cURL / Mailing Lists / curl-library / Single Mail


[Patch] Negotiate - avoid empty request if CURLAUTH_NEGOTIATE is explicitly picked.

From: Isaac Boukris <>
Date: Sun, 8 Feb 2015 04:04:02 +0200

Hi all,

When the app sets CURLOPT_HTTPAUTH to CURLAUTH_NEGOTIATE (e.g. using curl
--negotiate) it first sends an empty request and receives a 401
unauthorized before invoking GSS-API to the 'Negotiate Authorization'

This is different from the behavior of NTLM and Basic and seem unnecessary
unless one set CURLAUTH_ANY (curl --anyauth) or any other 'set' of auth
Also, it doesn't seem to have been the initial intention - see this quote
from the comment in the source (http.c):
"Then we set the picked one to the want one, and if this is one single bit
it'll be used instantly."

In fact, this causes a funny bug when using CURLAUTH_ANY and the server
sends 'Negotiate' there would be two 401 response before it starts to send
the 'Negotiate Authorization' header.

I've been working this weekend on the attached patch, with these changes
most of the logic is done at 'Curl_output_negotiate' instead of
'Curl_input_negotiate' which only takes server's answer.
It saves the extra round trip when using Negotiate (either explicitly or in
CURLAUTH_ANY flow) and aligns the behavior with other protocols.

I've run quite several tests (with valgrind) of NTLM and Kerberos with
Heimdal Kerberos GSSAPI library (also tested NTLM inside Negotiate with
Heimdal's NTLMSSP).

Note, I noticed some recent changes in 'http_negotiate.c', so I've updated
my source and adapted my changes but I encounter some errors which I could
not reproduce later.
When investigating, I noticed the new code seem not to add '+1' to
'spn_token.length' compare to the old code.
I am not sure it is related to the errors I saw and what's more correct but
I found this example which does add 1 to strlen:

I'd be happy to get feedback such as comments and corrections and to
eventually get this fix integrated into libcurl project.
Note, just before sending I noticed these changes would probably impact on
'http_negotiate_sspi.c' as well... I'll look at it if necessary.

Thanks a lot for the great and open software.

Kind Regards,
Isaac B.

List admin:

Received on 2015-02-08