History log of /curl/lib/curl_sasl.c (Results 151 – 175 of 178)
# 86c64f3d 18-Oct-2013 Kamil Dudka

curl_sasl: initialize NSS before using crypto


Revision tags: curl-7_33_0
# 19a05c90 25-Aug-2013 Kyle L. Huff

sasl: added basic SASL XOAUTH2 support

Added the ability to generate a base64 encoded XOAUTH2 token
containing: "user=<username>^Aauth=Bearer <bearer token>^A^A"
as per RFC6749 "OAuth 2.0 Authorization Framework".


# c56f9797 19-Aug-2013 Jonathan Nieder

sasl: allow arbitrarily long username and password

Use appropriately sized buffers on the heap instead of fixed-size
buffers on the stack, to allow for longer usernames and passwords.

Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp.
MAX_CURL_PASSWORD_LENGTH), so no functional change intended yet.


Revision tags: curl-7_32_0
# 365c5ba3 24-Jun-2013 Daniel Stenberg

formpost: better random boundaries

When doing multi-part formposts, libcurl used a pseudo-random value that
was seeded with time(). This turns out to be bad for users who formpost
data that is provided with users who then can guess how the boundary
string will look like and then they can forge a different formpost part
and trick the receiver.

My advice to such implementors is (still even after this change) to not
rely on the boundary strings being cryptographically strong. Fix your
code and logic to not depend on them that much!

I moved the Curl_rand() function into the sslgen.c source file now to be
able to take advantage of the SSL library's random function if it
provides one. If not, try to use the RANDOM_FILE for seeding and as a
last resort keep the old logic, just modified to also add microseconds
which makes it harder to properly guess the exact seed.

The formboundary() function in formdata.c is now using 64 bit entropy
for the boundary and therefore the string of dashes was reduced by 4
letters and there are 16 hex digits following it. The total length is
thus still the same.

Bug: http://curl.haxx.se/bug/view.cgi?id=1251
Reported-by: "Floris"


Revision tags: curl-7_31_0, curl-7_30_0
# ce200806 21-Mar-2013 Steve Holme

sasl: Corrected a few violations of the curl coding standards

Corrected some incorrectly positioned pointer variable declarations to
be "char *" rather than "char* ".


# e6c1e773 12-Feb-2013 Steve Holme

sasl: Fixed null pointer reference when decoding empty digest challenge

Fixed a null pointer reference when an empty challenge is passed to the
Curl_sasl_create_digest_md5_message() function.

Bug: http://sourceforge.net/p/curl/bugs/1193/
Reported by: Saran Neti


Revision tags: curl-7_29_0
# f206d6c0 30-Jan-2013 Eldar Zaitov

Curl_sasl_create_digest_md5_message: fix buffer overflow

When negotiating SASL DIGEST-MD5 authentication, the function
Curl_sasl_create_digest_md5_message() uses the data provided from the
server without doing the proper length checks and that data is then
appended to a local fixed-size buffer on the stack.

This vulnerability can be exploited by someone who is in control of a
server that a libcurl based program is accessing with POP3, SMTP or
IMAP. For applications that accept user provided URLs, it is also
thinkable that a malicious user would feed an application with a URL to
a server hosting code targeting this flaw.

Bug: http://curl.haxx.se/docs/adv_20130206.html


# de991037 22-Jan-2013 Steve Holme

curl_sasl.c: Corrected references to RFC

The most recent version of the RFC is RFC4422 and not RFC2222 as
previously documented.


# 5a053ffe 06-Jan-2013 Yang Tse

build: fix circular header inclusion with other packages

This commit renames lib/setup.h to lib/curl_setup.h and
renames lib/setup_once.h to lib/curl_setup_once.h.

Removes the need and usage of a header inclusion guard foreign
to libcurl. [1]

Removes the need and presence of an alarming notice we carried
in old setup_once.h [2]

----------------------------------------

1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard
up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H,
this single inclusion guard is enough to ensure that inclusion of
lib/setup_once.h done from lib/setup.h is only done once.

Additionally lib/setup.h has always used __SETUP_ONCE_H macro to
protect inclusion of setup_once.h even after commit ec691ca3, this
was to avoid a circular header inclusion triggered when building a
c-ares enabled version with c-ares sources available which also has
a setup_once.h header. Commit ec691ca3 exposes the real nature of
__SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard
foreign to libcurl belonging to c-ares's setup_once.h

The renaming this commit does, fixes the circular header inclusion,
and as such removes the need and usage of a header inclusion guard
foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl.

2 - Due to the circular interdependency of old lib/setup_once.h and the
c-ares setup_once.h header, old file lib/setup_once.h has carried
back from 2006 up to now days an alarming and prominent notice about
the need of keeping libcurl's and c-ares's setup_once.h in sync.

Given that this commit fixes the circular interdependency, the need
and presence of mentioned notice is removed.

All mentioned interdependencies come back from now old days when
the c-ares project lived inside a curl subdirectory. This commit
removes last traces of such fact.


# d6bebd56 06-Jan-2013 Steve Holme

curl_sasl.c: Small code tidy up following imap changes


# 4a5aa668 04-Jan-2013 Yang Tse

Revert changes relative to lib/*.[ch] recent renaming

This reverts renaming and usage of lib/*.h header files done
28-12-2012, reverting 2 commits:

f871de0... build: make use of 76 lib/*.h renamed files
ffd8e12... build: rename 76 lib/*.h files

This also reverts removal of redundant include guard (redundant thanks
to changes in above commits) done 2-12-2013, reverting 1 commit:

c087374... curl_setup.h: remove redundant include guard

This also reverts renaming and usage of lib/*.c source files done
3-12-2013, reverting 3 commits:

13606bb... build: make use of 93 lib/*.c renamed files
5b6e792... build: rename 93 lib/*.c files
7d83dff... build: commit 13606bbfde follow-up 1

Start of related discussion thread:

http://curl.haxx.se/mail/lib-2013-01/0012.html

Asking for confirmation on pushing this reversion commit:

http://curl.haxx.se/mail/lib-2013-01/0048.html

Confirmation summary:

http://curl.haxx.se/mail/lib-2013-01/0079.html

NOTICE: The list of 2 files that have been modified by other
intermixed commits, while renamed, and also by at least one
of the 6 commits this one reverts follows below. These 2 files
will exhibit a hole in history unless git's '--follow' option
is used when viewing logs.

lib/curl_imap.h
lib/curl_smtp.h


# f871de00 28-Dec-2012 Yang Tse

build: make use of 76 lib/*.h renamed files

76 private header files renamed to use our standard naming scheme.

This change affects 322 files in libcurl's source tree.


Revision tags: curl-7_28_1, curl-7_28_0, curl-7_27_0
# 46480bb9 15-Jun-2012 Mark Salisbury

SSPI related code: Unicode support for WinCE

SSPI related code now compiles with ANSI and WCHAR versions of security
methods (WinCE requires WCHAR versions of methods).

Pulled UTF8 to WCHAR conversion methods out of idn_win32.c into their own file.

curl_sasl.c - include curl_memory.h to use correct memory functions.

getenv.c and telnet.c - WinCE compatibility fix

With some committer adjustments


# 0cd8c287 08-Jun-2012 Steve Holme

sasl: Re-factored mechanism constants in preparation for APOP work


# 64510fe9 04-Jun-2012 Steve Holme

sasl: Renamed Curl_sasl_decode_ntlm_type2_message()

For consistency with other SASL based functions renamed this function
to Curl_sasl_create_ntlm_type3_message() which better describes its
usage.


# bf51b8c0 04-Jun-2012 Steve Holme

sasl: Added service parameter to Curl_sasl_create_digest_md5_message()

Added a service type parameter to Curl_sasl_create_digest_md5_message()
to allow the function to be used by different services rather than being
hard coded to "smtp".


# f0872115 04-Jun-2012 Steve Holme

sasl: Small code tidy up

Reworked variable names in Curl_sasl_create_cram_md5_message() to match
those in Curl_sasl_create_digest_md5_message() as they are more
appropriate.


# 665e1689 04-Jun-2012 Steve Holme

sasl: Moved digest-md5 authentication message creation from smtp.c

Moved the digest-md5 message creation from smtp.c into the sasl module
to allow for use by other modules such as pop3.


# 58987556 04-Jun-2012 Steve Holme

sasl: Small code tidy up before moving digest-md5 over

Correction of comments and variable names.


# 24f12702 03-Jun-2012 Daniel Stenberg

Curl_sasl_create_plain_message: remove TAB


# 2b9ca12e 03-Jun-2012 Steve Holme

sasl: Small code tidy up

Added some comments and removed an unreferenced variable.


# c12a414b 03-Jun-2012 Steve Holme

sasl: Moved cram-md5 authentication message creation from smtp.c

Moved the cram-md5 message creation from smtp.c into the sasl module
to allow for use by other modules such as pop3.


# 273e9afc 02-Jun-2012 Steve Holme

sasl.c: Fix to avoid warnings introduced in commit d9ca9e9869e8

Applied a fix to avoid warnings on systems where Curl_ntlm_sspi_cleanup()
is just a nop.


# cfa81b8f 02-Jun-2012 Steve Holme

sasl: Corrected variable names in comments and parameters


# 6f964e4f 02-Jun-2012 Steve Holme

sasl: Small comment style tidy up following ntlm commit

