Blame SOURCES/0054-curl-7.29.0-ce2c3ebd.patch

d004d8
From 5285b2518773185c049b0c2af980654a0b1c6871 Mon Sep 17 00:00:00 2001
d004d8
From: Kamil Dudka <kdudka@redhat.com>
d004d8
Date: Wed, 8 Mar 2017 12:21:09 +0100
d004d8
Subject: [PATCH 1/4] socks: use proxy_user instead of proxy_name
d004d8
d004d8
... to make it obvious what the data is used for
d004d8
d004d8
Upstream-commit: 641072b919b1a52c58664cd18619f8dd1c4c0cee
d004d8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
d004d8
---
d004d8
 lib/socks.c | 30 +++++++++++++++---------------
d004d8
 1 file changed, 15 insertions(+), 15 deletions(-)
d004d8
d004d8
diff --git a/lib/socks.c b/lib/socks.c
d004d8
index 0cf397c..9aac9ca 100644
d004d8
--- a/lib/socks.c
d004d8
+++ b/lib/socks.c
d004d8
@@ -106,7 +106,7 @@ int Curl_blockread_all(struct connectdata *conn, /* connection data */
d004d8
 *   Set protocol4a=true for  "SOCKS 4A (Simple Extension to SOCKS 4 Protocol)"
d004d8
 *   Nonsupport "Identification Protocol (RFC1413)"
d004d8
 */
d004d8
-CURLcode Curl_SOCKS4(const char *proxy_name,
d004d8
+CURLcode Curl_SOCKS4(const char *proxy_user,
d004d8
                      const char *hostname,
d004d8
                      int remote_port,
d004d8
                      int sockindex,
d004d8
@@ -200,8 +200,8 @@ CURLcode Curl_SOCKS4(const char *proxy_name,
d004d8
    * This is currently not supporting "Identification Protocol (RFC1413)".
d004d8
    */
d004d8
   socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
d004d8
-  if(proxy_name)
d004d8
-    strlcat((char*)socksreq + 8, proxy_name, sizeof(socksreq) - 8);
d004d8
+  if(proxy_user)
d004d8
+    strlcat((char*)socksreq + 8, proxy_user, sizeof(socksreq) - 8);
d004d8
 
d004d8
   /*
d004d8
    * Make connection
d004d8
@@ -337,7 +337,7 @@ CURLcode Curl_SOCKS4(const char *proxy_name,
d004d8
  * This function logs in to a SOCKS5 proxy and sends the specifics to the final
d004d8
  * destination server.
d004d8
  */
d004d8
-CURLcode Curl_SOCKS5(const char *proxy_name,
d004d8
+CURLcode Curl_SOCKS5(const char *proxy_user,
d004d8
                      const char *proxy_password,
d004d8
                      const char *hostname,
d004d8
                      int remote_port,
d004d8
@@ -410,12 +410,12 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
d004d8
 
d004d8
   socksreq[0] = 5; /* version */
d004d8
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
-  socksreq[1] = (char)(proxy_name ? 3 : 2); /* number of methods (below) */
d004d8
+  socksreq[1] = (char)(proxy_user ? 3 : 2); /* number of methods (below) */
d004d8
   socksreq[2] = 0; /* no authentication */
d004d8
   socksreq[3] = 1; /* gssapi */
d004d8
   socksreq[4] = 2; /* username/password */
d004d8
 #else
d004d8
-  socksreq[1] = (char)(proxy_name ? 2 : 1); /* number of methods (below) */
d004d8
+  socksreq[1] = (char)(proxy_user ? 2 : 1); /* number of methods (below) */
d004d8
   socksreq[2] = 0; /* no authentication */
d004d8
   socksreq[3] = 2; /* username/password */
d004d8
 #endif
d004d8
@@ -474,13 +474,13 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
d004d8
 #endif
d004d8
   else if(socksreq[1] == 2) {
d004d8
     /* Needs user name and password */
d004d8
-    size_t proxy_name_len, proxy_password_len;
d004d8
-    if(proxy_name && proxy_password) {
d004d8
-      proxy_name_len = strlen(proxy_name);
d004d8
+    size_t proxy_user_len, proxy_password_len;
d004d8
+    if(proxy_user && proxy_password) {
d004d8
+      proxy_user_len = strlen(proxy_user);
d004d8
       proxy_password_len = strlen(proxy_password);
d004d8
     }
d004d8
     else {
d004d8
-      proxy_name_len = 0;
d004d8
+      proxy_user_len = 0;
d004d8
       proxy_password_len = 0;
d004d8
     }
d004d8
 
d004d8
@@ -493,10 +493,10 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
d004d8
      */
d004d8
     len = 0;
d004d8
     socksreq[len++] = 1;    /* username/pw subnegotiation version */
d004d8
-    socksreq[len++] = (unsigned char) proxy_name_len;
d004d8
-    if(proxy_name && proxy_name_len)
d004d8
-      memcpy(socksreq + len, proxy_name, proxy_name_len);
d004d8
-    len += proxy_name_len;
d004d8
+    socksreq[len++] = (unsigned char) proxy_user_len;
d004d8
+    if(proxy_user && proxy_user_len)
d004d8
+      memcpy(socksreq + len, proxy_user, proxy_user_len);
d004d8
+    len += proxy_user_len;
d004d8
     socksreq[len++] = (unsigned char) proxy_password_len;
d004d8
     if(proxy_password && proxy_password_len)
d004d8
       memcpy(socksreq + len, proxy_password, proxy_password_len);
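Review bot: Nothing in this hunk bounds `proxy_user_len` or `proxy_password_len` before they are cast to `unsigned char` for the length byte and then used as `memcpy` sizes into `socksreq`. The username/password sub-negotiation carries each length in a single byte, so a string longer than 255 bytes gets a truncated length field while the full string is still copied. That yields a malformed request and, for long enough inputs, a write past the fixed-size buffer (declared as `socksreq[600]` elsewhere in this series). Unless a caller outside the hunk already enforces the limit, reject oversized credentials right after the lengths are computed, e.g. `if(proxy_user_len > 255 || proxy_password_len > 255) return CURLE_COULDNT_CONNECT;`. Curl_SOCKS5 starts and ends outside the hunk, and the rename itself does not change this behaviour.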
d004d8
@@ -535,7 +535,7 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
d004d8
     }
d004d8
     else if(socksreq[1] == 255) {
d004d8
 #endif
d004d8
-      if(!proxy_name || !*proxy_name) {
d004d8
+      if(!proxy_user || !*proxy_user) {
d004d8
         failf(data,
d004d8
               "No authentication method was acceptable. (It is quite likely"
d004d8
               " that the SOCKS5 server wanted a username/password, since none"
d004d8
-- 
d004d8
2.13.5
d004d8
d004d8
d004d8
From 3676c3fab628e848270e2169398f912a1449c31b Mon Sep 17 00:00:00 2001
d004d8
From: Kamil Dudka <kdudka@redhat.com>
d004d8
Date: Wed, 8 Mar 2017 12:16:01 +0100
d004d8
Subject: [PATCH 2/4] socks: deduplicate the code for auth request
d004d8
d004d8
Upstream-commit: cd1c9f08078d4a8566ed10f6df9ae9a729f3290b
d004d8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
d004d8
---
d004d8
 lib/socks.c | 19 ++++++++++---------
d004d8
 1 file changed, 10 insertions(+), 9 deletions(-)
d004d8
d004d8
diff --git a/lib/socks.c b/lib/socks.c
d004d8
index 9aac9ca..398e0ac 100644
d004d8
--- a/lib/socks.c
d004d8
+++ b/lib/socks.c
d004d8
@@ -362,6 +362,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
d004d8
   */
d004d8
 
d004d8
   unsigned char socksreq[600]; /* room for large user/pw (255 max each) */
d004d8
+  int idx;
d004d8
   ssize_t actualread;
d004d8
   ssize_t written;
d004d8
   int result;
d004d8
@@ -408,17 +409,17 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
d004d8
     return CURLE_COULDNT_CONNECT;
d004d8
   }
d004d8
 
d004d8
-  socksreq[0] = 5; /* version */
d004d8
+  idx = 0;
d004d8
+  socksreq[idx++] = 5;   /* version */
d004d8
+  idx++;                 /* reserve for the number of authentication methods */
d004d8
+  socksreq[idx++] = 0;   /* no authentication */
d004d8
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
-  socksreq[1] = (char)(proxy_user ? 3 : 2); /* number of methods (below) */
d004d8
-  socksreq[2] = 0; /* no authentication */
d004d8
-  socksreq[3] = 1; /* gssapi */
d004d8
-  socksreq[4] = 2; /* username/password */
d004d8
-#else
d004d8
-  socksreq[1] = (char)(proxy_user ? 2 : 1); /* number of methods (below) */
d004d8
-  socksreq[2] = 0; /* no authentication */
d004d8
-  socksreq[3] = 2; /* username/password */
d004d8
+  socksreq[idx++] = 1;   /* GSS-API */
d004d8
 #endif
d004d8
+  if(proxy_user)
d004d8
+    socksreq[idx++] = 2; /* username/password */
d004d8
+  /* write the number of authentication methods */
d004d8
+  socksreq[1] = (unsigned char) (idx - 2);
d004d8
 
d004d8
   curlx_nonblock(sock, FALSE);
d004d8
 
d004d8
-- 
d004d8
2.13.5
d004d8
d004d8
d004d8
From a76468431c030fc832aed7a5fa5b4b3f9acfe2ae Mon Sep 17 00:00:00 2001
d004d8
From: Kamil Dudka <kdudka@redhat.com>
d004d8
Date: Thu, 27 Apr 2017 15:18:49 +0200
d004d8
Subject: [PATCH 3/4] CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy
d004d8
 auth
d004d8
d004d8
If libcurl was built with GSS-API support, it unconditionally advertised
d004d8
GSS-API authentication while connecting to a SOCKS5 proxy.  This caused
d004d8
problems in environments with improperly configured Kerberos: a stock
d004d8
libcurl failed to connect, even though a libcurl built without GSS-API
d004d8
connected fine using username and password.
d004d8
d004d8
This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
d004d8
allowed methods for SOCKS5 authentication at run time.
d004d8
d004d8
Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
d004d8
for compatibility reasons because the set of authentication methods
d004d8
allowed by default was different for HTTP and SOCKS5 proxies.
d004d8
d004d8
Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
d004d8
Closes https://github.com/curl/curl/pull/1454
d004d8
d004d8
Upstream-commit: 8924f58c370afa756fc4fd13916dfdea91d21b21
d004d8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
d004d8
---
d004d8
 docs/libcurl/curl_easy_setopt.3  |  8 ++++++++
d004d8
 docs/libcurl/symbols-in-versions |  2 ++
d004d8
 include/curl/curl.h              |  6 ++++++
d004d8
 lib/socks.c                      | 27 ++++++++++++++++++---------
d004d8
 lib/url.c                        |  8 ++++++++
d004d8
 lib/urldata.h                    |  1 +
d004d8
 6 files changed, 43 insertions(+), 9 deletions(-)
d004d8
d004d8
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
d004d8
index 0a9375e..4ce8207 100644
d004d8
--- a/docs/libcurl/curl_easy_setopt.3
d004d8
+++ b/docs/libcurl/curl_easy_setopt.3
d004d8
@@ -862,6 +862,14 @@ Set the parameter to 1 to make the library tunnel all operations through a
d004d8
 given HTTP proxy. There is a big difference between using a proxy and to
d004d8
 tunnel through it. If you don't know what this means, you probably don't want
d004d8
 this tunneling option.
d004d8
+.IP CURLOPT_SOCKS5_AUTH
d004d8
+Pass a long as parameter, which is set to a bitmask, to tell libcurl which
d004d8
+authentication method(s) are allowed for SOCKS5 proxy authentication.  The only
d004d8
+supported flags are \fICURLAUTH_BASIC\fP, which allows username/password
d004d8
+authentication, \fICURLAUTH_GSSAPI\fP, which allows GSS-API authentication, and
d004d8
+\fICURLAUTH_NONE\fP, which allows no authentication.  Set the actual user name
d004d8
+and password with the \fICURLOPT_PROXYUSERPWD(3)\fP option.  Defaults to
d004d8
+\fICURLAUTH_BASIC|CURLAUTH_GSSAPI\fP.  (Added in 7.55.0)
d004d8
 .IP CURLOPT_SOCKS5_GSSAPI_SERVICE
d004d8
 Pass a char * as parameter to a string holding the name of the service. The
d004d8
 default service name for a SOCKS5 server is rcmd/server-fqdn. This option
d004d8
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
d004d8
index 0f7469d..b0b6232 100644
d004d8
--- a/docs/libcurl/symbols-in-versions
d004d8
+++ b/docs/libcurl/symbols-in-versions
d004d8
@@ -17,6 +17,7 @@ CURLAUTH_ANYSAFE                7.10.6
d004d8
 CURLAUTH_BASIC                  7.10.6
d004d8
 CURLAUTH_DIGEST                 7.10.6
d004d8
 CURLAUTH_DIGEST_IE              7.19.3
d004d8
+CURLAUTH_GSSAPI                 7.55.0
d004d8
 CURLAUTH_GSSNEGOTIATE           7.10.6
d004d8
 CURLAUTH_NONE                   7.10.6
d004d8
 CURLAUTH_NTLM                   7.10.6
d004d8
@@ -454,6 +455,7 @@ CURLOPT_SERVER_RESPONSE_TIMEOUT 7.20.0
d004d8
 CURLOPT_SHARE                   7.10
d004d8
 CURLOPT_SOCKOPTDATA             7.16.0
d004d8
 CURLOPT_SOCKOPTFUNCTION         7.16.0
d004d8
+CURLOPT_SOCKS5_AUTH             7.55.0
d004d8
 CURLOPT_SOCKS5_GSSAPI_NEC       7.19.4
d004d8
 CURLOPT_SOCKS5_GSSAPI_SERVICE   7.19.4
d004d8
 CURLOPT_SOURCE_HOST             7.12.1        -           7.15.5
d004d8
diff --git a/include/curl/curl.h b/include/curl/curl.h
d004d8
index 14f6fd7..0375a64 100644
d004d8
--- a/include/curl/curl.h
d004d8
+++ b/include/curl/curl.h
d004d8
@@ -626,6 +626,9 @@ typedef enum {
d004d8
 #define CURLAUTH_ANY          (~CURLAUTH_DIGEST_IE)
d004d8
 #define CURLAUTH_ANYSAFE      (~(CURLAUTH_BASIC|CURLAUTH_DIGEST_IE))
d004d8
 
d004d8
+/* Used for CURLOPT_SOCKS5_AUTH to stay terminologically correct */
d004d8
+#define CURLAUTH_GSSAPI CURLAUTH_GSSNEGOTIATE
d004d8
+
d004d8
 #define CURLSSH_AUTH_ANY       ~0     /* all types supported by the server */
d004d8
 #define CURLSSH_AUTH_NONE      0      /* none allowed, silly but complete */
d004d8
 #define CURLSSH_AUTH_PUBLICKEY (1<<0) /* public/private key files */
d004d8
@@ -1539,6 +1542,9 @@ typedef enum {
d004d8
   /* Path to UNIX domain socket */
d004d8
   CINIT(UNIX_SOCKET_PATH, OBJECTPOINT, 231),
d004d8
 
d004d8
+  /* bitmask of allowed auth methods for connections to SOCKS5 proxies */
d004d8
+  CINIT(SOCKS5_AUTH, LONG, 267),
d004d8
+
d004d8
   CURLOPT_LASTENTRY /* the last unused */
d004d8
 } CURLoption;
d004d8
 
d004d8
diff --git a/lib/socks.c b/lib/socks.c
d004d8
index 398e0ac..5900063 100644
d004d8
--- a/lib/socks.c
d004d8
+++ b/lib/socks.c
d004d8
@@ -373,6 +373,8 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
d004d8
   bool socks5_resolve_local = (conn->proxytype == CURLPROXY_SOCKS5)?TRUE:FALSE;
d004d8
   const size_t hostname_len = strlen(hostname);
d004d8
   ssize_t len = 0;
d004d8
+  const unsigned long auth = data->set.socks5auth;
d004d8
+  bool allow_gssapi = FALSE;
d004d8
 
d004d8
   /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
d004d8
   if(!socks5_resolve_local && hostname_len > 255) {
d004d8
@@ -409,13 +411,24 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
d004d8
     return CURLE_COULDNT_CONNECT;
d004d8
   }
d004d8
 
d004d8
+  if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
d004d8
+    infof(conn->data,
d004d8
+        "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
d004d8
+        auth);
d004d8
+  if(!(auth & CURLAUTH_BASIC))
d004d8
+    /* disable username/password auth */
d004d8
+    proxy_user = NULL;
d004d8
+#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
+  if(auth & CURLAUTH_GSSAPI)
d004d8
+    allow_gssapi = TRUE;
d004d8
+#endif
d004d8
+
d004d8
   idx = 0;
d004d8
   socksreq[idx++] = 5;   /* version */
d004d8
   idx++;                 /* reserve for the number of authentication methods */
d004d8
   socksreq[idx++] = 0;   /* no authentication */
d004d8
-#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
-  socksreq[idx++] = 1;   /* GSS-API */
d004d8
-#endif
d004d8
+  if(allow_gssapi)
d004d8
+    socksreq[idx++] = 1; /* GSS-API */
d004d8
   if(proxy_user)
d004d8
     socksreq[idx++] = 2; /* username/password */
d004d8
   /* write the number of authentication methods */
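Review bot: Method 0 ("no authentication") is still written unconditionally by `socksreq[idx++] = 0;`, so CURLOPT_SOCKS5_AUTH narrows which credential-bearing methods are offered but cannot make authentication mandatory. With a mask of only CURLAUTH_GSSAPI on a build without HAVE_GSSAPI/USE_WINDOWS_SSPI, `proxy_user` is cleared and `allow_gssapi` stays FALSE, leaving no-auth as the only offer. That deserves a comment above the method list, for example `/* method 0 is always offered; CURLOPT_SOCKS5_AUTH only filters methods 1 and 2 */`, and a matching sentence in the option's man page, which currently lists CURLAUTH_NONE as a flag. The warning also reads `conn->data` where the surrounding lines use `data`; `infof(data, ...)` would be consistent. Curl_SOCKS5 continues outside the hunk.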
d004d8
@@ -465,7 +478,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
d004d8
     ;
d004d8
   }
d004d8
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
-  else if(socksreq[1] == 1) {
d004d8
+  else if(allow_gssapi && (socksreq[1] == 1)) {
d004d8
     code = Curl_SOCKS5_gssapi_negotiate(sockindex, conn);
d004d8
     if(code != CURLE_OK) {
d004d8
       failf(data, "Unable to negotiate SOCKS5 gssapi context.");
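Review bot: Only the GSS-API branch is tied to what the client actually offered; the username/password branch (`else if(socksreq[1] == 2)`, outside this hunk) appears to stay reachable when CURLAUTH_BASIC was masked out and `proxy_user` set to NULL. In that case an empty user name and password would be sent to a proxy that selected a method the client never advertised. A guard such as `else if(proxy_user && (socksreq[1] == 2))` would treat that reply as a protocol error instead. In the error branch changed by the `@@ -526` hunk, the message "SOCKS5 GSSAPI per-message authentication is not supported." is now also emitted when GSS-API is compiled in but disabled through the option, which will mislead whoever reads the log; a separate message for "method not allowed by CURLOPT_SOCKS5_AUTH" would be clearer.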
d004d8
@@ -526,16 +539,12 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
d004d8
   }
d004d8
   else {
d004d8
     /* error */
d004d8
-#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
-    if(socksreq[1] == 255) {
d004d8
-#else
d004d8
-    if(socksreq[1] == 1) {
d004d8
+    if(!allow_gssapi && (socksreq[1] == 1)) {
d004d8
       failf(data,
d004d8
             "SOCKS5 GSSAPI per-message authentication is not supported.");
d004d8
       return CURLE_COULDNT_CONNECT;
d004d8
     }
d004d8
     else if(socksreq[1] == 255) {
d004d8
-#endif
d004d8
       if(!proxy_user || !*proxy_user) {
d004d8
         failf(data,
d004d8
               "No authentication method was acceptable. (It is quite likely"
d004d8
diff --git a/lib/url.c b/lib/url.c
d004d8
index 19a40c7..d632813 100644
d004d8
--- a/lib/url.c
d004d8
+++ b/lib/url.c
d004d8
@@ -516,6 +516,9 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
d004d8
   set->httpauth = CURLAUTH_BASIC;  /* defaults to basic */
d004d8
   set->proxyauth = CURLAUTH_BASIC; /* defaults to basic */
d004d8
 
d004d8
+  /* SOCKS5 proxy auth defaults to username/password + GSS-API */
d004d8
+  set->socks5auth = CURLAUTH_BASIC | CURLAUTH_GSSAPI;
d004d8
+
d004d8
   /* make libcurl quiet by default: */
d004d8
   set->hide_progress = TRUE;  /* CURLOPT_NOPROGRESS changes these */
d004d8
 
d004d8
@@ -1380,6 +1383,11 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
d004d8
     break;
d004d8
 #endif   /* CURL_DISABLE_PROXY */
d004d8
 
d004d8
+  case CURLOPT_SOCKS5_AUTH:
d004d8
+    data->set.socks5auth = va_arg(param, unsigned long);
d004d8
+    if(data->set.socks5auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
d004d8
+      result = CURLE_NOT_BUILT_IN;
d004d8
+    break;
d004d8
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
   case CURLOPT_SOCKS5_GSSAPI_SERVICE:
d004d8
     /*
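Review bot: The argument is stored in `data->set.socks5auth` before it is validated, so a call that returns CURLE_NOT_BUILT_IN still leaves the rejected bits in the handle, and Curl_SOCKS5 later only warns about them. Read the value into a local first and assign only when the check passes, e.g. `if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) result = CURLE_NOT_BUILT_IN; else data->set.socks5auth = auth;`. The check also accepts CURLAUTH_GSSAPI on builds without HAVE_GSSAPI/USE_WINDOWS_SSPI, where lib/socks.c ignores the bit silently; consider returning CURLE_NOT_BUILT_IN there so the caller learns the requested method is unavailable. Curl_setopt continues outside the hunk.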
d004d8
diff --git a/lib/urldata.h b/lib/urldata.h
d004d8
index f4c6222..3e6ace5 100644
d004d8
--- a/lib/urldata.h
d004d8
+++ b/lib/urldata.h
d004d8
@@ -1406,6 +1406,7 @@ struct UserDefined {
d004d8
   long use_port;     /* which port to use (when not using default) */
d004d8
   unsigned long httpauth;  /* kind of HTTP authentication to use (bitmask) */
d004d8
   unsigned long proxyauth; /* kind of proxy authentication to use (bitmask) */
d004d8
+  unsigned long socks5auth;/* kind of SOCKS5 authentication to use (bitmask) */
d004d8
   long followlocation; /* as in HTTP Location: */
d004d8
   long maxredirs;    /* maximum no. of http(s) redirects to follow, set to -1
d004d8
                         for infinity */
d004d8
-- 
d004d8
2.13.5
d004d8
d004d8
d004d8
From 08f6dc218afe2d7e74f87996965f0770a566f185 Mon Sep 17 00:00:00 2001
d004d8
From: Kamil Dudka <kdudka@redhat.com>
d004d8
Date: Fri, 19 May 2017 18:11:47 +0200
d004d8
Subject: [PATCH 4/4] curl --socks5-{basic,gssapi}: control socks5 auth
d004d8
d004d8
Closes https://github.com/curl/curl/pull/1454
d004d8
d004d8
Upstream-commit: ce2c3ebda20919fe636e675f219ae387e386f508
d004d8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
d004d8
---
d004d8
 docs/curl.1         | 10 ++++++++++
d004d8
 src/tool_cfgable.h  |  1 +
d004d8
 src/tool_getparam.c | 16 ++++++++++++++++
d004d8
 src/tool_help.c     |  2 ++
d004d8
 src/tool_operate.c  |  5 +++++
d004d8
 src/tool_setopt.c   |  1 +
d004d8
 src/tool_setopt.h   |  1 +
d004d8
 7 files changed, 36 insertions(+)
d004d8
d004d8
diff --git a/docs/curl.1 b/docs/curl.1
d004d8
index c9bb336..7906f1f 100644
d004d8
--- a/docs/curl.1
d004d8
+++ b/docs/curl.1
d004d8
@@ -1343,6 +1343,16 @@ Since 7.21.7, this option is superfluous since you can specify a socks4a proxy
d004d8
 with \fI-x, --proxy\fP using a socks4a:// protocol prefix.
d004d8
 
d004d8
 If this option is used several times, the last one will be used.
d004d8
+.IP "--socks5-basic"
d004d8
+Tells curl to use username/password authentication when connecting to a SOCKS5
d004d8
+proxy.  The username/password authentication is enabled by default.  Use
d004d8
+\fI--socks5-gssapi\fP to force GSS-API authentication to SOCKS5 proxies.
d004d8
+(Added in 7.55.0)
d004d8
+.IP "--socks5-gssapi"
d004d8
+Tells curl to use GSS-API authentication when connecting to a SOCKS5 proxy.
d004d8
+The GSS-API authentication is enabled by default (if curl is compiled with
d004d8
+GSS-API support).  Use \fI--socks5-basic\fP to force username/password
d004d8
+authentication to SOCKS5 proxies.  (Added in 7.55.0)
d004d8
 .IP "--socks5-hostname <host[:port]>"
d004d8
 Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If
d004d8
 the port number is not specified, it is assumed at port 1080. (Added in
d004d8
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
d004d8
index a9b033b..68d0297 100644
d004d8
--- a/src/tool_cfgable.h
d004d8
+++ b/src/tool_cfgable.h
d004d8
@@ -172,6 +172,7 @@ struct Configurable {
d004d8
                                  * default rcmd */
d004d8
   int socks5_gssapi_nec ;   /* The NEC reference server does not protect
d004d8
                              * the encryption type exchange */
d004d8
+  unsigned long socks5_auth;/* auth bitmask for socks5 proxies */
d004d8
 
d004d8
   bool tcp_nodelay;
d004d8
   long req_retry;           /* number of retries */
d004d8
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
d004d8
index 33db742..32fc68b 100644
d004d8
--- a/src/tool_getparam.c
d004d8
+++ b/src/tool_getparam.c
d004d8
@@ -210,6 +210,8 @@ static const struct LongShort aliases[]= {
d004d8
   {"El", "tlspassword",              TRUE},
d004d8
   {"Em", "tlsauthtype",              TRUE},
d004d8
   {"En", "ssl-allow-beast",          FALSE},
d004d8
+  {"EA", "socks5-basic",             FALSE},
d004d8
+  {"EB", "socks5-gssapi",            FALSE},
d004d8
   {"f",  "fail",                     FALSE},
d004d8
   {"F",  "form",                     TRUE},
d004d8
   {"Fs", "form-string",              TRUE},
d004d8
@@ -1324,6 +1326,20 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
d004d8
         if(curlinfo->features & CURL_VERSION_SSL)
d004d8
           config->ssl_allow_beast = toggle;
d004d8
         break;
d004d8
+      case 'A':
d004d8
+        /* --socks5-basic */
d004d8
+        if(toggle)
d004d8
+          config->socks5_auth |= CURLAUTH_BASIC;
d004d8
+        else
d004d8
+          config->socks5_auth &= ~CURLAUTH_BASIC;
d004d8
+        break;
d004d8
+      case 'B':
d004d8
+        /* --socks5-gssapi */
d004d8
+        if(toggle)
d004d8
+          config->socks5_auth |= CURLAUTH_GSSAPI;
d004d8
+        else
d004d8
+          config->socks5_auth &= ~CURLAUTH_GSSAPI;
d004d8
+        break;
d004d8
       default: /* certificate file */
d004d8
       {
d004d8
         char *certname, *passphrase;
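Review bot: Both new cases modify `config->socks5_auth` from whatever the config already holds, and this series adds no initialiser for the field, so it presumably starts at 0 rather than at the library default of `CURLAUTH_BASIC | CURLAUTH_GSSAPI`. As a result `--socks5-gssapi` on its own produces a mask without CURLAUTH_BASIC, while `--no-socks5-basic` on its own leaves the mask at 0. The `if(config->socks5_auth)` test in src/tool_operate.c then skips the setopt call, so username/password stays allowed. If the negated forms are meant to work, initialise the field to the library default where the config is set up, or track "explicitly set" separately from the value. The docs/curl.1 wording ("enabled by default", "force") should be checked against whichever behaviour is chosen. getparameter continues outside the hunk.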
d004d8
diff --git a/src/tool_help.c b/src/tool_help.c
d004d8
index 3a64e35..c2883eb 100644
d004d8
--- a/src/tool_help.c
d004d8
+++ b/src/tool_help.c
d004d8
@@ -179,6 +179,8 @@ static const char *const helptext[] = {
d004d8
   "     --socks4 HOST[:PORT]  SOCKS4 proxy on given host + port",
d004d8
   "     --socks4a HOST[:PORT]  SOCKS4a proxy on given host + port",
d004d8
   "     --socks5 HOST[:PORT]  SOCKS5 proxy on given host + port",
d004d8
+  "     --socks5-basic  Enable username/password auth for SOCKS5 proxies",
d004d8
+  "     --socks5-gssapi Enable GSS-API auth for SOCKS5 proxies",
d004d8
   "     --socks5-hostname HOST[:PORT] "
d004d8
   "SOCKS5 proxy, pass host name to proxy",
d004d8
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
d004d8
diff --git a/src/tool_operate.c b/src/tool_operate.c
d004d8
index 41b0e6b..185f9c6 100644
d004d8
--- a/src/tool_operate.c
d004d8
+++ b/src/tool_operate.c
d004d8
@@ -1208,6 +1208,11 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
d004d8
           if(config->socks5_gssapi_nec)
d004d8
             my_setopt_str(curl, CURLOPT_SOCKS5_GSSAPI_NEC,
d004d8
                           config->socks5_gssapi_nec);
d004d8
+
d004d8
+          /* new in curl 7.55.0 */
d004d8
+          if(config->socks5_auth)
d004d8
+            my_setopt_bitmask(curl, CURLOPT_SOCKS5_AUTH,
d004d8
+                              (long)config->socks5_auth);
d004d8
         }
d004d8
 #endif
d004d8
         /* curl 7.13.0 */
d004d8
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
d004d8
index 9860117..5ae32cd 100644
d004d8
--- a/src/tool_setopt.c
d004d8
+++ b/src/tool_setopt.c
d004d8
@@ -130,6 +130,7 @@ const NameValue setopt_nv_CURLPROTO[] = {
d004d8
 static const NameValue setopt_nv_CURLNONZERODEFAULTS[] = {
d004d8
   NV1(CURLOPT_SSL_VERIFYPEER, 1),
d004d8
   NV1(CURLOPT_SSL_VERIFYHOST, 1),
d004d8
+  NV1(CURLOPT_SOCKS5_AUTH, 1),
d004d8
   NVEND
d004d8
 };
d004d8
 
d004d8
diff --git a/src/tool_setopt.h b/src/tool_setopt.h
d004d8
index d107756..60e614c 100644
d004d8
--- a/src/tool_setopt.h
d004d8
+++ b/src/tool_setopt.h
d004d8
@@ -64,6 +64,7 @@ extern const NameValueUnsigned setopt_nv_CURLAUTH[];
d004d8
 #define setopt_nv_CURLOPT_REDIR_PROTOCOLS setopt_nv_CURLPROTO
d004d8
 #define setopt_nv_CURLOPT_PROXYTYPE setopt_nv_CURLPROXY
d004d8
 #define setopt_nv_CURLOPT_PROXYAUTH setopt_nv_CURLAUTH
d004d8
+#define setopt_nv_CURLOPT_SOCKS5_AUTH setopt_nv_CURLAUTH
d004d8
 
d004d8
 /* Intercept setopt calls for --libcurl */
d004d8
 
d004d8
-- 
d004d8
2.13.5
d004d8