From 97c272e5d173ad5f706443e2477f0a84f0044edd Mon Sep 17 00:00:00 2001
From: Linus Nielsen
Date: Sun, 29 Mar 2015 14:52:31 +0200
Subject: [PATCH] Negotiate: custom service names for SPNEGO.

* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
---
 docs/curl.1 | 10 ++++
 docs/libcurl/curl_easy_setopt.3 | 4 ++
 .../libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 | 46 +++++++++++++++++++
 docs/libcurl/opts/CURLOPT_SERVICE_NAME.3 | 46 +++++++++++++++++++
 docs/libcurl/symbols-in-versions | 2 +
 include/curl/curl.h | 6 +++
 include/curl/typecheck-gcc.h | 2 +
 lib/http_negotiate.c | 6 ++-
 lib/http_negotiate_sspi.c | 7 +-
 lib/url.c | 29 ++++++++++++
 lib/url.h | 3 ++
 lib/urldata.h | 2 +
 packages/OS400/ccsidcurl.c | 2 +
 src/tool_cfgable.c | 2 +
 src/tool_cfgable.h | 4 ++
 src/tool_getparam.c | 8 ++++
 src/tool_operate.c | 11 +++++
 17 files changed, 185 insertions(+), 5 deletions(-)
 create mode 100644 docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3
 create mode 100644 docs/libcurl/opts/CURLOPT_SERVICE_NAME.3

diff --git a/docs/curl.1 b/docs/curl.1
index 7b988d043..c8d9baf11 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1332,6 +1332,11 @@ with a remote host. (Added in 7.17.1)
 .IP "--proxy-ntlm"
 Tells curl to use HTTP NTLM authentication when communicating with the given proxy. Use \fI--ntlm\fP for enabling NTLM with a remote host.
+.IP "--proxy-service-name "
+This option allows you to change the service name for proxy negotiation.
+
+Examples: --proxy-negotiate proxy-name \fI--proxy-service-name\fP sockd would use
+sockd/proxy-name. (Added in 7.43.0).
 .IP "--proxy1.0 "
 Use the specified HTTP 1.0 proxy. If the port number is not specified, it is assumed at port 1080.
@@ -1513,6 +1518,11 @@ terminal/stdout unless you redirect it.
 .IP "--sasl-ir"
 Enable initial response in SASL authentication. (Added in 7.31.0)
+.IP "--service-name "
+This option allows you to change the service name for SPNEGO.
+
+Examples: --negotiate \fI--service-name\fP sockd would use
+sockd/server-name. (Added in 7.43.0).
 .IP "-S, --show-error"
 When used with \fI-s\fP it makes curl show an error message if it fails.
 .IP "--ssl"
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 712dae90c..4e5b8dec1 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -165,6 +165,10 @@ Tunnel through the HTTP proxy. \fICURLOPT_HTTPPROXYTUNNEL(3)\fP
 Socks5 GSSAPI service name. \fICURLOPT_SOCKS5_GSSAPI_SERVICE(3)\fP
 .IP CURLOPT_SOCKS5_GSSAPI_NEC
 Socks5 GSSAPI NEC mode. See \fICURLOPT_SOCKS5_GSSAPI_NEC(3)\fP
+.IP CURLOPT_PROXY_SERVICE_NAME
+Proxy service name. \fICURLOPT_PROXY_SERVICE_NAME(3)\fP
+.IP CURLOPT_SERVICE_NAME
+SPNEGO service name. \fICURLOPT_SERVICE_NAME(3)\fP
 .IP CURLOPT_INTERFACE
 Bind connection locally to this. See \fICURLOPT_INTERFACE(3)\fP
 .IP CURLOPT_LOCALPORT
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 b/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3
new file mode 100644
index 000000000..824fedf8a
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3
@@ -0,0 +1,46 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_PROXY_SERVICE_NAME 3 "17 Jun 2015" "libcurl 7.43.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_PROXY_SERVICE_NAME \- proxy service name
+.SH SYNOPSIS
+#include
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_SERVICE_NAME, char *name);
+.SH DESCRIPTION
+Pass a char * as parameter to a string holding the \fIname\fP of the
+service. The default service name is "rcmd" (for a SOCKS5 server). This option
+allows you to change it.
+..SH DEFAULT
+See above
+.SH PROTOCOLS
+Most
+.SH EXAMPLE
+TODO
+.SH AVAILABILITY
+Added in 7.43.0
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+.SH "SEE ALSO"
+.BR CURLOPT_PROXY "(3), " CURLOPT_PROXYTYPE "(3), "
diff --git a/docs/libcurl/opts/CURLOPT_SERVICE_NAME.3 b/docs/libcurl/opts/CURLOPT_SERVICE_NAME.3
new file mode 100644
index 000000000..116fdbe76
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SERVICE_NAME.3
@@ -0,0 +1,46 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_SERVICE_NAME 3 "17 Jun 2015" "libcurl 7.43.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_SERVICE_NAME \- SPNEGO service name
+.SH SYNOPSIS
+#include
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SERVICE_NAME, char *name);
+.SH DESCRIPTION
+Pass a char * as parameter to a string holding the \fIname\fP of the
+service. The default service name is "HTTP". This option allows you to
+change it.
+..SH DEFAULT
+See above
+.SH PROTOCOLS
+Most
+.SH EXAMPLE
+TODO
+.SH AVAILABILITY
+Added in 7.43.0
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+.SH "SEE ALSO"
+.BR CURLOPT_PROXY "(3), " CURLOPT_PROXYTYPE "(3), "
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 1ed3c212f..18dc1beda 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -454,6 +454,7 @@ CURLOPT_PROXYPORT 7.1
 CURLOPT_PROXYTYPE 7.10
 CURLOPT_PROXYUSERNAME 7.19.1
 CURLOPT_PROXYUSERPWD 7.1
+CURLOPT_PROXY_SERVICE_NAME 7.43.0
 CURLOPT_PROXY_TRANSFER_MODE 7.18.0
 CURLOPT_PUT 7.1
 CURLOPT_QUOTE 7.1
@@ -477,6 +478,7 @@ CURLOPT_SASL_IR 7.31.0
 CURLOPT_SEEKDATA 7.18.0
 CURLOPT_SEEKFUNCTION 7.18.0
 CURLOPT_SERVER_RESPONSE_TIMEOUT 7.20.0
+CURLOPT_SERVICE_NAME 7.43.0
 CURLOPT_SHARE 7.10
 CURLOPT_SOCKOPTDATA 7.16.0
 CURLOPT_SOCKOPTFUNCTION 7.16.0
diff --git a/include/curl/curl.h b/include/curl/curl.h
index ae1b0e4db..9ef753140 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1632,6 +1632,12 @@ typedef enum {
 /* Do not squash dot-dot sequences */
 CINIT(PATH_AS_IS, LONG, 234),
+ /* Proxy Service Name */
+ CINIT(PROXY_SERVICE_NAME, OBJECTPOINT, 235),
+
+ /* Service Name */
+ CINIT(SERVICE_NAME, OBJECTPOINT, 236),
+
 CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
index 69d41a20d..13fb0fa9e 100644
--- a/include/curl/typecheck-gcc.h
+++ b/include/curl/typecheck-gcc.h
@@ -270,6 +270,8 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist,
 (option) == CURLOPT_DNS_LOCAL_IP4 || \
 (option) == CURLOPT_DNS_LOCAL_IP6 || \
 (option) == CURLOPT_LOGIN_OPTIONS || \
+ (option) == CURLOPT_PROXY_SERVICE_NAME || \
+ (option) == CURLOPT_SERVICE_NAME || \
 0)
 /* evaluates to true if option takes a curl_write_callback argument */
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 21658cf7a..a1baf29c3 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
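Review bot: The comments on the two new options in include/curl/curl.h, `/* Proxy Service Name */` and `/* Service Name */`, do not say which authentication mechanism they affect, what the string is used for, or what the default is, and the public header is where most users will first meet them. The rest of this commit shows the value becomes the service part of the SPN built for Negotiate/SPNEGO (`/* Generate our SPN */` in the lib/http_negotiate.c hunk) and that the default is the CURL_DEFAULT_*SERVICE_NAME macros in lib/url.h, so something like `/* Service name used in the SPN for Negotiate/SPNEGO auth against the proxy (default "HTTP") */` and the equivalent for the origin server would save readers a trip through the sources. The CURLoption enum begins and ends outside this hunk.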
@@ -62,8 +62,10 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
 if(!neg_ctx->server_name) {
 /* Generate our SPN */
- char *spn = Curl_sasl_build_gssapi_spn("HTTP", proxy ? conn->proxy.name :
- conn->host.name);
+ char *spn = Curl_sasl_build_gssapi_spn(
+ proxy ? data->set.str[STRING_PROXY_SERVICE_NAME] :
+ data->set.str[STRING_SERVICE_NAME],
+ proxy ? conn->proxy.name : conn->host.name);
 if(!spn)
 return CURLE_OUT_OF_MEMORY;
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
index 20f8d643c..2c1075954 100644
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -93,9 +93,10 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
 return CURLE_BAD_FUNCTION_ARGUMENT;
 /* Generate our SPN */
- neg_ctx->server_name = Curl_sasl_build_spn("HTTP",
- proxy ? conn->proxy.name :
- conn->host.name);
+ neg_ctx->server_name = Curl_sasl_build_spn(
+ proxy ? data->set.str[STRING_PROXY_SERVICE_NAME] :
+ data->set.str[STRING_SERVICE_NAME],
+ proxy ? conn->proxy.name : conn->host.name);
 if(!neg_ctx->server_name)
 return CURLE_OUT_OF_MEMORY;
 }
diff --git a/lib/url.c b/lib/url.c
index e49d5507a..dfd2ff4c5 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -576,6 +576,18 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
 (char *) CURL_DEFAULT_SOCKS5_GSSAPI_SERVICE);
 if(result)
 return result;
+
+ /* set default negotiate proxy service name */
+ result = setstropt(&set->str[STRING_PROXY_SERVICE_NAME],
+ (char *) CURL_DEFAULT_PROXY_SERVICE_NAME);
+ if(result)
+ return result;
+
+ /* set default negotiate service name */
+ result = setstropt(&set->str[STRING_SERVICE_NAME],
+ (char *) CURL_DEFAULT_SERVICE_NAME);
+ if(result)
+ return result;
 #endif
 /* This is our preferred CA cert bundle/path since install time */
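Review bot: The new call in lib/http_negotiate.c replaces the literal "HTTP" with a pointer read from `data->set.str[...]`, and nothing in this hunk or in the Curl_setopt hunk in lib/url.c guards against that pointer being NULL: `setstropt(&data->set.str[STRING_SERVICE_NAME], va_arg(param, char *))` stores whatever the application passes, so setting CURLOPT_SERVICE_NAME or CURLOPT_PROXY_SERVICE_NAME to NULL (the usual way of unsetting a string option) would discard the default installed in Curl_init_userdefined and hand a NULL service to Curl_sasl_build_gssapi_spn, where a printf-style `%s` would be undefined behaviour instead of a clean error; an empty string would similarly produce an SPN with no service part. The same pattern is in the Curl_sasl_build_spn call in the lib/http_negotiate_sspi.c hunk. Either reject NULL/empty values in Curl_setopt or check before building the SPN, as sketched below; `data` is not declared inside the hunk and Curl_input_negotiate starts before it, so I assume it is the usual `conn->data` local.
```c
  if(!neg_ctx->server_name) {
    /* Generate our SPN; the service part is user-settable and may have been
       cleared, so never pass a NULL or empty service to the builder */
    const char *service = proxy ? data->set.str[STRING_PROXY_SERVICE_NAME] :
                                  data->set.str[STRING_SERVICE_NAME];
    char *spn;
    if(!service || !*service)
      return CURLE_BAD_FUNCTION_ARGUMENT;
    spn = Curl_sasl_build_gssapi_spn(service,
                                     proxy ? conn->proxy.name : conn->host.name);
    /* … unchanged: out-of-memory check and the rest of the SPN setup … */
```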
@@ -1472,12 +1484,29 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
 va_arg(param, char *));
 break;
+ case CURLOPT_PROXY_SERVICE_NAME:
+ /*
+ * Set negotiate proxy service name
+ */
+ result = setstropt(&data->set.str[STRING_PROXY_SERVICE_NAME],
+ va_arg(param, char *));
+ break;
+
 case CURLOPT_SOCKS5_GSSAPI_NEC:
 /*
 * set flag for nec socks5 support
 */
 data->set.socks5_gssapi_nec = (0 != va_arg(param, long))?TRUE:FALSE;
 break;
+
+ case CURLOPT_SERVICE_NAME:
+ /*
+ * Set negotiate service identity
+ */
+ result = setstropt(&data->set.str[STRING_SERVICE_NAME],
+ va_arg(param, char *));
+ break;
+
 #endif
 case CURLOPT_HEADERDATA:
diff --git a/lib/url.h b/lib/url.h
index cd46a92c3..e49b7724d 100644
--- a/lib/url.h
+++ b/lib/url.h
@@ -69,6 +69,9 @@ void Curl_close_connections(struct SessionHandle *data);
 #define CURL_DEFAULT_PROXY_PORT 1080 /* default proxy port unless specified */
 #define CURL_DEFAULT_SOCKS5_GSSAPI_SERVICE "rcmd" /* default socks5 gssapi service */
+#define CURL_DEFAULT_PROXY_SERVICE_NAME "HTTP" /* default negotiate proxy
+ service */
+#define CURL_DEFAULT_SERVICE_NAME "HTTP" /* default negotiate service */
 CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex);
diff --git a/lib/urldata.h b/lib/urldata.h
index b1b1a678e..db8b1e732 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1389,6 +1389,8 @@ enum dupstring {
 #endif
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
 STRING_SOCKS5_GSSAPI_SERVICE, /* GSSAPI service name */
+ STRING_PROXY_SERVICE_NAME, /* Proxy service name */
+ STRING_SERVICE_NAME, /* Service name */
 #endif
 STRING_MAIL_FROM,
 STRING_MAIL_AUTH,
diff --git a/packages/OS400/ccsidcurl.c b/packages/OS400/ccsidcurl.c
index 8ac6ed377..ca3b0f1ad 100644
--- a/packages/OS400/ccsidcurl.c
+++ b/packages/OS400/ccsidcurl.c
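Review bot: The two new cases in Curl_setopt (lib/url.c) are a pair but are split by the existing CURLOPT_SOCKS5_GSSAPI_NEC case, and their comments disagree on wording (`Set negotiate proxy service name` versus `Set negotiate service identity`); the Curl_init_userdefined hunk in the same file keeps the two defaults together, so keeping the cases adjacent and using one phrase such as `/* Set the service name used in the Negotiate/SPNEGO SPN for the proxy */` makes both easy to find when the handling of a NULL or empty value for these string options is revisited. Curl_setopt's switch begins and ends outside this hunk.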
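Review bot: `CURL_DEFAULT_PROXY_SERVICE_NAME` in lib/url.h is defined as "HTTP", but the CURLOPT_PROXY_SERVICE_NAME.3 page added by this same commit states that the default is "rcmd" (for a SOCKS5 server), which is the CURL_DEFAULT_SOCKS5_GSSAPI_SERVICE value on the line just above; the man page text appears to have been copied from the SOCKS5 option and should say "HTTP" and name Negotiate/SPNEGO instead (that page also has a stray `..SH DEFAULT`). The macro comments would help a reader more if they said what the name is used for, e.g. `/* default service part of the SPN built for proxy Negotiate auth */`. Since both macros expand to the same string, defining one in terms of the other would keep them from drifting apart.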
@@ -1180,6 +1180,8 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
 case CURLOPT_USERNAME:
 case CURLOPT_USERPWD:
 case CURLOPT_XOAUTH2_BEARER:
+ case CURLOPT_PROXY_SERVICE_NAME:
+ case CURLOPT_SERVICE_NAME:
 s = va_arg(arg, char *);
 ccsid = va_arg(arg, unsigned int);
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
index c78c89613..ba6c468c5 100644
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@@ -136,6 +136,8 @@ static void free_config_fields(struct OperationConfig *config)
 Curl_safefree(config->socksproxy);
 Curl_safefree(config->socks5_gssapi_service);
+ Curl_safefree(config->proxy_service_name);
+ Curl_safefree(config->service_name);
 Curl_safefree(config->ftp_account);
 Curl_safefree(config->ftp_alternative_to_user);
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index d1f223871..048eb4ffe 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -166,8 +166,12 @@ struct OperationConfig {
 int socksver; /* set to CURLPROXY_SOCKS* define */
 char *socks5_gssapi_service; /* set service name for gssapi principal
 * default rcmd */
+ char *proxy_service_name; /* set service name for proxy negotiation
+ * default HTTP */
 int socks5_gssapi_nec ; /* The NEC reference server does not protect
 * the encryption type exchange */
+ char *service_name; /* set negotiation service name
+ * default HTTP */
 bool tcp_nodelay;
 long req_retry; /* number of retries */
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 1b5d6d2b0..62283a5dd 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -161,6 +161,8 @@ static const struct LongShort aliases[]= {
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
 {"$6", "socks5-gssapi-service", TRUE},
 {"$7", "socks5-gssapi-nec", FALSE},
+ {"$O", "proxy-service-name", TRUE},
+ {"$P", "service-name", TRUE},
 #endif
 {"$8", "proxy1.0", TRUE},
 {"$9", "tftp-blksize", TRUE},
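Review bot: In struct OperationConfig (src/tool_cfgable.h) `proxy_service_name` is inserted between `socks5_gssapi_service` and `socks5_gssapi_nec` while `service_name` lands after `socks5_gssapi_nec`, so the two new fields are separated by an unrelated SOCKS5 flag; placing them next to each other, as the matching Curl_safefree pair in the src/tool_cfgable.c hunk already does, keeps the struct readable. The field comments say `default HTTP`, but the tool only forwards the value when it is non-NULL (src/tool_operate.c hunk), so the default actually comes from libcurl; `/* NULL means libcurl's default ("HTTP") */` would describe the field more accurately. struct OperationConfig continues outside the hunk.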
@@ -903,6 +905,12 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
 case '7': /* --socks5-gssapi-nec*/
 config->socks5_gssapi_nec = toggle;
 break;
+ case 'O': /* --proxy-service-name */
+ GetStr(&config->proxy_service_name, nextarg);
+ break;
+ case 'P': /* --service-name */
+ GetStr(&config->service_name, nextarg);
+ break;
 #endif
 case '8': /* --proxy1.0 */
 /* http 1.0 proxy */
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 74e4002b1..5f7b79211 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1217,6 +1217,17 @@ static CURLcode operate_do(struct GlobalConfig *global,
 if(config->socks5_gssapi_nec)
 my_setopt_str(curl, CURLOPT_SOCKS5_GSSAPI_NEC,
 config->socks5_gssapi_nec);
+
+ /* new in curl 7.43.0 */
+ if(config->proxy_service_name)
+ my_setopt_str(curl, CURLOPT_PROXY_SERVICE_NAME,
+ config->proxy_service_name);
+
+ /* new in curl 7.43.0 */
+ if(config->service_name)
+ my_setopt_str(curl, CURLOPT_SERVICE_NAME,
+ config->service_name);
+
 }
 #endif /* curl 7.13.0 */