cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: David Woodhouse <>
Date: Tue, 15 Jul 2014 13:19:55 +0100

On Tue, 2014-07-15 at 13:18 +0200, Michael Osipov wrote:
> Am 2014-07-13 22:22, schrieb David Woodhouse:
> > On Sun, 2014-07-13 at 11:31 +0200, Michael Osipov wrote:
> >>
> >> Please have a look:
> >>
> >>
> >> Work is based on top of your patches.
> >
> > That really wants splitting into individual patches to make it readable.
> David,
> I have split the patch apart and added some more bugfixes I did not
> notice before.
> Please have a look again:
> I'll test that by the end of the week and make a complete patch proposal
> if everything is fine.

> Michael Osipov (7):
> Added missing ifdef to Curl_http_done if GSS-API or SSPI is not available

I've merged that fix into the patch which introduced that bug now; thanks.

> Add macros for the most common GSS-API mechs and pass them to

That commit subject is truncated (you can't wrap lines there). And I
don't like the patch either. I think this wants to be an enum, as
discussed. That way we can end up presenting the same API for our GSSAPI
and SSPI implementations, and the code which *uses* them can be the

> Remove checkprefix("GSS-Negotiate")

OK... but you're about to add half of this back again to handle
'WWW-Authenticate: Kerberos'. You'll need the 'protocol' member of
negotiatedata back again then, and the 'gss' member becomes 'spnego',
right? So perhaps it makes sense to remove GSS-Negotiate and add
Kerberos in the *same* patch, rather than in separate patches? Or at
least do them in consecutive patches.

> Add feature and version info for GSS-API (like with SSPI)
> Deprecate GSS-Negotiate related macros due to bad naming

These two look sane enough; not my area of expertise.

> Make Negotiate (SPNEGO) auth CLI options and help available only if

Truncated again. But also looks sane apart from that.

> Improve inline GSS-API naming in code documentation

Not so keen on this one either. I think 'GSSAPI' was better than 'GSS-API'.

> @Steve Holme, can you kindly take a look at the changes SSPI code. That
> was necessary to unify stuff and make it compile on Windows too.

FWIW the SSPI code can be tested under Linux, at least for NTLM — Wine
implements SSPI single-sign-on using the same Samba ntlm_auth helper
that the ntlm_wb authentication method does.

So I can build with mingw32 (cursing the AC_TRY_RUN things in which cause it to invoke wine during the *build* process),
and then do something like:

wine src/curl.exe --ntlm -u : -v $URL

... and see it automatically authenticate using my credentials from

I note that '--anyauth' doesn't work. And neither does '-u dwoodhou:'
despite the username being *required* for the Linux build when using
--ntlm-wb (before my patches to fix that, of course).

David Woodhouse                            Open Source Technology Centre                              Intel Corporation

List admin:

  • application/x-pkcs7-signature attachment: smime.p7s
Received on 2014-07-15