2 .\" Copyright (c) 1998-2013 Dag-Erling Smørgrav
3 .\" Copyright (c) 2013-2016 Michael Gmelin <freebsd@grem.de>
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62 .Nd file transfer functions
70 .Fn fetchMakeURL "const char *scheme" "const char *host" "int port" "const char *doc" "const char *user" "const char *pwd"
72 .Fn fetchParseURL "const char *URL"
74 .Fn fetchFreeURL "struct url *u"
76 .Fn fetchXGetURL "const char *URL" "struct url_stat *us" "const char *flags"
78 .Fn fetchGetURL "const char *URL" "const char *flags"
80 .Fn fetchPutURL "const char *URL" "const char *flags"
82 .Fn fetchStatURL "const char *URL" "struct url_stat *us" "const char *flags"
84 .Fn fetchListURL "const char *URL" "const char *flags"
86 .Fn fetchXGet "struct url *u" "struct url_stat *us" "const char *flags"
88 .Fn fetchGet "struct url *u" "const char *flags"
90 .Fn fetchPut "struct url *u" "const char *flags"
92 .Fn fetchStat "struct url *u" "struct url_stat *us" "const char *flags"
94 .Fn fetchList "struct url *u" "const char *flags"
96 .Fn fetchXGetFile "struct url *u" "struct url_stat *us" "const char *flags"
98 .Fn fetchGetFile "struct url *u" "const char *flags"
100 .Fn fetchPutFile "struct url *u" "const char *flags"
102 .Fn fetchStatFile "struct url *u" "struct url_stat *us" "const char *flags"
104 .Fn fetchListFile "struct url *u" "const char *flags"
106 .Fn fetchXGetHTTP "struct url *u" "struct url_stat *us" "const char *flags"
108 .Fn fetchGetHTTP "struct url *u" "const char *flags"
110 .Fn fetchPutHTTP "struct url *u" "const char *flags"
112 .Fn fetchStatHTTP "struct url *u" "struct url_stat *us" "const char *flags"
114 .Fn fetchListHTTP "struct url *u" "const char *flags"
116 .Fn fetchReqHTTP "struct url *u" "const char *method" "const char *flags" "const char *content_type" "const char *body"
118 .Fn fetchXGetFTP "struct url *u" "struct url_stat *us" "const char *flags"
120 .Fn fetchGetFTP "struct url *u" "const char *flags"
122 .Fn fetchPutFTP "struct url *u" "const char *flags"
124 .Fn fetchStatFTP "struct url *u" "struct url_stat *us" "const char *flags"
126 .Fn fetchListFTP "struct url *u" "const char *flags"
128 These functions implement a high-level library for retrieving and
129 uploading files using Uniform Resource Locators (URLs).
132 takes a URL in the form of a null-terminated string and splits it into
133 its components function according to the Common Internet Scheme Syntax
135 A regular expression which produces this syntax is:
137 <scheme>:(//(<user>(:<pwd>)?@)?<host>(:<port>)?)?/(<document>)?
140 If the URL does not seem to begin with a scheme name, the following
143 ((<user>(:<pwd>)?@)?<host>(:<port>)?)?/(<document>)?
146 Note that some components of the URL are not necessarily relevant to
148 For instance, the file scheme only needs the <scheme> and <document>
154 return a pointer to a
156 structure, which is defined as follows in
159 #define URL_SCHEMELEN 16
160 #define URL_USERLEN 256
161 #define URL_PWDLEN 256
164 char scheme[URL_SCHEMELEN+1];
165 char user[URL_USERLEN+1];
166 char pwd[URL_PWDLEN+1];
167 char host[MAXHOSTNAMELEN+1];
178 field stores the time value for
179 .Li If-Modified-Since
182 The pointer returned by
186 should be freed using
193 constitute the recommended interface to the
196 They examine the URL passed to them to determine the transfer
197 method, and call the appropriate lower-level functions to perform the
200 also returns the remote document's metadata in the
202 structure pointed to by the
208 argument is a string of characters which specify transfer options.
210 meaning of the individual flags is scheme-dependent, and is detailed
211 in the appropriate section below.
214 attempts to obtain the requested document's metadata and fill in the
215 structure pointed to by its second argument.
218 structure is defined as follows in
228 If the size could not be obtained from the server, the
231 If the modification time could not be obtained from the server, the
233 field is set to the epoch.
234 If the access time could not be obtained from the server, the
236 field is set to the modification time.
239 attempts to list the contents of the directory pointed to by the URL
241 If successful, it returns a malloced array of
246 structure is defined as follows in
251 struct url_stat stat;
255 The list is terminated by an entry with an empty name.
257 The pointer returned by
259 should be freed using
273 except that they expect a pre-parsed URL in the form of a pointer to
276 rather than a string.
283 functions return a pointer to a stream which can be used to read or
284 write data from or to the requested document, respectively.
286 although the implementation details of the individual access methods
287 vary, it can generally be assumed that a stream returned by one of the
291 functions is read-only, and that a stream returned by one of the
293 functions is write-only.
299 provide access to documents which are files in a locally mounted file
301 Only the <document> component of the URL is used.
306 do not accept any flags.
311 (append to file) flag.
312 If that flag is specified, the data written to
313 the stream returned by
315 will be appended to the previous contents of the file, instead of
322 implement the FTP protocol as described in RFC959.
326 (not passive) flag is specified, an active (rather than passive)
327 connection will be attempted.
331 flag is supported for compatibility with earlier versions where active
332 connections were the default.
333 It has precedence over the
335 flag, so if both are specified,
337 will use a passive connection.
341 (low) flag is specified, data sockets will be allocated in the low (or
342 default) port range instead of the high port range (see
347 (direct) flag is specified,
352 will use a direct connection even if a proxy server is defined.
354 If no user name or password is given, the
356 library will attempt an anonymous login, with user name "anonymous"
357 and password "anonymous@<hostname>".
365 functions implement the HTTP/1.1 protocol.
366 With a little luck, there is
367 even a chance that they comply with RFC2616 and RFC2617.
371 (direct) flag is specified,
376 will use a direct connection even if a proxy server is defined.
380 (if-modified-since) flag is specified, and
389 will send a conditional
390 .Li If-Modified-Since
391 HTTP header to only fetch the content if it is newer than
396 can be used to make requests with an arbitrary HTTP verb,
397 including POST, DELETE, CONNECT, OPTIONS, TRACE or PATCH.
398 This can be done by setting the argument
400 to the intended verb, such as
406 Since there seems to be no good way of implementing the HTTP PUT
407 method in a manner consistent with the rest of the
411 is currently unimplemented.
413 Based on HTTP SCHEME.
414 By default the peer is verified using the CA bundle located in
415 .Pa /usr/local/etc/ssl/cert.pem .
416 If this file does not exist,
417 .Pa /etc/ssl/cert.pem
419 If neither file exists, and
422 OpenSSL's default CA cert and path settings apply.
423 The certificate bundle can contain multiple CA certificates.
424 A common source of a current CA bundle is
425 .Pa \%security/ca_root_nss .
427 The CA bundle used for peer verification can be changed by setting the
428 environment variables
430 to point to a concatenated bundle of trusted certificates and
432 to point to a directory containing hashes of trusted CAs (see
435 A certificate revocation list (CRL) can be used by setting the
441 Peer verification can be disabled by setting the environment variable
442 .Ev SSL_NO_VERIFY_PEER .
443 Note that this also disables CRL checking.
445 By default the service identity is verified according to the rules
446 detailed in RFC6125 (also known as hostname verification).
447 This feature can be disabled by setting the environment variable
448 .Ev SSL_NO_VERIFY_HOSTNAME .
450 Client certificate based authentication is supported.
451 The environment variable
452 .Ev SSL_CLIENT_CERT_FILE
453 should be set to point to a file containing key and client certificate
454 to be used in PEM format.
455 When a PEM-format key is in a separate file from the client certificate,
456 the environment variable
457 .Ev SSL_CLIENT_KEY_FILE
458 can be set to point to the key file.
459 In case the key uses a password, the user will be prompted on standard
465 allows TLSv1 and newer when negotiating the connecting with the remote
467 You can change this behavior by setting the
469 environment variable to allow SSLv3 and
471 .Ev SSL_NO_TLS1_1 and
473 to disable TLS 1.0, 1.1 and 1.2 respectively.
475 Apart from setting the appropriate environment variables and
476 specifying the user name and password in the URL or the
478 the calling program has the option of defining an authentication
479 function with the following prototype:
482 .Fn myAuthMethod "struct url *u"
484 The callback function should fill in the
488 fields in the provided
490 and return 0 on success, or any other value to indicate failure.
492 To register the authentication callback, simply set
495 The callback will be used whenever a site requires authentication and
496 the appropriate environment variables are not set.
498 This interface is experimental and may be subject to change.
501 returns a pointer to a
503 containing the individual components of the URL.
505 unable to allocate memory, or the URL is syntactically incorrect,
507 returns a NULL pointer.
511 functions return 0 on success and -1 on failure.
513 All other functions return a stream pointer which may be used to
514 access the requested document, or NULL if an error occurred.
516 The following error codes are defined in
519 .It Bq Er FETCH_ABORT
522 Authentication failed
525 .It Bq Er FETCH_EXISTS
530 Informational response
531 .It Bq Er FETCH_MEMORY
533 .It Bq Er FETCH_MOVED
535 .It Bq Er FETCH_NETWORK
539 .It Bq Er FETCH_PROTO
541 .It Bq Er FETCH_RESOLV
543 .It Bq Er FETCH_SERVER
547 .It Bq Er FETCH_TIMEOUT
549 .It Bq Er FETCH_UNAVAIL
550 File is not available
551 .It Bq Er FETCH_UNKNOWN
557 The accompanying error message includes a protocol-specific error code
558 and message, like "File is not available (404 Not Found)"
560 .Bl -tag -width ".Ev FETCH_BIND_ADDRESS"
561 .It Ev FETCH_BIND_ADDRESS
562 Specifies a hostname or IP address to which sockets used for outgoing
563 connections will be bound.
565 Default FTP login if none was provided in the URL.
566 .It Ev FTP_PASSIVE_MODE
569 forces the FTP code to use active mode.
570 If set to any other value, forces passive mode even if the application
571 requested active mode.
573 Default FTP password if the remote server requests one and none was
576 URL of the proxy to use for FTP requests.
577 The document part is ignored.
578 FTP and HTTP proxies are supported; if no scheme is specified, FTP is
580 If the proxy is an FTP proxy,
584 as user name to the proxy, where
586 is the real user name, and
588 is the name of the FTP server.
590 If this variable is set to an empty string, no proxy will be used for
591 FTP requests, even if the
599 Specifies the value of the
601 header for HTTP requests.
608 Specifies HTTP authorization parameters as a colon-separated list of
610 The first and second item are the authorization scheme and realm
611 respectively; further items are scheme-dependent.
616 authorization methods are supported.
618 Both methods require two parameters: the user name and
619 password, in that order.
621 This variable is only used if the server requires authorization and
622 no user name or password was specified in the URL.
624 URL of the proxy to use for HTTP requests.
625 The document part is ignored.
626 Only HTTP proxies are supported for HTTP requests.
627 If no port number is specified, the default is 3128.
629 Note that this proxy will also be used for FTP documents, unless the
636 .It Ev HTTP_PROXY_AUTH
637 Specifies authorization parameters for the HTTP proxy in the same
642 This variable is used if and only if connected to an HTTP proxy, and
643 is ignored if a user and/or a password were specified in the proxy
646 Specifies the referrer URL to use for HTTP requests.
649 the document URL will be used as referrer URL.
650 .It Ev HTTP_USER_AGENT
651 Specifies the User-Agent string to use for HTTP requests.
652 This can be useful when working with HTTP origin or proxy servers that
653 differentiate between user agents.
654 If defined but empty, no User-Agent header is sent.
656 Specifies a file to use instead of
658 to look up login names and passwords for FTP and HTTP sites as well as
662 for a description of the file format.
664 Either a single asterisk, which disables the use of proxies
665 altogether, or a comma- or whitespace-separated list of hosts for
666 which proxies should not be used.
672 Uses SOCKS version 5 to make connection.
673 The format must be the IP or hostname followed by a colon for the port.
674 IPv6 addresses must enclose the address in brackets.
675 If no port is specified, the default is 1080.
676 This setting will supercede a connection to an
678 .It Ev SSL_ALLOW_SSL3
679 Allow SSL version 3 when negotiating the connection (not recommended).
680 .It Ev SSL_CA_CERT_FILE
681 CA certificate bundle containing trusted CA certificates.
682 Default value: See HTTPS SCHEME above.
683 .It Ev SSL_CA_CERT_PATH
684 Path containing trusted CA hashes.
685 .It Ev SSL_CLIENT_CERT_FILE
686 PEM encoded client certificate/key which will be used in
687 client certificate authentication.
688 .It Ev SSL_CLIENT_KEY_FILE
689 PEM encoded client key in case key and client certificate
690 are stored separately.
692 File containing certificate revocation list.
694 Do not allow TLS version 1.0 when negotiating the connection.
696 Do not allow TLS version 1.1 when negotiating the connection.
698 Do not allow TLS version 1.2 when negotiating the connection.
699 .It Ev SSL_NO_VERIFY_HOSTNAME
700 If set, do not verify that the hostname matches the subject of the
701 certificate presented by the server.
702 .It Ev SSL_NO_VERIFY_PEER
703 If set, do not verify the peer certificate against trusted CAs.
706 To access a proxy server on
707 .Pa proxy.example.com
710 environment variable in a manner similar to this:
712 .Dl HTTP_PROXY=http://proxy.example.com:8080
714 If the proxy server requires authentication, there are
715 two options available for passing the authentication data.
716 The first method is by using the proxy URL:
718 .Dl HTTP_PROXY=http://<user>:<pwd>@proxy.example.com:8080
720 The second method is by using the
722 environment variable:
723 .Bd -literal -offset indent
724 HTTP_PROXY=http://proxy.example.com:8080
725 HTTP_PROXY_AUTH=basic:*:<user>:<pwd>
728 To disable the use of a proxy for an HTTP server running on the local
732 .Bd -literal -offset indent
733 NO_PROXY=localhost,127.0.0.1
736 To use a SOCKS5 proxy, set the
738 environment variable to a
739 valid host or IP followed by an optional colon and the port.
740 IPv6 addresses must be enclosed in brackets.
741 The following are examples of valid settings:
742 .Bd -literal -offset indent
743 SOCKS5_PROXY=proxy.example.com
744 SOCKS5_PROXY=proxy.example.com:1080
745 SOCKS5_PROXY=192.0.2.0
746 SOCKS5_PROXY=198.51.100.0:1080
747 SOCKS5_PROXY=[2001:db8::1]
748 SOCKS5_PROXY=[2001:db8::2]:1080
751 Access HTTPS website without any certificate verification whatsoever:
752 .Bd -literal -offset indent
754 SSL_NO_VERIFY_HOSTNAME=1
757 Access HTTPS website using client certificate based authentication
759 .Bd -literal -offset indent
760 SSL_CLIENT_CERT_FILE=/path/to/client.pem
761 SSL_CA_CERT_FILE=/path/to/myca.pem
770 .%B File Transfer Protocol
778 .%T How to Use Anonymous FTP
786 .%T Uniform Resource Locators (URL)
798 .%B Hypertext Transfer Protocol -- HTTP/1.1
810 .%B HTTP Authentication: Basic and Digest Access Authentication
816 library first appeared in
822 library was mostly written by
823 .An Dag-Erling Sm\(/orgrav Aq Mt des@FreeBSD.org
824 with numerous suggestions and contributions from
825 .An Jordan K. Hubbard Aq Mt jkh@FreeBSD.org ,
826 .An Eugene Skepner Aq Mt eu@qub.com ,
827 .An Hajimu Umemoto Aq Mt ume@FreeBSD.org ,
828 .An Henry Whincup Aq Mt henry@techiebod.com ,
829 .An Jukka A. Ukkonen Aq Mt jau@iki.fi ,
830 .An Jean-Fran\(,cois Dockes Aq Mt jf@dockes.org ,
831 .An Michael Gmelin Aq Mt freebsd@grem.de
833 It replaces the older
836 .An Poul-Henning Kamp Aq Mt phk@FreeBSD.org
838 .An Jordan K. Hubbard Aq Mt jkh@FreeBSD.org .
840 This manual page was written by
841 .An Dag-Erling Sm\(/orgrav Aq Mt des@FreeBSD.org
843 .An Michael Gmelin Aq Mt freebsd@grem.de .
845 Some parts of the library are not yet implemented.
851 and FTP proxy support.
853 There is no way to select a proxy at run-time other than setting the
857 environment variables as appropriate.
860 does not understand or obey 305 (Use Proxy) replies.
862 Error numbers are unique only within a certain context; the error
863 codes used for FTP and HTTP overlap, as do those used for resolver and
865 For instance, error code 202 means "Command not
866 implemented, superfluous at this site" in an FTP context and
867 "Accepted" in an HTTP context.
870 does not check that the result of an MDTM command is a valid date.
872 In case password protected keys are used for client certificate based
873 authentication the user is prompted for the password on each and every
876 The man page is incomplete, poorly written and produces badly
879 The error reporting mechanism is unsatisfactory.
881 Some parts of the code are not fully reentrant.