Authorization credentials are kept in `struct Curl_creds`. This contains:
* `user`: the username, maybe the empty string
* `passwd`: the password, maybe the empty string
* `sasl_authzid`: the SASL authz value, maybe the empty string
* `oauth_bearer`: the OAUTH bearer token, maybe the empty string
* `source`: where the credentials came from
* `refcount`: a reference counter to link/unlink creds
A `creds` with all values empty is equivalent to NULL, e.g. no `creds`
instance. With reference counting, `creds` can be linked/unlinked
in several places.
See docs/internals/CREDENTIALS.md for use.
Closes #21548

Make CURLOPT_GSSAPI_DELEGATION effective on Windows builds that use SSPI
(instead of a native GSS-API implementation), so Kerberos delegation can
be requested during SPNEGO/Negotiate authentication.
Closes #21528

Previously, the use of checkprefix() alone allowed the code to match not
only on "blksize" but also (mistakenly) on "blksizeFOO" etc.
Reported-by: Andrew Nesbit
Closes #21560

The events on a multi wakeup socketpair were only consumed via
curl_multi_poll()/curl_multi_wait() but not in event based processing on
a curl_multi_socket() call. That led to busy loops as reported in
Fixes #21547
Reported-by: Earnestly on github
Closes #21549

- disable DES with nettle 4. It no longer supports it.
```
lib/curl_ntlm_core.c:67:12: fatal error: 'nettle/des.h' file not found
67 | # include <nettle/des.h>
| ^~~~~~~~~~~~~~
```
- fix MD4 support with nettle 4.
```
lib/md4.c:178:36: error: too many arguments to function call, expected 2, have 3
178 | md4_digest(ctx, MD4_DIGEST_SIZE, digest);
| ~~~~~~~~~~ ^~~~~~
```
- fix unused argument compiler warning:
```
lib/vtls/gtls.c:2267:39: error: unused parameter 'sha256len' [clang-diagnostic-unused-parameter,-warnings-as-errors]
2267 | size_t sha256len)
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970143?pr=21557
- GHA/macos: stop enabling NTLM in the GnuTLS job.
It no longer builds due to missing DES support in nettle 4.
```
lib/curl_ntlm_core.c:90:4: error: "cannot compile NTLM support without a crypto library with DES."
90 | # error "cannot compile NTLM support without a crypto library with DES."
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970170?pr=21557
Follow-up to cfadbaa133 #21169
Closes #21557

These macros are leftovers from when DNS caching was moved out of
hostip.c into its own source file. Both are still defined and used in
lib/dnscache.c; the copies in lib/hostip.c are unreferenced.
Detected with clang -Wunused-macros.
Follow-up to 96d5b5c688
Closes #21550

This bit was used to do Digest authentication like Internet Explorer
before version 7 (released on October 18, 2006). Presumably no one uses
this anymore and since it is hard to use and does broken auth, starting
in 8.21.0 this bit does nothing (except setting the actual Digest bit).
Closes #21486

The code would previously read one byte past the provided
CURLOPT_CAINFO_BLOB if the blob ends exactly with -----BEGIN
CERTIFICATE-----
Reported-by: Andrew Nesbit
Closes #21543

- passing an unknown string to CURLOPT_ECH now returns error
To properly allow applications to spot if they pass in a typo or
something to libcurl.
- CURLECH_DISABLE is now a plain zero internally, not a dedicated bit which
simplifies checks for when ECH is enabled
- Dropped the CURLECH_CLA_CFG bit, and just check STRING_ECH_CONFIG
- Turn grease/enable/hard into three different numerical values, no bitmask
needed
- Convert the struct field 'tls_ech' from an int to a byte.
Closes #21532

The 'ber' pointer could remain allocated in the exit path if the write
callback returned error for one of the Curl_client_write() calls.
Reported-by: Andrew Nesbit
Closes #21530

When a connection is tested for reuse in a transfer that *may* upgrade
to TLS (commonly via STARTTLS), the SSL configuration must match the
existing connection.
Reported-by: Andrew Nesbit
Closes #21522

- rename `req->proxyuserpwd` to `req->hd_proxy_auth`
- rename `req->userpwd` to `req->hd_auth`
- rename parameter `proxytunnel` to `is_connect` for Curl_http_output_auth()
- move path+query concatenation into Curl_http_output_auth(), saving an alloc when no auth is in play
- rename `H1_HD_USER_AUTH` into `H1_HD_AUTH`
Closes #21513

The CURLOPT_SSH_HOST_PUBLIC_KEY_* options are documented to verify the
host at connect time and not for connection reuse. Once the SSH host has
been deemed okay, it remains okay as long as the connection survives.
In addition: this function currently always returned TRUE since the
pointers have been NULLed in the SSH backend code before this function
is called.
Follow-up to c31fcf2dec
Reported-by: Andrew Nesbit
Closes #21519

Unfortunately, mbedtls_pk_parse_key() requires the data to be
null-terminated if the data is PEM encoded (even when provided the exact
length), so this function needs to make a copy that has one.
Reported-by: Elise Vance
Closes #21515

Unix domain socket paths need to be compared case-sensitive, in contrast
to DNS hostnames.
Follow-up to bc40e09f63
Pointed out by Codex Security
Closes #21511

`struct Curl_peer` keeps information about a communication endpoint
together. It will replace `conn->host` and `conn->conn_to_host` and
proxyinfo host. It will also become part of `struct ssl_peer`.
It has a reference counter, so an instance can be shared between
connections and filters.
Eliminates `conn->host` and `conn->connect_to_host`, used in the
proxyinfo structures. Passed to DNS resolution and socks filters, etc.
Pass peer to http proxy and socks tunnel filters. Use peer in dns filter
and resolving. Make `Curl_peer` a member in the `struct ssl_peer`.
Add `docs/internals/PEERS.md` for documentation.
Closes #21472

This allows the unit tests to have a prototype involving such a struct
pointer - even when the build is done without threaded resolver.
Follow-up to 117d50b4bf
Closes #21503

When building curl 8.20.0 with socketpair disabled, there is no
wakeup socket and the resolve results are not processed.
This fix performs result processing in the absence of a wakeup
socket before checking the resolve result.
Closes #21476

- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes #21473

Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
headers must have remaining_length set to zero. The previous code
dispatched to mqtt->nextstate based on the queued state alone without
validating remaining_length for these no-payload packet types, allowing
a malicious broker to send a PINGRESP with non-zero remaining_length
whose trailing bytes would be interpreted as the payload of whatever
message type was queued (CONNACK, SUBACK, etc.).
The exploitation path turned out to be narrow — curl sends data to the
server the user chose to talk to — but the spec violation and the
resulting protocol-state error are real. Reject the malformed packets
with CURLE_WEIRD_SERVER_REPLY before state dispatch.
Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes #21465
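
The check described in the MQTT commit above, as an added example that is not curl's own code: the fixed header is decoded and a PINGRESP or DISCONNECT with a non-zero remaining length is rejected before any state dispatch. The function name, the result enum and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Packet types from the MQTT 3.1.1 fixed header (high nibble of byte 0) */
#define MQTT_PINGRESP   0xD0
#define MQTT_DISCONNECT 0xE0
enum hdr_result {
  HDR_OK,
  HDR_NEED_MORE, /* fixed header not complete yet */
  HDR_MALFORMED  /* a caller would map this to CURLE_WEIRD_SERVER_REPLY */
};

/* Hypothetical helper, not curl's code: decode the fixed header in
   buf[0..len) and reject no-payload types with non-zero remaining length */
static enum hdr_result check_fixed_header(const uint8_t *buf, size_t len,
                                          uint8_t *type, uint32_t *remaining)
{
  uint32_t value = 0;
  unsigned int shift = 0;
  size_t i;
  if(len < 2)
    return HDR_NEED_MORE;
  *type = buf[0] & 0xF0;
  /* Remaining Length: 1-4 bytes, 7 data bits each, bit 7 = continuation */
  for(i = 1; ; i++, shift += 7) {
    if(i > 4)
      return HDR_MALFORMED; /* more than four length bytes */
    if(i >= len)
      return HDR_NEED_MORE;
    value |= (uint32_t)(buf[i] & 0x7F) << shift;
    if(!(buf[i] & 0x80))
      break;
  }
  *remaining = value;
  /* validate before any state dispatch looks at the queued next state */
  if((*type == MQTT_PINGRESP || *type == MQTT_DISCONNECT) && value)
    return HDR_MALFORMED;
  return HDR_OK;
}

int main(void)
{
  /* constructed sample: PINGRESP claiming two trailing payload bytes */
  const uint8_t bad[] = { 0xD0, 0x02, 0x00, 0x00 };
  uint8_t type = 0;
  uint32_t rem = 0;
  printf("%d\n", check_fixed_header(bad, sizeof(bad), &type, &rem));
  return 0;
}
```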