curl-library

Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to pass user/password

From: Leonardo Rosati <geppio1975_at_gmail.com>
Date: Wed, 9 Jul 2014 17:21:47 +0200

In http_ntlm.c, line 713, user and password are taken from the proxy and
used even if USE_WINDOWS_SSPI is defined. Code from line 748 to line 832
uses them, and in particular AcquireCredentialsHandleA is invoked with an
ntlm->identity struct filled with this user and password.

This is not done in http_negotiate_sspi.c, where AcquireCredentialsHandle
is called passing NULL (from this comes the fact that negotiate is done
authenticating the machine, not the user passed in the curl parameters).

2014-07-03 21:24 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:

> On 2014-07-03 17:47, Leonardo Rosati wrote:
>
>> Actually, http_ntlm.c, which uses SSPI, also uses passed username and
>> password. So again my point is that these two SSPI based implementations
>> are different. My opinion is that negotiate should pass user/password. In
>> case I'm wrong then ntlm is wrong because it accepts and passes
>> user/passwords.
>>
>
> Again,
>
> curl on Windows does not accept any credentials. Default credentials are
> obtained. The separate NTLM implementation in curl is used on non-Windows
> only. If you want AcquireCredHandle to use non-default creds, provide a
> quality patch which fixes known bug #10 and implements your improvement.
>
> M
>
>
>> 2014-07-03 15:00 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:
>>
>>> Refer to known bug #10: http://curl.haxx.se/docs/knownbugs.html
>>>
>>> If this is fixed, you need to do this only:
>>> $ curl --(negotiate|ntlm) <url>
>>>
>>> On Windows, credentials are obtained by SSPI and SSPI only. No manual
>>> passing. This is default on Windows with every implementation on top of
>>> SSPI.
>>>
>>> *Sent:* Thursday, 03 July 2014 at 13:46
>>> *From:* "Leonardo Rosati" <geppio1975_at_gmail.com>
>>> *To:* "libcurl development" <curl-library_at_cool.haxx.se>
>>> *Subject:* Re: Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to
>>> pass user/password
>>>
>>> What behavior is correct? The one in negotiate http_negotiate-sspi.c
>>> which doesn't use the credentials? If so, why is it correct? And why is it
>>> different from the ntlm method?
>>>
>>> 2014-07-03 12:40 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:
>>>
>>>>
>>>> That behavior is correct.
>>>>
>>>>
>>>>
>>>> Sent: Thursday, 03 July 2014 at 12:31
>>>> From: "Leonardo Rosati" <geppio1975_at_gmail.com>
>>>> To: "libcurl development" <curl-library_at_cool.haxx.se>
>>>> Subject: Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to pass
>>>> user/password
>>>>
>>>> I've tried debugging with Wireshark with a proxy with negotiation (ISA
>>>> Server) and CURL does not pass user/password to the proxy even if
>>>> specified. The machine is authenticated just in case it is part of the
>>>> domain.
>>>> Code in http_negotiate-sspi.c is different from http_ntlm.c, which,
>>>> correctly, passes username/password.
>>>> Has anyone verified that negotiation passes credentials?
>>>> leonardo
>>>>
>>>> 2014-06-27 22:27 GMT+02:00 Michael Osipov <1983-01-06_at_gmx.net>:
>>>>
>>>> On 2014-06-27 11:11, Leonardo Rosati wrote:
>>>>
>>>> hi,
>>>>
>>>> looking at the source code of http_negotiate-sspi.c the code doesn't use
>>>> the user/password in case they are passed by the user, in practice
>>>> assuming the proxy to authenticate the connection based on if the machine
>>>> is in the domain or not.
>>>> Instead the code for ntlm is different: it passes user/password in case
>>>> they are not empty and so user/password are used for authentication
>>>> purposes.
>>>>
>>>> I think the correct behavior is the one for ntlm and therefore the
>>>> negotiate method should be changed.
>>>>
>>>> I don't think so. The intention in both is to have credentials already
>>>> present at/after login time. At least for NTLM on Windows and SPNEGO on
>>>> all platforms.
>>>>
>>>> Michael
>>>>
>>>> -------------------------------------------------------------------
>>>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>>>> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-09
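
The difference the thread turns on, as an added example (not curl source and not code from either poster): the `pAuthData` argument of `AcquireCredentialsHandleA` is NULL for the logon session's default credentials, or points to an identity struct for explicit ones. The names `explicit_creds`, `split_userpwd` and `acquire_negotiate`, the 128-byte buffers and the `DOMAIN\user` splitting are assumptions made for illustration; the SSPI call is compiled on Windows only.

```c
#include <string.h>
/* Hypothetical holder for credentials supplied by the caller. */
struct explicit_creds { char domain[128], user[128], passwd[128]; };
/* Split "DOMAIN\user" or "DOMAIN/user". Returns 1 for explicit credentials,
   0 when none were given (use the logon session), -1 if a part is too long. */
int split_userpwd(const char *userp, const char *passwdp,
                  struct explicit_creds *c)
{
  const char *name = userp, *sep;
  size_t dlen = 0;
  memset(c, 0, sizeof(*c));
  if(!userp || !*userp) return 0;
  sep = strpbrk(userp, "\\/");
  if(sep) { dlen = (size_t)(sep - userp); name = sep + 1; }
  if(dlen >= sizeof(c->domain) || strlen(name) >= sizeof(c->user) ||
     (passwdp && strlen(passwdp) >= sizeof(c->passwd)))
    return -1;
  memcpy(c->domain, userp, dlen);  /* NUL-terminated by the memset above */
  strcpy(c->user, name);
  if(passwdp) strcpy(c->passwd, passwdp);
  return 1;
}

#ifdef _WIN32  /* the SSPI call itself builds on Windows only */
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
SECURITY_STATUS acquire_negotiate(const char *userp, const char *passwdp,
                                  CredHandle *cred)
{
  struct explicit_creds c;
  SEC_WINNT_AUTH_IDENTITY_A id = {0};
  TimeStamp expiry;
  void *auth_data = NULL;  /* NULL: credentials of the logon session */
  int rc = split_userpwd(userp, passwdp, &c);
  if(rc < 0) return SEC_E_UNKNOWN_CREDENTIALS;
  if(rc == 1) {            /* explicit user: hand SSPI an identity struct */
    id.User = (unsigned char *)c.user;
    id.UserLength = (unsigned long)strlen(c.user);
    id.Domain = (unsigned char *)c.domain;
    id.DomainLength = (unsigned long)strlen(c.domain);
    id.Password = (unsigned char *)c.passwd;
    id.PasswordLength = (unsigned long)strlen(c.passwd);
    id.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    auth_data = &id;
  }
  return AcquireCredentialsHandleA(NULL, (SEC_CHAR *)"Negotiate",
    SECPKG_CRED_OUTBOUND, NULL, auth_data, NULL, NULL, cred, &expiry);
}
#endif
```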