
Re: [PATCH 2/5] Use SPNEGO for HTTP Negotiate

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Fri, 11 Jul 2014 20:15:29 +0200

Am 2014-07-11 13:28, schrieb David Woodhouse:
> From: David Woodhouse <David.Woodhouse_at_intel.com>
>

You can safely remove this from http_negotiate.c because the caller
already checks that:

  if(checkprefix("GSS-Negotiate", header)) {
     protocol = "GSS-Negotiate";
     gss = TRUE;
   }
   else if(checkprefix("Negotiate", header)) {
     protocol = "Negotiate";
     gss = FALSE;
   }
   else
     return -1;

   if(neg_ctx->context) {
     if(neg_ctx->gss != gss) {
       return -1;
     }
   }

In http.c, that is absolutely useless
     if(checkprefix("GSS-Negotiate", auth) ||

because there is no such auth type.

I would even deprecate the option CURLAUTH_GSSNEGOTIATE and make it an
alias for CURLAUTH_NEGOTIATE for two reasons:

1. CURLAUTH_GSSNEGOTIATE: Not nice on Windows and the user should not
care what is beneath.
2. There is simply no mech called GSS-Negotiate.

> ---
> lib/curl_gssapi.c | 9 ++++++++-
> lib/curl_gssapi.h | 1 +
> lib/http_negotiate.c | 1 +
> lib/krb5.c | 1 +
> lib/socks_gssapi.c | 1 +
> 5 files changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
> index fabbe35..79d09f2 100644
> --- a/lib/curl_gssapi.c
> +++ b/lib/curl_gssapi.c
> @@ -27,11 +27,18 @@
> #include "curl_gssapi.h"
> #include "sendf.h"
>
> +static const char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02";
> +static const gss_OID_desc gss_mech_spnego = {
> + 6,
> + &spnego_OID
> +};
> +
> OM_uint32 Curl_gss_init_sec_context(
> struct SessionHandle *data,
> OM_uint32 * minor_status,
> gss_ctx_id_t * context,
> gss_name_t target_name,
> + bool use_spnego,
> gss_channel_bindings_t input_chan_bindings,
> gss_buffer_t input_token,
> gss_buffer_t output_token,
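Review bot: In the `gss_mech_spnego` initializer, `&spnego_OID` is a pointer to the whole array (type `const char (*)[7]`), not a pointer to its first byte; it carries the same address so it works at run time, but `spnego_OID`, which decays to `const char *`, is what the `elements` member represents and is the clearer form. The `const` qualifiers are the more likely build problem: as far as I know `elements` is a plain `void *` in both the MIT and Heimdal `gss_OID_desc`, so the initializer discards a qualifier, and the `&gss_mech_spnego` passed as the non-const `gss_OID mech_type` argument in the next hunk (`@@ -55,7 +62,7 @@`) discards it again, giving discarded-qualifier warnings in both places. Dropping the qualifiers, `static char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02";` and `static gss_OID_desc gss_mech_spnego = { 6, spnego_OID };`, resolves both; if read-only OID storage is preferred, keep the data `const` and cast once at the point of use instead. The body of `Curl_gss_init_sec_context` continues past this hunk.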
> @@ -55,7 +62,7 @@ OM_uint32 Curl_gss_init_sec_context(
> GSS_C_NO_CREDENTIAL, /* cred_handle */
> context,
> target_name,
> - GSS_C_NO_OID, /* mech_type */
> + use_spnego ? &gss_mech_spnego : GSS_C_NO_OID,
> req_flags,
> 0, /* time_req */
> input_chan_bindings,
> diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
> index ed33b51..5af7a02 100644
> --- a/lib/curl_gssapi.h
> +++ b/lib/curl_gssapi.h
> @@ -47,6 +47,7 @@ OM_uint32 Curl_gss_init_sec_context(
> OM_uint32 * minor_status,
> gss_ctx_id_t * context,
> gss_name_t target_name,
> + bool use_spnego,
> gss_channel_bindings_t input_chan_bindings,
> gss_buffer_t input_token,
> gss_buffer_t output_token,
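Review bot: The new `use_spnego` parameter is added to the public prototype without any note on what it selects, and the header is where callers will look first. A one-line comment beside it, `/* use_spnego: TRUE requests the SPNEGO mechanism (OID 1.3.6.1.5.5.2); FALSE passes GSS_C_NO_OID so the library chooses its default mechanism */`, records the two behaviors the curl_gssapi.c hunk implements. The prototype this parameter belongs to starts outside the hunk.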
> diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
> index ccd005b..9b01e0a 100644
> --- a/lib/http_negotiate.c
> +++ b/lib/http_negotiate.c
> @@ -184,6 +184,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
> &minor_status,
> &neg_ctx->context,
> neg_ctx->server_name,
> + TRUE,
> GSS_C_NO_CHANNEL_BINDINGS,
> &input_token,
> &output_token,
> diff --git a/lib/krb5.c b/lib/krb5.c
> index 1643f11..9a36af1 100644
> --- a/lib/krb5.c
> +++ b/lib/krb5.c
> @@ -236,6 +236,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
> &min,
> context,
> gssname,
> + FALSE,
> &chan,
> gssresp,
> &output_buffer,
> diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
> index 1f840bd..0a35dfa 100644
> --- a/lib/socks_gssapi.c
> +++ b/lib/socks_gssapi.c
> @@ -181,6 +181,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
> &gss_minor_status,
> &gss_context,
> server,
> + FALSE,
> NULL,
> gss_token,
> &gss_send_token,
>

I don't like that code change. It can be done better.

In curl_gssapi.h you should do:

#ifdef HAVE_GSSAPI
#ifndef SPNEGO_MECHANISM
static gss_OID_desc spnego_mech_oid = { 6, "\x2b\x06\x01\x05\x05\x02" };
#define SPNEGO_MECHANISM &spnego_mech_oid
#endif
#ifndef KRB5_MECHANISM
static gss_OID_desc krb5_mech_oid = { 6, ... };
#define KRB5_MECHANISM &krb5_mech_oid
#endif

/* now the signature of Curl_gss_init_sec_context */

OM_uint32 Curl_gss_init_sec_context(
     struct SessionHandle *data,
     OM_uint32 * minor_status,
     gss_ctx_id_t * context,
     gss_name_t target_name,
     gss_OID mech_type,
     gss_channel_bindings_t input_chan_bindings,
     gss_buffer_t input_token,
     gss_buffer_t output_token,
     OM_uint32 * ret_flags);

#endif

This gives you the ability to use any mech and to indicate clearly which one
is used: GSS_KRB5_MECHANISM for FTP and SOCKS, and GSS_SPNEGO_MECHANISM for
HTTP. You may even define NTLM_MECHANISM for your custom GSS NTLMSSP.

What do you think?

Michael