cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH 2/5] Use SPNEGO for HTTP Negotiate

From: David Woodhouse <dwmw2_at_infradead.org>
Date: Sat, 12 Jul 2014 01:34:05 +0100

On Fri, 2014-07-11 at 20:15 +0200, Michael Osipov wrote:
> Am 2014-07-11 13:28, schrieb David Woodhouse:
> > From: David Woodhouse <David.Woodhouse_at_intel.com>
> >
>
> You can safely remove this from http_negotiate.c because the caller
> already checks that:
>
> if(checkprefix("GSS-Negotiate", header)) {
> protocol = "GSS-Negotiate";
> gss = TRUE;
> }
> else if(checkprefix("Negotiate", header)) {
> protocol = "Negotiate";
> gss = FALSE;
> }

Yes, and I agree that 'GSS-Negotiate' should die.

We'll end up wanting to add very similar logic to differentiate between
Negotiate and Kerberos though, and it'll be 'use_spnego' that gets set
or cleared depending on which one we see.

> I don't like that code change. It can be done better.
>
> In curl_gssapi.h you should do:
>
> #ifdef HAVE_GSSAPI
> #ifndef SPNEGO_MECHANISM
> static gss_OID_desc spnego_mech_oid = { 6, "\x2b\x06\x01\x05\x05\x02" };
> #define SPNEGO_MECHANISM &spnego_mech_oid
> #endif
> #ifndef KRB5_MECHANISM
> static gss_OID_desc krb5_mech_oid = { 6, ... };
> #define KRB5_MECHANISM &krb5_mech_oid
> #endif

Now you've defined a separate copy of spnego_mech_oid in every C file
that includes curl_gssapi.h. Potentially unused.

Surely you'd want it to be defined *once* in curl_gssapi.c and then
exported?

Doing something like this was my first inclination, to keep the
signature of Curl_gss_init_sec_context() closer to that of the real
gss_init_sec_context(), but I figured that a simple 'use_spnego' was
probably cleaner in the end.

That said, I don't care too much. If you want to do it your way then
please go ahead and I'll insert your patch in my sequence instead.

> This gives you the ability to use any mech and clearly indicate which is
> used, for FTP and SOCKS GSS_KRB5_MECHANISM and for HTTP
> GSS_SPNEGO_MECHANISM. You mave even define NTLM_MECHISM for your custom
> GSS NTLMSSP.

I don't think we'll be implementing an alternative to ntlm_wb using
gssapi+gss-ntlmssp any time soon. The boolean for SPNEGO or not ought to
be fine.

-- 
dwmw2

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

application/x-pkcs7-signature attachment: smime.p7s

Received on 2014-07-12

This message: [ Message body ]
Next message: Dan Fandrich: "Re: [PATCH 2/2] ntlm_wb: Avoid invoking ntlm_auth helper with empty username"
Previous message: David Woodhouse: "[PATCH 1/2 v2] ntlm_wb: Fix hard-coded limit on NTLM auth packet size"
In reply to: Michael Osipov: "Re: [PATCH 2/5] Use SPNEGO for HTTP Negotiate"
Next in thread: Michael Osipov: "Re: [PATCH 2/5] Use SPNEGO for HTTP Negotiate"
Reply: Michael Osipov: "Re: [PATCH 2/5] Use SPNEGO for HTTP Negotiate"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]