path: root/lib/http_ntlm.c
Age | Commit message | Author
2016-11-24 | proxy: Support HTTPS proxy and SOCKS+HTTP(s) | Alex Rousskov
* HTTPS proxies:
An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text.
With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds support for such nested sessions as well.
A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO):
  --proxy-cacert FILE         CA certificate to verify peer against
  --proxy-capath DIR          CA directory to verify peer against
  --proxy-cert CERT[:PASSWD]  Client certificate file and password
  --proxy-cert-type TYPE      Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST        SSL ciphers to use
  --proxy-crlfile FILE        Get a CRL list in PEM format from the file
  --proxy-insecure            Allow connections to proxies with bad certs
  --proxy-key KEY             Private key file name
  --proxy-key-type TYPE       Private key file type (DER/PEM/ENG)
  --proxy-pass PASS           Pass phrase for the private key
  --proxy-ssl-allow-beast     Allow security flaw to improve interop
  --proxy-sslv2               Use SSLv2
  --proxy-sslv3               Use SSLv3
  --proxy-tlsv1               Use TLSv1
  --proxy-tlsuser USER        TLS username
  --proxy-tlspassword STRING  TLS password
  --proxy-tlsauthtype STRING  TLS authentication type (default SRP)
All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath.
Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable.
Supported backends: OpenSSL, GnuTLS, and NSS.
* A SOCKS proxy + HTTP/HTTPS proxy combination:
If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy.
TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-10-31 | strcasecompare: all case insensitive string compares ignore locale now | Daniel Stenberg
We had some confusions on when each function was used. We should not act differently on different locales anyway.
2016-04-29 | lib: include curl_printf.h as one of the last headers | Daniel Stenberg
curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc.
To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order:
  curl_printf.h
  curl_memory.h
  memdebug.h
None of them include system headers, they all do funny #defines.
Reported-by: David Benjamin
Fixes #743
2016-04-06 | URLs: change http to https in many places | Viktor Szakats
Closes #754
2016-03-27 | http_ntlm: Renamed from curl_ntlm.[c|h] | Steve Holme
Renamed the header and source files for this module as they are HTTP specific and as such, they should use the naming convention as other HTTP authentication source files do - this reverts commit 260ee6b7bf.
Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind code needs separating from the HTTP protocol and migrating into the vauth directory, thus adding support for Winbind to the SASL based protocols such as IMAP, POP3 and SMTP.
2011-08-28 | NTLM: END of refactoring/splitting/moving | Yang Tse
First:
  File curl_ntlm.h renamed curl_ntlm_msgs.h
  File curl_ntlm.c renamed curl_ntlm_msgs.c
Afterwards:
  File http_ntlm.c renamed curl_ntlm.c
  File http_ntlm.h renamed curl_ntlm.h
2011-08-27 | NTLM_WB: move NTLM_WB specifics into curl_ntlm_wb.[ch] | Yang Tse
2011-08-27 | NTLM_WB: final congruency naming adjustments | Yang Tse
Configure script option --enable-wb-ntlm-auth renamed to --enable-ntlm-wb
Configure script option --disable-wb-ntlm-auth renamed to --disable-ntlm-wb
Preprocessor symbol WINBIND_NTLM_AUTH_ENABLED renamed to NTLM_WB_ENABLED
Preprocessor symbol WINBIND_NTLM_AUTH_FILE renamed to NTLM_WB_FILE
Test harness env var CURL_NTLM_AUTH renamed to CURL_NTLM_WB_FILE
Static function wb_ntlm_close renamed to ntlm_wb_cleanup
Static function wb_ntlm_initiate renamed to ntlm_wb_init
Static function wb_ntlm_response renamed to ntlm_wb_response
2011-08-26 | NTLM single-sign on adjustments (X) | Yang Tse
Functions renamed:
  Curl_output_ntlm_sso -> Curl_output_ntlm_wb
  sso_ntlm_close -> wb_ntlm_close
  sso_ntlm_response -> wb_ntlm_response
  sso_ntlm_initiate -> wb_ntlm_initiate
Preprocessor symbols renamed:
  CURLAUTH_NTLM_SSO -> CURLAUTH_NTLM_WB
  CURL_VERSION_NTLM_SSO -> CURL_VERSION_NTLM_WB
2011-08-25 | http NTLM: refactoring followup | Steve Holme
Output of Curl_ntlm_create_type1_message() and Curl_ntlm_create_type3_message() functions is now already base64 encoded.
2011-08-24 | base64: fix Curl_base64_encode and Curl_base64_decode interfaces | Yang Tse
Previous interfaces for these libcurl internal functions did not allow to tell apart a legitimate zero size result from an error condition. These functions now return a CURLcode indicating function success or otherwise specific error. Output size is returned using a pointer argument. All usage of these two functions, and others closely related, has been adapted to the new interfaces. Relative error and OOM handling adapted or added where missing. Unit test 1302 also adapted.
2011-08-22 | http NTLM: remaining bits from 0001-Moved-ntlm-[...]-curl_ntlm-mod_3.patch | Steve Holme
* Added function comments:
  - Curl_ntlm_decode_type2_message
  - Curl_ntlm_create_type1_message
  - Curl_ntlm_create_type3_message
* Modification of ntlm processing state to NTLMSTATE_TYPE2 is now done only when Curl_ntlm_decode_type2_message() has fully succeeded.
2011-08-15 | http NTLM: reinstate "nssg.h" "curl_sspi.h" header inclusions | Yang Tse
2011-08-14 | http NTLM: reinstate "memdebug.h" header inclusion | Yang Tse
Inclusion of header "memdebug.h" in http_ntlm.c got lost in commit 98fb0ef7.
2011-08-14 | Curl_output_ntlm: remove unused variable | Daniel Stenberg
2011-08-14 | http NTLM: fix 8 compiler warnings | Yang Tse
Strict splitting of http_ntlm.[ch] may trigger 8 compiler warnings when building with some compilers and strict compiler warnings enabled, depending on other specific configuration options some could get triggered or not. Seven are related with 'unused function parameters' and another one with 'var may be used before its value is set'.
2011-08-14 | http NTLM: split http_ntlm.[ch] between http_ntlm.[ch] and curl_ntlm.[ch] | Yang Tse
For modularity purposes, huge chunks of NTLM existing code is transformed into functions to allow future internal code reuse.
Resulting three new libcurl private functions:
  - Curl_ntlm_create_type1_message()
  - Curl_ntlm_create_type3_message()
  - Curl_ntlm_decode_type2_message()
Changing static ntlm_sspi_cleanup() into non-static Curl_ntlm_sspi_cleanup()
This 'refactoring' has been prepared by previous commits to allow that this specific one does not introduce any change to existing code. All existing goodness and badness previous to this commit should remain the same once it is applied, the only difference should be that existing code is moved into functions.
Given the quite big portions of code being moved around, and the importance of change traceability, this commit has been done in such a way that it is possible to perform a three-way diff from initial http_ntlm.[ch] to resulting http_ntlm.[ch] and curl_ntlm.[ch] to actually verify that no functional change is introduced here.
Notice that Steve Holme has provided several patches, but these included this refactoring along with 'extra' fixes. I really wanted this 'clean' refactoring done first, in order to allow discussion or committing of 'extra' fixes on a case by case basis, so, I had to bite the bullet ;-)
Comments, line adjustments, compiler warning fixes, whatever, may follow afterwards.
2011-08-13 | http NTLM: change return type of Curl_input_ntlm() to CURLcode | Yang Tse
Remove CURLntlm enum, no longer required.
2011-08-13 | http NTLM: update NTLM type-* message structure descriptions - followup | Yang Tse
2011-08-12 | http NTLM: update NTLM message structure notes | Yang Tse
2011-08-12 | http NTLM: more adjustments in preparation of code refactoring | Yang Tse
Use preprocessor symbol NTLM_BUFSIZE to define private NTLM buffer fixed size. Use a SessionHandle 'data' pointer variable to ease refactoring. Update NTLM type-* message structure descriptions. Fix some more spacing and typos (Steve Holme).
2011-08-11 | http NTLM: fix compiler warning | Yang Tse
2011-08-11 | http NTLM: Tidied up more inconsistent spacing. | Steve Holme
Moved NTLMSSP_SIGNATURE, HOSTNAME_MAX, SHORTPAIR and LONGQUARTET definitions in ready for move to curl_ntlm.c. Used separate variables for Windows SSPI and native code to ease moving of code to curl_ntlm.c. Fixed typographical errors where SPPI should be SSPI. Fixed compilation warnings on 64-bit builds when calling Windows SSPI functions.
2011-08-09 | http NTLM: Further tidying up to libcurl standards | Yang Tse
2011-08-09 | http NTLM: Tidied up http_ntlm prior to splitting the ntlm specific code | Steve Holme
2011-08-07 | NTLM single-sign on adjustments (IX) | Yang Tse
Use swrite/sread instead of write/read to avoid SIGPIPE
2011-07-31 | NTLM single-sign on adjustments (VIII) | Yang Tse
Use preprocessor symbols WINBIND_NTLM_AUTH_ENABLED and WINBIND_NTLM_AUTH_FILE for Samba's winbind daemon ntlm_auth helper code implementation and filename.
Retain preprocessor symbol USE_NTLM_SSO for NTLM single-sign-on feature availability implementation independent.
For test harness, prefix NTLM_AUTH environment vars with CURL_
Refactor and rename configure option --with-ntlm-auth to --enable-wb-ntlm-auth[=FILE]
2011-07-29 | NTLM single-sign on adjustments (VII) | Yang Tse
Initialize variables when connectdata object is created.
2011-07-29 | socketpair() usage tracking to allow fd leak detection | Yang Tse
2011-07-28 | Give the NTLM SSO helper a moment to cleanly shut down if needed | Dan Fandrich
2011-07-28 | Removed an extraneous \n that violated the SSO daemon protocol | Dan Fandrich
This caused fake_ntlm to abort due to an invalid command causing sporadic test 2005 failures.
2011-07-27 | Fixed a couple of memory leaks in NTLM SSO support | Dan Fandrich
2011-07-27 | NTLM single-sign on adjustments (IV) | Yang Tse
Fix compiler warning
2011-07-27 | NTLM single-sign on adjustments (III) | Yang Tse
Provide some error tracing and fix execl() calling.
2011-07-26 | stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h | Yang Tse
2011-07-24 | errno.h inclusion conditionally done in setup_once.h | Yang Tse
2011-07-19 | sso_ntlm_initiate: unassigned variable | Michael Mueller
Bug: http://curl.haxx.se/mail/lib-2011-07/0109.html
2011-07-18 | NTLM single-sign on supported | Mandy Wu
With the use of the 'ntlm_auth' tool from the Samba project
2011-06-02 | OpenSSL enabled: require OPENSSL_VERSION_NUMBER definition before usage. | Yang Tse
2011-05-23 | compiler warning: fix | Yang Tse
Fix variable declaration placement
2011-05-23 | compiler warning: fix | Yang Tse
Fix missing semicolon
2011-05-23 | compiler warning: fix | Yang Tse
Fix compiler warning: expression has no effect
2011-05-21 | compiler warning: fix | Yang Tse
Fix compiler warning: enumerated type mixed with another type
2011-04-27 | source cleanup: unify look, style and indent levels | Daniel Stenberg
By the use of the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-25 | Fixed compiler warning in Windows SSPI case | Dan Fandrich
2011-04-22 | NTLM: work with unicode | Daniel Stenberg
Rewritten code from a patch brought by Matteo Rocco.
2011-04-20 | CURL_DOES_CONVERSIONS: cleanup | Daniel Stenberg
Massively reduce #ifdefs all over (23 #ifdef lines less so far)
Moved conversion-specific code to non-ascii.c
2010-07-30 | NTLM tests: boost coverage by forcing the hostname | Kamil Dudka
A shared library tests/libtest/.libs/lihostname.so is preloaded in NTLM test-cases to override the system implementation of gethostname(). It makes it possible to test the NTLM authentication for exact match, and this way test the implementation of MD4 and DES.
If LD_PRELOAD doesn't work, a debug build will also work as debug builds are now made to prefer a specific environment variable and will then return that content as host name instead of the actual one.
Kamil wrote the bulk of this, Daniel Stenberg polished it.
2010-06-30 | http_ntlm: add support for NSS | Kamil Dudka
When configured with '--without-ssl --with-nss', NTLM authentication now uses NSS crypto library for MD5 and DES. For MD4 we have a local implementation in that case. More details are available at https://bugzilla.redhat.com/603783
In order to get it working, curl_global_init() must be called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs to be initialized globally and we do so only when the NSS library is actually required by protocol. The mentioned call of curl_global_init() is responsible for creating of the initialization mutex.
There was also slightly changed the NSS initialization scenario, in particular, loading of the NSS PEM module. It used to be loaded always right after the NSS library was initialized. Now the library is initialized as soon as any SSL or NTLM is required, while the PEM module is prevented from being loaded until the SSL is actually required.
2010-03-24 | remove the CVSish $Id$ lines | Daniel Stenberg