On Wed, Jan 19, 2011 at 11:24:23PM +0100, Daniel Stenberg wrote:
> I've now committed and pushed this.
Great, thanks!
> - We now lack documentation in docs/curl.1 for the three new command
> line options and in docs/libcurl/curl_easy_setopt.3 for the three
> new options
I've attached a patch with some basic docs for these.
> and in docs/libcurl/libcurl-errors.3 for the new error code.
On second thought, I think CURLE_TLSAUTH_FAILED should be eliminated. It was
only being raised when an internal error occurred while allocating or setting
the GnuTLS SRP client credentials struct. For TLS authentication failures, the
general CURLE_SSL_CONNECT_ERROR seems appropriate; its error string already
includes "passwords" as a possible cause. Having a separate TLS auth error code
might also cause people to think that a TLS auth failure means the wrong
username or password was entered, when it could also be a sign of a
man-in-the-middle attack. Patch attached to eliminate CURLE_TLSAUTH_FAILED.
diff --git a/docs/curl.1 b/docs/curl.1
index 33b5e02..e2e5dcd 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1269,6 +1269,19 @@ default 512 bytes will be used.
If this option is used several times, the last one will be used.
(Added in 7.20.0)
+.IP "--tlsauthtype <authtype>"
+Set TLS authentication type. Currently, the only supported option is "SRP", for
+TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are specified
+but \fI--tlsauthtype\fP is not, then this option defaults to "SRP".
+(Added in 7.21.4)
+.IP "--tlsuser <user>"
+Set username for use with the TLS authentication method specified with
+\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set.
+(Added in 7.21.4)
+.IP "--tlspassword <password>"
+Set password for use with the TLS authentication method specified with
+\fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set.
+(Added in 7.21.4)
.IP "-T/--upload-file <file>"
This transfers the specified local file to the remote URL. If there is no file
part in the specified URL, Curl will append the local file name. NOTE that you
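Review bot: the new --tlsauthtype entry does not say that TLS-SRP is only available when curl is built with GnuTLS with TLS-SRP support, although the curl_easy_setopt.3 part of this same patch states exactly that for CURLOPT_TLSAUTH_SRP. Suggest adding a sentence such as "Requires that curl is built with GnuTLS with TLS-SRP support." to the --tlsauthtype text, so a user whose curl uses another TLS backend understands why the option is rejected rather than suspecting their credentials.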
@@ -1395,6 +1408,8 @@ This curl supports IDN - international domain names.
.IP "SSPI"
SSPI is supported. If you use NTLM and set a blank user name, curl will
authenticate with your current user and password.
+.IP "TLS-SRP"
+SRP (Secure Remote Password) authentication is supported for TLS.
.RE
.IP "-w/--write-out <format>"
Defines what to display on stdout after a completed and successful
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 95772d2..a009d0c 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -870,6 +870,29 @@ This is a meta symbol. Or this value together with a single specific auth
value to force libcurl to probe for un-restricted auth and if not, only that
single auth algorithm is acceptable. (Added in 7.21.3)
.RE
+.IP CURLOPT_TLSAUTH_TYPE
+Pass a long as parameter, which is set to a bitmask, to tell libcurl which
+authentication method(s) you want it to use for TLS authentication.
+.RS
+.IP CURLOPT_TLSAUTH_SRP
+TLS-SRP authentication. Secure Remote Password authentication for TLS is
+defined in RFC 5054 and provides mutual authentication if both sides have a
+shared secret. To use TLS-SRP, you must also set the
+\fICURLOPT_TLSAUTH_USERNAME\fP and \fICURLOPT_TLSAUTH_PASSWORD\fP options.
+
+You need to build libcurl with GnuTLS and with TLS-SRP support for this to
+work. (Added in 7.21.4)
+.RE
+.IP CURLOPT_TLSAUTH_USERNAME
+Pass a char * as parameter, which should point to the zero-terminated username
+to use for the TLS authentication method specified with the
+\fICURLOPT_TLSAUTH_TYPE\fP option. Requires that the \fICURLOPT_TLS_PASSWORD\fP
+option also be set. (Added in 7.21.4)
+.IP CURLOPT_TLSAUTH_PASSWORD
+Pass a char * as parameter, which should point to the zero-terminated password
+to use for the TLS authentication method specified with the
+\fICURLOPT_TLSAUTH_TYPE\fP option. Requires that the \fICURLOPT_TLS_USERNAME\fP
+option also be set. (Added in 7.21.4)
.IP CURLOPT_PROXYAUTH
Pass a long as parameter, which is set to a bitmask, to tell libcurl which
authentication method(s) you want it to use for your proxy authentication. If
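Review bot: the cross-references in the CURLOPT_TLSAUTH_USERNAME and CURLOPT_TLSAUTH_PASSWORD entries name options that this patch does not define: "\fICURLOPT_TLS_PASSWORD\fP" and "\fICURLOPT_TLS_USERNAME\fP" should read \fICURLOPT_TLSAUTH_PASSWORD\fP and \fICURLOPT_TLSAUTH_USERNAME\fP, matching the .IP headings a few lines above and the option names used in the curl.h change.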
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index bbd629d..bacf527 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -123,7 +123,6 @@ CURLE_TFTP_NOSUCHUSER 7.15.0
CURLE_TFTP_NOTFOUND 7.15.0
CURLE_TFTP_PERM 7.15.0
CURLE_TFTP_UNKNOWNID 7.15.0
-CURLE_TLSAUTH_FAILED 7.21.4
CURLE_TOO_MANY_REDIRECTS 7.5
CURLE_UNKNOWN_TELNET_OPTION 7.7
CURLE_UNSUPPORTED_PROTOCOL 7.1
diff --git a/include/curl/curl.h b/include/curl/curl.h
index bf65420..4744f48 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -502,7 +502,6 @@ typedef enum {
CURLE_RTSP_SESSION_ERROR, /* 86 - mismatch of RTSP Session Identifiers */
CURLE_FTP_BAD_FILE_LIST, /* 87 - unable to parse FTP file list */
CURLE_CHUNK_FAILED, /* 88 - chunk callback reported error */
- CURLE_TLSAUTH_FAILED, /* 89 - Failed TLS authentication */
CURL_LAST /* never use! */
} CURLcode;
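Review bot: deleting CURLE_TLSAUTH_FAILED from the public CURLcode enum is only safe because the symbols-in-versions hunk shows it was first added in 7.21.4, i.e. it has not shipped in a release yet, and because it sat directly before CURL_LAST so no other value is renumbered. Worth stating that in the commit message, since removing an enum member from include/curl/curl.h would otherwise be an ABI break for anyone compiled against value 89.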
diff --git a/lib/gtls.c b/lib/gtls.c
index b5ef8fb..a60e717 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -355,7 +355,7 @@ gtls_connect_step1(struct connectdata *conn,
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
gnutls_strerror(rc));
- return CURLE_TLSAUTH_FAILED;
+ return CURLE_OUT_OF_MEMORY;
}
rc = gnutls_srp_set_client_credentials(conn->ssl[sockindex].srp_client_cred,
@@ -364,7 +364,7 @@ gtls_connect_step1(struct connectdata *conn,
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_set_client_cred() failed: %s",
gnutls_strerror(rc));
- return CURLE_TLSAUTH_FAILED;
+ return CURLE_BAD_FUNCTION_ARGUMENT;
}
}
#endif
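Review bot: the failf() message in this hunk names "gnutls_srp_set_client_cred()" while the function actually called on the preceding line is gnutls_srp_set_client_credentials(). With the dedicated error code removed, this message plus gnutls_strerror(rc) is all a user will see when the SRP credentials are rejected, so the function name should match; suggest changing the string to "gnutls_srp_set_client_credentials() failed: %s".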
diff --git a/lib/strerror.c b/lib/strerror.c
index 6b67a87..a88cdc4 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -281,9 +281,6 @@ curl_easy_strerror(CURLcode error)
case CURLE_CHUNK_FAILED:
return "Chunk callback failed";
- case CURLE_TLSAUTH_FAILED:
- return "TLS Authentication failed";
-
/* error codes not used by current libcurl */
case CURLE_OBSOLETE4:
case CURLE_OBSOLETE10:
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html