digest: replace strcpy for empty string with simple assignment

Closes #13586

digest: add check for hashing error

Closes #13072

digest: support SHA-512/256

Also fix the tests. New implementation tested with GNU libmicrohttpd.
The new numbers in tests are real SHA-512/256 numbers (not just some
random ;) numbe

digest: support SHA-512/256

Also fix the tests. New implementation tested with GNU libmicrohttpd.
The new numbers in tests are real SHA-512/256 numbers (not just some
random ;) numbers ).

show more ...

build: add more picky warnings and fix them

Enable more picky compiler warnings. I've found these options in the
nghttp3 project when implementing the CMake quick picky warning
funct

build: add more picky warnings and fix them

Enable more picky compiler warnings. I've found these options in the
nghttp3 project when implementing the CMake quick picky warning
functionality for it [1].

`-Wunused-macros` was too noisy to keep around, but fixed a few issues
it revealed while testing.

- autotools: reflect the more precisely-versioned clang warnings.
Follow-up to 033f8e2a08eb1d3102f08c4d8c8e85470f8b460e #12324
- autotools: sync between clang and gcc the way we set `no-multichar`.
- autotools: avoid setting `-Wstrict-aliasing=3` twice.
- autotools: disable `-Wmissing-noreturn` for MSYS gcc targets [2].
It triggers in libtool-generated stub code.

- lib/timeval: delete a redundant `!MSDOS` guard from a `WIN32` branch.

- lib/curl_setup.h: delete duplicate declaration for `fileno`.
Added in initial commit ae1912cb0d494b48d514d937826c9fe83ec96c4d
(1999-12-29). This suggests this may not be needed anymore, but if
it does, we may restore this for those specific (non-Windows) systems.
- lib: delete unused macro `FTP_BUFFER_ALLOCSIZE` since
c1d6fe2aaa5a26e49a69a4f2495b3cc7a24d9394.
- lib: delete unused macro `isxdigit_ascii` since
f65f750742068f579f4ee6d8539ed9d5f0afcb85.
- lib/mqtt: delete unused macro `MQTT_HEADER_LEN`.
- lib/multi: delete unused macro `SH_READ`/`SH_WRITE`.
- lib/hostip: add `noreturn` function attribute via new `CURL_NORETURN`
macro.
- lib/mprintf: delete duplicate declaration for `Curl_dyn_vprintf`.
- lib/rand: fix `-Wunreachable-code` and related fallouts [3].
- lib/setopt: fix `-Wunreachable-code-break`.
- lib/system_win32 and lib/timeval: fix double declarations for
`Curl_freq` and `Curl_isVistaOrGreater` in CMake UNITY mode [4].
- lib/warnless: fix double declarations in CMake UNITY mode [5].
This was due to force-disabling the header guard of `warnless.h` to
to reapply it to source code coming after `warnless.c` in UNITY
builds. This reapplied declarations too, causing the warnings.
Solved by adding a header guard for the lines that actually need
to be reapplied.
- lib/vauth/digest: fix `-Wunreachable-code-break` [6].
- lib/vssh/libssh2: fix `-Wunreachable-code-break` and delete redundant
block.
- lib/vtls/sectransp: fix `-Wunreachable-code-break` [7].
- lib/vtls/sectransp: suppress `-Wunreachable-code`.
Detected in `else` branches of dynamic feature checks, with results
known at compile-time, e.g.
```c
if(SecCertificateCopySubjectSummary) /* -> true */
```
Likely fixable as a separate micro-project, but given SecureTransport
is deprecated anyway, let's just silence these locally.
- src/tool_help: delete duplicate declaration for `helptext`.
- src/tool_xattr: fix `-Wunreachable-code`.
- tests: delete duplicate declaration for `unitfail` [8].
- tests: delete duplicate declaration for `strncasecompare`.
- tests/libtest: delete duplicate declaration for `gethostname`.
Originally added in 687df5c8c39c370a59999b9afc0917d808d978b7
(2010-08-02).
Got complicated later: c49e9683b85ba9d12cbb6eebc4ab2c8dba68fbdc
If there are still systems around with warnings, we may restore the
prototype, but limited for those systems.
- tests/lib2305: delete duplicate declaration for
`libtest_debug_config`.
- tests/h2-download: fix `-Wunreachable-code-break`.

[1] https://github.com/ngtcp2/nghttp3/blob/a70edb08e954d690e8fb2c1df999b5a056f8bf9f/cmake/PickyWarningsC.cmake
[2] https://ci.appveyor.com/project/curlorg/curl/builds/48553586/job/3qkgjauiqla5fj45?fullLog=true#L1675
[3] https://github.com/curl/curl/actions/runs/6880886309/job/18716044703?pr=12331#step:7:72
https://github.com/curl/curl/actions/runs/6883016087/job/18722707368?pr=12331#step:7:109
[4] https://ci.appveyor.com/project/curlorg/curl/builds/48555101/job/9g15qkrriklpf1ut#L204
[5] https://ci.appveyor.com/project/curlorg/curl/builds/48555101/job/9g15qkrriklpf1ut#L218
[6] https://github.com/curl/curl/actions/runs/6880886309/job/18716042927?pr=12331#step:7:290
[7] https://github.com/curl/curl/actions/runs/6891484996/job/18746659406?pr=12331#step:9:1193
[8] https://github.com/curl/curl/actions/runs/6882803986/job/18722082562?pr=12331#step:33:1870

Closes #12331

show more ...

digest: Use hostname to generate spn instead of realm

In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

digest-uri-value should be serv-type "/" host , where host is:

digest: Use hostname to generate spn instead of realm

In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

digest-uri-value should be serv-type "/" host , where host is:

The DNS host name or IP address for the service requested. The
DNS host name must be the fully-qualified canonical name of the
host. The DNS host name is the preferred form; see notes on server
processing of the digest-uri.

Realm may not be the host, so we must specify the host explicitly.

Note this change only affects the non-SSPI digest code. The digest code
used by SSPI builds already uses the hostname to generate the spn.

Ref: https://github.com/curl/curl/issues/11369

Closes https://github.com/curl/curl/pull/11395

show more ...

lib: add ability to disable auths individually

Both with configure and cmake

Closes #11490

digest: clear target buffer

Closes #10814

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- save

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205

show more ...

lib: fix some type mismatches and remove unneeded typecasts

Many of these castings are unneeded if we change the variables to work
better with each other.

Ref: https://github.co

lib: fix some type mismatches and remove unneeded typecasts

Many of these castings are unneeded if we change the variables to work
better with each other.

Ref: https://github.com/curl/curl/pull/9823

Closes https://github.com/curl/curl/pull/9835

show more ...

style: use space after comment start and before comment end

/* like this */

/*not this*/

checksrc is updated accordingly

Closes #9828

misc: typo and grammar fixes

- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing

misc: typo and grammar fixes

- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing repeated words.
- Replace `a HTTP` with `an HTTP`

Closes #9802

show more ...

misc: null-terminate

Make use of this term consistently.

Closes #9527

misc: ISSPACE() => ISBLANK()

Instances of ISSPACE() use that should rather use ISBLANK(). I think
somewhat carelessly used because it sounds as if it checks for space or
whitespace,

misc: ISSPACE() => ISBLANK()

Instances of ISSPACE() use that should rather use ISBLANK(). I think
somewhat carelessly used because it sounds as if it checks for space or
whitespace, but also includes %0a to %0d.

For parsing purposes, we should only accept what we must and not be
overly liberal. It leads to surprises and surprises lead to bad things.

Closes #9432

show more ...

digest: pass over leading spaces in qop values

When parsing the "qop=" parameter of the digest authentication, and the
value is provided within quotes, the list of values can have leadin

digest: pass over leading spaces in qop values

When parsing the "qop=" parameter of the digest authentication, and the
value is provided within quotes, the list of values can have leading
white space which the parser previously did not handle correctly.

Add test case 388 to verify.

Reported-by: vlubart on github
Fixes #9264
Closes #9270

show more ...

digest: reject broken header with session protocol but without qop

Closes #9077

digest: fix memory leak, fix not quoted 'opaque'

Fix leak regression introduced by 3a6fe0c.

Closes https://github.com/curl/curl/pull/9199

digest: fix missing increment of 'nc' value for auth-int

- Increment nc regardless of qop type.

Prior to this change nc was only incremented for qop type auth even
though libcur

digest: fix missing increment of 'nc' value for auth-int

- Increment nc regardless of qop type.

Prior to this change nc was only incremented for qop type auth even
though libcurl sends nc with any qop.

Closes https://github.com/curl/curl/pull/9090

show more ...

digest: simplify a switch() to a simple if

digest: provide a special bit for "sess" algos

Also shortened the names and moved them to the .c file since they are
private for this source file only. Also made them #defines instead of

digest: provide a special bit for "sess" algos

Also shortened the names and moved them to the .c file since they are
private for this source file only. Also made them #defines instead of
enum.

Closes #9079

show more ...

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

show more ...

digest: tolerate missing "realm"

Server headers may not define "realm", avoid NULL pointer dereference
in such cases.

Closes #8912

digest: added detection of more syntax error in server headers

Invalid headers should not be processed otherwise they may create
a security risk.

Closes #8912

digest: unquote realm and nonce before processing

RFC 7616 (and 2617) requires values to be "unquoted" before used for
digest calculations. The only place where unquoting can be done

digest: unquote realm and nonce before processing

RFC 7616 (and 2617) requires values to be "unquoted" before used for
digest calculations. The only place where unquoting can be done
correctly is header parsing function (realm="DOMAIN\\host" and
realm=DOMAN\\host are different realms).

This commit adds unquoting (de-escaping) of all values during header
parsing and quoting of the values during header forming. This approach
should be most straightforward and easy to read/maintain as all values
are processed in the same way as required by RFC.

Closes #8912

show more ...

lib: remove support for CURL_DOES_CONVERSIONS

TPF was the only user and support for that was dropped.

Closes #8378

checksrc: detect more kinds of NULL comparisons we avoid

Co-authored-by: Jay Satiro
Closes #8180