cURL / Mailing Lists / curl-library / Single Mail


RE: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to pass user/password

From: Steve Holme <>
Date: Thu, 10 Jul 2014 20:59:23 +0100

On Thu, 10 Jul 2014, Leonardo Rosati wrote:

> Correct, in my opinion, by design, with SSP1 the intention is to be
> authenticated with user name and password if passed, if not, by
> the system account.

Basically yes - my understanding is if it can work the same as the SSPI implementation of NTLM then it should. Whilst I know both the our native and SSPI implementations of NTLM as well some of the other SSPI code such as the recent SSPI SASL digest work I did I don't know the HTTP negotiate code that well (although have taken a look at it a few times for reference) so I'm pretty certain your summary is correct.

> My intention was to submit a change to have negotiate to work like NTLM.

If you submit your change here as a patch (ideally a git format patch) then Daniel, Mark, Michael and myself (who have experience in this area) and anyone else on the list with an interest should be able to take a look at it ;-)

> Does anyone have any suggestion looking at the code?

You mentioned in your original post that you had already performed some change in your own codebase. Was that in your own copy of the curl source code or your own application's code?

Also, you mention in the subject line about this being a problem in Curl 7.21.7 - Please note that, that version is now 3 years old and prior to the NTLM Winbind development of July/August 2011 and my own refactoring of the NTLM code in September to November 2011. I guess what I'm trying to ask there is, does this problem still exist in 7.37.0?

If so, and you're working with the latest code, then I would say that you need to make a call to Curl_create_sspi_identity() that I added in the last release of curl which will populate your SEC_WINNT_AUTH_IDENTITY structure. This can then be passed to AcquireCredentialsHandle() instread of NULL just like curl_ntlm_msgs.c does - see the code at line 425 onwards and it should be a fairly simple change ;-)

I hope this helps - however, if you are trying to patch an older version then you will probably end up duplicating the code in Curl_create_sspi_identity() and adding that to the code in http_negotiate_sspi.c::Curl_input_negotiate(). However, any patches for inclusion in future versions of curl should be with the latest codebase.

Kind Regards


List admin:
Received on 2014-07-10