History log of /curl/lib/http_negotiate.c (Results 26 – 50 of 118)
Revision tags: curl-7_59_0, curl-7_58_0, curl-7_57_0, curl-7_56_1, curl-7_56_0, curl-7_55_1, curl-7_55_0, curl-7_54_1, curl-7_54_0, curl-7_53_1, curl-7_53_0, curl-7_52_1, curl-7_52_0
# cb4e2be7 16-Nov-2016 Alex Rousskov

proxy: Support HTTPS proxy and SOCKS+HTTP(s)

* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds support for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE          CA certificate to verify peer against
  --proxy-capath DIR           CA directory to verify peer against
  --proxy-cert CERT[:PASSWD]   Client certificate file and password
  --proxy-cert-type TYPE       Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST         SSL ciphers to use
  --proxy-crlfile FILE         Get a CRL list in PEM format from the file
  --proxy-insecure             Allow connections to proxies with bad certs
  --proxy-key KEY              Private key file name
  --proxy-key-type TYPE        Private key file type (DER/PEM/ENG)
  --proxy-pass PASS            Pass phrase for the private key
  --proxy-ssl-allow-beast      Allow security flaw to improve interop
  --proxy-sslv2                Use SSLv2
  --proxy-sslv3                Use SSLv3
  --proxy-tlsv1                Use TLSv1
  --proxy-tlsuser USER         TLS username
  --proxy-tlspassword STRING   TLS password
  --proxy-tlsauthtype STRING   TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.


# 46f906a1 09-Nov-2016 Isaac Boukris

SPNEGO: Fix memory leak when authentication fails

If SPNEGO fails, cleanup the negotiate handle right away.

Fixes #1115

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reported-by: ashman-p


Revision tags: curl-7_51_0
# 811a693b 30-Sep-2016 Daniel Stenberg

strcasecompare: all case insensitive string compares ignore locale now

We had some confusions on when each function was used. We should not act
differently on different locales anyway.


Revision tags: curl-7_50_3, curl-7_50_2, curl-7_50_1, curl-7_50_0
# 434f8d03 21-Jun-2016 Daniel Stenberg

internals: rename the SessionHandle struct to Curl_easy


Revision tags: curl-7_49_1, curl-7_49_0
# 4f45240b 29-Apr-2016 Daniel Stenberg

lib: include curl_printf.h as one of the last headers

curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

curl_printf.h
curl_memory.h
memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743


# 39d68b47 08-Apr-2016 Steve Holme

http_negotiate: Calculate service name and proxy service name locally

Calculate the service name and proxy service names locally, rather than
in url.c which will allow for us to support overriding the service name
for other protocols such as FTP, IMAP, POP3 and SMTP.


# 0aa8da10 01-Apr-2016 Steve Holme

http_negotiate: Corrected host and proxy host name being wrong way round

I had accidentally used the proxy server name for the host and the host
server name for the proxy in commit ad5e9bfd5d and 6d6f9ca1d9. Whilst
Windows SSPI was quite happy with this, GSS-API wasn't.

Thanks-to: Michael Osipov


Revision tags: curl-7_48_0
# 4adee194 13-Mar-2016 Steve Holme

http_negotiate: Combine GSS-API and SSPI source files

As the GSS-API and SSPI based source files are no longer library/API
specific, following the extraction of that authentication code to the
vauth directory, combine these files rather than maintain two separate
versions.


# 6d6f9ca1 13-Mar-2016 Steve Holme

vauth: Moved the Negotiate authentication code to the new vauth directory

Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.


# 58a7bc96 13-Mar-2016 Steve Holme

vauth: Refactored function names after move to new vauth directory

Renamed all the SASL functions that moved to the new vauth directory to
include the correct module name.


Revision tags: curl-7_47_1, curl-7_47_0, curl-7_46_0, curl-7_45_0
# 685fee38 12-Sep-2015 Steve Holme

vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files


# 4af40b36 02-Feb-2016 Daniel Stenberg

URLs: change all http:// URLs to https://


Revision tags: curl-7_44_0, curl-7_43_0, curl-7_42_1, curl-7_42_0
# 97c272e5 29-Mar-2015 Linus Nielsen

Negotiate: custom service names for SPNEGO.

* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.


# 35648f2e 24-Mar-2015 Dan Fandrich

curl_memory: make curl_memory.h the second-last header file loaded

This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.


# 0f4a03cb 16-Mar-2015 Daniel Stenberg

free: instead of Curl_safefree()

Since we just started to make use of free(NULL) in order to simplify code,
this change takes it a step further and:

- converts lots of Curl_safefree() calls to good old free()
- makes Curl_safefree() not check the pointer before free()

The (new) rule of thumb is: if you really want a function call that
frees a pointer and then assigns it to NULL, then use Curl_safefree().
But we will prefer just using free() from now on.


# df5578a7 03-Mar-2015 Daniel Stenberg

mprintf.h: remove #ifdef CURLDEBUG

... and as a consequence, introduce curl_printf.h with that re-define
magic instead and make all libcurl code use that instead.


Revision tags: curl-7_41_0
# 1cbc8fd3 18-Jan-2015 Steve Holme

http_negotiate: Use dynamic buffer for SPN generation

Use a dynamically allocated buffer for the temporary SPN variable similar
to how the SASL GSS-API code does, rather than using a fixed buffer of
2048 characters.


# 3a9419f6 17-Jan-2015 Daniel Stenberg

http_negotiate.c: unused variable 'ret'


# 81b98daf 17-Jan-2015 Steve Holme

http_negotiate: Added empty decoded challenge message info text


# 47438daa 17-Jan-2015 Steve Holme

http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int


# 355bf01c 09-Jan-2015 Steve Holme

gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions

Better code reuse and consistency in calls to gss_import_name().


Revision tags: curl-7_40_0
# 750203bd 04-Dec-2014 Steve Holme

sasl_gssapi: Fixed honouring of no mutual authentication


# 2b604ead 02-Dec-2014 Steve Holme

sasl_gssapi: Made log_gss_error() a common GSS-API function

Made log_gss_error() a common function so that it can be used in both
the http_negotiate code as well as the curl_sasl_gssapi code.


Revision tags: curl-7_39_0
# 07ac29a0 26-Oct-2014 Steve Holme

http_negotiate: We prefer 'CURLcode result'

Continuing commit 0eb3d15ccb more return code variable name changes.


# 64814739 26-Oct-2014 Steve Holme

http_negotiate: Fixed missing check for USE_SPNEGO

