curl-library
[PATCH 2/5] Use SPNEGO for HTTP Negotiate
From: David Woodhouse <dwmw2_at_infradead.org>
Date: Fri, 11 Jul 2014 12:28:47 +0100
Received on 2014-07-11
Date: Fri, 11 Jul 2014 12:28:47 +0100
From: David Woodhouse <David.Woodhouse_at_intel.com>
This is the correct way to do SPNEGO. Just ask for it
Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
isn't available. Of course, we bail out when the server responds with the
challenge packet, since we don't expect that. But I'll fix that bug next...
---
lib/curl_gssapi.c | 9 ++++++++-
lib/curl_gssapi.h | 1 +
lib/http_negotiate.c | 1 +
lib/krb5.c | 1 +
lib/socks_gssapi.c | 1 +
5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index fabbe35..79d09f2 100644
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -27,11 +27,18 @@
#include "curl_gssapi.h"
#include "sendf.h"
+static const char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02";
+static const gss_OID_desc gss_mech_spnego = {
+ 6,
+ &spnego_OID
+};
+
OM_uint32 Curl_gss_init_sec_context(
struct SessionHandle *data,
OM_uint32 * minor_status,
gss_ctx_id_t * context,
gss_name_t target_name,
+ bool use_spnego,
gss_channel_bindings_t input_chan_bindings,
gss_buffer_t input_token,
gss_buffer_t output_token,
@@ -55,7 +62,7 @@ OM_uint32 Curl_gss_init_sec_context(
GSS_C_NO_CREDENTIAL, /* cred_handle */
context,
target_name,
- GSS_C_NO_OID, /* mech_type */
+ use_spnego ? &gss_mech_spnego : GSS_C_NO_OID,
req_flags,
0, /* time_req */
input_chan_bindings,
diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
index ed33b51..5af7a02 100644
--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
@@ -47,6 +47,7 @@ OM_uint32 Curl_gss_init_sec_context(
OM_uint32 * minor_status,
gss_ctx_id_t * context,
gss_name_t target_name,
+ bool use_spnego,
gss_channel_bindings_t input_chan_bindings,
gss_buffer_t input_token,
gss_buffer_t output_token,
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index ccd005b..9b01e0a 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -184,6 +184,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
&minor_status,
&neg_ctx->context,
neg_ctx->server_name,
+ TRUE,
GSS_C_NO_CHANNEL_BINDINGS,
&input_token,
&output_token,
diff --git a/lib/krb5.c b/lib/krb5.c
index 1643f11..9a36af1 100644
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -236,6 +236,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
&min,
context,
gssname,
+ FALSE,
&chan,
gssresp,
&output_buffer,
diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
index 1f840bd..0a35dfa 100644
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@@ -181,6 +181,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
&gss_minor_status,
&gss_context,
server,
+ FALSE,
NULL,
gss_token,
&gss_send_token,
--
1.9.3
--
David Woodhouse Open Source Technology Centre
David.Woodhouse_at_intel.com Intel Corporation
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/x-pkcs7-signature attachment: smime.p7s