cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH 2/5] Use SPNEGO for HTTP Negotiate

From: David Woodhouse <>
Date: Sat, 12 Jul 2014 01:34:05 +0100

On Fri, 2014-07-11 at 20:15 +0200, Michael Osipov wrote:
> Am 2014-07-11 13:28, schrieb David Woodhouse:
> > From: David Woodhouse <>
> >
> You can safely remove this from http_negotiate.c because the caller
> already checks that:
> if(checkprefix("GSS-Negotiate", header)) {
> protocol = "GSS-Negotiate";
> gss = TRUE;
> }
> else if(checkprefix("Negotiate", header)) {
> protocol = "Negotiate";
> gss = FALSE;
> }

Yes, and I agree that 'GSS-Negotiate' should die.

We'll end up wanting to add very similar logic to differentiate between
Negotiate and Kerberos though, and it'll be 'use_spnego' that gets set
or cleared depending on which one we see.

> I don't like that code change. It can be done better.
> In curl_gssapi.h you should do:
> #ifdef HAVE_GSSAPI
> static gss_OID_desc spnego_mech_oid = { 6, "\x2b\x06\x01\x05\x05\x02" };
> #define SPNEGO_MECHANISM &spnego_mech_oid
> #endif
> #ifndef KRB5_MECHANISM
> static gss_OID_desc krb5_mech_oid = { 6, ... };
> #define KRB5_MECHANISM &krb5_mech_oid
> #endif

Now you've defined a separate copy of spnego_mech_oid in every C file
that includes curl_gssapi.h. Potentially unused.

Surely you'd want it to be defined *once* in curl_gssapi.c and then

Doing something like this was my first inclination, to keep the
signature of Curl_gss_init_sec_context() closer to that of the real
gss_init_sec_context(), but I figured that a simple 'use_spnego' was
probably cleaner in the end.

That said, I don't care too much. If you want to do it your way then
please go ahead and I'll insert your patch in my sequence instead.

> This gives you the ability to use any mech and clearly indicate which is
> used, for FTP and SOCKS GSS_KRB5_MECHANISM and for HTTP
> GSS_SPNEGO_MECHANISM. You mave even define NTLM_MECHISM for your custom

I don't think we'll be implementing an alternative to ntlm_wb using
gssapi+gss-ntlmssp any time soon. The boolean for SPNEGO or not ought to
be fine.


List admin:

  • application/x-pkcs7-signature attachment: smime.p7s
Received on 2014-07-12