2 .\" Copyright (c) 1998-2013 Dag-Erling Smørgrav
3 .\" Copyright (c) 2013-2016 Michael Gmelin <freebsd@grem.de>
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61 .Nd file transfer functions
69 .Fn fetchMakeURL "const char *scheme" "const char *host" "int port" "const char *doc" "const char *user" "const char *pwd"
71 .Fn fetchParseURL "const char *URL"
73 .Fn fetchFreeURL "struct url *u"
75 .Fn fetchXGetURL "const char *URL" "struct url_stat *us" "const char *flags"
77 .Fn fetchGetURL "const char *URL" "const char *flags"
79 .Fn fetchPutURL "const char *URL" "const char *flags"
81 .Fn fetchStatURL "const char *URL" "struct url_stat *us" "const char *flags"
83 .Fn fetchListURL "const char *URL" "const char *flags"
85 .Fn fetchXGet "struct url *u" "struct url_stat *us" "const char *flags"
87 .Fn fetchGet "struct url *u" "const char *flags"
89 .Fn fetchPut "struct url *u" "const char *flags"
91 .Fn fetchStat "struct url *u" "struct url_stat *us" "const char *flags"
93 .Fn fetchList "struct url *u" "const char *flags"
95 .Fn fetchXGetFile "struct url *u" "struct url_stat *us" "const char *flags"
97 .Fn fetchGetFile "struct url *u" "const char *flags"
99 .Fn fetchPutFile "struct url *u" "const char *flags"
101 .Fn fetchStatFile "struct url *u" "struct url_stat *us" "const char *flags"
103 .Fn fetchListFile "struct url *u" "const char *flags"
105 .Fn fetchXGetHTTP "struct url *u" "struct url_stat *us" "const char *flags"
107 .Fn fetchGetHTTP "struct url *u" "const char *flags"
109 .Fn fetchPutHTTP "struct url *u" "const char *flags"
111 .Fn fetchStatHTTP "struct url *u" "struct url_stat *us" "const char *flags"
113 .Fn fetchListHTTP "struct url *u" "const char *flags"
115 .Fn fetchXGetFTP "struct url *u" "struct url_stat *us" "const char *flags"
117 .Fn fetchGetFTP "struct url *u" "const char *flags"
119 .Fn fetchPutFTP "struct url *u" "const char *flags"
121 .Fn fetchStatFTP "struct url *u" "struct url_stat *us" "const char *flags"
123 .Fn fetchListFTP "struct url *u" "const char *flags"
125 These functions implement a high-level library for retrieving and
126 uploading files using Uniform Resource Locators (URLs).
129 takes a URL in the form of a null-terminated string and splits it into
130 its components function according to the Common Internet Scheme Syntax
132 A regular expression which produces this syntax is:
134 <scheme>:(//(<user>(:<pwd>)?@)?<host>(:<port>)?)?/(<document>)?
137 If the URL does not seem to begin with a scheme name, the following
140 ((<user>(:<pwd>)?@)?<host>(:<port>)?)?/(<document>)?
143 Note that some components of the URL are not necessarily relevant to
145 For instance, the file scheme only needs the <scheme> and <document>
151 return a pointer to a
153 structure, which is defined as follows in
156 #define URL_SCHEMELEN 16
157 #define URL_USERLEN 256
158 #define URL_PWDLEN 256
161 char scheme[URL_SCHEMELEN+1];
162 char user[URL_USERLEN+1];
163 char pwd[URL_PWDLEN+1];
164 char host[MAXHOSTNAMELEN+1];
175 field stores the time value for
176 .Li If-Modified-Since
179 The pointer returned by
183 should be freed using
190 constitute the recommended interface to the
193 They examine the URL passed to them to determine the transfer
194 method, and call the appropriate lower-level functions to perform the
197 also returns the remote document's metadata in the
199 structure pointed to by the
205 argument is a string of characters which specify transfer options.
207 meaning of the individual flags is scheme-dependent, and is detailed
208 in the appropriate section below.
211 attempts to obtain the requested document's metadata and fill in the
212 structure pointed to by its second argument.
215 structure is defined as follows in
225 If the size could not be obtained from the server, the
228 If the modification time could not be obtained from the server, the
230 field is set to the epoch.
231 If the access time could not be obtained from the server, the
233 field is set to the modification time.
236 attempts to list the contents of the directory pointed to by the URL
238 If successful, it returns a malloced array of
243 structure is defined as follows in
248 struct url_stat stat;
252 The list is terminated by an entry with an empty name.
254 The pointer returned by
256 should be freed using
270 except that they expect a pre-parsed URL in the form of a pointer to
273 rather than a string.
280 functions return a pointer to a stream which can be used to read or
281 write data from or to the requested document, respectively.
283 although the implementation details of the individual access methods
284 vary, it can generally be assumed that a stream returned by one of the
288 functions is read-only, and that a stream returned by one of the
290 functions is write-only.
296 provide access to documents which are files in a locally mounted file
298 Only the <document> component of the URL is used.
303 do not accept any flags.
308 (append to file) flag.
309 If that flag is specified, the data written to
310 the stream returned by
312 will be appended to the previous contents of the file, instead of
319 implement the FTP protocol as described in RFC959.
323 (not passive) flag is specified, an active (rather than passive)
324 connection will be attempted.
328 flag is supported for compatibility with earlier versions where active
329 connections were the default.
330 It has precedence over the
332 flag, so if both are specified,
334 will use a passive connection.
338 (low) flag is specified, data sockets will be allocated in the low (or
339 default) port range instead of the high port range (see
344 (direct) flag is specified,
349 will use a direct connection even if a proxy server is defined.
351 If no user name or password is given, the
353 library will attempt an anonymous login, with user name "anonymous"
354 and password "anonymous@<hostname>".
361 functions implement the HTTP/1.1 protocol.
362 With a little luck, there is
363 even a chance that they comply with RFC2616 and RFC2617.
367 (direct) flag is specified,
372 will use a direct connection even if a proxy server is defined.
376 (if-modified-since) flag is specified, and
385 will send a conditional
386 .Li If-Modified-Since
387 HTTP header to only fetch the content if it is newer than
390 Since there seems to be no good way of implementing the HTTP PUT
391 method in a manner consistent with the rest of the
395 is currently unimplemented.
397 Based on HTTP SCHEME.
398 By default the peer is verified using the CA bundle located in
399 .Pa /usr/local/etc/ssl/cert.pem .
400 If this file does not exist,
401 .Pa /etc/ssl/cert.pem
403 If neither file exists, and
406 OpenSSL's default CA cert and path settings apply.
407 The certificate bundle can contain multiple CA certificates.
408 A common source of a current CA bundle is
409 .Pa \%security/ca_root_nss .
411 The CA bundle used for peer verification can be changed by setting the
412 environment variables
414 to point to a concatenated bundle of trusted certificates and
416 to point to a directory containing hashes of trusted CAs (see
419 A certificate revocation list (CRL) can be used by setting the
425 Peer verification can be disabled by setting the environment variable
426 .Ev SSL_NO_VERIFY_PEER .
427 Note that this also disables CRL checking.
429 By default the service identity is verified according to the rules
430 detailed in RFC6125 (also known as hostname verification).
431 This feature can be disabled by setting the environment variable
432 .Ev SSL_NO_VERIFY_HOSTNAME .
434 Client certificate based authentication is supported.
435 The environment variable
436 .Ev SSL_CLIENT_CERT_FILE
437 should be set to point to a file containing key and client certificate
438 to be used in PEM format.
439 When a PEM-format key is in a separate file from the client certificate,
440 the environment variable
441 .Ev SSL_CLIENT_KEY_FILE
442 can be set to point to the key file.
443 In case the key uses a password, the user will be prompted on standard
449 allows TLSv1 and newer when negotiating the connecting with the remote
451 You can change this behavior by setting the
453 environment variable to allow SSLv3 and
455 .Ev SSL_NO_TLS1_1 and
457 to disable TLS 1.0, 1.1 and 1.2 respectively.
459 Apart from setting the appropriate environment variables and
460 specifying the user name and password in the URL or the
462 the calling program has the option of defining an authentication
463 function with the following prototype:
466 .Fn myAuthMethod "struct url *u"
468 The callback function should fill in the
472 fields in the provided
474 and return 0 on success, or any other value to indicate failure.
476 To register the authentication callback, simply set
479 The callback will be used whenever a site requires authentication and
480 the appropriate environment variables are not set.
482 This interface is experimental and may be subject to change.
485 returns a pointer to a
487 containing the individual components of the URL.
489 unable to allocate memory, or the URL is syntactically incorrect,
491 returns a NULL pointer.
495 functions return 0 on success and -1 on failure.
497 All other functions return a stream pointer which may be used to
498 access the requested document, or NULL if an error occurred.
500 The following error codes are defined in
503 .It Bq Er FETCH_ABORT
506 Authentication failed
509 .It Bq Er FETCH_EXISTS
514 Informational response
515 .It Bq Er FETCH_MEMORY
517 .It Bq Er FETCH_MOVED
519 .It Bq Er FETCH_NETWORK
523 .It Bq Er FETCH_PROTO
525 .It Bq Er FETCH_RESOLV
527 .It Bq Er FETCH_SERVER
531 .It Bq Er FETCH_TIMEOUT
533 .It Bq Er FETCH_UNAVAIL
534 File is not available
535 .It Bq Er FETCH_UNKNOWN
541 The accompanying error message includes a protocol-specific error code
542 and message, like "File is not available (404 Not Found)"
544 .Bl -tag -width ".Ev FETCH_BIND_ADDRESS"
545 .It Ev FETCH_BIND_ADDRESS
546 Specifies a hostname or IP address to which sockets used for outgoing
547 connections will be bound.
549 Default FTP login if none was provided in the URL.
550 .It Ev FTP_PASSIVE_MODE
553 forces the FTP code to use active mode.
554 If set to any other value, forces passive mode even if the application
555 requested active mode.
557 Default FTP password if the remote server requests one and none was
560 URL of the proxy to use for FTP requests.
561 The document part is ignored.
562 FTP and HTTP proxies are supported; if no scheme is specified, FTP is
564 If the proxy is an FTP proxy,
568 as user name to the proxy, where
570 is the real user name, and
572 is the name of the FTP server.
574 If this variable is set to an empty string, no proxy will be used for
575 FTP requests, even if the
583 Specifies the value of the
585 header for HTTP requests.
592 Specifies HTTP authorization parameters as a colon-separated list of
594 The first and second item are the authorization scheme and realm
595 respectively; further items are scheme-dependent.
600 authorization methods are supported.
602 Both methods require two parameters: the user name and
603 password, in that order.
605 This variable is only used if the server requires authorization and
606 no user name or password was specified in the URL.
608 URL of the proxy to use for HTTP requests.
609 The document part is ignored.
610 Only HTTP proxies are supported for HTTP requests.
611 If no port number is specified, the default is 3128.
613 Note that this proxy will also be used for FTP documents, unless the
620 .It Ev HTTP_PROXY_AUTH
621 Specifies authorization parameters for the HTTP proxy in the same
626 This variable is used if and only if connected to an HTTP proxy, and
627 is ignored if a user and/or a password were specified in the proxy
630 Specifies the referrer URL to use for HTTP requests.
633 the document URL will be used as referrer URL.
634 .It Ev HTTP_USER_AGENT
635 Specifies the User-Agent string to use for HTTP requests.
636 This can be useful when working with HTTP origin or proxy servers that
637 differentiate between user agents.
638 If defined but empty, no User-Agent header is sent.
640 Specifies a file to use instead of
642 to look up login names and passwords for FTP and HTTP sites as well as
646 for a description of the file format.
648 Either a single asterisk, which disables the use of proxies
649 altogether, or a comma- or whitespace-separated list of hosts for
650 which proxies should not be used.
655 .It Ev SSL_ALLOW_SSL3
656 Allow SSL version 3 when negotiating the connection (not recommended).
657 .It Ev SSL_CA_CERT_FILE
658 CA certificate bundle containing trusted CA certificates.
659 Default value: See HTTPS SCHEME above.
660 .It Ev SSL_CA_CERT_PATH
661 Path containing trusted CA hashes.
662 .It Ev SSL_CLIENT_CERT_FILE
663 PEM encoded client certificate/key which will be used in
664 client certificate authentication.
665 .It Ev SSL_CLIENT_KEY_FILE
666 PEM encoded client key in case key and client certificate
667 are stored separately.
669 File containing certificate revocation list.
671 Do not allow TLS version 1.0 when negotiating the connection.
673 Do not allow TLS version 1.1 when negotiating the connection.
675 Do not allow TLS version 1.2 when negotiating the connection.
676 .It Ev SSL_NO_VERIFY_HOSTNAME
677 If set, do not verify that the hostname matches the subject of the
678 certificate presented by the server.
679 .It Ev SSL_NO_VERIFY_PEER
680 If set, do not verify the peer certificate against trusted CAs.
683 To access a proxy server on
684 .Pa proxy.example.com
687 environment variable in a manner similar to this:
689 .Dl HTTP_PROXY=http://proxy.example.com:8080
691 If the proxy server requires authentication, there are
692 two options available for passing the authentication data.
693 The first method is by using the proxy URL:
695 .Dl HTTP_PROXY=http://<user>:<pwd>@proxy.example.com:8080
697 The second method is by using the
699 environment variable:
700 .Bd -literal -offset indent
701 HTTP_PROXY=http://proxy.example.com:8080
702 HTTP_PROXY_AUTH=basic:*:<user>:<pwd>
705 To disable the use of a proxy for an HTTP server running on the local
709 .Bd -literal -offset indent
710 NO_PROXY=localhost,127.0.0.1
713 Access HTTPS website without any certificate verification whatsoever:
714 .Bd -literal -offset indent
716 SSL_NO_VERIFY_HOSTNAME=1
719 Access HTTPS website using client certificate based authentication
721 .Bd -literal -offset indent
722 SSL_CLIENT_CERT_FILE=/path/to/client.pem
723 SSL_CA_CERT_FILE=/path/to/myca.pem
732 .%B File Transfer Protocol
740 .%T How to Use Anonymous FTP
748 .%T Uniform Resource Locators (URL)
760 .%B Hypertext Transfer Protocol -- HTTP/1.1
772 .%B HTTP Authentication: Basic and Digest Access Authentication
778 library first appeared in
784 library was mostly written by
785 .An Dag-Erling Sm\(/orgrav Aq Mt des@FreeBSD.org
786 with numerous suggestions and contributions from
787 .An Jordan K. Hubbard Aq Mt jkh@FreeBSD.org ,
788 .An Eugene Skepner Aq Mt eu@qub.com ,
789 .An Hajimu Umemoto Aq Mt ume@FreeBSD.org ,
790 .An Henry Whincup Aq Mt henry@techiebod.com ,
791 .An Jukka A. Ukkonen Aq Mt jau@iki.fi ,
792 .An Jean-Fran\(,cois Dockes Aq Mt jf@dockes.org ,
793 .An Michael Gmelin Aq Mt freebsd@grem.de
795 It replaces the older
798 .An Poul-Henning Kamp Aq Mt phk@FreeBSD.org
800 .An Jordan K. Hubbard Aq Mt jkh@FreeBSD.org .
802 This manual page was written by
803 .An Dag-Erling Sm\(/orgrav Aq Mt des@FreeBSD.org
805 .An Michael Gmelin Aq Mt freebsd@grem.de .
807 Some parts of the library are not yet implemented.
813 and FTP proxy support.
815 There is no way to select a proxy at run-time other than setting the
819 environment variables as appropriate.
822 does not understand or obey 305 (Use Proxy) replies.
824 Error numbers are unique only within a certain context; the error
825 codes used for FTP and HTTP overlap, as do those used for resolver and
827 For instance, error code 202 means "Command not
828 implemented, superfluous at this site" in an FTP context and
829 "Accepted" in an HTTP context.
832 does not check that the result of an MDTM command is a valid date.
834 In case password protected keys are used for client certificate based
835 authentication the user is prompted for the password on each and every
838 The man page is incomplete, poorly written and produces badly
841 The error reporting mechanism is unsatisfactory.
843 Some parts of the code are not fully reentrant.