpl
    projects/Windows/VC11/src/curlsrc.tmpl
    projects/Windows/VC12/src/curlsrc.tmpl
    projects/Windows/VC8/src/curlsrc.tmpl
    projects/Windows/VC9/src/curlsrc.tmpl
- build: Removed unnecessary Precompiled Header file directive in VC7 to VC12
  The curl tool project files for VC7 to VC12 would set this setting to $(IntDir)$(TargetName).pch which is the Visual Studio default value. To avoid confusion when viewing settings from within Visual Studio and for consistency with the libcurl project files removed this setting.
  Conflicts:
    projects/Windows/VC10/src/curlsrc.tmpl
    projects/Windows/VC11/src/curlsrc.tmpl
    projects/Windows/VC12/src/curlsrc.tmpl
    projects/Windows/VC8/src/curlsrc.tmpl
    projects/Windows/VC9/src/curlsrc.tmpl
- build: Removed unnecessary ASM and Object file directives in VC7 to VC12
  The curl tool project files for VC7 to VC12 would set these settings to $(IntDir) which is the Visual Studio default value. To avoid confusion when viewing settings from within Visual Studio and for consistency with the libcurl project files removed these two settings.

Daniel Stenberg (17 Jul 2014)
- [Dave Reisner brought this change] src/Makefile.am: add .DELETE_ON_ERROR
  This prevents targets like tool_hugehelp.c from leaving around half-constructed files if the rule fails with GNU make.
  Reported-by: Rafaël Carré
- THANKS: added new contributors from 7.37.1 announcement

Dan Fandrich (17 Jul 2014)
- testcurl.pl: log the value of --runtestopts in the test header

Daniel Stenberg (16 Jul 2014)
- RELEASE-NOTES: cleared, working towards next release
- curl_gssapi.c: make line shorter than 80 columns
- [David Woodhouse brought this change] Fix negotiate auth to proxies to track correct state
- [David Woodhouse brought this change] Don't abort Negotiate auth when the server has a response for us
  It's wrong to assume that we can send a single SPNEGO packet which will complete the authentication. It's a *negotiation* — the clue is in the name.
  So make sure we handle responses from the server.
  Curl_input_negotiate() will already handle bailing out if it thinks the state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps talking to us, so we should avoid endless loops that way.
- [David Woodhouse brought this change] Don't clear GSSAPI state between each exchange in the negotiation
  GSSAPI doesn't work very well if we forget everything every time.
  XX: Is Curl_http_done() the right place to do the final cleanup?
- [David Woodhouse brought this change] Use SPNEGO for HTTP Negotiate
  This is the correct way to do SPNEGO. Just ask for it
  Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket isn't available. Of course, we bail out when the server responds with the challenge packet, since we don't expect that. But I'll fix that bug next...
- [David Woodhouse brought this change] Remove all traces of FBOpenSSL SPNEGO support
  This is just fundamentally broken.
  SPNEGO (RFC4178) is a protocol which allows client and server to negotiate the underlying mechanism which will actually be used to authenticate. This is *often* Kerberos, and can also be NTLM and other things. And to complicate matters, there are various different OIDs which can be used to specify the Kerberos mechanism too.
  A SPNEGO exchange will identify *which* GSSAPI mechanism is being used, and will exchange GSSAPI tokens which are appropriate for that mechanism.
  But this SPNEGO implementation just strips the incoming SPNEGO packet and extracts the token, if any. And completely discards the information about *which* mechanism is being used. Then we *assume* it was Kerberos, and feed the token into gss_init_sec_context() with the default mechanism (GSS_S_NO_OID for the mech_type argument).
  Furthermore... broken as this code is, it was never even *used* for input tokens anyway, because higher layers of curl would just bail out if the server actually said anything *back* to us in the negotiation.
  We assume that we send a single token to the server, and it accepts it. If the server wants to continue the exchange (as is required for NTLM and for SPNEGO to do anything useful), then curl was broken anyway.
  So the only bit which actually did anything was the bit in Curl_output_negotiate(), which always generates an *initial* SPNEGO token saying "Hey, I support only the Kerberos mechanism and this is its token".
  You could have done that by manually just prefixing the Kerberos token with the appropriate bytes, if you weren't going to do any proper SPNEGO handling. There's no need for the FBOpenSSL library at all.
  The sane way to do SPNEGO is just to *ask* the GSSAPI library to do SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context() is for. And then it should all Just Work™.
  That 'sane way' will be added in a subsequent patch, as will bug fixes for our failure to handle any exchange other than a single outbound token to the server which results in immediate success.
- [David Woodhouse brought this change] ntlm_wb: Avoid invoking ntlm_auth helper with empty username
- [David Woodhouse brought this change] ntlm_wb: Fix hard-coded limit on NTLM auth packet size
  Bumping it to 1KiB in commit aaaf9e50ec is all very well, but having hit a hard limit once let's just make it cope by reallocating as necessary.

Version 7.37.1 (16 Jul 2014)

Daniel Stenberg (16 Jul 2014)
- RELEASE-NOTES: synced with 4cb2521595
- test506: verify aa6884845168
  After the fixed cookie lock deadlock, this test now passes and it detects double-locking and double-unlocking of mutexes.
- [Yousuke Kimoto brought this change] cookie: avoid mutex deadlock
  ... by removing the extra mutex locks around the call to Curl_flush_cookies() which takes care of the locking itself already.
  Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
- gnutls: fix compiler warning
  conversion to 'int' from 'long int' may alter its value

Dan Fandrich (15 Jul 2014)
- test320: strip off the actual negotiated cipher width
  It's irrelevant to the test, and will change depending on which SSL library is being used by libcurl.
- gnutls: detect lack of SRP support in GnuTLS at run-time and try without
  Reported-by: David Woodhouse

Daniel Stenberg (14 Jul 2014)
- [Michał Górny brought this change] configure: respect host tool prefix for krb5-config
  Use ${host_alias}-krb5-config if available. This improves cross-compilation support and fixes multilib on Gentoo (at least).
- [David Woodhouse brought this change] gnutls: handle IP address in cert name check
  Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function didn't actually check IP addresses in SubjectAltName, even though it was explicitly documented as doing so. So do it ourselves...

Dan Fandrich (14 Jul 2014)
- build: set _POSIX_PTHREAD_SEMANTICS on Solaris to get proper getpwuid_r

Daniel Stenberg (14 Jul 2014)
- RELEASE-NOTES: next one is called 7.37.1

Dan Fandrich (13 Jul 2014)
- gnutls: improved error message if setting cipher list fails
  Reported-by: David Woodhouse
- netrc: fixed thread safety problem by using getpwuid_r if available
  The old way using getpwuid could cause problems in programs that enable reading from netrc files simultaneously in multiple threads.
  Reported-by: David Woodhouse
- RELEASE-NOTES: add the reporter of the previous bug fix
- netrc: treat failure to find home dir same as missing netrc file
  This previously caused a fatal error (with a confusing error code, at that).
  Reported by: Glen A Johnson Jr.
Steve Holme (12 Jul 2014)
- RELEASE-NOTES: Synced with aaaf9e50ec
- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
  Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html
  Reported-by: David Woodhouse
- build: Fixed overridden compiler PDB settings in VC7 to VC12
  The curl tool project files for VC7 to VC12 would override the default setting with the output filename being the same as the linker PDB file. As such the compiler file would be overwritten with the linker file for all debug builds.
  To avoid this overwrite and for consistency with the libcurl project files, removed the setting to force the default filename to be used.

Dan Fandrich (12 Jul 2014)
- tests: added globbing keyword to URL globbing tests
- Fixed some "statement not reached" warnings
- gnutls: fixed a couple of uninitialized variable references
- gnutls: fixed compilation against versions < 2.12.0
  The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but the code path in which they're referenced here is only ever used for somewhat older GnuTLS versions. This caused undeclared identifier errors when compiling against those.
- gnutls: explicitly added SRP to the priority string
  This seems to have become necessary for SRP support to work starting with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS before the function that takes this priority string, there should be no issue with backward compatibility.
- tests: adjust for capitalization differences in newer gnutls-serv
- test320/1/2/4: fix the port number substitution variables
  These tests have been broken since commit 1958fe57 in Oct. 2011
- tests: document more test identifiers and variables
- gnutls: ignore invalid certificate dates with VERIFYPEER disabled
  This makes the behaviour consistent with what happens if a date can be extracted from the certificate but is expired.
Steve Holme (10 Jul 2014)
- CURLOPT_UPLOAD: Corrected argument type

Daniel Stenberg (9 Jul 2014)
- FAQ: expand the thread-safe section
  ... with a mention of *NOSIGNAL, based on talk in bug #1386

Dan Fandrich (9 Jul 2014)
- url.c: Fixed memory leak on OOM
  This showed itself on some systems with torture failures in tests 1060 and 1061
- Update instances of some obsolete CURLOPTs to their new names

Daniel Stenberg (5 Jul 2014)
- [Marcel Raad brought this change] compiler warnings: potentially uninitialized variables
  ... pointed out by MSVC2013
  Bug: http://curl.haxx.se/bug/view.cgi?id=1391

Kamil Dudka (4 Jul 2014)
- nss: make the list of CRL items global
  Otherwise NSS could use an already freed item for another connection.
- nss: fix a memory leak when CURLOPT_CRLFILE is used
- nss: make crl_der allocated on heap
  ... and spell it as crl_der instead of crlDER
- nss: let nss_{cache,load}_crl return CURLcode
- tool: oops, forgot to include
  ... that contains the declaration of PL_ArenaFinish()
- tool: call PL_ArenaFinish() on exit if NSPR is used
  This prevents valgrind from reporting still reachable memory allocated by NSPR arenas (mainly the freelist).
  Reported-by: Hubert Kario

Daniel Stenberg (3 Jul 2014)
- [Dimitrios Siganos brought this change] example: use correct type (long) for CURLOPT_FOLLOWLOCATION
- [Dimitrios Siganos brought this change] Document type of argument for CURLOPT_FOLLOWLOCATION.
- [Dimitrios Siganos brought this change] Document type of argument for CURLOPT_ERRORBUFFER.
- [Dimitrios Siganos brought this change] Document type of argument for CURLOPT_COPYPOSTFIELDS.
- [Dimitrios Siganos brought this change] Document type of argument for CURLOPT_ADDRESS_SCOPE.
- curl.1: minor language fix
  Bug: http://curl.haxx.se/mail/archive-2014-07/0006.html
- [Ray Satiro brought this change] progress callback: skip last callback update on errors
  When an error has been detected, skip the final forced call to the progress callback by making sure to pass the current return code variable in the Curl_done() call in the CURLM_STATE_DONE state.
  This avoids the "extra" callback that could occur even if you returned error from the progress callback.
  Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html
  Reported by: Jonathan Cardoso Machado

Dan Fandrich (2 Jul 2014)
- opts: fixed some CURLOPT references so they get turned into links

Kamil Dudka (2 Jul 2014)
- tool: call PR_Cleanup() on exit if NSPR is used
  This prevents valgrind from reporting possibly lost memory that NSPR uses for file descriptor cache and other globally allocated internal data structures.
- nss: make the fallback to SSLv3 work again
  This feature was unintentionally disabled by commit ff92fcfb.
- nss: do not abort on connection failure
  ... due to calling SSL_VersionRangeGet() with NULL file descriptor
  reported-by: upstream tests 305 and 404

Dan Fandrich (1 Jul 2014)
- opts: Document the socket callback function parameters

Steve Holme (28 Jun 2014)
- opts: Fixed some typos

Dan Fandrich (25 Jun 2014)
- curl_easy_setopt.3: fixed the error code for an unsupported option
- opts: added some DEFAULT and RETURN VALUE sections

Daniel Stenberg (21 Jun 2014)
- libcurl docs: man page edits mainly to improve how the web versions render

Dan Fandrich (21 Jun 2014)
- curl_easy_setopt.3: fixed some typos

Daniel Stenberg (21 Jun 2014)
- lib man pages: update easy setopt option references
  ... by using the "\fIopt(3)\fP" syntax they will be linked properly when the web version of the page is generated.
- opts: the CURLOPT_SSL_ENABLE_*PN options are enabled by default
- [Colin Hogben brought this change] lib: documentation updates in README.hostip
  c-ares now does support IPv6; avoid implying threaded resolver is Windows-only; two referenced source files were renamed in 7de2f92
- curl_easy_setopt.3: CURLOPT_POSTFIELDS is the exception
  ... to the always-copy-char *-argument. And fix some minor mistakes.
- curl_easy_setopt.3: refer to the individual man pages
  With all the new individual option man pages created, this now refers to each separate one instead of duplicating the info. Also makes this page easier to overview.

Dan Fandrich (21 Jun 2014)
- opts: fixed mancheck for out-of-tree builds

Daniel Stenberg (21 Jun 2014)
- curl_easy_setopt.3: shorten
  shorten descriptions, mostly refer to the separate descriptions
- CURLOPT_DNS_LOCAL_IP4.3: better short desc

Dan Fandrich (20 Jun 2014)
- opts: document CURLE_OUT_OF_MEMORY among other return values
- opts: fixed some typos

Daniel Stenberg (20 Jun 2014)
- opts: various corrections
- opts: add the rest of the options
  ... and fixed mancheck to ignore obsolete options
- opts: the final bunch of options as man pages
  Now all current options have their own man pages.
- opts: 37 additional man pages
- CURLOPT_URL: move up the text from "Notes"
- ROADMAP: removed, now ROADMAP.md
- ROADMAP.md: make it markdown formatted
- ROADMAP: initial commit of "curl the next few years"
  To be further discussed, debated and edited
- opts: more man pages
- CURLOPT_UNRESTRICTED_AUTH.3: added missing 'T'
- opts: makefile now includes all current man pages
- opts: 11 more man pages

Dan Fandrich (18 Jun 2014)
- opts: document CURLE_OUT_OF_MEMORY as RETURN VALUE
- opts: fixed a couple of typos

Patrick Monnerat (18 Jun 2014)
- OS400: make it compilable again. Make RPG binding up to date.
- buildconf: do not search tools in current directory.
Dan Fandrich (18 Jun 2014)
- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
  This is consistent with the existing obsolete error code naming convention.

Daniel Stenberg (18 Jun 2014)
- opts: 16 more man pages