According to RFC 7616, nonce-prime and cnonce-prime is used for SHA-256-sess only and not for SHA-256.
This commit updates the check and uses nonce only for "-sess" algorithms.
Regression from 66995965e7
Fixed vulnerability where malicious HTTP servers could trigger OOB reads
by sending empty or very short algorithm fields in WWW-Authenticate headers.
Changes:
- Replace unsafe memcmp() with strcasecmp() for algorithm comparison
- Add algorithm NULL validation at function entry point
- Fix duplicate md5-sess check, add missing SHA-256 check
This commit updated the client closing condition to avoid spurious
dispatching of event HTTP_EVENT_DISCONNECTED while closing closeed connection.
Closes https://github.com/espressif/esp-idf/issues/16070
Fixed memory leak in esp_http_client_cleanup() where current_header_value
buffer was not being freed when ESP_ERR_HTTP_FETCH_HEADER is returned
during header parsing failures.
Problem:
1. In low-memory scenarios, the dynamic buffer feature can fail due to memory fragmentation.
2. It requires a contiguous 16KB heap chunk, but continuous allocation and deallocation of
the RX buffer can lead to fragmentation.
3. If another component allocates memory between these operations, it can break up the
available 16KB block, causing allocation failure.
Solution:
1. Introduce configurable strategy for using dynamic buffers in TLS connections.
2. For example, convert RX buffers to static after the TLS handshake.
3. Allow users to select the strategy via a new field in the esp_http_client_cfg_t structure.
4. The strategy can be controlled independently for each TLS session.
- esp_http_client support just PEM ca_cert and client_cert.
- Although esp_tls supports both PEM and DER certificate. We have logic
based on cert_len and client_cert_len which decides whether given cert or client_cert
is in PEM or DER format.
- If length is 0 then it is PEM certificate and if length is passed then DER is
considered. This is true for both ca_cert and client_cert
This commits allow to pass the DER certificate in esp_http_client
Prior to v5.4, headers could be deleted from an HTTP client by calling
esp_http_client_set_header("Header", NULL). This pattern is used by
esp_http_client_set_post_field(NULL, 0), which is the only API usage
that will delete the request body in a persistent connection scenario.
An IPv6 IP that occurs in the 'Host:' header of an HTTP request must be enclosed
in square brackets (RFC3986 section 3.2.2).
Searches for ':' in the host string to efficiently determine if the host is an
IPv6 IP address.
In case a request with no content is sent after one with the content
length header set the header of the previous request is sent with the
subsequent one.
For instance, an empty GET request after a PUT request will still
indicate the non-zero content length of the previous request.
This is fixed by clearing the content length header when it shouldn't be
set.
This commit removes depcriacted tag marked on priavte APIs'
http_utils_get_string_between() and http_utils_get_string_after().
As these are not publick API, necessary changes been applied on these
APIs' directly withput adding new similar one and marking them as depricated.
In commit a0bcffcc, some ESP_RETURN and ESP_GOTO debug macros were
introduced. But this caused a regression with CONFIG_COMPILER_OPTIMIZATION_CHECKS_SILENT
case. Its better to move this macros to HTTP client component itself, as
the debug log is still desired for the specific use-case.
This commit replace macro MEM_CHECK with return on failure and
updated usage of reespctive APIs' in IDF.
This also update th prototype of API esp_http_client_add_auth().
Closes https://github.com/espressif/esp-idf/issues/14463
If the TLS server (e.g., openssl) closes connection with encrypted close-notify alert
then `errno` is not explicitly set on the socket by LwIP stack.
For this scenario, we must rely only on `ERR_TCP_TRANSPORT_CONNECTION_CLOSED_BY_FIN`
return value as the connection close case and do the graceful connection closure.
Closes https://github.com/espressif/esp-idf/issues/14724
Added support http REPORT method and tested it using local server.
Added test case for REPOPRT method in esp_http_client_example.c
The URL(httpbin.org) does not support for /report endpoint.
Closes https://github.com/espressif/esp-idf/issues/14147
Ashish Sharma
nilesh.kale
Mahavir Jain
Jiang Jiang Jian
Richard Allen
hrushikesh.bhosale
Mathew Harman
Chen Jichang
igor.udot
Aditya Patwardhan
Bernhard Heinloth
gaoxu
Christopher Durand
Lorenzo Consolaro
Xu Si Yu
Duco Sebel
Serhii Kulyk
wanlei