cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: Michael Osipov <>
Date: Mon, 14 Jul 2014 10:22:43 +0200

Am 2014-07-13 22:22, schrieb David Woodhouse:
> On Sun, 2014-07-13 at 11:31 +0200, Michael Osipov wrote:
>> Please have a look:
>> Work is based on top of your patches.
> That really wants splitting into individual patches to make it readable.

That should not be a big problem with Git, I need to figure out how ;-)
Just realized that the SSPI code is broken now as it uses the same
structs. Need to fix that first.

> You can't put the OID bytes into the definition as you have; you'll get
> complaints about const pointers in some implementations. There was a
> reason I had them separate.

I wasn't aware of that nuances across implementations. So you
improvement looks like:

static const char[] spengo_oid_bytes = "\x2b\x06\x01\x05\x05\x02";
gss_OID_desc spnego_mech_oid = { 6, &spengo_oid_bytes };
static const char[] krb5_oid_bytes = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02";
gss_OID_desc krb5_mech_oid = { 9, &krb5_oid_bytes };

> And in fact I think you don't need to export them. Just make an enum for
> SPNEGO/NTLM/KRB5 and let the caller pass that in, and then you use it to
> select the appropriate OID within curl_gssapi.c. And in the SSPI
> version, which we want to be called identically, that same enum actually
> translates into an appropriate *string* argument to
> AcquireCredentalsHandle().

Like enum gss_mech { SPNEGO, KRB5, NTLM }?

Did you get a chance to thing about the context looping improvements,
because the SSPI implementation looks somewhat different?

List admin:
Received on 2014-07-14