
[PATCH] Negotiate: custom service names for SPNEGO.

From: Linus Nielsen <linus_at_haxx.se>
Date: Sun, 29 Mar 2015 14:52:31 +0200

* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.

---
 docs/curl.1                                    | 10 ++++++
 docs/libcurl/curl_easy_setopt.3                |  4 +++
 docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 | 46 ++++++++++++++++++++++++++
 docs/libcurl/opts/CURLOPT_SERVICE_NAME.3       | 46 ++++++++++++++++++++++++++
 docs/libcurl/symbols-in-versions               |  2 ++
 include/curl/curl.h                            |  6 ++++
 include/curl/typecheck-gcc.h                   |  2 ++
 lib/http_negotiate.c                           |  6 ++--
 lib/http_negotiate_sspi.c                      |  7 ++--
 lib/url.c                                      | 29 ++++++++++++++++
 lib/url.h                                      |  3 ++
 lib/urldata.h                                  |  2 ++
 packages/OS400/ccsidcurl.c                     |  2 ++
 src/tool_cfgable.c                             |  2 ++
 src/tool_cfgable.h                             |  4 +++
 src/tool_getparam.c                            |  8 +++++
 src/tool_operate.c                             | 11 ++++++
 17 files changed, 185 insertions(+), 5 deletions(-)
 create mode 100644 docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3
 create mode 100644 docs/libcurl/opts/CURLOPT_SERVICE_NAME.3
diff --git a/docs/curl.1 b/docs/curl.1
index 7b988d0..c8d9baf 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1332,6 +1332,11 @@ with a remote host. (Added in 7.17.1)
 .IP "--proxy-ntlm"
 Tells curl to use HTTP NTLM authentication when communicating with the given
 proxy. Use \fI--ntlm\fP for enabling NTLM with a remote host.
+.IP "--proxy-service-name <servicename>"
+This option allows you to change the service name for proxy negotiation.
+
+Examples: --proxy-negotiate proxy-name \fI--proxy-service-name\fP sockd would use
+sockd/proxy-name.  (Added in 7.43.0).
 .IP "--proxy1.0 <proxyhost[:port]>"
 Use the specified HTTP 1.0 proxy. If the port number is not specified, it is
 assumed at port 1080.
@@ -1513,6 +1518,11 @@ terminal/stdout unless you redirect it.
 .IP "--sasl-ir"
 Enable initial response in SASL authentication.
 (Added in 7.31.0)
+.IP "--service-name <servicename>"
+This option allows you to change the service name for SPNEGO.
+
+Examples: --negotiate \fI--service-name\fP sockd would use
+sockd/server-name.  (Added in 7.43.0).
 .IP "-S, --show-error"
 When used with \fI-s\fP it makes curl show an error message if it fails.
 .IP "--ssl"
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 712dae9..4e5b8de 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -165,6 +165,10 @@ Tunnel through the HTTP proxy. \fICURLOPT_HTTPPROXYTUNNEL(3)\fP
 Socks5 GSSAPI service name. \fICURLOPT_SOCKS5_GSSAPI_SERVICE(3)\fP
 .IP CURLOPT_SOCKS5_GSSAPI_NEC
 Socks5 GSSAPI NEC mode. See \fICURLOPT_SOCKS5_GSSAPI_NEC(3)\fP
+.IP CURLOPT_PROXY_SERVICE_NAME
+Proxy service name. \fICURLOPT_PROXY_SERVICE_NAME(3)\fP
+.IP CURLOPT_SERVICE_NAME
+SPNEGO service name. \fICURLOPT_SERVICE_NAME(3)\fP
 .IP CURLOPT_INTERFACE
 Bind connection locally to this. See \fICURLOPT_INTERFACE(3)\fP
 .IP CURLOPT_LOCALPORT
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3 b/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3
new file mode 100644
index 0000000..824fedf
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SERVICE_NAME.3
@@ -0,0 +1,46 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel_at_haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_PROXY_SERVICE_NAME 3 "17 Jun 2015" "libcurl 7.43.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_PROXY_SERVICE_NAME \- proxy service name
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_SERVICE_NAME, char *name);
+.SH DESCRIPTION
+Pass a char * as parameter to a string holding the \fIname\fP of the
+service. The default service name is "rcmd" (for a SOCKS5 server). This option
+allows you to change it.
+..SH DEFAULT
+See above
+.SH PROTOCOLS
+Most
+.SH EXAMPLE
+TODO
+.SH AVAILABILITY
+Added in 7.43.0
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+.SH "SEE ALSO"
+.BR CURLOPT_PROXY "(3), " CURLOPT_PROXYTYPE "(3), "
diff --git a/docs/libcurl/opts/CURLOPT_SERVICE_NAME.3 b/docs/libcurl/opts/CURLOPT_SERVICE_NAME.3
new file mode 100644
index 0000000..116fdbe
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SERVICE_NAME.3
@@ -0,0 +1,46 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel_at_haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_SERVICE_NAME 3 "17 Jun 2015" "libcurl 7.43.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_SERVICE_NAME \- SPNEGO service name
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SERVICE_NAME, char *name);
+.SH DESCRIPTION
+Pass a char * as parameter to a string holding the \fIname\fP of the
+service. The default service name is "HTTP". This option allows you to
+change it.
+..SH DEFAULT
+See above
+.SH PROTOCOLS
+Most
+.SH EXAMPLE
+TODO
+.SH AVAILABILITY
+Added in 7.43.0
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
+CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+.SH "SEE ALSO"
+.BR CURLOPT_PROXY "(3), " CURLOPT_PROXYTYPE "(3), "
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 1ed3c21..18dc1be 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -454,6 +454,7 @@ CURLOPT_PROXYPORT               7.1
 CURLOPT_PROXYTYPE               7.10
 CURLOPT_PROXYUSERNAME           7.19.1
 CURLOPT_PROXYUSERPWD            7.1
+CURLOPT_PROXY_SERVICE_NAME      7.43.0
 CURLOPT_PROXY_TRANSFER_MODE     7.18.0
 CURLOPT_PUT                     7.1
 CURLOPT_QUOTE                   7.1
@@ -477,6 +478,7 @@ CURLOPT_SASL_IR                 7.31.0
 CURLOPT_SEEKDATA                7.18.0
 CURLOPT_SEEKFUNCTION            7.18.0
 CURLOPT_SERVER_RESPONSE_TIMEOUT 7.20.0
+CURLOPT_SERVICE_NAME            7.43.0
 CURLOPT_SHARE                   7.10
 CURLOPT_SOCKOPTDATA             7.16.0
 CURLOPT_SOCKOPTFUNCTION         7.16.0
diff --git a/include/curl/curl.h b/include/curl/curl.h
index ae1b0e4..9ef7531 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1632,6 +1632,12 @@ typedef enum {
   /* Do not squash dot-dot sequences */
   CINIT(PATH_AS_IS, LONG, 234),
 
+  /* Proxy Service Name */
+  CINIT(PROXY_SERVICE_NAME, OBJECTPOINT, 235),
+
+  /* Service Name */
+  CINIT(SERVICE_NAME, OBJECTPOINT, 236),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
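Review bot: The comments on the two new CINIT entries ("Proxy Service Name", "Service Name") do not tell a reader of the public header which authentication mechanism the option affects or what the default is, while the neighbouring entries describe their effect. The strings are used as the service-class part of the SPN built for Negotiate/SPNEGO in lib/http_negotiate.c, with a default of "HTTP" set in lib/url.h in this same patch. Suggest `/* Service name (SPN prefix) for Negotiate/SPNEGO auth to the proxy, default "HTTP" */` and `/* Service name (SPN prefix) for Negotiate/SPNEGO auth to the host, default "HTTP" */`.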
diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
index 69d41a2..13fb0fa 100644
--- a/include/curl/typecheck-gcc.h
+++ b/include/curl/typecheck-gcc.h
@@ -270,6 +270,8 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist,
    (option) == CURLOPT_DNS_LOCAL_IP4 ||                                       \
    (option) == CURLOPT_DNS_LOCAL_IP6 ||                                       \
    (option) == CURLOPT_LOGIN_OPTIONS ||                                       \
+   (option) == CURLOPT_PROXY_SERVICE_NAME ||                                  \
+   (option) == CURLOPT_SERVICE_NAME ||                                        \
    0)
 
 /* evaluates to true if option takes a curl_write_callback argument */
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 21658cf..a1baf29 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -62,8 +62,10 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
 
   if(!neg_ctx->server_name) {
     /* Generate our SPN */
-    char *spn = Curl_sasl_build_gssapi_spn("HTTP", proxy ? conn->proxy.name :
-                                                           conn->host.name);
+    char *spn = Curl_sasl_build_gssapi_spn(
+      proxy ? data->set.str[STRING_PROXY_SERVICE_NAME] :
+      data->set.str[STRING_SERVICE_NAME],
+      proxy ? conn->proxy.name : conn->host.name);
     if(!spn)
       return CURLE_OUT_OF_MEMORY;
 
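Review bot: The service-name string handed to Curl_sasl_build_gssapi_spn() on the new lines can be NULL: the CURLOPT_SERVICE_NAME and CURLOPT_PROXY_SERVICE_NAME cases in lib/url.c store it with setstropt(), which for curl's other string options frees the stored copy and leaves NULL when the application passes NULL, so the "HTTP" default installed in Curl_init_userdefined() is cleared rather than restored and the SPN builder formats a null pointer (unless that helper guards against it, which is not visible here). The lib/http_negotiate_sspi.c hunk has the same pattern. One fix is to fall back at the point of use, `const char *service = proxy ? data->set.str[STRING_PROXY_SERVICE_NAME] : data->set.str[STRING_SERVICE_NAME];` followed by `if(!service) service = proxy ? CURL_DEFAULT_PROXY_SERVICE_NAME : CURL_DEFAULT_SERVICE_NAME;` (both macros come from lib/url.h), the other is to have the Curl_setopt cases re-apply the default when given NULL. Curl_input_negotiate() starts and ends outside this hunk, so whether `data` is already declared in it cannot be confirmed from the diff.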
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
index 20f8d64..2c10759 100644
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -93,9 +93,10 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
       return CURLE_BAD_FUNCTION_ARGUMENT;
 
     /* Generate our SPN */
-    neg_ctx->server_name = Curl_sasl_build_spn("HTTP",
-                                                proxy ? conn->proxy.name :
-                                                        conn->host.name);
+    neg_ctx->server_name = Curl_sasl_build_spn(
+      proxy ? data->set.str[STRING_PROXY_SERVICE_NAME] :
+      data->set.str[STRING_SERVICE_NAME],
+      proxy ? conn->proxy.name : conn->host.name);
     if(!neg_ctx->server_name)
       return CURLE_OUT_OF_MEMORY;
   }
diff --git a/lib/url.c b/lib/url.c
index 7dc5c45..bfe5a6c 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -576,6 +576,18 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
                      (char *) CURL_DEFAULT_SOCKS5_GSSAPI_SERVICE);
   if(result)
     return result;
+
+  /* set default negotiate proxy service name */
+  result = setstropt(&set->str[STRING_PROXY_SERVICE_NAME],
+                     (char *) CURL_DEFAULT_PROXY_SERVICE_NAME);
+  if(result)
+    return result;
+
+  /* set default negotiate service name */
+  result = setstropt(&set->str[STRING_SERVICE_NAME],
+                     (char *) CURL_DEFAULT_SERVICE_NAME);
+  if(result)
+    return result;
 #endif
 
   /* This is our preferred CA cert bundle/path since install time */
@@ -1472,12 +1484,29 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
                        va_arg(param, char *));
     break;
 
+  case CURLOPT_PROXY_SERVICE_NAME:
+    /*
+     * Set negotiate proxy service name
+     */
+    result = setstropt(&data->set.str[STRING_PROXY_SERVICE_NAME],
+                       va_arg(param, char *));
+    break;
+
   case CURLOPT_SOCKS5_GSSAPI_NEC:
     /*
      * set flag for nec socks5 support
      */
     data->set.socks5_gssapi_nec = (0 != va_arg(param, long))?TRUE:FALSE;
     break;
+
+  case CURLOPT_SERVICE_NAME:
+    /*
+     * Set negotiate service identity
+     */
+    result = setstropt(&data->set.str[STRING_SERVICE_NAME],
+                       va_arg(param, char *));
+    break;
+
 #endif
 
   case CURLOPT_HEADERDATA:
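Review bot: The two new cases are split by the unrelated CURLOPT_SOCKS5_GSSAPI_NEC case, and their comments use different nouns for the same thing ("Set negotiate proxy service name" vs "Set negotiate service identity"). Placing `case CURLOPT_SERVICE_NAME:` directly after the CURLOPT_PROXY_SERVICE_NAME case and wording its comment `/* Set negotiate service name */` keeps the pair together and consistent with the defaults block in Curl_init_userdefined() earlier in this file. Curl_setopt() begins and ends outside the hunk.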
diff --git a/lib/url.h b/lib/url.h
index cd46a92..e49b772 100644
--- a/lib/url.h
+++ b/lib/url.h
@@ -69,6 +69,9 @@ void Curl_close_connections(struct SessionHandle *data);
 #define CURL_DEFAULT_PROXY_PORT 1080 /* default proxy port unless specified */
 #define CURL_DEFAULT_SOCKS5_GSSAPI_SERVICE "rcmd" /* default socks5 gssapi
                                                      service */
+#define CURL_DEFAULT_PROXY_SERVICE_NAME "HTTP" /* default negotiate proxy
+                                                  service */
+#define CURL_DEFAULT_SERVICE_NAME "HTTP"  /* default negotiate service */
 
 CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex);
 
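Review bot: CURL_DEFAULT_PROXY_SERVICE_NAME is defined as "HTTP" here, but the new CURLOPT_PROXY_SERVICE_NAME.3 man page in this same patch states that the default is "rcmd (for a SOCKS5 server)", which is the CURL_DEFAULT_SOCKS5_GSSAPI_SERVICE value on the line above and belongs to a different option; since this string feeds the HTTP Negotiate SPN in lib/http_negotiate.c, the man page text should say "HTTP". The two new man pages also carry `..SH DEFAULT` with a doubled dot, which roff will not treat as a section header. For the macro comments, `/* default service class for the Negotiate SPN (HTTP/<proxy-name>) */` would make clearer what the string is, given that curl.1 in this patch shows the resulting `sockd/proxy-name` form.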
diff --git a/lib/urldata.h b/lib/urldata.h
index b1b1a67..db8b1e7 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1389,6 +1389,8 @@ enum dupstring {
 #endif
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
   STRING_SOCKS5_GSSAPI_SERVICE, /* GSSAPI service name */
+  STRING_PROXY_SERVICE_NAME, /* Proxy service name */
+  STRING_SERVICE_NAME,    /* Service name */
 #endif
   STRING_MAIL_FROM,
   STRING_MAIL_AUTH,
diff --git a/packages/OS400/ccsidcurl.c b/packages/OS400/ccsidcurl.c
index 8ac6ed3..ca3b0f1 100644
--- a/packages/OS400/ccsidcurl.c
+++ b/packages/OS400/ccsidcurl.c
@@ -1180,6 +1180,8 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
   case CURLOPT_USERNAME:
   case CURLOPT_USERPWD:
   case CURLOPT_XOAUTH2_BEARER:
+  case CURLOPT_PROXY_SERVICE_NAME:
+  case CURLOPT_SERVICE_NAME:
     s = va_arg(arg, char *);
     ccsid = va_arg(arg, unsigned int);
 
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
index c78c896..ba6c468 100644
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@@ -136,6 +136,8 @@ static void free_config_fields(struct OperationConfig *config)
 
   Curl_safefree(config->socksproxy);
   Curl_safefree(config->socks5_gssapi_service);
+  Curl_safefree(config->proxy_service_name);
+  Curl_safefree(config->service_name);
 
   Curl_safefree(config->ftp_account);
   Curl_safefree(config->ftp_alternative_to_user);
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index d1f2238..048eb4f 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -166,8 +166,12 @@ struct OperationConfig {
   int socksver;             /* set to CURLPROXY_SOCKS* define */
   char *socks5_gssapi_service;  /* set service name for gssapi principal
                                  * default rcmd */
+  char *proxy_service_name; /* set service name for proxy negotiation
+                             * default HTTP */
   int socks5_gssapi_nec ;   /* The NEC reference server does not protect
                              * the encryption type exchange */
+  char *service_name;       /* set negotiation service name
+                             * default HTTP */
 
   bool tcp_nodelay;
   long req_retry;           /* number of retries */
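Review bot: proxy_service_name is inserted between socks5_gssapi_service and socks5_gssapi_nec, separating the two SOCKS5 GSSAPI fields, while service_name sits after them; declaring both new fields together after socks5_gssapi_nec keeps related settings adjacent. The comments could also name the mechanism, e.g. `char *proxy_service_name; /* Negotiate/SPNEGO service name for the proxy SPN, default HTTP */`. struct OperationConfig continues outside this hunk.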
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 1b5d6d2..62283a5 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -161,6 +161,8 @@ static const struct LongShort aliases[]= {
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
   {"$6", "socks5-gssapi-service",    TRUE},
   {"$7", "socks5-gssapi-nec",        FALSE},
+  {"$O", "proxy-service-name",       TRUE},
+  {"$P", "service-name",             TRUE},
 #endif
   {"$8", "proxy1.0",                 TRUE},
   {"$9", "tftp-blksize",             TRUE},
@@ -903,6 +905,12 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
       case '7': /* --socks5-gssapi-nec*/
         config->socks5_gssapi_nec = toggle;
         break;
+      case 'O': /* --proxy-service-name */
+        GetStr(&config->proxy_service_name, nextarg);
+        break;
+      case 'P': /* --service-name */
+        GetStr(&config->service_name, nextarg);
+        break;
 #endif
       case '8': /* --proxy1.0 */
         /* http 1.0 proxy */
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 74e4002..5f7b792 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1217,6 +1217,17 @@ static CURLcode operate_do(struct GlobalConfig *global,
           if(config->socks5_gssapi_nec)
             my_setopt_str(curl, CURLOPT_SOCKS5_GSSAPI_NEC,
                           config->socks5_gssapi_nec);
+
+          /* new in curl 7.43.0 */
+          if(config->proxy_service_name)
+            my_setopt_str(curl, CURLOPT_PROXY_SERVICE_NAME,
+                          config->proxy_service_name);
+
+          /* new in curl 7.43.0 */
+          if(config->service_name)
+            my_setopt_str(curl, CURLOPT_SERVICE_NAME,
+                          config->service_name);
+
         }
 #endif
         /* curl 7.13.0 */
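Review bot: The two new my_setopt_str() calls are placed inside a block whose opening condition lies outside the hunk; the neighbouring calls are the SOCKS5 GSSAPI options, so if that block is the SOCKS-proxy one, --service-name (which targets Negotiate against the origin host) and --proxy-service-name (which targets an HTTP proxy) would be silently ignored unless a SOCKS proxy is also configured. If so, the calls should be moved out of that block to the unconditional settings under the same `#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)` guard. The repeated `/* new in curl 7.43.0 */` comment can be written once above the pair. operate_do() begins and ends outside the hunk.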
-- 
2.1.1