

[PATCH v1 2/5] HTTP: Remove checkprefix("GSS-Negotiate")

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Mon, 21 Jul 2014 09:53:44 +0200

That auth mech has never existed on either the MS or the Unix side.
There is only Negotiate over SPNEGO.

---
 lib/http.c                |  5 ++---
 lib/http_negotiate.c      | 43 ++++---------------------------------------
 lib/http_negotiate_sspi.c | 45 ++++-----------------------------------------
 lib/urldata.h             |  6 ++----
 4 files changed, 12 insertions(+), 87 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 4931dd8..8cd15de 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -571,7 +571,7 @@ output_auth_headers(struct connectdata *conn,
   negdata->state = GSS_AUTHNONE;
   if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
      negdata->context && !GSS_ERROR(negdata->status)) {
-    auth="GSS-Negotiate";
+    auth="Negotiate";
     result = Curl_output_negotiate(conn, proxy);
     if(result)
       return result;
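Review bot: The scheme name is now spelled out as a bare `"Negotiate"` literal at `auth="Negotiate";` and again in four other hunks of this patch: the `checkprefix("Negotiate", auth)` test in http.c, the two `header += strlen("Negotiate");` lines and the two `aprintf("%sAuthorization: Negotiate %s\r\n", ...)` format strings in http_negotiate.c and http_negotiate_sspi.c. The `strlen()` uses are the fragile ones, because the number of bytes skipped must always equal the prefix that http.c matched. A single named constant shared through urldata.h, e.g. `#define NEGOTIATE_SCHEME "Negotiate"` (constructed name), used in all five places would keep them from drifting. output_auth_headers continues outside the hunk.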
@@ -772,8 +772,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
 
   while(*auth) {
 #ifdef USE_HTTP_NEGOTIATE
-    if(checkprefix("GSS-Negotiate", auth) ||
-       checkprefix("Negotiate", auth)) {
+    if(checkprefix("Negotiate", auth)) {
       int neg;
       *availp |= CURLAUTH_GSSNEGOTIATE;
       authp->avail |= CURLAUTH_GSSNEGOTIATE;
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index dc2bb38..f5e9252 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -53,19 +53,7 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
   OM_uint32 major_status, minor_status;
   gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
   char name[2048];
-  const char* service;
-
-  /* GSSAPI implementation by Globus (known as GSI) requires the name to be
-     of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
-     of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
-     Change following lines if you want to use GSI */
-
-  /* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
-
-  if(neg_ctx->gss)
-    service = "KHTTP";
-  else
-    service = "HTTP";
+  const char* service = "HTTP";
 
   token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
                                               conn->host.name) + 1;
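Review bot: With the `neg_ctx->gss` branch gone, `service` is never reassigned, so `const char* service = "HTTP";` reads better as an immutable `static const char service[] = "HTTP";` (and with the `*` bound to the name, per the file's other declarations). The deleted block was also the only explanation of why the SPN uses the `<service>@<fqdn>` form with `HTTP` as the service name; a one-line remnant such as `/* IIS expects the <service>@<fqdn> form with "HTTP" as the service name */` would preserve that rationale. The same applies to the get_gss_name hunk in http_negotiate_sspi.c, where the IIS/NTLM-vs-Kerberos remark was dropped too. get_gss_name continues outside the hunk.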
@@ -128,31 +116,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
   int ret;
   size_t len;
   size_t rawlen = 0;
-  bool gss;
-  const char* protocol;
   CURLcode error;
 
-  if(checkprefix("GSS-Negotiate", header)) {
-    protocol = "GSS-Negotiate";
-    gss = TRUE;
-  }
-  else if(checkprefix("Negotiate", header)) {
-    protocol = "Negotiate";
-    gss = FALSE;
-  }
-  else
-    return -1;
-
-  if(neg_ctx->context) {
-    if(neg_ctx->gss != gss) {
-      return -1;
-    }
-  }
-  else {
-    neg_ctx->protocol = protocol;
-    neg_ctx->gss = gss;
-  }
-
   if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
     /* We finished successfully our part of authentication, but server
      * rejected it (since we're again here). Exit with an error since we
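Review bot: Removing the `checkprefix(...)`/`else return -1;` block leaves Curl_input_negotiate with no check of its own that `header` actually begins with the scheme, yet the later hunk in this file still does `header += strlen("Negotiate");` unconditionally and then scans from there with `while(*header && ISSPACE(*header))`. The only visible caller (http.c) does `checkprefix("Negotiate", auth)` first, so today this is reachable only through a mis-use, but a future caller handing in a shorter or different header would advance past the terminator and read out of bounds. A one-line guard restores the old contract cheaply: `if(!checkprefix("Negotiate", header)) return -1;` at the top of the function, and the same line belongs in the SSPI Curl_input_negotiate, whose corresponding hunks (the removed prefix block and its `header += strlen("Negotiate");`) have the identical gap. Curl_input_negotiate starts before and continues past this hunk.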
@@ -165,7 +130,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
       (ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
     return ret;
 
-  header += strlen(neg_ctx->protocol);
+  header += strlen("Negotiate");
   while(*header && ISSPACE(*header))
     header++;
 
@@ -238,8 +203,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
     return CURLE_REMOTE_ACCESS_DENIED;
   }
 
-  userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
-                  neg_ctx->protocol, encoded);
+  userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
+                  encoded);
   if(proxy) {
     Curl_safefree(conn->allocptr.proxyuserpwd);
     conn->allocptr.proxyuserpwd = userp;
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
index 236766b..2bf131f 100644
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -45,27 +45,13 @@ static int
 get_gss_name(struct connectdata *conn, bool proxy,
              struct negotiatedata *neg_ctx)
 {
-  const char* service;
+  const char* service = "HTTP";
   size_t length;
 
   if(proxy && !conn->proxy.name)
     /* proxy auth requested but no given proxy name, error out! */
     return -1;
 
-  /* GSSAPI implementation by Globus (known as GSI) requires the name to be
-     of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
-     of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
-     Change following lines if you want to use GSI */
-
-  /* IIS uses the <service>@<fqdn> form but uses 'http' as the service name,
-     and SSPI then generates an NTLM token. When using <service>/<fqdn> a
-     Kerberos token is generated. */
-
-  if(neg_ctx->gss)
-    service = "KHTTP";
-  else
-    service = "HTTP";
-
   length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
                                         conn->host.name) + 1;
   if(length + 1 > sizeof(neg_ctx->server_name))
@@ -94,31 +80,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
   TCHAR             *sname;
   int ret;
   size_t len = 0, input_token_len = 0;
-  bool gss = FALSE;
-  const char* protocol;
   CURLcode error;
 
-  if(checkprefix("GSS-Negotiate", header)) {
-    protocol = "GSS-Negotiate";
-    gss = TRUE;
-  }
-  else if(checkprefix("Negotiate", header)) {
-    protocol = "Negotiate";
-    gss = FALSE;
-  }
-  else
-    return -1;
-
-  if(neg_ctx->context) {
-    if(neg_ctx->gss != gss) {
-      return -1;
-    }
-  }
-  else {
-    neg_ctx->protocol = protocol;
-    neg_ctx->gss = gss;
-  }
-
   if(neg_ctx->context && neg_ctx->status == SEC_E_OK) {
     /* We finished successfully our part of authentication, but server
      * rejected it (since we're again here). Exit with an error since we
@@ -148,7 +111,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
   }
 
   /* Obtain the input token, if any */
-  header += strlen(neg_ctx->protocol);
+  header += strlen("Negotiate");
   while(*header && ISSPACE(*header))
     header++;
 
@@ -260,8 +223,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
   if(len == 0)
     return CURLE_REMOTE_ACCESS_DENIED;
 
-  userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
-                  neg_ctx->protocol, encoded);
+  userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
+                  encoded);
 
   if(proxy)
     conn->allocptr.proxyuserpwd = userp;
diff --git a/lib/urldata.h b/lib/urldata.h
index ebdad80..3ed7292 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -446,11 +446,9 @@ struct ntlmdata {
 
 #ifdef USE_HTTP_NEGOTIATE
 struct negotiatedata {
-  /* when doing Negotiate we first need to receive an auth token and then we
-     need to send our header */
+  /* When doing Negotiate (SPNEGO) auth, we first need to send a token
+     and then validate the received one. */
   enum { GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT } state;
-  bool gss; /* Whether we're processing GSS-Negotiate or Negotiate */
-  const char* protocol; /* "GSS-Negotiate" or "Negotiate" */
 #ifdef HAVE_GSSAPI
   OM_uint32 status;
   gss_ctx_id_t context;
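Review bot: The rewritten comment `When doing Negotiate (SPNEGO) auth, we first need to send a token and then validate the received one.` reverses the order the old comment gave (receive a token, then send our header), while the `state` enum on the very next line still lists `GSS_AUTHRECV` before `GSS_AUTHSENT`, and the http.c hunk in this patch resets that state to `GSS_AUTHNONE` before the output side runs. If the client really does speak first now, the enum order is misleading; if not, the comment is. Either way the comment should describe the sequence the `state` values encode, for example `/* Negotiate (SPNEGO): a challenge token is received first (GSS_AUTHRECV), then our token is sent (GSS_AUTHSENT) */`, with "presumably" attached until confirmed against the callers. The struct continues outside the hunk.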
-- 
2.0.1