|
|
d004d8 |
From 5285b2518773185c049b0c2af980654a0b1c6871 Mon Sep 17 00:00:00 2001
|
|
|
d004d8 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
Date: Wed, 8 Mar 2017 12:21:09 +0100
|
|
|
d004d8 |
Subject: [PATCH 1/4] socks: use proxy_user instead of proxy_name
|
|
|
d004d8 |
|
|
|
d004d8 |
... to make it obvious what the data is used for
|
|
|
d004d8 |
|
|
|
d004d8 |
Upstream-commit: 641072b919b1a52c58664cd18619f8dd1c4c0cee
|
|
|
d004d8 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
---
|
|
|
d004d8 |
lib/socks.c | 30 +++++++++++++++---------------
|
|
|
d004d8 |
1 file changed, 15 insertions(+), 15 deletions(-)
|
|
|
d004d8 |
|
|
|
d004d8 |
diff --git a/lib/socks.c b/lib/socks.c
|
|
|
d004d8 |
index 0cf397c..9aac9ca 100644
|
|
|
d004d8 |
--- a/lib/socks.c
|
|
|
d004d8 |
+++ b/lib/socks.c
|
|
|
d004d8 |
@@ -106,7 +106,7 @@ int Curl_blockread_all(struct connectdata *conn, /* connection data */
|
|
|
d004d8 |
* Set protocol4a=true for "SOCKS 4A (Simple Extension to SOCKS 4 Protocol)"
|
|
|
d004d8 |
* Nonsupport "Identification Protocol (RFC1413)"
|
|
|
d004d8 |
*/
|
|
|
d004d8 |
-CURLcode Curl_SOCKS4(const char *proxy_name,
|
|
|
d004d8 |
+CURLcode Curl_SOCKS4(const char *proxy_user,
|
|
|
d004d8 |
const char *hostname,
|
|
|
d004d8 |
int remote_port,
|
|
|
d004d8 |
int sockindex,
|
|
|
d004d8 |
@@ -200,8 +200,8 @@ CURLcode Curl_SOCKS4(const char *proxy_name,
|
|
|
d004d8 |
* This is currently not supporting "Identification Protocol (RFC1413)".
|
|
|
d004d8 |
*/
|
|
|
d004d8 |
socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
|
|
|
d004d8 |
- if(proxy_name)
|
|
|
d004d8 |
- strlcat((char*)socksreq + 8, proxy_name, sizeof(socksreq) - 8);
|
|
|
d004d8 |
+ if(proxy_user)
|
|
|
d004d8 |
+ strlcat((char*)socksreq + 8, proxy_user, sizeof(socksreq) - 8);
|
|
|
d004d8 |
|
|
|
d004d8 |
/*
|
|
|
d004d8 |
* Make connection
|
|
|
d004d8 |
@@ -337,7 +337,7 @@ CURLcode Curl_SOCKS4(const char *proxy_name,
|
|
|
d004d8 |
* This function logs in to a SOCKS5 proxy and sends the specifics to the final
|
|
|
d004d8 |
* destination server.
|
|
|
d004d8 |
*/
|
|
|
d004d8 |
-CURLcode Curl_SOCKS5(const char *proxy_name,
|
|
|
d004d8 |
+CURLcode Curl_SOCKS5(const char *proxy_user,
|
|
|
d004d8 |
const char *proxy_password,
|
|
|
d004d8 |
const char *hostname,
|
|
|
d004d8 |
int remote_port,
|
|
|
d004d8 |
@@ -410,12 +410,12 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
|
|
|
d004d8 |
|
|
|
d004d8 |
socksreq[0] = 5; /* version */
|
|
|
d004d8 |
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
- socksreq[1] = (char)(proxy_name ? 3 : 2); /* number of methods (below) */
|
|
|
d004d8 |
+ socksreq[1] = (char)(proxy_user ? 3 : 2); /* number of methods (below) */
|
|
|
d004d8 |
socksreq[2] = 0; /* no authentication */
|
|
|
d004d8 |
socksreq[3] = 1; /* gssapi */
|
|
|
d004d8 |
socksreq[4] = 2; /* username/password */
|
|
|
d004d8 |
#else
|
|
|
d004d8 |
- socksreq[1] = (char)(proxy_name ? 2 : 1); /* number of methods (below) */
|
|
|
d004d8 |
+ socksreq[1] = (char)(proxy_user ? 2 : 1); /* number of methods (below) */
|
|
|
d004d8 |
socksreq[2] = 0; /* no authentication */
|
|
|
d004d8 |
socksreq[3] = 2; /* username/password */
|
|
|
d004d8 |
#endif
|
|
|
d004d8 |
@@ -474,13 +474,13 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
|
|
|
d004d8 |
#endif
|
|
|
d004d8 |
else if(socksreq[1] == 2) {
|
|
|
d004d8 |
/* Needs user name and password */
|
|
|
d004d8 |
- size_t proxy_name_len, proxy_password_len;
|
|
|
d004d8 |
- if(proxy_name && proxy_password) {
|
|
|
d004d8 |
- proxy_name_len = strlen(proxy_name);
|
|
|
d004d8 |
+ size_t proxy_user_len, proxy_password_len;
|
|
|
d004d8 |
+ if(proxy_user && proxy_password) {
|
|
|
d004d8 |
+ proxy_user_len = strlen(proxy_user);
|
|
|
d004d8 |
proxy_password_len = strlen(proxy_password);
|
|
|
d004d8 |
}
|
|
|
d004d8 |
else {
|
|
|
d004d8 |
- proxy_name_len = 0;
|
|
|
d004d8 |
+ proxy_user_len = 0;
|
|
|
d004d8 |
proxy_password_len = 0;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
@@ -493,10 +493,10 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
|
|
|
d004d8 |
*/
|
|
|
d004d8 |
len = 0;
|
|
|
d004d8 |
socksreq[len++] = 1; /* username/pw subnegotiation version */
|
|
|
d004d8 |
- socksreq[len++] = (unsigned char) proxy_name_len;
|
|
|
d004d8 |
- if(proxy_name && proxy_name_len)
|
|
|
d004d8 |
- memcpy(socksreq + len, proxy_name, proxy_name_len);
|
|
|
d004d8 |
- len += proxy_name_len;
|
|
|
d004d8 |
+ socksreq[len++] = (unsigned char) proxy_user_len;
|
|
|
d004d8 |
+ if(proxy_user && proxy_user_len)
|
|
|
d004d8 |
+ memcpy(socksreq + len, proxy_user, proxy_user_len);
|
|
|
d004d8 |
+ len += proxy_user_len;
|
|
|
d004d8 |
socksreq[len++] = (unsigned char) proxy_password_len;
|
|
|
d004d8 |
if(proxy_password && proxy_password_len)
|
|
|
d004d8 |
memcpy(socksreq + len, proxy_password, proxy_password_len);
|
|
|
d004d8 |
@@ -535,7 +535,7 @@ CURLcode Curl_SOCKS5(const char *proxy_name,
|
|
|
d004d8 |
}
|
|
|
d004d8 |
else if(socksreq[1] == 255) {
|
|
|
d004d8 |
#endif
|
|
|
d004d8 |
- if(!proxy_name || !*proxy_name) {
|
|
|
d004d8 |
+ if(!proxy_user || !*proxy_user) {
|
|
|
d004d8 |
failf(data,
|
|
|
d004d8 |
"No authentication method was acceptable. (It is quite likely"
|
|
|
d004d8 |
" that the SOCKS5 server wanted a username/password, since none"
|
|
|
d004d8 |
--
|
|
|
d004d8 |
2.13.5
|
|
|
d004d8 |
|
|
|
d004d8 |
|
|
|
d004d8 |
From 3676c3fab628e848270e2169398f912a1449c31b Mon Sep 17 00:00:00 2001
|
|
|
d004d8 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
Date: Wed, 8 Mar 2017 12:16:01 +0100
|
|
|
d004d8 |
Subject: [PATCH 2/4] socks: deduplicate the code for auth request
|
|
|
d004d8 |
|
|
|
d004d8 |
Upstream-commit: cd1c9f08078d4a8566ed10f6df9ae9a729f3290b
|
|
|
d004d8 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
---
|
|
|
d004d8 |
lib/socks.c | 19 ++++++++++---------
|
|
|
d004d8 |
1 file changed, 10 insertions(+), 9 deletions(-)
|
|
|
d004d8 |
|
|
|
d004d8 |
diff --git a/lib/socks.c b/lib/socks.c
|
|
|
d004d8 |
index 9aac9ca..398e0ac 100644
|
|
|
d004d8 |
--- a/lib/socks.c
|
|
|
d004d8 |
+++ b/lib/socks.c
|
|
|
d004d8 |
@@ -362,6 +362,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
|
|
|
d004d8 |
*/
|
|
|
d004d8 |
|
|
|
d004d8 |
unsigned char socksreq[600]; /* room for large user/pw (255 max each) */
|
|
|
d004d8 |
+ int idx;
|
|
|
d004d8 |
ssize_t actualread;
|
|
|
d004d8 |
ssize_t written;
|
|
|
d004d8 |
int result;
|
|
|
d004d8 |
@@ -408,17 +409,17 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
|
|
|
d004d8 |
return CURLE_COULDNT_CONNECT;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
- socksreq[0] = 5; /* version */
|
|
|
d004d8 |
+ idx = 0;
|
|
|
d004d8 |
+ socksreq[idx++] = 5; /* version */
|
|
|
d004d8 |
+ idx++; /* reserve for the number of authentication methods */
|
|
|
d004d8 |
+ socksreq[idx++] = 0; /* no authentication */
|
|
|
d004d8 |
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
- socksreq[1] = (char)(proxy_user ? 3 : 2); /* number of methods (below) */
|
|
|
d004d8 |
- socksreq[2] = 0; /* no authentication */
|
|
|
d004d8 |
- socksreq[3] = 1; /* gssapi */
|
|
|
d004d8 |
- socksreq[4] = 2; /* username/password */
|
|
|
d004d8 |
-#else
|
|
|
d004d8 |
- socksreq[1] = (char)(proxy_user ? 2 : 1); /* number of methods (below) */
|
|
|
d004d8 |
- socksreq[2] = 0; /* no authentication */
|
|
|
d004d8 |
- socksreq[3] = 2; /* username/password */
|
|
|
d004d8 |
+ socksreq[idx++] = 1; /* GSS-API */
|
|
|
d004d8 |
#endif
|
|
|
d004d8 |
+ if(proxy_user)
|
|
|
d004d8 |
+ socksreq[idx++] = 2; /* username/password */
|
|
|
d004d8 |
+ /* write the number of authentication methods */
|
|
|
d004d8 |
+ socksreq[1] = (unsigned char) (idx - 2);
|
|
|
d004d8 |
|
|
|
d004d8 |
curlx_nonblock(sock, FALSE);
|
|
|
d004d8 |
|
|
|
d004d8 |
--
|
|
|
d004d8 |
2.13.5
|
|
|
d004d8 |
|
|
|
d004d8 |
|
|
|
d004d8 |
From a76468431c030fc832aed7a5fa5b4b3f9acfe2ae Mon Sep 17 00:00:00 2001
|
|
|
d004d8 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
Date: Thu, 27 Apr 2017 15:18:49 +0200
|
|
|
d004d8 |
Subject: [PATCH 3/4] CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy
|
|
|
d004d8 |
auth
|
|
|
d004d8 |
|
|
|
d004d8 |
If libcurl was built with GSS-API support, it unconditionally advertised
|
|
|
d004d8 |
GSS-API authentication while connecting to a SOCKS5 proxy. This caused
|
|
|
d004d8 |
problems in environments with improperly configured Kerberos: a stock
|
|
|
d004d8 |
libcurl failed to connect, whereas libcurl built without GSS-API
|
|
|
d004d8 |
connected fine using username and password.
|
|
|
d004d8 |
|
|
|
d004d8 |
This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
|
|
|
d004d8 |
allowed methods for SOCKS5 authentication at run time.
|
|
|
d004d8 |
|
|
|
d004d8 |
Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
|
|
|
d004d8 |
for compatibility reasons because the set of authentication methods
|
|
|
d004d8 |
allowed by default was different for HTTP and SOCKS5 proxies.
|
|
|
d004d8 |
|
|
|
d004d8 |
Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
|
|
|
d004d8 |
Closes https://github.com/curl/curl/pull/1454
|
|
|
d004d8 |
|
|
|
d004d8 |
Upstream-commit: 8924f58c370afa756fc4fd13916dfdea91d21b21
|
|
|
d004d8 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
---
|
|
|
d004d8 |
docs/libcurl/curl_easy_setopt.3 | 8 ++++++++
|
|
|
d004d8 |
docs/libcurl/symbols-in-versions | 2 ++
|
|
|
d004d8 |
include/curl/curl.h | 6 ++++++
|
|
|
d004d8 |
lib/socks.c | 27 ++++++++++++++++++---------
|
|
|
d004d8 |
lib/url.c | 8 ++++++++
|
|
|
d004d8 |
lib/urldata.h | 1 +
|
|
|
d004d8 |
6 files changed, 43 insertions(+), 9 deletions(-)
|
|
|
d004d8 |
|
|
|
d004d8 |
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
|
|
|
d004d8 |
index 0a9375e..4ce8207 100644
|
|
|
d004d8 |
--- a/docs/libcurl/curl_easy_setopt.3
|
|
|
d004d8 |
+++ b/docs/libcurl/curl_easy_setopt.3
|
|
|
d004d8 |
@@ -862,6 +862,14 @@ Set the parameter to 1 to make the library tunnel all operations through a
|
|
|
d004d8 |
given HTTP proxy. There is a big difference between using a proxy and to
|
|
|
d004d8 |
tunnel through it. If you don't know what this means, you probably don't want
|
|
|
d004d8 |
this tunneling option.
|
|
|
d004d8 |
+.IP CURLOPT_SOCKS5_AUTH
|
|
|
d004d8 |
+Pass a long as parameter, which is set to a bitmask, to tell libcurl which
|
|
|
d004d8 |
+authentication method(s) are allowed for SOCKS5 proxy authentication. The only
|
|
|
d004d8 |
+supported flags are \fICURLAUTH_BASIC\fP, which allows username/password
|
|
|
d004d8 |
+authentication, \fICURLAUTH_GSSAPI\fP, which allows GSS-API authentication, and
|
|
|
d004d8 |
+\fICURLAUTH_NONE\fP, which allows no authentication. Set the actual user name
|
|
|
d004d8 |
+and password with the \fICURLOPT_PROXYUSERPWD(3)\fP option. Defaults to
|
|
|
d004d8 |
+\fICURLAUTH_BASIC|CURLAUTH_GSSAPI\fP. (Added in 7.55.0)
|
|
|
d004d8 |
.IP CURLOPT_SOCKS5_GSSAPI_SERVICE
|
|
|
d004d8 |
Pass a char * as parameter to a string holding the name of the service. The
|
|
|
d004d8 |
default service name for a SOCKS5 server is rcmd/server-fqdn. This option
|
|
|
d004d8 |
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
|
|
d004d8 |
index 0f7469d..b0b6232 100644
|
|
|
d004d8 |
--- a/docs/libcurl/symbols-in-versions
|
|
|
d004d8 |
+++ b/docs/libcurl/symbols-in-versions
|
|
|
d004d8 |
@@ -17,6 +17,7 @@ CURLAUTH_ANYSAFE 7.10.6
|
|
|
d004d8 |
CURLAUTH_BASIC 7.10.6
|
|
|
d004d8 |
CURLAUTH_DIGEST 7.10.6
|
|
|
d004d8 |
CURLAUTH_DIGEST_IE 7.19.3
|
|
|
d004d8 |
+CURLAUTH_GSSAPI 7.55.0
|
|
|
d004d8 |
CURLAUTH_GSSNEGOTIATE 7.10.6
|
|
|
d004d8 |
CURLAUTH_NONE 7.10.6
|
|
|
d004d8 |
CURLAUTH_NTLM 7.10.6
|
|
|
d004d8 |
@@ -454,6 +455,7 @@ CURLOPT_SERVER_RESPONSE_TIMEOUT 7.20.0
|
|
|
d004d8 |
CURLOPT_SHARE 7.10
|
|
|
d004d8 |
CURLOPT_SOCKOPTDATA 7.16.0
|
|
|
d004d8 |
CURLOPT_SOCKOPTFUNCTION 7.16.0
|
|
|
d004d8 |
+CURLOPT_SOCKS5_AUTH 7.55.0
|
|
|
d004d8 |
CURLOPT_SOCKS5_GSSAPI_NEC 7.19.4
|
|
|
d004d8 |
CURLOPT_SOCKS5_GSSAPI_SERVICE 7.19.4
|
|
|
d004d8 |
CURLOPT_SOURCE_HOST 7.12.1 - 7.15.5
|
|
|
d004d8 |
diff --git a/include/curl/curl.h b/include/curl/curl.h
|
|
|
d004d8 |
index 14f6fd7..0375a64 100644
|
|
|
d004d8 |
--- a/include/curl/curl.h
|
|
|
d004d8 |
+++ b/include/curl/curl.h
|
|
|
d004d8 |
@@ -626,6 +626,9 @@ typedef enum {
|
|
|
d004d8 |
#define CURLAUTH_ANY (~CURLAUTH_DIGEST_IE)
|
|
|
d004d8 |
#define CURLAUTH_ANYSAFE (~(CURLAUTH_BASIC|CURLAUTH_DIGEST_IE))
|
|
|
d004d8 |
|
|
|
d004d8 |
+/* Used for CURLOPT_SOCKS5_AUTH to stay terminologically correct */
|
|
|
d004d8 |
+#define CURLAUTH_GSSAPI CURLAUTH_GSSNEGOTIATE
|
|
|
d004d8 |
+
|
|
|
d004d8 |
#define CURLSSH_AUTH_ANY ~0 /* all types supported by the server */
|
|
|
d004d8 |
#define CURLSSH_AUTH_NONE 0 /* none allowed, silly but complete */
|
|
|
d004d8 |
#define CURLSSH_AUTH_PUBLICKEY (1<<0) /* public/private key files */
|
|
|
d004d8 |
@@ -1539,6 +1542,9 @@ typedef enum {
|
|
|
d004d8 |
/* Path to UNIX domain socket */
|
|
|
d004d8 |
CINIT(UNIX_SOCKET_PATH, OBJECTPOINT, 231),
|
|
|
d004d8 |
|
|
|
d004d8 |
+ /* bitmask of allowed auth methods for connections to SOCKS5 proxies */
|
|
|
d004d8 |
+ CINIT(SOCKS5_AUTH, LONG, 267),
|
|
|
d004d8 |
+
|
|
|
d004d8 |
CURLOPT_LASTENTRY /* the last unused */
|
|
|
d004d8 |
} CURLoption;
|
|
|
d004d8 |
|
|
|
d004d8 |
diff --git a/lib/socks.c b/lib/socks.c
|
|
|
d004d8 |
index 398e0ac..5900063 100644
|
|
|
d004d8 |
--- a/lib/socks.c
|
|
|
d004d8 |
+++ b/lib/socks.c
|
|
|
d004d8 |
@@ -373,6 +373,8 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
|
|
|
d004d8 |
bool socks5_resolve_local = (conn->proxytype == CURLPROXY_SOCKS5)?TRUE:FALSE;
|
|
|
d004d8 |
const size_t hostname_len = strlen(hostname);
|
|
|
d004d8 |
ssize_t len = 0;
|
|
|
d004d8 |
+ const unsigned long auth = data->set.socks5auth;
|
|
|
d004d8 |
+ bool allow_gssapi = FALSE;
|
|
|
d004d8 |
|
|
|
d004d8 |
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
|
|
|
d004d8 |
if(!socks5_resolve_local && hostname_len > 255) {
|
|
|
d004d8 |
@@ -409,13 +411,24 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
|
|
|
d004d8 |
return CURLE_COULDNT_CONNECT;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
|
|
|
d004d8 |
+ infof(conn->data,
|
|
|
d004d8 |
+ "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
|
|
|
d004d8 |
+ auth);
|
|
|
d004d8 |
+ if(!(auth & CURLAUTH_BASIC))
|
|
|
d004d8 |
+ /* disable username/password auth */
|
|
|
d004d8 |
+ proxy_user = NULL;
|
|
|
d004d8 |
+#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
+ if(auth & CURLAUTH_GSSAPI)
|
|
|
d004d8 |
+ allow_gssapi = TRUE;
|
|
|
d004d8 |
+#endif
|
|
|
d004d8 |
+
|
|
|
d004d8 |
idx = 0;
|
|
|
d004d8 |
socksreq[idx++] = 5; /* version */
|
|
|
d004d8 |
idx++; /* reserve for the number of authentication methods */
|
|
|
d004d8 |
socksreq[idx++] = 0; /* no authentication */
|
|
|
d004d8 |
-#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
- socksreq[idx++] = 1; /* GSS-API */
|
|
|
d004d8 |
-#endif
|
|
|
d004d8 |
+ if(allow_gssapi)
|
|
|
d004d8 |
+ socksreq[idx++] = 1; /* GSS-API */
|
|
|
d004d8 |
if(proxy_user)
|
|
|
d004d8 |
socksreq[idx++] = 2; /* username/password */
|
|
|
d004d8 |
/* write the number of authentication methods */
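Review bot: The rewritten method list still emits `socksreq[idx++] = 0; /* no authentication */` unconditionally, so the CURLAUTH_NONE "flag" that this series' man page lists as a supported value for CURLOPT_SOCKS5_AUTH has no effect in the code — nothing here consults it, and since CURLAUTH_NONE is conventionally zero in curl.h (not shown in this hunk) it could never be tested with `auth &` anyway. The practical consequence is that a caller who passed only CURLAUTH_BASIC with credentials still offers method 0, and a proxy (or anyone on the plaintext path to it) can select it and the client proceeds without ever sending the credentials. If always offering method 0 is intentional for compatibility, document it at that line, e.g. `/* method 0 is always offered; CURLOPT_SOCKS5_AUTH cannot remove it */`, and drop CURLAUTH_NONE from the option's documentation; otherwise gate that line on neither authenticated method being enabled. Curl_SOCKS5 begins and ends outside this hunk.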
|
|
|
d004d8 |
@@ -465,7 +478,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
|
|
|
d004d8 |
;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
- else if(socksreq[1] == 1) {
|
|
|
d004d8 |
+ else if(allow_gssapi && (socksreq[1] == 1)) {
|
|
|
d004d8 |
code = Curl_SOCKS5_gssapi_negotiate(sockindex, conn);
|
|
|
d004d8 |
if(code != CURLE_OK) {
|
|
|
d004d8 |
failf(data, "Unable to negotiate SOCKS5 gssapi context.");
|
|
|
d004d8 |
@@ -526,16 +539,12 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
|
|
|
d004d8 |
}
|
|
|
d004d8 |
else {
|
|
|
d004d8 |
/* error */
|
|
|
d004d8 |
-#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
- if(socksreq[1] == 255) {
|
|
|
d004d8 |
-#else
|
|
|
d004d8 |
- if(socksreq[1] == 1) {
|
|
|
d004d8 |
+ if(!allow_gssapi && (socksreq[1] == 1)) {
|
|
|
d004d8 |
failf(data,
|
|
|
d004d8 |
"SOCKS5 GSSAPI per-message authentication is not supported.");
|
|
|
d004d8 |
return CURLE_COULDNT_CONNECT;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
else if(socksreq[1] == 255) {
|
|
|
d004d8 |
-#endif
|
|
|
d004d8 |
if(!proxy_user || !*proxy_user) {
|
|
|
d004d8 |
failf(data,
|
|
|
d004d8 |
"No authentication method was acceptable. (It is quite likely"
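Review bot: The diagnostic under `if(!proxy_user || !*proxy_user)` tells the user that no username/password was supplied, but earlier in this function the series now sets `proxy_user = NULL` whenever CURLAUTH_BASIC is absent from CURLOPT_SOCKS5_AUTH, so a caller who did configure credentials and merely disabled basic auth gets a misleading explanation. Consider distinguishing the two cases before the failf, e.g. `if(!(data->set.socks5auth & CURLAUTH_BASIC))` followed by `failf(data, "No acceptable SOCKS5 auth method; username/password is disabled by CURLOPT_SOCKS5_AUTH");`, keeping the existing message for the genuinely-no-credentials case. The failf string and the rest of Curl_SOCKS5 continue outside this hunk.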
|
|
|
d004d8 |
diff --git a/lib/url.c b/lib/url.c
|
|
|
d004d8 |
index 19a40c7..d632813 100644
|
|
|
d004d8 |
--- a/lib/url.c
|
|
|
d004d8 |
+++ b/lib/url.c
|
|
|
d004d8 |
@@ -516,6 +516,9 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
|
|
|
d004d8 |
set->httpauth = CURLAUTH_BASIC; /* defaults to basic */
|
|
|
d004d8 |
set->proxyauth = CURLAUTH_BASIC; /* defaults to basic */
|
|
|
d004d8 |
|
|
|
d004d8 |
+ /* SOCKS5 proxy auth defaults to username/password + GSS-API */
|
|
|
d004d8 |
+ set->socks5auth = CURLAUTH_BASIC | CURLAUTH_GSSAPI;
|
|
|
d004d8 |
+
|
|
|
d004d8 |
/* make libcurl quiet by default: */
|
|
|
d004d8 |
set->hide_progress = TRUE; /* CURLOPT_NOPROGRESS changes these */
|
|
|
d004d8 |
|
|
|
d004d8 |
@@ -1380,6 +1383,11 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
|
|
|
d004d8 |
break;
|
|
|
d004d8 |
#endif /* CURL_DISABLE_PROXY */
|
|
|
d004d8 |
|
|
|
d004d8 |
+ case CURLOPT_SOCKS5_AUTH:
|
|
|
d004d8 |
+ data->set.socks5auth = va_arg(param, unsigned long);
|
|
|
d004d8 |
+ if(data->set.socks5auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
|
|
|
d004d8 |
+ result = CURLE_NOT_BUILT_IN;
|
|
|
d004d8 |
+ break;
|
|
|
d004d8 |
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
case CURLOPT_SOCKS5_GSSAPI_SERVICE:
|
|
|
d004d8 |
/*
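Review bot: In the new `case CURLOPT_SOCKS5_AUTH:` the value is stored into `data->set.socks5auth` before it is validated, so when the check rejects unsupported bits with CURLE_NOT_BUILT_IN the invalid mask has already replaced the previous (valid) setting and will be used by later transfers on this handle. Validate into a local first and only commit on success; the rest of Curl_setopt is outside this hunk.
```c
  case CURLOPT_SOCKS5_AUTH:
    {
      unsigned long mask = va_arg(param, unsigned long);
      if(mask & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
        result = CURLE_NOT_BUILT_IN; /* keep the previous, valid value */
      else
        data->set.socks5auth = mask;
    }
    break;
```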
|
|
|
d004d8 |
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
|
d004d8 |
index f4c6222..3e6ace5 100644
|
|
|
d004d8 |
--- a/lib/urldata.h
|
|
|
d004d8 |
+++ b/lib/urldata.h
|
|
|
d004d8 |
@@ -1406,6 +1406,7 @@ struct UserDefined {
|
|
|
d004d8 |
long use_port; /* which port to use (when not using default) */
|
|
|
d004d8 |
unsigned long httpauth; /* kind of HTTP authentication to use (bitmask) */
|
|
|
d004d8 |
unsigned long proxyauth; /* kind of proxy authentication to use (bitmask) */
|
|
|
d004d8 |
+ unsigned long socks5auth;/* kind of SOCKS5 authentication to use (bitmask) */
|
|
|
d004d8 |
long followlocation; /* as in HTTP Location: */
|
|
|
d004d8 |
long maxredirs; /* maximum no. of http(s) redirects to follow, set to -1
|
|
|
d004d8 |
for infinity */
|
|
|
d004d8 |
--
|
|
|
d004d8 |
2.13.5
|
|
|
d004d8 |
|
|
|
d004d8 |
|
|
|
d004d8 |
From 08f6dc218afe2d7e74f87996965f0770a566f185 Mon Sep 17 00:00:00 2001
|
|
|
d004d8 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
Date: Fri, 19 May 2017 18:11:47 +0200
|
|
|
d004d8 |
Subject: [PATCH 4/4] curl --socks5-{basic,gssapi}: control socks5 auth
|
|
|
d004d8 |
|
|
|
d004d8 |
Closes https://github.com/curl/curl/pull/1454
|
|
|
d004d8 |
|
|
|
d004d8 |
Upstream-commit: ce2c3ebda20919fe636e675f219ae387e386f508
|
|
|
d004d8 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
d004d8 |
---
|
|
|
d004d8 |
docs/curl.1 | 10 ++++++++++
|
|
|
d004d8 |
src/tool_cfgable.h | 1 +
|
|
|
d004d8 |
src/tool_getparam.c | 16 ++++++++++++++++
|
|
|
d004d8 |
src/tool_help.c | 2 ++
|
|
|
d004d8 |
src/tool_operate.c | 5 +++++
|
|
|
d004d8 |
src/tool_setopt.c | 1 +
|
|
|
d004d8 |
src/tool_setopt.h | 1 +
|
|
|
d004d8 |
7 files changed, 36 insertions(+)
|
|
|
d004d8 |
|
|
|
d004d8 |
diff --git a/docs/curl.1 b/docs/curl.1
|
|
|
d004d8 |
index c9bb336..7906f1f 100644
|
|
|
d004d8 |
--- a/docs/curl.1
|
|
|
d004d8 |
+++ b/docs/curl.1
|
|
|
d004d8 |
@@ -1343,6 +1343,16 @@ Since 7.21.7, this option is superfluous since you can specify a socks4a proxy
|
|
|
d004d8 |
with \fI-x, --proxy\fP using a socks4a:// protocol prefix.
|
|
|
d004d8 |
|
|
|
d004d8 |
If this option is used several times, the last one will be used.
|
|
|
d004d8 |
+.IP "--socks5-basic"
|
|
|
d004d8 |
+Tells curl to use username/password authentication when connecting to a SOCKS5
|
|
|
d004d8 |
+proxy. The username/password authentication is enabled by default. Use
|
|
|
d004d8 |
+\fI--socks5-gssapi\fP to force GSS-API authentication to SOCKS5 proxies.
|
|
|
d004d8 |
+(Added in 7.55.0)
|
|
|
d004d8 |
+.IP "--socks5-gssapi"
|
|
|
d004d8 |
+Tells curl to use GSS-API authentication when connecting to a SOCKS5 proxy.
|
|
|
d004d8 |
+The GSS-API authentication is enabled by default (if curl is compiled with
|
|
|
d004d8 |
+GSS-API support). Use \fI--socks5-basic\fP to force username/password
|
|
|
d004d8 |
+authentication to SOCKS5 proxies. (Added in 7.55.0)
|
|
|
d004d8 |
.IP "--socks5-hostname <host[:port]>"
|
|
|
d004d8 |
Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If
|
|
|
d004d8 |
the port number is not specified, it is assumed at port 1080. (Added in
|
|
|
d004d8 |
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
|
|
|
d004d8 |
index a9b033b..68d0297 100644
|
|
|
d004d8 |
--- a/src/tool_cfgable.h
|
|
|
d004d8 |
+++ b/src/tool_cfgable.h
|
|
|
d004d8 |
@@ -172,6 +172,7 @@ struct Configurable {
|
|
|
d004d8 |
* default rcmd */
|
|
|
d004d8 |
int socks5_gssapi_nec ; /* The NEC reference server does not protect
|
|
|
d004d8 |
* the encryption type exchange */
|
|
|
d004d8 |
+ unsigned long socks5_auth;/* auth bitmask for socks5 proxies */
|
|
|
d004d8 |
|
|
|
d004d8 |
bool tcp_nodelay;
|
|
|
d004d8 |
long req_retry; /* number of retries */
|
|
|
d004d8 |
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
|
|
|
d004d8 |
index 33db742..32fc68b 100644
|
|
|
d004d8 |
--- a/src/tool_getparam.c
|
|
|
d004d8 |
+++ b/src/tool_getparam.c
|
|
|
d004d8 |
@@ -210,6 +210,8 @@ static const struct LongShort aliases[]= {
|
|
|
d004d8 |
{"El", "tlspassword", TRUE},
|
|
|
d004d8 |
{"Em", "tlsauthtype", TRUE},
|
|
|
d004d8 |
{"En", "ssl-allow-beast", FALSE},
|
|
|
d004d8 |
+ {"EA", "socks5-basic", FALSE},
|
|
|
d004d8 |
+ {"EB", "socks5-gssapi", FALSE},
|
|
|
d004d8 |
{"f", "fail", FALSE},
|
|
|
d004d8 |
{"F", "form", TRUE},
|
|
|
d004d8 |
{"Fs", "form-string", TRUE},
|
|
|
d004d8 |
@@ -1324,6 +1326,20 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
|
|
|
d004d8 |
if(curlinfo->features & CURL_VERSION_SSL)
|
|
|
d004d8 |
config->ssl_allow_beast = toggle;
|
|
|
d004d8 |
break;
|
|
|
d004d8 |
+ case 'A':
|
|
|
d004d8 |
+ /* --socks5-basic */
|
|
|
d004d8 |
+ if(toggle)
|
|
|
d004d8 |
+ config->socks5_auth |= CURLAUTH_BASIC;
|
|
|
d004d8 |
+ else
|
|
|
d004d8 |
+ config->socks5_auth &= ~CURLAUTH_BASIC;
|
|
|
d004d8 |
+ break;
|
|
|
d004d8 |
+ case 'B':
|
|
|
d004d8 |
+ /* --socks5-gssapi */
|
|
|
d004d8 |
+ if(toggle)
|
|
|
d004d8 |
+ config->socks5_auth |= CURLAUTH_GSSAPI;
|
|
|
d004d8 |
+ else
|
|
|
d004d8 |
+ config->socks5_auth &= ~CURLAUTH_GSSAPI;
|
|
|
d004d8 |
+ break;
|
|
|
d004d8 |
default: /* certificate file */
|
|
|
d004d8 |
{
|
|
|
d004d8 |
char *certname, *passphrase;
|
|
|
d004d8 |
diff --git a/src/tool_help.c b/src/tool_help.c
|
|
|
d004d8 |
index 3a64e35..c2883eb 100644
|
|
|
d004d8 |
--- a/src/tool_help.c
|
|
|
d004d8 |
+++ b/src/tool_help.c
|
|
|
d004d8 |
@@ -179,6 +179,8 @@ static const char *const helptext[] = {
|
|
|
d004d8 |
" --socks4 HOST[:PORT] SOCKS4 proxy on given host + port",
|
|
|
d004d8 |
" --socks4a HOST[:PORT] SOCKS4a proxy on given host + port",
|
|
|
d004d8 |
" --socks5 HOST[:PORT] SOCKS5 proxy on given host + port",
|
|
|
d004d8 |
+ " --socks5-basic Enable username/password auth for SOCKS5 proxies",
|
|
|
d004d8 |
+ " --socks5-gssapi Enable GSS-API auth for SOCKS5 proxies",
|
|
|
d004d8 |
" --socks5-hostname HOST[:PORT] "
|
|
|
d004d8 |
"SOCKS5 proxy, pass host name to proxy",
|
|
|
d004d8 |
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
|
|
d004d8 |
diff --git a/src/tool_operate.c b/src/tool_operate.c
|
|
|
d004d8 |
index 41b0e6b..185f9c6 100644
|
|
|
d004d8 |
--- a/src/tool_operate.c
|
|
|
d004d8 |
+++ b/src/tool_operate.c
|
|
|
d004d8 |
@@ -1208,6 +1208,11 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
|
|
|
d004d8 |
if(config->socks5_gssapi_nec)
|
|
|
d004d8 |
my_setopt_str(curl, CURLOPT_SOCKS5_GSSAPI_NEC,
|
|
|
d004d8 |
config->socks5_gssapi_nec);
|
|
|
d004d8 |
+
|
|
|
d004d8 |
+ /* new in curl 7.55.0 */
|
|
|
d004d8 |
+ if(config->socks5_auth)
|
|
|
d004d8 |
+ my_setopt_bitmask(curl, CURLOPT_SOCKS5_AUTH,
|
|
|
d004d8 |
+ (long)config->socks5_auth);
|
|
|
d004d8 |
}
|
|
|
d004d8 |
#endif
|
|
|
d004d8 |
/* curl 7.13.0 */
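Review bot: The guard `if(config->socks5_auth)` treats zero as "option never given", but the option handlers added in tool_getparam.c only set or clear bits in a field that starts at zero, so the negated forms `--no-socks5-basic` and `--no-socks5-gssapi` (which the `toggle` branches accept) can never produce a mask that reaches libcurl — the field stays 0 and the library default is used unchanged. Either record that one of the options was seen (e.g. a `bool socks5_auth_set` in Configurable) and pass the mask unconditionally when set, or seed `config->socks5_auth` with the library default at configuration init; the latter changes the documented meaning of `--socks5-basic` alone, so the man page text would need to follow. operate() starts and ends outside this hunk.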
|
|
|
d004d8 |
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
|
|
|
d004d8 |
index 9860117..5ae32cd 100644
|
|
|
d004d8 |
--- a/src/tool_setopt.c
|
|
|
d004d8 |
+++ b/src/tool_setopt.c
|
|
|
d004d8 |
@@ -130,6 +130,7 @@ const NameValue setopt_nv_CURLPROTO[] = {
|
|
|
d004d8 |
static const NameValue setopt_nv_CURLNONZERODEFAULTS[] = {
|
|
|
d004d8 |
NV1(CURLOPT_SSL_VERIFYPEER, 1),
|
|
|
d004d8 |
NV1(CURLOPT_SSL_VERIFYHOST, 1),
|
|
|
d004d8 |
+ NV1(CURLOPT_SOCKS5_AUTH, 1),
|
|
|
d004d8 |
NVEND
|
|
|
d004d8 |
};
|
|
|
d004d8 |
|
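Review bot: `NV1(CURLOPT_SOCKS5_AUTH, 1)` records the option's non-zero default as 1, but lib/url.c in this same series initialises it to `CURLAUTH_BASIC | CURLAUTH_GSSAPI`, so the --libcurl output logic will treat a value equal to the real default as non-default (and vice versa). Use the same expression here, `NV1(CURLOPT_SOCKS5_AUTH, CURLAUTH_BASIC | CURLAUTH_GSSAPI),`, or add a comment explaining why the tool deliberately considers only basic auth as the baseline.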
|
|
d004d8 |
diff --git a/src/tool_setopt.h b/src/tool_setopt.h
|
|
|
d004d8 |
index d107756..60e614c 100644
|
|
|
d004d8 |
--- a/src/tool_setopt.h
|
|
|
d004d8 |
+++ b/src/tool_setopt.h
|
|
|
d004d8 |
@@ -64,6 +64,7 @@ extern const NameValueUnsigned setopt_nv_CURLAUTH[];
|
|
|
d004d8 |
#define setopt_nv_CURLOPT_REDIR_PROTOCOLS setopt_nv_CURLPROTO
|
|
|
d004d8 |
#define setopt_nv_CURLOPT_PROXYTYPE setopt_nv_CURLPROXY
|
|
|
d004d8 |
#define setopt_nv_CURLOPT_PROXYAUTH setopt_nv_CURLAUTH
|
|
|
d004d8 |
+#define setopt_nv_CURLOPT_SOCKS5_AUTH setopt_nv_CURLAUTH
|
|
|
d004d8 |
|
|
|
d004d8 |
/* Intercept setopt calls for --libcurl */
|
|
|
d004d8 |
|
|
|
d004d8 |
--
|
|
|
d004d8 |
2.13.5
|
|
|
d004d8 |
|