neon

neon is an HTTP/1.1 and WebDAV client library, with a C interface. Features:

High-level wrappers for common HTTP and WebDAV operations (GET, MOVE, DELETE, etc) Low-level interface to the HTTP request/response engine, allowing the use of arbitrary HTTP methods, headers, etc.
Authentication support including Basic and Digest support, along with GSSAPI-based Negotiate on Unix, and SSPI-based Negotiate/NTLM on Win32
SSL/TLS support using OpenSSL or GnuTLS; exposing an abstraction layer for verifying server certificates, handling client certificates, and examining certificate properties.
Smartcard-based client certificates are also supported via a PKCS#11 wrapper interface
Abstract interface to parsing XML using libxml2 or expat, and wrappers for simplifying handling XML HTTP response bodies
WebDAV metadata support; wrappers for PROPFIND and PROPPATCH to simplify property manipulation

neon is free software, distributed under the GNU Library GPL.

Feature requests, bug reports etc should be reported via the Github repository.

Changes in release 0.32.5 (neon-0.32.5.tar.gz), 21st January 2023

NOTE: Since 0.32.0 the “$KRB5_CONFIG” environment variable is ignored when running configure. Use KRB5_CONF_TOOL instead to specify an alternative to /usr/bin/krb5-config.
Fail for configure –with-gssapi if GSSAPI can’t be enabled (issue #102)
Add Georgian translation (NorwayFun)
Fixes for Windows MSYS2/MinGW build, including cross-build (Jim Klimov)

Changes in release 0.32.4 (neon-0.32.4.tar.gz), 11th September 2022

Fix Digest regression in allowing implicit algorithm= (issue #88)
Fix Digest to safely allow spaces in usernames (without userhash)
ne_ssl_trust_default_ca() now uses the system’s trusted CAs with GnuTLS where supported (matching behaviour of OpenSSL)

Changes in release 0.32.3 (neon-0.32.3.tar.gz), 4th September 2022

Improvements and fixes to Windows build (Chun-wei Fan)
Fix finding pkg-config when cross-compiling (Hugh McMaster)
Fix Digest cnonce entropy sources in non-SSL builds
Fix cases where Digest usernames were rejected as non-ASCII
Fix build failures with OpenSSL 1.1 on some platforms

Changes in release 0.32.2 (neon-0.32.2.tar.gz), 12th January 2022

Fix auth handling for request-target of “*” (regressed since 0.31.x)
Fix bindtextdomain() detection on OS X (Daniel Macks)
Fix regeneration of docs in “make install” (Lonnie Abelbeck)
Fixes for NetBSD build (Thomas Klausner)

Changes in release 0.32.1 (neon-0.32.1.tar.gz), 20th September 2021

Fix configure CFLAGS handling in Kerberos detection.
Various spelling fixes.

Changes in release 0.32.0 (neon-0.32.0.tar.gz), 20th September 2021

Interface changes:
- API and ABI backwards-compatible with 0.27.x and later
- NE_AUTH_DIGEST now only enables RFC 2617/7616 auth by default; to enable weaker RFC 2069 Digest, use NE_AUTH_LEGACY_DIGEST (treated as a security enhancement, not an API/ABI break)
Interface clarifications:
- ne_auth.h: use of non-ASCII usernames with the ne_auth_creds callback type is now rejected for Digest auth since the encoding is not specified. ne_add_auth() can be used instead.
- ne_request.h: the ne_create_request_fn callback is passed the request-target using RFC 7230 terminology
New interfaces and features:
- ne_string.h: added ne_strhash(), ne_vstrhash(), ne_strparam()
- ne_auth.h: added RFC 7616 (Digest authentication) support, including userhash=, username*= and SHA-2 algorithms (SHA-2 requires GnuTLS/OpenSSL). added NE_AUTH_LEGACY_DIGEST
- ne_auth.h: added ne_add_auth() unified auth callback interface, accepts (only) UTF-8 usernames, uses a larger password buffer, and has different/improved attempt counter semantics.
- RFC 7617 scoping rules are now applied for Basic authentication.
- ne_ssl.h: added ne_ssl_cert_hdigest()
- ne_socket.h: added ne_sock_shutdown()
- sendmsg()/send() are used with the MSG_NOSIGNAL flag to write to sockets on Unix, rather than write()/writev(), avoiding SIGPIPE
- explicit_bzero() is used where available to clear credentials
Bug fixes:
- fixed TLS connection shutdown handling for OpenSSL 3
- fix various Coverity and cppcheck warnings (Sebastian Reschke)
- Kerberos library detection uses pkg-config where possible.
- fix some configure checks on Win32 (Christopher Degawa)
- fix some configure errors on MacOS (Ryan Schmidt)

Changes in release neon 0.31.2, 20th June 2020

Fix ne_md5_read_ctx() with OpenSSL on big-endian architectures.
Fix GCC 10 warning in PKCS#11 build.
Fix OpenSSL build w/o deprecated APIs (Rosen Penev).
Fix unnecessary MD5 test for non-Digest auth (Sebastian Reschke).
Fix hang on SSL connection close with IIS (issue #11).
Fix ar, ranlib detection when cross-compiling (Sergei Trofimovich).

Changes in release neon 0.31.1, 17th April 2020

ADMIN: The neon website has moved to https://notroj.github.io/neon/
Restore ne_md5_read_ctx() in OpenSSL build.
Fix gcc warnings on Ubuntu (Jan-Marek Glogowski).
Fix various spelling mistakes in docs and headers (thanks to FOSSIES).
Fix ne_asctime_parse() (Eugenij-W).
Fix build with LibreSSL (Juan RP).

Changes in release neon 0.31.0, 24th March 2020

Interface changes:
- none, API and ABI backwards-compatible with 0.27.x and later
New interfaces and features:
- add more gcc “nonnull” attributes to ne_request_* functions.
- for OpenSSL builds, ne_md5 code uses the OpenSSL implementation
- add NE_SESSFLAG_SHAREPOINT session flag which enables workarounds< for RFC non-compliance issues in Sharepoint (thanks to Jan-Marek Glogowski and Giuseppe Castagno)
- ne_uri.h: add ne_path_escapef() in support of above
- ne_207.h: add ne_207_set_flags() likewise in support of above
API clarification:
- ne_version_match() behaviour now matches actual 0.27+ ABI history
Bug fixes:
- fixes for OpenSSL 1.1.1 and TLSv1.3 support
- fix crash with GnuTLS in client cert support (Henrik Holst)
- fix possible crash in ne_set_request_flag()
- fix build with libxml2 2.9.10 and later
- fix handling lock timeouts >LONG_MAX (Giuseppe Castagno)

Joe Orton