Commit graph

40 commits

Author SHA1 Message Date
Viktor Szakats
6f0e212f6e
tidy-up: miscellaneous (cont.)
- examples: replace magic numbers with `sizeof()`.
- typos: drop rules no longer needed after excluding tests/data.
- typos: move an exception inline.
- alpha-sort lists.
- fix indentation, whitespace.

Closes #18898
2025-10-06 22:33:38 +02:00
Viktor Szakats
51b85bdc6c
windows: use consistent format when showing error codes
For `GetLastError()` and `SECURITY_STATUS`:
0x-prefixed, 8-digit, lowercase, hex: 0x1234abcd

Also: say `GetLastError()` instead of `errno` in one message.

Closes #18877
2025-10-06 14:00:29 +02:00
Viktor Szakats
1429858bce
tidy-up: update MS links, allow long URLs via checksrc
- update Microsoft documentation links.
  (also drop language designator where present.)

- checksrc: allow longer than 78 character lines if they
  contain a https URL. To make these links easier to use and parse.

- merge links that were split into two lines.

Closes #18626
2025-09-20 11:49:23 +02:00
Viktor Szakats
87cbeecee4
windows: stop passing unused, optional argument for Win9x compatibility
Expiry timestamp in `AcquireCredentialsHandle()` (SSPI) and
`InitializeSecurityContext()` (Schannel) calls. The argument is optional
in both. The returned value was never used in curl. The reason for
passing it was Windows 95 compatibility, according to comments in
the SSPI code. curl no longer supports Windows 95.

Ref: https://learn.microsoft.com/windows/win32/api/sspi/nf-sspi-acquirecredentialshandlea
Ref: https://learn.microsoft.com/windows/win32/secauthn/initializesecuritycontext--schannel

Ref: 3fe5311967
Ref: aaa42aa0d5

Closes #18490
2025-09-20 02:27:07 +02:00
Viktor Szakats
a4196e2249
tidy-up: whitespace
Closes #18553
2025-09-15 15:00:11 +02:00
Viktor Szakats
89771d19d5
tidy-up: prefer ifdef/ifndef for single checks
Closes #18018
2025-07-27 22:35:17 +02:00
Viktor Szakats
4d977fe552
tidy-up: more whitespace/indent, comments
Also a couple of minor formatting updates in the root `CMakeLists.txt`.
One swap to `#ifdef`.

Closes #17929
2025-07-25 11:47:51 +02:00
Daniel Stenberg
2d528898f7
lib: move multibyte.[ch] to curlx/
This file provides functions in the curlx set.

Closes #17285
2025-05-08 10:19:19 +02:00
Daniel Stenberg
255aac56f9
curlx: move into to curlx/
Move curlx_ functions into its own subdir.

The idea is to use the curlx_ prefix proper on these functions, and use
these same function names both in tool, lib and test suite source code.
Stop the previous special #define setup for curlx_ names.

The printf defines are now done for the library alone. Tests no longer
use the printf defines. The tool code sets its own defines. The printf
functions are not curlx, they are publicly available.

The strcase defines are not curlx_ functions and should not be used by
tool or server code.

dynbuf, warnless, base64, strparse, timeval, timediff are now proper
curlx functions.

When libcurl is built statically, the functions from the library can be
used as-is. The key is then that the functions must work as-is, without
having to be recompiled for use in tool/tests. This avoids symbol
collisions - when libcurl is built statically, we use those functions
directly when building the tool/tests. When libcurl is shared, we
build/link them separately for the tool/tests.

Assisted-by: Jay Satiro

Closes #17253
2025-05-07 11:01:15 +02:00
Daniel Stenberg
625f2c1644
lib: include files using known path
by including headers using "../[header]" when done from C files in
subdirectories, we do not need to specify the lib source dir as an
include path and we reduce the risk of header name collisions with
headers in the SDK using the same file names.

Idea-by: Kai Pastor

Ref: #16949
Closes #16991
2025-04-08 17:00:00 +02:00
Viktor Szakats
f4e23950c7
build: enable -Wcast-qual, fix or silence compiler warnings
The issues found fell into these categories, with the applied fixes:

- const was accidentally stripped.
  Adjust code to not cast or cast with const.

- const/volatile missing from arguments, local variables.
  Constify arguments or variables, adjust/delete casts. Small code
  changes in a few places.

- const must be stripped because an API dependency requires it.
  Strip `const` with `CURL_UNCONST()` macro to silence the warning out
  of our control. These happen at API boundaries. Sometimes they depend
  on dependency version, which this patch handles as necessary. Also
  enable const support for the zlib API, using `ZLIB_CONST`. Supported
  by zlib 1.2.5.2 and newer.

- const must be stripped because a curl API requires it.
  Strip `const` with `CURL_UNCONST()` macro to silence the warning out
  of our immediate control. For example we promise to send a non-const
  argument to a callback, though the data is const internally.

- other cases where we may avoid const stripping by code changes.
  Also silenced with `CURL_UNCONST()`.

- there are 3 places where `CURL_UNCONST()` is cast again to const.
  To silence this type of warning:
  ```
  lib/vquic/curl_osslq.c:1015:29: error: to be safe all intermediate
    pointers in cast from 'unsigned char **' to 'const unsigned char **'
    must be 'const' qualified [-Werror=cast-qual]
  lib/cf-socket.c:734:32: error: to be safe all intermediate pointers in
    cast from 'char **' to 'const char **' must be 'const' qualified
    [-Werror=cast-qual]
  ```
  There may be a better solution, but I couldn't find it.

These cases are handled in separate subcommits, but without further
markup.

If you see a `-Wcast-qual` warning in curl, we appreciate your report
about it.

Closes #16142
2025-03-10 22:30:15 +01:00
Viktor Szakats
5474d70c3e
tidy-up: drop parenthesis around return expression
Closes #15990
2025-01-14 12:11:42 +01:00
Daniel Stenberg
cd2b45201a
src/lib: remove redundant ternary operators
Closes #15435
2024-10-29 08:18:30 +01:00
Daniel Stenberg
bca9c7719a
lib: make SSPI global symbols use Curl_ prefix
Do not pollute the namespace.

Closes #14776
2024-09-04 14:55:10 +02:00
Daniel Stenberg
c074ba64a8
code: language cleanup in comments
Based on the standards and guidelines we use for our documentation.

 - expand contractions (they're => they are etc)
 - host name = > hostname
 - file name => filename
 - user name = username
 - man page => manpage
 - run-time => runtime
 - set-up => setup
 - back-end => backend
 - a HTTP => an HTTP
 - Two spaces after a period => one space after period

Closes #14073
2024-07-01 22:58:55 +02:00
Viktor Szakats
3829759bd0
build: enable missing OpenSSF-recommended warnings, with fixes
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
as of 2023-11-29 [1].

Enable new recommended warnings (except `-Wsign-conversion`):

- enable `-Wformat=2` for clang (in both cmake and autotools).
- add `CURL_PRINTF()` internal attribute and mark functions accepting
  printf arguments with it. This is a copy of existing
  `CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible
  with redefinting the `printf` symbol:
  https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94
- fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for
  mingw-w64 and enable it on this platform.
- enable `-Wimplicit-fallthrough`.
- enable `-Wtrampolines`.
- add `-Wsign-conversion` commented with a FIXME.
- cmake: enable `-pedantic-errors` the way we do it with autotools.
  Follow-up to d5c0351055 #2747
- lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format
  checks. Previously it was always disabled due to the internal `printf`
  macro.

Fix them:

- fix bug where an `set_ipv6_v6only()` call was missed in builds with
  `--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`.
- add internal `FALLTHROUGH()` macro.
- replace obsolete fall-through comments with `FALLTHROUGH()`.
- fix fallthrough markups: Delete redundant ones (showing up as
  warnings in most cases). Add missing ones. Fix indentation.
- silence `-Wformat-nonliteral` warnings with llvm/clang.
- fix one `-Wformat-nonliteral` warning.
- fix new `-Wformat` and `-Wformat-security` warnings.
- fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its
  definition to `lib/curl_setup.h` allowing use in `tests/server`.
- lib: fix two wrongly passed string arguments in log outputs.
  Co-authored-by: Jay Satiro
- fix new `-Wformat` warnings on mingw-w64.

[1] 56c0fde389/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md

Closes #12489
2023-12-16 13:12:37 +00:00
Daniel Stenberg
7c992dd9f8
lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
Since the copy does not stop at a null byte, let's not call it anything
that makes you think it works like the common strndup() function.

Based on feedback from Jay Satiro, Stefan Eissing and Patrick Monnerat

Closes #12490
2023-12-08 17:22:33 +01:00
Daniel Stenberg
7309b9cbbf
lib: strndup/memdup instead of malloc, memcpy and null-terminate
- bufref: use strndup
 - cookie: use strndup
 - formdata: use strndup
 - ftp: use strndup
 - gtls: use aprintf instead of malloc + strcpy * 2
 - http: use strndup
 - mbedtls: use strndup
 - md4: use memdup
 - ntlm: use memdup
 - ntlm_sspi: use strndup
 - pingpong: use memdup
 - rtsp: use strndup instead of malloc, memcpy and null-terminate
 - sectransp: use strndup
 - socks_gssapi.c: use memdup
 - vtls: use dynbuf instead of malloc, snprintf and memcpy
 - vtls: use strdup instead of malloc + memcpy
 - wolfssh: use strndup

Closes #12453
2023-12-07 08:47:44 +01:00
Daniel Stenberg
2bc1d775f5
copyright: update all copyright lines and remove year ranges
- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205
2023-01-03 09:19:21 +01:00
max.mehl
ad9bc5976d
copyright: make repository REUSE compliant
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869
2022-06-13 09:13:00 +02:00
Sergey Markelov
e919848ead build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
fix compiler warnings about unused variables and parameters when
built with --disable-verbose.

Closes https://github.com/curl/curl/pull/7377
2021-07-16 13:55:52 -04:00
Daniel Stenberg
e7416cfd2b
infof: remove newline from format strings, always append it
- the data needs to be "line-based" anyway since it's also passed to the
  debug callback/application

- it makes infof() work like failf() and consistency is good

- there's an assert that triggers on newlines in the format string

- Also removes a few instances of "..."

- Removes the code that would append "..." to the end of the data *iff*
  it was truncated in infof()

Closes #7357
2021-07-07 22:54:01 +02:00
Patrick Monnerat
19ea52da4d
vauth: factor base64 conversions out of authentication procedures
Input challenges and returned messages are now in binary.
Conversions from/to base64 are performed by callers (currently curl_sasl.c
and http_ntlm.c).

Closes #6654
2021-04-22 09:06:07 +02:00
Daniel Stenberg
aba01da639
failf: remove newline from formatting strings
... as failf adds one itself.

Also: add an assert() to failf() that triggers on a newline in the
format string!

Closes #6365
2020-12-25 23:42:16 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Daniel Stenberg
2a81439553
ntlm_sspi: fix bad use of CURLE_NOT_BUILT_IN
That return code is reserved for build-time conditional code not being
present while this was a regular run-time error from a Windows API.

Reported-by: wangp on github
Fixes #5349
Closes #5350
2020-05-07 12:58:57 +02:00
migueljcrum
67b30b3418
sspi: fix memory leaks
Closes #4299
2019-09-10 08:06:05 +02:00
Jay Satiro
dca6f73613 vauth: Use CURLE_AUTH_ERROR for auth function errors
- Add new error code CURLE_AUTH_ERROR.

Prior to this change auth function errors were signaled by
CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was
technically correct.

Ref: https://github.com/curl/curl/pull/3848

Co-authored-by: Dominik Hölzl

Closes https://github.com/curl/curl/pull/3864
2019-08-14 03:14:01 -04:00
Steve Holme
52dfab65d6
auth: Rename the various authentication clean up functions
For consistency and to a avoid confusion.

Closes #3869
2019-05-12 18:37:00 +01:00
georgeok
0966233744 ntlm_sspi: add support for channel binding
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.

Fixes #3280
Closes #3321
2019-01-19 13:00:53 +01:00
Daniel Gustafsson
e182fc1613 comment: Fix multiple typos in function parameters
Ensure that the parameters in the comment match the actual names in the
prototype.

Closes #3079
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03 10:27:27 +02:00
toughengineer
bc4b8c9717
ntlm_sspi: fix authentication using Credential Manager
If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.

Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660
2018-04-16 20:43:21 +02:00
Daniel Gustafsson
94400f32e9 all: Refactor malloc+memset to use calloc
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.

Closes https://github.com/curl/curl/pull/2497
2018-04-15 03:00:37 -04:00
Jay Satiro
953b5c4e26 ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
.. and include the core NTLM header in all NTLM-related source files.

Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
but did not include vtls.h where it was defined.

Closes https://github.com/curl/curl/pull/1911
2017-09-23 13:58:14 -04:00
Patrick Monnerat
6869d65f54 Curl_base64_encode: always call with a real data handle.
Some calls in different modules were setting the data handle to NULL, causing
segmentation faults when using builds that enable character code conversions.
2017-09-02 12:49:59 +01:00
Steve Holme
43dbd76616 vauth: Added check for supported SSPI based authentication mechanisms
Completing commit 00417fd66c and 2708d4259b.
2016-08-21 10:27:09 +01:00
Steve Holme
a0f212946b vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
As Windows SSPI authentication calls fail when a particular mechanism
isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
and Negotiate to allow both HTTP and SASL authentication the opportunity
to query support for a supported mechanism before selecting it.

For now each function returns TRUE to maintain compatability with the
existing code when called.
2016-08-18 20:31:20 +01:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Steve Holme
58a7bc96ec vauth: Refactored function names after move to new vauth directory
Renamed all the SASL functions that moved to the new vauth directory to
include the correct module name.
2016-03-25 17:40:12 +00:00
Steve Holme
6012fa5aee vauth: Moved the NTLM authentication code to the new vauth directory 2016-03-25 15:11:09 +00:00
Renamed from lib/curl_sasl_sspi.c (Browse further)