aboutsummaryrefslogtreecommitdiff
path: root/lib/ssh.c
AgeCommit message (Collapse)Author
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-11realloc: use Curl_saferealloc to avoid common mistakesDaniel Stenberg
Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
2016-11-07ssh: check md5 fingerprints case insensitively (regression)Daniel Stenberg
Revert the change from ce8d09483eea but use the new function Reported-by: Kamil Dudka Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
2016-10-31strcasecompare: all case insensitive string compares ignore locale nowDaniel Stenberg
We had some confusions on when each function was used. We should not act differently on different locales anyway.
2016-10-31strcasecompare: is the new name for strequal()Daniel Stenberg
... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
2016-10-31SSH: check md5 fingerprint case sensitivelyDaniel Stenberg
2016-10-31escape: avoid using curl_easy_unescape() internallyDaniel Stenberg
Since the internal Curl_urldecode() function has a better API.
2016-10-18select: switch to macros in uppercaseDaniel Stenberg
Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-08-25http2: Remove incorrect commentsJay Satiro
.. also remove same from scp
2016-08-04multi: make Curl_expire() work with 0 ms timeoutsDaniel Stenberg
Previously, passing a timeout of zero to Curl_expire() was a magic code for clearing all timeouts for the handle. That is now instead made with the new Curl_expire_clear() function and thus a 0 timeout is fine to set and will trigger a timeout ASAP. This will help removing short delays, in particular notable when doing HTTP/2.
2016-06-29conn: don't free easy handle data in handler->disconnectDaniel Stenberg
Reported-by: Gou Lingfeng Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
2016-06-28SFTP: set a generic error when no SFTP one exists...Daniel Stenberg
... as otherwise we could get a 0 which would count as no error and we'd wrongly continue and could end up segfaulting. Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html Reported-by: 暖和的和暖
2016-06-22typedefs: use the full structs in internal code...Daniel Stenberg
... and save the typedef'ed names for headers and external APIs.
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-05-30ssh: fix version number check typoDaniel Stenberg
2016-05-29ssh: fix build for libssh2 before 1.2.6Daniel Stenberg
The statvfs functionality was added to libssh2 in that version, so we switch off that functionality when built with older libraries. Fixes #831
2016-04-29lib: include curl_printf.h as one of the last headersDaniel Stenberg
curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
2016-04-03code: style updatesDaniel Stenberg
2016-03-30multi: turn Curl_done into file local multi_doneDaniel Stenberg
... as it now is used by multi.c only.
2016-03-27SSH: new CURLOPT_QUOTE command "statvfs"marquis-de-muesli
usage: "statvfs path" returns remote file system statistics
2016-03-27SSH: support CURLINFO_FILETIMEmarquis-de-muesli
2016-02-14SCP: use libssh2_scp_recv2 to support > 2GB files on windowsDavid Byron
libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any day now. Closes #451
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2016-01-15ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULLKamil Dudka
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle empty strings specially since curl-7_25_0-31-g05a443a but the behavior was unintentionally removed in curl-7_38_0-47-gfa7d04f. This commit restores the original behavior and clarifies it in the documentation that NULL and "" have both the same meaning when passed to CURLOPT_SSH_PUBLIC_KEYFILE. Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
2015-11-24Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-13cleanup: general removal of TODO (and similar) commentsDaniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-10-15fread_func: move callback pointer from set to state structDaniel Stenberg
... and assign it from the set.fread_func_set pointer in the Curl_init_CONNECT function. This A) avoids that we have code that assigns fields in the 'set' struct (which we always knew was bad) and more importantly B) it makes it impossibly to accidentally leave the wrong value for when the handle is re-used etc. Introducing a state-init functionality in multi.c, so that we can set a specific function to get called when we enter a state. The Curl_init_CONNECT is thus called when switching to the CONNECT state. Bug: https://github.com/bagder/curl/issues/346 Closes #346
2015-08-10SFTP: fix range request off-by-one in size checkDaniel Stenberg
Reported-by: Tim Stack Closes #359
2015-08-02SSH: three state machine fixupsDaniel Stenberg
The SSH state machine didn't clear the 'rc' variable appropriately in a two places which prevented it from looping the way it should. And it lacked an 'else' statement that made it possible to erroneously get stuck in the SSH_AUTH_AGENT state. Reported-by: Tim Stack Closes #357
2015-05-20read_callback: move to SessionHandle from connectdataDaniel Stenberg
With many easy handles using the same connection for multiplexing, it is important we store and keep the transfer-oriented stuff in the SessionHandle so that callbacks and callback data work fine even when many easy handles share the same physical connection.
2015-03-17checksrc: use space after commaDaniel Stenberg
2015-03-16free: instead of Curl_safefree()Daniel Stenberg
Since we just started make use of free(NULL) in order to simplify code, this change takes it a step further and: - converts lots of Curl_safefree() calls to good old free() - makes Curl_safefree() not check the pointer before free() The (new) rule of thumb is: if you really want a function call that frees a pointer and then assigns it to NULL, then use Curl_safefree(). But we will prefer just using free() from now on.
2015-03-03mprintf.h: remove #ifdef CURLDEBUGDaniel Stenberg
... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
2014-12-16SFTP: work-around servers that return zero size on STATDaniel Stenberg
Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html Pathed-by: Marc Renault
2014-11-09libssh2: detect features based on version, not configure checksDaniel Stenberg
... so that non-configure builds get the correct functions too based on the libssh2 version used.
2014-11-09SSH: use the port number as well for known_known checksNobuhiro Ban
... if the libssh2 version is new enough. Bug: http://curl.haxx.se/bug/view.cgi?id=1448
2014-11-05ssh: Fixed build on platforms where R_OK is not definedGisle Vanem
Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html Reported-by: Jan Ehrhardt
2014-10-24code cleanup: we prefer 'CURLcode result'Daniel Stenberg
... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-06ssh_statemach_act: split out assignment from checkDaniel Stenberg
just a minor code style thing to make the code clearer
2014-10-03ssh: comment "fallthrough" in switch statementDaniel Stenberg
2014-10-03ssh: improve key file searchJeremy Lin
For private keys, use the first match from: user-specified key file (if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa Note that the previous code only looked for id_dsa files. id_rsa is now generally preferred, as it supports larger key sizes. For public keys, use the user-specified key file, if provided. Otherwise, try to extract the public key from the private key file. This means that passing --pubkey is typically no longer required, and makes the key-handling behavior more like OpenSSH.
2014-09-07Ensure progress.size_dl/progress.size_ul are always >= 0Brandon Casey
Historically the default "unknown" value for progress.size_dl and progress.size_ul has been zero, since these values are initialized implicitly by the calloc that allocates the curl handle that these variables are a part of. Users of curl that install progress callbacks may expect these values to always be >= 0. Currently it is possible for progress.size_dl and progress.size_ul to by set to a value of -1, if Curl_pgrsSetDownloadSize() or Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few places currently do, and a following patch will add more). So lets update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize() so they make sure that these variables always contain a value that is >= 0. Updates test579 and test599. Signed-off-by: Brandon Casey <drafnel@gmail.com>
2014-05-22bits.close: introduce connection close trackingDaniel Stenberg
Make all code use connclose() and connkeep() when changing the "close state" for a connection. These two macros take a string argument with an explanation, and debug builds of curl will include that in the debug output. Helps tracking connection re-use/close issues.
2014-04-26INFILESIZE: fields in UserDefined must not be changed run-timeDaniel Stenberg
set.infilesize in this case was modified in several places, which could lead to repeated requests using the same handle to get unintendent/wrong consequences based on what the previous request did!
2014-03-15ssh: prevent a logic error that could result in an infinite loopDan Fandrich
2014-03-14ssh: removed a redundant close state transitionDan Fandrich
2014-03-14ssh: abort immediately on a header callback errorDan Fandrich
2014-03-06ssh: fix compiler warning converting ssize_t to intDaniel Stenberg
2014-03-06ssh: Fixed a style warningDan Fandrich
Also, combined a couple of #ifdef sections
2014-03-06ssh: Pass errors from libssh2_sftp_read up the stackDan Fandrich