From 5128672731a5edef2c7526610584fef821ec2309 Mon Sep 17 00:00:00 2001
From: Michael Osipov <1983-01-06@gmx.net>
Date: Mon, 21 Jul 2014 09:53:44 +0200
Subject: [PATCH] HTTP: Remove checkprefix("GSS-Negotiate")

That auth mech has never existed neither on MS nor on Unix side. There is only Negotiate over SPNEGO.
---
 lib/http.c | 5 ++---
 lib/http_negotiate.c | 43 ++++---------------------------
 lib/http_negotiate_sspi.c | 45 ++++-----------------------------------
 lib/urldata.h | 6 ++----
 4 files changed, 12 insertions(+), 87 deletions(-)

diff --git a/lib/http.c b/lib/http.c
index 4931dd897..8cd15dece 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -571,7 +571,7 @@ output_auth_headers(struct connectdata *conn,
 negdata->state = GSS_AUTHNONE;
 if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) && negdata->context && !GSS_ERROR(negdata->status)) {
- auth="GSS-Negotiate";
+ auth="Negotiate";
 result = Curl_output_negotiate(conn, proxy);
 if(result)
 return result;
@@ -772,8 +772,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
 while(*auth) {
 #ifdef USE_HTTP_NEGOTIATE
- if(checkprefix("GSS-Negotiate", auth) ||
- checkprefix("Negotiate", auth)) {
+ if(checkprefix("Negotiate", auth)) {
 int neg;
 *availp |= CURLAUTH_GSSNEGOTIATE;
 authp->avail |= CURLAUTH_GSSNEGOTIATE;
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index dc2bb383d..f5e9252eb 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
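Review bot: The scheme name is now spelled as a bare string literal in several independent places — `auth="Negotiate";` in the first hunk and `checkprefix("Negotiate", auth)` in the second here, plus the `strlen("Negotiate")` skip and the `Authorization: Negotiate %s` format string in both negotiate backends (lib/http_negotiate.c and lib/http_negotiate_sspi.c) — once the commit drops the `protocol` field that used to carry it. A single shared definition, e.g. `#define NEGOTIATE_SCHEME "Negotiate"` in the header both backends include, would keep the prefix check, the skip length and the emitted header name from drifting apart if the token is ever touched again. Both output_auth_headers and Curl_http_input_auth start and end outside their hunks.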
@@ -53,19 +53,7 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
 OM_uint32 major_status, minor_status;
 gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
 char name[2048];
- const char* service;
-
- /* GSSAPI implementation by Globus (known as GSI) requires the name to be
- of form "/" instead of @ (ie. slash instead
- of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
- Change following lines if you want to use GSI */
-
- /* IIS uses the @ form but uses 'http' as the service name */
-
- if(neg_ctx->gss)
- service = "KHTTP";
- else
- service = "HTTP";
+ const char* service = "HTTP";
 token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1;
@@ -128,31 +116,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 int ret;
 size_t len;
 size_t rawlen = 0;
- bool gss;
- const char* protocol;
 CURLcode error;
- if(checkprefix("GSS-Negotiate", header)) {
- protocol = "GSS-Negotiate";
- gss = TRUE;
- }
- else if(checkprefix("Negotiate", header)) {
- protocol = "Negotiate";
- gss = FALSE;
- }
- else
- return -1;
-
- if(neg_ctx->context) {
- if(neg_ctx->gss != gss) {
- return -1;
- }
- }
- else {
- neg_ctx->protocol = protocol;
- neg_ctx->gss = gss;
- }
-
 if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
 /* We finished successfully our part of authentication, but server
 * rejected it (since we're again here). Exit with an error since we
@@ -165,7 +130,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 (ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
 return ret;
- header += strlen(neg_ctx->protocol);
+ header += strlen("Negotiate");
 while(*header && ISSPACE(*header))
 header++;
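Review bot: Curl_input_negotiate no longer checks that `header` actually starts with the scheme token before the later hunk's `header += strlen("Negotiate");` advances the pointer unconditionally, so the function now depends entirely on its caller having done the `checkprefix` (the lib/http.c hunk does it just before what looks like the call site, but any other caller handing in a shorter or differently-prefixed value could step past the terminating NUL and the following `while(*header && ISSPACE(*header))` would read out of bounds). Keeping a guard at the top of the function, `if(!checkprefix("Negotiate", header)) return -1;`, preserves the old -1 contract for bad input and keeps the skip length self-consistent with the check. The same applies to the SSPI Curl_input_negotiate hunks in lib/http_negotiate_sspi.c. The body of Curl_input_negotiate continues outside both hunks.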
@@ -238,8 +203,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
 return CURLE_REMOTE_ACCESS_DENIED;
 }
- userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
- neg_ctx->protocol, encoded);
+ userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
+ encoded);
 if(proxy) {
 Curl_safefree(conn->allocptr.proxyuserpwd);
 conn->allocptr.proxyuserpwd = userp;
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
index 236766b16..2bf131f90 100644
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -45,27 +45,13 @@ static int get_gss_name(struct connectdata *conn, bool proxy,
 struct negotiatedata *neg_ctx)
 {
- const char* service;
+ const char* service = "HTTP";
 size_t length;
 if(proxy && !conn->proxy.name)
 /* proxy auth requested but no given proxy name, error out! */
 return -1;
- /* GSSAPI implementation by Globus (known as GSI) requires the name to be
- of form "/" instead of @ (ie. slash instead
- of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
- Change following lines if you want to use GSI */
-
- /* IIS uses the @ form but uses 'http' as the service name,
- and SSPI then generates an NTLM token. When using / a
- Kerberos token is generated. */
-
- if(neg_ctx->gss)
- service = "KHTTP";
- else
- service = "HTTP";
-
 length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1;
 if(length + 1 > sizeof(neg_ctx->server_name))
@@ -94,31 +80,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 TCHAR *sname;
 int ret;
 size_t len = 0, input_token_len = 0;
- bool gss = FALSE;
- const char* protocol;
 CURLcode error;
- if(checkprefix("GSS-Negotiate", header)) {
- protocol = "GSS-Negotiate";
- gss = TRUE;
- }
- else if(checkprefix("Negotiate", header)) {
- protocol = "Negotiate";
- gss = FALSE;
- }
- else
- return -1;
-
- if(neg_ctx->context) {
- if(neg_ctx->gss != gss) {
- return -1;
- }
- }
- else {
- neg_ctx->protocol = protocol;
- neg_ctx->gss = gss;
- }
-
 if(neg_ctx->context && neg_ctx->status == SEC_E_OK) {
 /* We finished successfully our part of authentication, but server
 * rejected it (since we're again here). Exit with an error since we
@@ -148,7 +111,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 }
 /* Obtain the input token, if any */
- header += strlen(neg_ctx->protocol);
+ header += strlen("Negotiate");
 while(*header && ISSPACE(*header))
 header++;
@@ -260,8 +223,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
 if(len == 0)
 return CURLE_REMOTE_ACCESS_DENIED;
- userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
- neg_ctx->protocol, encoded);
+ userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
+ encoded);
 if(proxy)
 conn->allocptr.proxyuserpwd = userp;
diff --git a/lib/urldata.h b/lib/urldata.h
index ebdad803d..3ed7292d3 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
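Review bot: In the Curl_output_negotiate hunk, `if(proxy) conn->allocptr.proxyuserpwd = userp;` overwrites whatever header string an earlier round left in `proxyuserpwd` without freeing it, whereas the GSSAPI counterpart in lib/http_negotiate.c calls `Curl_safefree(conn->allocptr.proxyuserpwd);` first; since the GSS_AUTHRECV/GSS_AUTHSENT state machine suggests this function can run more than once on a connection, the SSPI path appears to leak the previous allocation. Mirroring the GSSAPI version, `if(proxy) { Curl_safefree(conn->allocptr.proxyuserpwd); conn->allocptr.proxyuserpwd = userp; }`, closes that gap; the non-proxy branch and whatever handles a NULL `userp` from a failed aprintf lie outside the hunk, so they should get the same treatment. This is pre-existing rather than introduced here, but the hunk rewrites the adjacent line and the function continues past it.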
@@ -446,11 +446,9 @@ struct ntlmdata {
 #ifdef USE_HTTP_NEGOTIATE
 struct negotiatedata {
- /* when doing Negotiate we first need to receive an auth token and then we
- need to send our header */
+ /* When doing Negotiate (SPNEGO) auth, we first need to send a token
+ and then validate the received one. */
 enum { GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT } state;
- bool gss; /* Whether we're processing GSS-Negotiate or Negotiate */
- const char* protocol; /* "GSS-Negotiate" or "Negotiate" */
 #ifdef HAVE_GSSAPI
 OM_uint32 status;
 gss_ctx_id_t context;
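Review bot: The rewritten comment says the client first sends a token and then validates the received one, but the state enum directly below it runs GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT, and the lib/http.c hunk only calls Curl_output_negotiate once `negdata->context` exists, i.e. after Curl_input_negotiate has processed a received `Negotiate` header — the order the old comment described. Suggest `/* When doing Negotiate (SPNEGO) auth, we first need to receive and process the server's token (GSS_AUTHRECV) and then send our own Authorization header (GSS_AUTHSENT). */` so the comment and the enum agree; a comment that inverts the flow is worse than none when the `gss`/`protocol` fields that used to hint at it are gone.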