curl-library

RE: State of NTLM test cases on Windows

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Sun, 7 Apr 2013 11:35:28 +0100

Hi Marc,

On Sun, 7 Apr 2013, Marc Hoersken wrote:

> I would like to note that the majority of NTLM test case failures
> on Windows are caused by the fact that the Negotiate Security
> Support Provider creates NTLM tokens that are a little different
> than those created by the GSSAPI.

I would like to clarify something...

Is this when you're using SSPI to perform the security context generation or
when you are using the internal message generation functions?

If you're using SSPI, have you tried building curl on Windows without SSPI so
it would then use the built-in routines and I would then expect those NTLM
test cases to succeed?

> The issue about different flags could be solved by duplicating the
> test cases and switching between them depending on the OS, but
> that would obviously result in code / test duplication.

Given that someone could compile curl under Windows without SSPI, would it be
better to switch on test server "feature" rather than switching test cases
dependent on the OS?
 
So for example could we extend the NTLM flag that not only tells the test
server this test case requires NTLM and the test server, when it runs, knows
it's NTLM capable but on *nix and non-SSPI Windows builds it could be NTLM
or NTLM_BUILT_IN to indicate security contexts are generated using the
built-in functions and on SSPI Windows builds it would use NTLM_SSPI or
something similar? This could then be extended for OS/X etc... if need be.

The drawback then, like you have already mentioned, is we end up duplicating
the NTLM tests, so we would have two or three test150's, for example, one
for each possible NTLM message variation.

Alternatively:

1) We have multiple <datacheck> sections and <protocol> sections within the
<verify> but that might get a little complex and confusing.
2) We look at extracting the authentication text from the test cases with
some kind of token that tells the server what type of authentication message
it was. For example: Test150 might contain: "Authorization: NTLM
<NTLM_MSG_TYPE1>" rather than "Authorization: NTLM
TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=" but that could get messy from
an escaping point of view if we actually wanted that raw text instead of the
NTLM message.

I am looking forward to the work you are doing with getting the test suite
running properly under Windows - it will assist me greatly with the POP3 and
IMAP test suite so I hope my ramblings might help.

Kind Regards

Steve
-------------------------------------------------------------------
Received on 2013-04-07
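
To make the "different flags" point in the thread concrete, the following added example (not part of the original mail and not curl project code) decodes the type 1 message quoted for test 150 and diffs its negotiate flags against a second message. The flag names are shortened from MS-NLMP, and the second message is constructed here for illustration; it is not captured SSPI output.

```python
import base64
import struct

# Short names for a subset of the MS-NLMP negotiate flag bits.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

def parse_ntlm(b64):
    """Return (message_type, flags) for a base64 NTLM type 1 message."""
    b64 = b64.strip().rstrip("=")  # tolerate padding lost in mail wrapping
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)  # little-endian
    if msg_type != 1:
        raise ValueError("only type 1 has its flags at offset 12")
    return msg_type, flags

def flag_names(flags):
    """Names of the set bits; bits outside the table are reported as hex."""
    names = {name for bit, name in NTLM_FLAGS.items() if flags & bit}
    unknown = flags & ~sum(NTLM_FLAGS)
    if unknown:
        names.add("UNKNOWN_0x%08x" % unknown)
    return names

def compare_type1(expected_b64, actual_b64):
    """Flags only in the expected message, and flags only in the actual one."""
    exp = flag_names(parse_ntlm(expected_b64)[1])
    act = flag_names(parse_ntlm(actual_b64)[1])
    return sorted(exp - act), sorted(act - exp)

# Type 1 message quoted in the mail for test 150.
BUILT_IN = "TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="
# Constructed variant with three extra flag bits (illustration only).
CONSTRUCTED = base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA0088207) + bytes(16)).decode()

if __name__ == "__main__":
    print(sorted(flag_names(parse_ntlm(BUILT_IN)[1])))
    print(compare_type1(BUILT_IN, CONSTRUCTED))
```
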