curl-library

Re: [PATCH] SF bug #1302: HTTP Auth Negotiate sends Kerberos token instead of SPNEGO token

From: David Woodhouse <dwmw2_at_infradead.org>
Date: Sat, 12 Jul 2014 16:58:44 +0100

On Fri, 2014-07-11 at 22:47 +0200, Michael Osipov wrote:
> On 2014-07-11 20:41, David Woodhouse wrote:
> > On Fri, 2014-07-11 at 20:09 +0200, Michael Osipov wrote:
> >> On 2014-07-11 19:41, David Woodhouse wrote:
> >>> On Fri, 2014-07-11 at 19:17 +0200, Michael Osipov wrote:
> >>>> I would implement a fallback but provide two options where one should be
> >>>> picked and stuck to:
> >>>>
> >>>> 1. Discover SPNEGO capability at compile time with autoconf. GSS-API
> >>>> provides this option:
> >>>>
> >>>> OM_uint32 major, minor;
> >>>> gss_OID_set mech_set;
> >>>> major = gss_indicate_mechs(&minor, &mech_set);
> >>>>
> >>>> and then you can test for the set members with a default function.
> >>>
> >>> That doesn't work if you're cross-compiling. It's best to avoid tests
> >>> that you have to *run* at configure time, if we can.
> >>
> >> hmm...configure.ac *does* already do some compile checks. E.g.,
> >> "[if you have an old MIT Kerberos version, lacking
> >> GSS_C_NT_HOSTBASED_SERVICE])"
> >>
> >> But if this is a problem, we can omit this compile time check.
> >
> > Compile checks are fine. It's AC_TRY_RUN which is an abomination and
> > should be avoided at all costs. Unless I misunderstood, your suggestion
> > was that we not only *compile* something for the target, but also try to
> > *run* it. Which isn't possible if we're cross-compiling.
>
> Can you explain why AC_TRY_RUN is bad? I have never written a
> complete configure.ac script, only used it.

Because if you're cross-compiling, you probably *can't* run anything
that you've compiled for the target.

When I spent my entire life working on embedded Linux, AC_TRY_RUN was
the bane of my existence.

> > So what *do* we want to do on top of the patch set I posted? Just add
> > support for '{Proxy,WWW}-Authenticate: Kerberos'?
>
> I would rather do that after this patch has been tested, approved and
> committed. This is the safest way to implement that improvement on top.
> I don't like to fix two things in one big patch. It ends up in a mess.

Pfft. It's a set of 7 patches in my tree already; what's wrong with
making it 8? :)

-- 
dwmw2

Received on 2014-07-12
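
Added example, not part of the original mail or of curl's code: the bug in the subject line comes down to which mechanism OID leads the token sent in the Negotiate header, so this C function classifies an already base64-decoded initial GSS-API token as SPNEGO or raw Kerberos 5. The function name, the enum and the sample byte strings are constructed for illustration; the framing follows RFC 2743 section 3.1.

```c
/* Added example. Initial context token framing (RFC 2743, 3.1):
   0x60 <DER length> 0x06 <OID length> <mechanism OID> <mechanism data> */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum mech { MECH_INVALID, MECH_SPNEGO, MECH_KRB5, MECH_OTHER };

static const unsigned char OID_SPNEGO[] = /* 1.3.6.1.5.5.2 */
  { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static const unsigned char OID_KRB5[] =   /* 1.2.840.113554.1.2.2 */
  { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };

/* Constructed samples: real framing, mechanism data cut to two bytes */
static const unsigned char SAMPLE_SPNEGO[] =
  { 0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, 0xa0, 0x00 };
static const unsigned char SAMPLE_KRB5[] =
  { 0x60, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02,
    0x02, 0x01, 0x00 };

enum mech classify_token(const unsigned char *p, size_t n)
{
  size_t i = 0, len, nlen;
  if(n < 2 || p[i++] != 0x60)          /* [APPLICATION 0] wrapper tag */
    return MECH_INVALID;
  len = p[i++];
  if(len & 0x80) {                     /* long-form DER length */
    nlen = len & 0x7f;
    if(nlen == 0 || nlen > sizeof(size_t) || nlen > n - i)
      return MECH_INVALID;
    for(len = 0; nlen; nlen--)
      len = (len << 8) | p[i++];
  }
  if(len > n - i)                      /* declared length must fit buffer */
    return MECH_INVALID;
  n = i + len;                         /* stay inside the declared token */
  if(n - i < 2 || p[i++] != 0x06)      /* OBJECT IDENTIFIER tag */
    return MECH_INVALID;
  len = p[i++];
  if((len & 0x80) || len > n - i)      /* mechanism OIDs are short-form */
    return MECH_INVALID;
  if(len == sizeof(OID_SPNEGO) && !memcmp(p + i, OID_SPNEGO, len))
    return MECH_SPNEGO;
  if(len == sizeof(OID_KRB5) && !memcmp(p + i, OID_KRB5, len))
    return MECH_KRB5;
  return MECH_OTHER;
}

int main(void)
{
  printf("%d %d\n", classify_token(SAMPLE_SPNEGO, sizeof(SAMPLE_SPNEGO)),
         classify_token(SAMPLE_KRB5, sizeof(SAMPLE_KRB5)));
  return 0;
}
```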