
Re: how to use --proxy-negotiate, exactly?

From: Brian J. Murrell <brian_at_interlinx.bc.ca>
Date: Tue, 14 Apr 2009 07:56:28 -0400

On Mon, 2009-03-02 at 14:02 +0100, Daniel Stenberg wrote:
>
> Are you up to provide a patch based on what we've discussed so far?

My apologies for taking so long to respond, but the free time I can use
for such hacking activity has been sucked up by real life.

I didn't want to lose what effort we had expended so far though, so
here's the patch (against cvs) that I have so far:

Index: lib/http.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/http.c,v
retrieving revision 1.412
diff -u -r1.412 http.c
--- lib/http.c 24 Feb 2009 08:30:09 -0000 1.412
+++ lib/http.c 14 Apr 2009 11:38:00 -0000
@@ -528,9 +528,20 @@
 
 #ifdef HAVE_GSSAPI
   if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
- negdata->context && !GSS_ERROR(negdata->status)) {
+ !GSS_ERROR(negdata->status)) {
+ int ret = 0;
     auth="GSS-Negotiate";
- result = Curl_output_negotiate(conn, proxy);
+ if(!negdata->context)
+ /* if explicitly selected it isn't inited at this point */
+ if ((ret = Curl_input_negotiate(conn, proxy, auth)) < 0) {
+ auth = "Negotiate";
+ ret = Curl_input_negotiate(conn, proxy, auth);
+ }
+
+ if(ret)
+ result = CURLE_REMOTE_ACCESS_DENIED;
+ else
+ result = Curl_output_negotiate(conn, proxy);
     if(result)
       return result;
     authstatus->done = TRUE;
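Review bot: the unbraced `if(!negdata->context)` whose whole body is the second `if ((ret = Curl_input_negotiate(conn, proxy, auth)) < 0) { ... }` reads like two sibling conditions at a glance; brace the outer `if` so it is obvious that the retry with "Negotiate" only happens when no context exists yet. The two return-code tests are also inconsistent: the first attempt is judged failed on `< 0`, but the final `if(ret)` treats any non-zero value, including a positive return from the second `Curl_input_negotiate()` call, as a failure and maps it to CURLE_REMOTE_ACCESS_DENIED; use the same test in both places. Since the `negdata->context &&` guard is dropped from the condition, this branch now runs before any Proxy-Authenticate challenge has been seen, and the comment should say that the client itself is choosing between the "GSS-Negotiate" and "Negotiate" variants by passing them as the header string, rather than following what the proxy advertised.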
Index: lib/http_negotiate.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/http_negotiate.c,v
retrieving revision 1.34
diff -u -r1.34 http_negotiate.c
--- lib/http_negotiate.c 13 Apr 2009 07:18:39 -0000 1.34
+++ lib/http_negotiate.c 14 Apr 2009 11:38:00 -0000
@@ -256,6 +256,7 @@
   neg_ctx->status = major_status;
   if(GSS_ERROR(major_status)) {
     /* Curl_cleanup_negotiate(conn->data) ??? */
+ neg_ctx->server_name = NULL;
     log_gss_error(conn, minor_status,
                   "gss_init_sec_context() failed: ");
     return -1;
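Review bot: `neg_ctx->server_name = NULL;` drops the reference to the target name on the error path without releasing it; if that name was obtained with gss_import_name(), which is what a gss_name_t normally holds, every failed attempt leaks it, so call gss_release_name() on it before nulling. A one-line comment saying why the name must be reset here and what the caller is expected to do with the NULL on the retry introduced in the http.c hunk would also help, especially since the commented-out Curl_cleanup_negotiate() line directly above shows the cleanup on this path is still unsettled.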

Which works for the following use case:

$ http_proxy=http://brian@proxy:3128/ ./src/curl -D - --proxy-negotiate -o /dev/null http://www.sun.com/
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
HTTP/1.0 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Tue, 14 Apr 2009 11:54:54 GMT
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
Cache-Control: public
Proxy-agent: Sun-Java-System-Web-Server/7.0
X-powered-by: Servlet/2.4
X-powered-by: JSP/2.0
Set-Cookie: JSESSIONID=a47ad57153db312f5abf196b219ee; Path=/
Content-Type: text/html;charset=UTF-8
Set-Cookie: JROUTE=vqO1ZdA6pjKFtjrs; Path=/
Proxy-Authentication-Info: Negotiate AA==
X-Cache: MISS from linux
X-Cache-Lookup: MISS from linux:3128
Via: 1.1 https-www, 1.0 linux (squid/3.1.0.6)
Proxy-Connection: close

100 28706 0 28706 0 0 46623 0 --:--:-- --:--:-- --:--:-- 54470

It does not, however, work when one does not specifically request
"--proxy-negotiate":

$ http_proxy=http://brian@proxy:3128/ ./src/curl -D - -o /dev/null http://www.sun.com/
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.0.6
Mime-Version: 1.0
Date: Tue, 14 Apr 2009 11:51:04 GMT
Content-Type: text/html
Content-Length: 3258
Expires: Tue, 14 Apr 2009 11:51:04 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
X-Cache: MISS from linux
X-Cache-Lookup: NONE from linux:3128
Via: 1.0 linux (squid/3.1.0.6)
Proxy-Connection: close

  0 3258 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.0.6
Mime-Version: 1.0
Date: Tue, 14 Apr 2009 11:51:04 GMT
Content-Type: text/html
Content-Length: 3258
Expires: Tue, 14 Apr 2009 11:51:04 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
X-Cache: MISS from linux
X-Cache-Lookup: NONE from linux:3128
Via: 1.0 linux (squid/3.1.0.6)
Proxy-Connection: close

101 3258 101 3258 0 0 46127 0 --:--:-- --:--:-- --:--:-- 46127

But I don't think I have any confidence that this worked (i.e. a first
round trip to get the "Proxy-Authenticate: Negotiate" requirement,
followed by a second round trip with the credentials) prior to my
hacking.

Cheers,
b.
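The challenge-then-credentials flow described above, as an added example in Python (not curl's own code): it parses the Squid 407 quoted earlier, picks the strongest scheme the proxy offered (never Basic unless the caller opts in), and also shows the explicitly selected path, where the Negotiate token goes out on the first request as it does with --proxy-negotiate. The trimmed 407 and the token value are constructed.

```python
"""Proxy auth scheme selection for the round trips described in the post.
Added example, not curl code; the Negotiate token is a constructed placeholder
standing in for base64 gss_init_sec_context() output."""
from typing import Dict, List, Optional, Tuple

# Strongest first. Basic puts the password on the wire in clear, so it is only
# chosen when the caller opts in.
PREFERENCE = ["Negotiate", "GSS-Negotiate", "Basic"]

# Constructed from the Squid 407 shown in the post (body, most headers omitted).
SQUID_407 = [
    "HTTP/1.0 407 Proxy Authentication Required",
    "Proxy-Authenticate: Negotiate",
    'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"',
]

def parse_proxy_authenticate(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (scheme, params) for every Proxy-Authenticate header, in order."""
    offered = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            scheme, _, params = value.strip().partition(" ")
            offered.append((scheme, params.strip()))
    return offered

def pick_scheme(offered: List[Tuple[str, str]], allow_basic: bool = False) -> Optional[str]:
    """First scheme in PREFERENCE that the proxy actually offered, or None."""
    names = {scheme.lower() for scheme, _ in offered}
    for scheme in PREFERENCE:
        if scheme == "Basic" and not allow_basic:
            continue
        if scheme.lower() in names:
            return scheme
    return None

def auth_header(scheme: Optional[str]) -> Dict[str, str]:
    """Proxy-Authorization for a Negotiate-family scheme; empty for None."""
    if scheme is None:
        return {}
    if scheme.lower() not in ("negotiate", "gss-negotiate"):
        raise ValueError(f"no credential builder for {scheme}")
    return {"Proxy-Authorization": f"{scheme} AA=="}  # AA== is a placeholder token

def proxy_auth_flow(challenge: List[str], explicit: Optional[str] = None) -> List[Dict[str, str]]:
    """Headers sent per round trip: one when explicitly selected (as with
    --proxy-negotiate), two when the proxy has to challenge first."""
    if explicit:
        return [auth_header(explicit)]
    picked = pick_scheme(parse_proxy_authenticate(challenge))
    return [{}, auth_header(picked)]
```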

-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2009-04-14