1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 15:05:02 -05:00
Commit Graph

141 Commits

Author SHA1 Message Date
Michael Osipov
a4b7f716d3 tool: Use Kerberos for supported features 2014-11-15 14:43:35 +00:00
Steve Holme
e7bcfb368c curl_tool: Added krb5 to the supported features 2014-11-07 10:57:23 +00:00
93e450793c SSL: implement public key pinning
Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).

Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().

Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
2014-10-07 14:44:19 +02:00
Daniel Stenberg
f854130b7b help output: minor whitespace edits
Should've been amended in the previous commit but wasn't due to a
mistake.
2014-08-19 23:45:34 +02:00
Zearin
2f2d84033b help output: use ≥2 spaces between option and description
... and some other cleanups
2014-08-19 23:38:02 +02:00
Michael Osipov
eed1c63c70 docs: Improve inline GSS-API naming in code documentation 2014-07-23 00:01:39 +02:00
Michael Osipov
e38ba43014 curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
- CURL_VERSION_GSSNEGOTIATE is deprecated which
  is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and
  CURUL_VERSION_SPNEGO now.
- Remove display of feature 'GSS-Negotiate'
2014-07-23 00:01:39 +02:00
Michael Osipov
46750c39bd configure/features: Add feature and version info for GSS-API and SPNEGO 2014-07-23 00:01:39 +02:00
David Woodhouse
9ad282b1ae Remove all traces of FBOpenSSL SPNEGO support
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters, there are various
different OIDs which can be used to specify the Kerberos mechanism too.

A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
and will exchange GSSAPI tokens which are appropriate for that mechanism.

But this SPNEGO implementation just strips the incoming SPNEGO packet
and extracts the token, if any. And completely discards the information
about *which* mechanism is being used. Then we *assume* it was Kerberos,
and feed the token into gss_init_sec_context() with the default
mechanism (GSS_S_NO_OID for the mech_type argument).

Furthermore... broken as this code is, it was never even *used* for input
tokens anyway, because higher layers of curl would just bail out if the
server actually said anything *back* to us in the negotiation. We assume
that we send a single token to the server, and it accepts it. If the server
wants to continue the exchange (as is required for NTLM and for SPNEGO
to do anything useful), then curl was broken anyway.

So the only bit which actually did anything was the bit in
Curl_output_negotiate(), which always generates an *initial* SPNEGO
token saying "Hey, I support only the Kerberos mechanism and this is its
token".

You could have done that by manually just prefixing the Kerberos token
with the appropriate bytes, if you weren't going to do any proper SPNEGO
handling. There's no need for the FBOpenSSL library at all.

The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
is for. And then it should all Just Work™.

That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
2014-07-16 17:26:08 +02:00
Steve Holme
5f68fa4897 tool_help: Fixed missing --login-options option
...and removed ;OPTIONS from --user as that functionality was removed
in 7.34.0.
2014-05-07 17:27:47 +01:00
Steve Holme
1a9b58fcb2 tool_getparam: Added initial support for --next/-:
Added initial support for --next/-: which will be used to replace the
rather confusing : command line operation what was used for the URL
specific options prototype.
2014-02-26 20:42:30 +00:00
Steve Holme
70052836d1 tool_help: Moved --no-alpn and --no-npn to be listed alphabetically
...and added the HTTP suffix as these options are only used for HTTP2
based connections.
2014-02-25 21:38:36 +00:00
Steve Holme
dcbae71812 tool_getparam: Moved version information into separate function in tool_help 2014-02-22 17:47:13 +00:00
Steve Holme
b98c74b67e tool_operhlp: Consolidated engine output code into tool_help 2014-02-22 16:50:29 +00:00
Steve Holme
6969e24aee tool_operate: Moved list engines into separate function in tool_help 2014-02-22 16:47:59 +00:00
Fabian Frank
909a68c121 NPN/ALPN: allow disabling via command line
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.

TODO: honor this option with GnuTLS and OpenSSL
2014-02-10 13:06:17 +01:00
Daniel Stenberg
67d14ab98f --help: add missing --tlsv1.x options 2014-02-07 20:29:13 +01:00
Daniel Stenberg
0952c9abcc http2: call it "HTTP 2" and not 2.0
The minor version will be dropped for HTTP 2 so it will make sense to
avoid using it in option names etc.
2014-01-30 16:59:35 +01:00
Steve Holme
732d10ed6c tool_help: Updated --list-only description to include POP3 2013-11-03 13:55:22 +00:00
Steve Holme
469b423350 tool_help: Added login options to --user description 2013-10-26 20:11:48 +01:00
Steve Holme
1f0e50f2b9 tool_help: Added clarity to the --oauth2-bearer option
...as XOAUTH2 is the extended (or non-standard) SASL identifier and
OAuth 2 is the protocol name (and version).
2013-10-26 13:01:33 +01:00
Daniel Stenberg
92cf6141ed curl: fix --oauth2-bearer in the --help output
After the option rename in 5df04bfafd
2013-10-13 23:21:12 +02:00
Steve Holme
18db743851 pop3: Added basic SASL XOAUTH2 support
Added the ability to use an XOAUTH2 bearer token [RFC6750] with POP3 for
authentication using RFC6749 "OAuth 2.0 Authorization Framework".

The bearer token is expected to be valid for the user specified in
conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has
an advertised auth mechanism of "XOAUTH2", the user and access token are
formatted as a base64 encoded string and sent to the server as
"AUTH XOAUTH2 <bearer token>".
2013-09-20 21:56:30 +01:00
Steve Holme
0e188e2dc3 curl: Added clarification to the --mail options in the --help output
... that these options apply to SMTP only.
2013-09-20 21:35:44 +01:00
Ben Greear
32352ed6ad curl: Add support for various DNS binding options.
(Passed on to c-ares.)

Allows something like this:

curl --dns-interface sta8 --dns-ipv4-addr 8.8.1.111 --interface sta8 \
--localaddr 8.8.1.111 --dns-servers 8.8.8.1 www.google.com

Signed-off-by: Ben Greear <greearb@candelatech.com>
2013-09-12 21:11:47 +02:00
Daniel Stenberg
2eabb7d590 curl: add --http1.1 and --http2.0 options 2013-09-04 22:29:38 +02:00
Kyle L. Huff
acf59be7f0 curl: added --bearer option to help
Added the --bearer option to the help output
2013-08-26 20:44:05 +01:00
Daniel Stenberg
f34b5fb4d8 --help: fix the --sasl-ir in the help output 2013-08-14 22:39:58 +02:00
Steve Holme
5d3a031ca7 sasl-ir: Added --sasl-ir option to curl command line tool 2013-04-27 10:03:10 +01:00
Daniel Stenberg
07cca0dc7c --engine: spellfix the help message
Reported by: Fredrik Thulin
2013-04-04 16:25:10 +02:00
Yang Tse
4a5aa6682d Revert changes relative to lib/*.[ch] recent renaming
This reverts renaming and usage of lib/*.h header files done
28-12-2012, reverting 2 commits:

  f871de0... build: make use of 76 lib/*.h renamed files
  ffd8e12... build: rename 76 lib/*.h files

This also reverts removal of redundant include guard (redundant thanks
to changes in above commits) done 2-12-2013, reverting 1 commit:

  c087374... curl_setup.h: remove redundant include guard

This also reverts renaming and usage of lib/*.c source files done
3-12-2013, reverting 3 commits:

  13606bb... build: make use of 93 lib/*.c renamed files
  5b6e792... build: rename 93 lib/*.c files
  7d83dff... build: commit 13606bbfde follow-up 1

Start of related discussion thread:

  http://curl.haxx.se/mail/lib-2013-01/0012.html

Asking for confirmation on pushing this revertion commit:

  http://curl.haxx.se/mail/lib-2013-01/0048.html

Confirmation summary:

  http://curl.haxx.se/mail/lib-2013-01/0079.html

NOTICE: The list of 2 files that have been modified by other
intermixed commits, while renamed, and also by at least one
of the 6 commits this one reverts follows below. These 2 files
will exhibit a hole in history unless git's '--follow' option
is used when viewing logs.

  lib/curl_imap.h
  lib/curl_smtp.h
2013-01-06 18:20:27 +01:00
Yang Tse
f871de0064 build: make use of 76 lib/*.h renamed files
76 private header files renamed to use our standard naming scheme.

This change affects 322 files in libcurl's source tree.
2012-12-28 19:37:11 +01:00
Tatsuhiro Tsujikawa
196c8242ca curl: Made --metalink option toggle Metalink functionality
In this change, --metalink option no longer takes argument.  If
it is specified, given URIs are processed as Metalink XML file.
If given URIs are remote (e.g., http URI), curl downloads it
first. Regardless URI is local file (e.g., file URI scheme) or
remote, Metalink XML file is not written to local file system and
the received data is fed into Metalink XML parser directly.  This
means with --metalink option, filename related options like -O
and -o are ignored.

Usage examples:

$ curl --metalink http://example.org/foo.metalink

This will download foo.metalink and parse it and then download
the URI described there.

$ curl --metalink file://foo.metalink

This will parse local file foo.metalink and then download the URI
described there.
2012-06-21 03:35:23 +02:00
ant
89747794fe Add --metalink to --help 2012-05-26 23:10:53 +02:00
Yang Tse
919c97fa65 curl tool: use configuration files from lib directory
Configuration files such as curl_config.h and all config-*.h no longer exist
nor are generated/copied into 'src' directory, now these only exist in 'lib'
directory from where curl tool sources uses them.

Additionally old src/setup.h has been refactored into src/tool_setup.h which
now pulls lib/setup.h

The possibility of a makefile needing an include path adjustment exists.
2012-04-06 23:37:05 +02:00
Daniel Stenberg
29e68b200c curl: add --post303 to set the CURL_REDIR_POST_303 option 2012-04-05 23:34:12 +02:00
Steve Holme
a053560cfa curl: Added support for --mail-auth
Added an extra command-line argument to support the optional AUTH
parameter in SMTPs MAIL FROM command.
2012-02-16 13:19:47 +01:00
Colin Hogben
2b26eb9857 configure: add option disable --libcurl output 2012-02-13 22:36:10 +01:00
Kamil Dudka
ebf3138992 nss: add support for the CURLSSLOPT_ALLOW_BEAST option
... and fix some typos from the 62d15f1 commit.
2012-02-09 23:25:55 +01:00
Daniel Stenberg
62d15f159e --ssl-allow-beast added
This new option tells curl to not work around a security flaw in the
SSL3 and TLS1.0 protocols. It uses the new libcurl option
CURLOPT_SSL_OPTIONS with the CURLSSLOPT_ALLOW_BEAST bit set.
2012-02-09 22:28:58 +01:00
Yang Tse
49b79b7631 curl tool: code moved to tool_*.[ch] files 2011-10-05 00:03:58 +02:00