Граф коммитов

133 Коммитов

Автор SHA1 Сообщение Дата
Alex Rousskov cb4e2be7c6 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE        CA certificate to verify peer against
  --proxy-capath DIR         CA directory to verify peer against
  --proxy-cert CERT[:PASSWD] Client certificate file and password
  --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST       SSL ciphers to use
  --proxy-crlfile FILE       Get a CRL list in PEM format from the file
  --proxy-insecure           Allow connections to proxies with bad certs
  --proxy-key KEY            Private key file name
  --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
  --proxy-pass PASS          Pass phrase for the private key
  --proxy-ssl-allow-beast    Allow security flaw to improve interop
  --proxy-sslv2              Use SSLv2
  --proxy-sslv3              Use SSLv3
  --proxy-tlsv1              Use TLSv1
  --proxy-tlsuser USER       TLS username
  --proxy-tlspassword STRING TLS password
  --proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
2016-11-24 23:41:44 +01:00
Daniel Stenberg 811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg 4f45240bc8 lib: include curl_printf.h as one of the last headers
curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

 curl_printf.h
 curl_memory.h
 memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743
2016-04-29 22:32:49 +02:00
Viktor Szakats a24f71aac4 URLs: change http to https in many places
Closes #754
2016-04-06 11:58:34 +02:00
Steve Holme f0bdd72c10 http_ntlm: Renamed from curl_ntlm.[c|h]
Renamed the header and source files for this module as they are HTTP
specific and as such, they should use the naming convention as other
HTTP authentication source files do - this revert commit 260ee6b7bf.

Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
code needs separating from the HTTP protocol and migrating into the
vauth directory, thus adding support for Winbind to the SASL based
protocols such as IMAP, POP3 and SMTP.
2016-03-27 17:58:50 +01:00
Yang Tse 662c1d87f3 NTLM: END of refactoring/splitting/moving
First:

File curl_ntlm.h renamed curl_ntlm_msgs.h
File curl_ntlm.c renamed curl_ntlm_msgs.c

Afterwards:

File http_ntlm.c renamed curl_ntlm.c
File http_ntlm.h renamed curl_ntlm.h
2011-08-28 02:00:02 +02:00
Yang Tse 260ee6b7bf NTLM_WB: move NTLM_WB specifics into curl_ntlm_wb.[ch] 2011-08-27 19:16:10 +02:00
Yang Tse b976d108f1 NTLM_WB: final congruency naming adjustments
Configure script option --enable-wb-ntlm-auth renamed to --enable-ntlm-wb
Configure script option --disable-wb-ntlm-auth renamed to --disable-ntlm-wb

Preprocessor symbol WINBIND_NTLM_AUTH_ENABLED renamed to NTLM_WB_ENABLED
Preprocessor symbol WINBIND_NTLM_AUTH_FILE renamed to NTLM_WB_FILE

Test harness env var CURL_NTLM_AUTH renamed to CURL_NTLM_WB_FILE

Static function wb_ntlm_close renamed to ntlm_wb_cleanup
Static function wb_ntlm_initiate renamed to ntlm_wb_init
Static function wb_ntlm_response renamed to ntlm_wb_response
2011-08-27 06:31:18 +02:00
Yang Tse 407e08baad NTLM single-sign on adjustments (X)
Functions renamed:

Curl_output_ntlm_sso -> Curl_output_ntlm_wb
sso_ntlm_close -> wb_ntlm_close
sso_ntlm_response -> wb_ntlm_response
sso_ntlm_initiate -> wb_ntlm_initiate

Preprocessor symbols renamed:

CURLAUTH_NTLM_SSO -> CURLAUTH_NTLM_WB
CURL_VERSION_NTLM_SSO -> CURL_VERSION_NTLM_WB
2011-08-26 18:57:50 +02:00
Steve Holme d535cff775 http NTLM: refactoring followup
Output of Curl_ntlm_create_type1_message() and Curl_ntlm_create_type3_message()
functions is now already base64 encoded.
2011-08-25 15:13:13 +02:00
Yang Tse fd00b382b2 base64: fix Curl_base64_encode and Curl_base64_decode interfaces
Previous interfaces for these libcurl internal functions did not allow to tell
apart a legitimate zero size result from an error condition. These functions
now return a CURLcode indicating function success or otherwise specific error.
Output size is returned using a pointer argument.

All usage of these two functions, and others closely related, has been adapted
to the new interfaces. Relative error and OOM handling adapted or added where
missing. Unit test 1302 also adapted.
2011-08-24 08:10:30 +02:00
Steve Holme 006b011cdf http NTLM: remaining bits from 0001-Moved-ntlm-[...]-curl_ntlm-mod_3.patch
* Added function comments:
    - Curl_ntlm_decode_type2_message
    - Curl_ntlm_create_type1_message
    - Curl_ntlm_create_type3_message

* Modification of ntlm processing state to NTLMSTATE_TYPE2 is now done
  only when Curl_ntlm_decode_type2_message() has fully succeeded.
2011-08-22 16:42:59 +02:00
Yang Tse b9d5e72adc http NTLM: reinstate "nssg.h" "curl_sspi.h" header inclusions 2011-08-15 01:34:34 +02:00
Yang Tse e575cbc815 http NTLM: reinstate "memdebug.h" header inclusion
Inclusion of header "memdebug.h" in http_ntlm.c got lost in commit 98fb0ef7.
2011-08-14 21:19:22 +02:00
Daniel Stenberg dfb18da5dc Curl_output_ntlm: remove unused variable 2011-08-14 18:54:21 +02:00
Yang Tse dc4f9d185d http NTLM: fix 8 compiler warnings
Strict splitting of http_ntlm.[ch] may trigger 8 compiler warnings when
building with some compilers and strict compiler warnings enabled, depending
on other specific configuration options some could get triggered or not.

Seven are related with 'unused function parameters' and another one with
'var may be used before its value is set'.
2011-08-14 16:36:47 +02:00
Yang Tse 98fb0ef73e http NTLM: split http_ntlm.[ch] between http_ntlm.[ch] and curl_ntlm.[ch]
For modularity purposes, huge chunks of NTLM existing code is transformed into
functions to allow future internal code reuse.

Resulting three new libcurl private functions:

 - Curl_ntlm_create_type1_message()
 - Curl_ntlm_create_type3_message()
 - Curl_ntlm_decode_type2_message()

Changing static ntlm_sspi_cleanup() into non-static Curl_ntlm_sspi_cleanup()

This 'refactoring' has been prepared by previous commits to allow that this
specific one does not introduce any change to existing code. All existing
goodness and badness previous to this commit should remain the same once it is
applied, the only difference should be that existing code is moved into
functions.

Given the quite big portions of code being moved around, and the importance of
change traceability, this commit has been done in such a way that it is
possible to perform a three-way diff from initial http_ntlm.[ch] to resulting
http_ntlm.[ch] and curl_ntlm.[ch] to actually verify that no functional change
is introduced here.

Notice that Steve Holme has provided several patches, but these included this
refactoring along with 'extra' fixes. I really wanted this 'clean' refactoring
done first, in order to allow discussion or committing of 'extra' fixes on a
case by case basis, so, I had to bite the bullet ;-)

Comments, line adjustments, compiler warning fixes, whatever, may follow
afterwards.
2011-08-14 15:45:19 +02:00
Yang Tse b4d6db83de http NTLM: change return type of Curl_input_ntlm() to CURLcode
Remove CURLntlm enum, no longer required.
2011-08-13 23:59:29 +02:00
Yang Tse 1e4187f8bf http NTLM: update NTLM type-* message structure descriptions - followup 2011-08-13 00:20:51 +02:00
Yang Tse 092189c664 http NTLM: update NTLM message structure notes 2011-08-12 21:13:01 +02:00
Yang Tse 3293150da2 http NTLM: more adjustments in preparation of code refactoring
Use preprocessor symbol NTLM_BUFSIZE to define private NTLM buffer fixed size.

Use a SessionHandle 'data' pointer variable to ease refactoring.

Update NTLM type-* message structure descriptions.

Fix some more spacing and typos (Steve Holme).
2011-08-12 19:51:50 +02:00
Yang Tse 448f982d54 http NTLM: fix compiler warning 2011-08-11 09:06:06 +02:00
Steve Holme f396d94736 http NTLM: Tidied up more inconsistent spacing.
Moved NTLMSSP_SIGNATURE, HOSTNAME_MAX, SHORTPAIR and LONGQUARTET definitions in ready for move to curl_ntlm.c.

Used separate variables for Windows SSPI and native code to ease moving of code to curl_ntlm.c.

Fixed typographical erros where SPPI should be SSPI.

Fixed compilation warnings on 64-bit builds when calling Windows SSPI functions.
2011-08-11 02:18:16 +02:00
Yang Tse c7fb556f26 http NTLM: Further tiding up to libcurl standards 2011-08-09 22:57:22 +02:00
Steve Holme 5ed17de326 http NTLM: Tidied up http_ntlm prior to splitting the ntlm specific code 2011-08-09 22:57:22 +02:00
Yang Tse 1db023d3cb NTLM single-sign on adjustments (IX)
Use swrite/sread instead of write/read to avoid SIGPIPE
2011-08-07 03:05:04 +02:00
Yang Tse 10a0bed485 NTLM single-sign on adjustments (VIII)
Use preprocessor symbols WINBIND_NTLM_AUTH_ENABLED and WINBIND_NTLM_AUTH_FILE
for Samba's winbind daemon ntlm_auth helper code implementation and filename.

Retain preprocessor symbol USE_NTLM_SSO for NTLM single-sign-on feature
availability implementation independent.

For test harness, prefix NTLM_AUTH environment vars with CURL_

Refactor and rename configure option --with-ntlm-auth to --enable-wb-ntlm-auth[=FILE]
2011-07-31 20:44:41 +02:00
Yang Tse ad8193fbb9 NTLM single-sign on adjustments (VII)
Initialize variables when connectdata object is created.
2011-07-29 16:27:15 +02:00
Yang Tse bcbac913d6 socketpair() usage tracking to allow fd leak detection 2011-07-29 13:27:10 +02:00
Dan Fandrich 9779553221 Give the NTLM SSO helper a moment to cleanly shut down if needed 2011-07-28 12:42:39 -07:00
Dan Fandrich 435e2bc757 Removed an extraneous \n that violated the SSO daemon protocol
This caused fake_ntlm to abort due to an invalid command
causing sporadic test 2005 failures.
2011-07-28 12:41:44 -07:00
Dan Fandrich 02e59579ef Fixed a couple of memory leaks in NTLM SSO support 2011-07-27 18:08:10 -07:00
Yang Tse dddf9aa610 NTLM single-sign on adjustments (IV)
Fix compiler warning
2011-07-27 20:10:02 +02:00
Yang Tse 4eb08ac1c0 NTLM single-sign on adjustments (III)
Provide some error tracing and fix execl() calling.
2011-07-27 19:12:06 +02:00
Yang Tse f1586cb477 stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h 2011-07-26 17:23:27 +02:00
Yang Tse ef2176109f errno.h inclusion conditionally done in setup_once.h 2011-07-24 04:39:43 +02:00
Michael Mueller d007c3ca76 sso_ntlm_initiate: unassigned variable
Bug: http://curl.haxx.se/mail/lib-2011-07/0109.html
2011-07-19 23:54:21 +02:00
Mandy Wu a6d4807d02 NTLM single-sign on supported
With the use of the 'ntlm_auth' tool from the Samba project
2011-07-18 23:36:36 +02:00
Yang Tse 970117ef2d OpenSSL enabled: require OPENSSL_VERSION_NUMBER definition before usage. 2011-06-02 12:52:52 +02:00
Yang Tse 328600e02b compiler warning: fix
Fix variable declaration placement
2011-05-23 19:04:49 +02:00
Yang Tse e2747ebbc0 compiler warning: fix
Fix missing semicolon
2011-05-23 16:59:43 +02:00
Yang Tse 30c9799f72 compiler warning: fix
Fix compiler warning: expression has no effect
2011-05-23 16:55:09 +02:00
Yang Tse 3e70c28ce5 compiler warning: fix
Fix compiler warning: enumerated type mixed with another type
2011-05-21 15:06:50 +02:00
Daniel Stenberg b903186fa0 source cleanup: unify look, style and indent levels
By the use of a the new lib/checksrc.pl script that checks that our
basic source style rules are followed.
2011-04-27 09:09:35 +02:00
Dan Fandrich 6d013b0aab Fixed compiler warning in Windows SSPI case 2011-04-25 21:58:37 -07:00
Daniel Stenberg f20b4606de NTLM: work with unicode
Rewritten code from a patch brought by Matteo Rocco.
2011-04-22 22:04:10 +02:00
Daniel Stenberg c828646f60 CURL_DOES_CONVERSIONS: cleanup
Massively reduce #ifdefs all over (23 #ifdef lines less so far)
Moved conversion-specific code to non-ascii.c
2011-04-20 00:50:07 +02:00
Kamil Dudka b5c3feda17 NTLM tests: boost coverage by forcing the hostname
A shared library tests/libtest/.libs/lihostname.so is preloaded in NTLM
test-cases to override the system implementation of gethostname().  It
makes it possible to test the NTLM authentication for exact match, and
this way test the implementation of MD4 and DES.

If LD_PRELOAD doesn't work, a debug build willl also workk as debug
builds are now made to prefer a specific environment variable and will
then return that content as host name instead of the actual one.

Kamil wrote the bulk of this, Daniel Stenberg polished it.
2010-07-30 00:51:24 +02:00
Kamil Dudka f3b77e5611 http_ntlm: add support for NSS
When configured with '--without-ssl --with-nss', NTLM authentication
now uses NSS crypto library for MD5 and DES.  For MD4 we have a local
implementation in that case.  More details are available at
https://bugzilla.redhat.com/603783

In order to get it working, curl_global_init() must be called with
CURL_GLOBAL_SSL or CURL_GLOBAL_ALL.  That's necessary because NSS needs
to be initialized globally and we do so only when the NSS library is
actually required by protocol.  The mentioned call of curl_global_init()
is responsible for creating of the initialization mutex.

There was also slightly changed the NSS initialization scenario, in
particular, loading of the NSS PEM module.  It used to be loaded always
right after the NSS library was initialized.  Now the library is
initialized as soon as any SSL or NTLM is required, while the PEM module
is prevented from being loaded until the SSL is actually required.
2010-06-30 13:12:25 +02:00
Daniel Stenberg 2309b4e330 remove the CVSish $Id$ lines 2010-03-24 11:02:54 +01:00