HTTP: Remove checkprefix("GSS-Negotiate")
That auth mechanism has never existed, neither on the MS nor on the Unix side. There is only Negotiate over SPNEGO.
parent
eda12bcff8
commit
5128672731
@ -571,7 +571,7 @@ output_auth_headers(struct connectdata *conn,
|
|||||||
negdata->state = GSS_AUTHNONE;
|
negdata->state = GSS_AUTHNONE;
|
||||||
if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
|
if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
|
||||||
negdata->context && !GSS_ERROR(negdata->status)) {
|
negdata->context && !GSS_ERROR(negdata->status)) {
|
||||||
auth="GSS-Negotiate";
|
auth="Negotiate";
|
||||||
result = Curl_output_negotiate(conn, proxy);
|
result = Curl_output_negotiate(conn, proxy);
|
||||||
if(result)
|
if(result)
|
||||||
return result;
|
return result;
|
||||||
@ -772,8 +772,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
|
|||||||
|
|
||||||
while(*auth) {
|
while(*auth) {
|
||||||
#ifdef USE_HTTP_NEGOTIATE
|
#ifdef USE_HTTP_NEGOTIATE
|
||||||
if(checkprefix("GSS-Negotiate", auth) ||
|
if(checkprefix("Negotiate", auth)) {
|
||||||
checkprefix("Negotiate", auth)) {
|
|
||||||
int neg;
|
int neg;
|
||||||
*availp |= CURLAUTH_GSSNEGOTIATE;
|
*availp |= CURLAUTH_GSSNEGOTIATE;
|
||||||
authp->avail |= CURLAUTH_GSSNEGOTIATE;
|
authp->avail |= CURLAUTH_GSSNEGOTIATE;
|
||||||
|
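Review bot: The new condition in this hunk, `if(checkprefix("Negotiate", auth)) {`, still accepts any scheme token that merely begins with that prefix, because nothing examines the character that follows it; if checkprefix is the case-insensitive prefix compare it appears to be, a longer unrelated token starting with the same letters would be classified as Negotiate and would set CURLAUTH_GSSNEGOTIATE in `*availp` and `authp->avail`. A scheme token in a WWW-Authenticate/Proxy-Authenticate value is delimited by whitespace (or ends the string), so the match can require that with `if(checkprefix("Negotiate", auth) && (!auth[9] || ISSPACE(auth[9]))) {` where 9 is strlen("Negotiate") and ISSPACE is the macro the Negotiate hunks already use, assuming it is in scope in this file. This weakness predates the commit, but the commit is the point where the prefix set is being narrowed, so it is the natural place to tighten it. Curl_http_input_auth's body starts and continues outside this hunk.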
@ -53,19 +53,7 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
|
|||||||
OM_uint32 major_status, minor_status;
|
OM_uint32 major_status, minor_status;
|
||||||
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
|
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
|
||||||
char name[2048];
|
char name[2048];
|
||||||
const char* service;
|
const char* service = "HTTP";
|
||||||
|
|
||||||
/* GSSAPI implementation by Globus (known as GSI) requires the name to be
|
|
||||||
of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
|
|
||||||
of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
|
|
||||||
Change following lines if you want to use GSI */
|
|
||||||
|
|
||||||
/* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
|
|
||||||
|
|
||||||
if(neg_ctx->gss)
|
|
||||||
service = "KHTTP";
|
|
||||||
else
|
|
||||||
service = "HTTP";
|
|
||||||
|
|
||||||
token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
|
token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
|
||||||
conn->host.name) + 1;
|
conn->host.name) + 1;
|
||||||
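Review bot: The comment block deleted ahead of `const char* service = "HTTP";` was the only text in get_gss_name that explained the target-name format (the deleted lines say the name is built as `<service>@<fqdn>` rather than `<service>/<fqdn>`), and the SSPI counterpart (hunk `@ -45,27 +45,13 @@`) also drops the remark that with SSPI the `@` form yields an NTLM token while the `/` form yields a Kerberos one; once the service string is a fixed constant that reasoning is no longer recoverable from the code. A one-line comment would preserve it, e.g. `/* target name is "HTTP@<fqdn>" (service@host); under SSPI the '@' form selects an NTLM token, the '/' form a Kerberos one */`, adjusted to whatever format string the rest of the function actually uses, since that line is outside this hunk. Writing the declaration as `const char *service = "HTTP";` would also match the pointer style of the surrounding code. Any bounds check of token.length against `name` is outside this hunk as well.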
@ -128,31 +116,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|||||||
int ret;
|
int ret;
|
||||||
size_t len;
|
size_t len;
|
||||||
size_t rawlen = 0;
|
size_t rawlen = 0;
|
||||||
bool gss;
|
|
||||||
const char* protocol;
|
|
||||||
CURLcode error;
|
CURLcode error;
|
||||||
|
|
||||||
if(checkprefix("GSS-Negotiate", header)) {
|
|
||||||
protocol = "GSS-Negotiate";
|
|
||||||
gss = TRUE;
|
|
||||||
}
|
|
||||||
else if(checkprefix("Negotiate", header)) {
|
|
||||||
protocol = "Negotiate";
|
|
||||||
gss = FALSE;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
if(neg_ctx->context) {
|
|
||||||
if(neg_ctx->gss != gss) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
neg_ctx->protocol = protocol;
|
|
||||||
neg_ctx->gss = gss;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
|
if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
|
||||||
/* We finished successfully our part of authentication, but server
|
/* We finished successfully our part of authentication, but server
|
||||||
* rejected it (since we're again here). Exit with an error since we
|
* rejected it (since we're again here). Exit with an error since we
|
||||||
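Review bot: This hunk removes the only prefix validation inside Curl_input_negotiate (the old `if(checkprefix("GSS-Negotiate", header)) … else if(checkprefix("Negotiate", header)) … else return -1;` chain), so the function now silently assumes its `header` argument starts with "Negotiate"; the following hunk (`@ -165,7 +130,7 @@`) then skips it unconditionally with `header += strlen("Negotiate");`, and the SSPI Curl_input_negotiate does the same in hunks `@ -94,31 +80,8 @@` and `@ -148,7 +111,7 @@`. The caller in Curl_http_input_auth appears to invoke it only after its own checkprefix, but that precondition is no longer stated anywhere, and a future caller passing a shorter or differently prefixed header could advance past the terminator before the ISSPACE loop reads it. Either keep a cheap guard ahead of the advance, `if(!checkprefix("Negotiate", header)) return -1;`, or at least record the contract there: `/* caller (Curl_http_input_auth) has already verified the "Negotiate" prefix */`. The function begins and ends outside this hunk.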
@ -165,7 +130,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|||||||
(ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
|
(ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
header += strlen(neg_ctx->protocol);
|
header += strlen("Negotiate");
|
||||||
while(*header && ISSPACE(*header))
|
while(*header && ISSPACE(*header))
|
||||||
header++;
|
header++;
|
||||||
|
|
||||||
@ -238,8 +203,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
|
|||||||
return CURLE_REMOTE_ACCESS_DENIED;
|
return CURLE_REMOTE_ACCESS_DENIED;
|
||||||
}
|
}
|
||||||
|
|
||||||
userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
|
userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
|
||||||
neg_ctx->protocol, encoded);
|
encoded);
|
||||||
if(proxy) {
|
if(proxy) {
|
||||||
Curl_safefree(conn->allocptr.proxyuserpwd);
|
Curl_safefree(conn->allocptr.proxyuserpwd);
|
||||||
conn->allocptr.proxyuserpwd = userp;
|
conn->allocptr.proxyuserpwd = userp;
|
||||||
|
@ -45,27 +45,13 @@ static int
|
|||||||
get_gss_name(struct connectdata *conn, bool proxy,
|
get_gss_name(struct connectdata *conn, bool proxy,
|
||||||
struct negotiatedata *neg_ctx)
|
struct negotiatedata *neg_ctx)
|
||||||
{
|
{
|
||||||
const char* service;
|
const char* service = "HTTP";
|
||||||
size_t length;
|
size_t length;
|
||||||
|
|
||||||
if(proxy && !conn->proxy.name)
|
if(proxy && !conn->proxy.name)
|
||||||
/* proxy auth requested but no given proxy name, error out! */
|
/* proxy auth requested but no given proxy name, error out! */
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
/* GSSAPI implementation by Globus (known as GSI) requires the name to be
|
|
||||||
of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
|
|
||||||
of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
|
|
||||||
Change following lines if you want to use GSI */
|
|
||||||
|
|
||||||
/* IIS uses the <service>@<fqdn> form but uses 'http' as the service name,
|
|
||||||
and SSPI then generates an NTLM token. When using <service>/<fqdn> a
|
|
||||||
Kerberos token is generated. */
|
|
||||||
|
|
||||||
if(neg_ctx->gss)
|
|
||||||
service = "KHTTP";
|
|
||||||
else
|
|
||||||
service = "HTTP";
|
|
||||||
|
|
||||||
length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
|
length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
|
||||||
conn->host.name) + 1;
|
conn->host.name) + 1;
|
||||||
if(length + 1 > sizeof(neg_ctx->server_name))
|
if(length + 1 > sizeof(neg_ctx->server_name))
|
||||||
@ -94,31 +80,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|||||||
TCHAR *sname;
|
TCHAR *sname;
|
||||||
int ret;
|
int ret;
|
||||||
size_t len = 0, input_token_len = 0;
|
size_t len = 0, input_token_len = 0;
|
||||||
bool gss = FALSE;
|
|
||||||
const char* protocol;
|
|
||||||
CURLcode error;
|
CURLcode error;
|
||||||
|
|
||||||
if(checkprefix("GSS-Negotiate", header)) {
|
|
||||||
protocol = "GSS-Negotiate";
|
|
||||||
gss = TRUE;
|
|
||||||
}
|
|
||||||
else if(checkprefix("Negotiate", header)) {
|
|
||||||
protocol = "Negotiate";
|
|
||||||
gss = FALSE;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
if(neg_ctx->context) {
|
|
||||||
if(neg_ctx->gss != gss) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
neg_ctx->protocol = protocol;
|
|
||||||
neg_ctx->gss = gss;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(neg_ctx->context && neg_ctx->status == SEC_E_OK) {
|
if(neg_ctx->context && neg_ctx->status == SEC_E_OK) {
|
||||||
/* We finished successfully our part of authentication, but server
|
/* We finished successfully our part of authentication, but server
|
||||||
* rejected it (since we're again here). Exit with an error since we
|
* rejected it (since we're again here). Exit with an error since we
|
||||||
@ -148,7 +111,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Obtain the input token, if any */
|
/* Obtain the input token, if any */
|
||||||
header += strlen(neg_ctx->protocol);
|
header += strlen("Negotiate");
|
||||||
while(*header && ISSPACE(*header))
|
while(*header && ISSPACE(*header))
|
||||||
header++;
|
header++;
|
||||||
|
|
||||||
@ -260,8 +223,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
|
|||||||
if(len == 0)
|
if(len == 0)
|
||||||
return CURLE_REMOTE_ACCESS_DENIED;
|
return CURLE_REMOTE_ACCESS_DENIED;
|
||||||
|
|
||||||
userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
|
userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
|
||||||
neg_ctx->protocol, encoded);
|
encoded);
|
||||||
|
|
||||||
if(proxy)
|
if(proxy)
|
||||||
conn->allocptr.proxyuserpwd = userp;
|
conn->allocptr.proxyuserpwd = userp;
|
||||||
|
@ -446,11 +446,9 @@ struct ntlmdata {
|
|||||||
|
|
||||||
#ifdef USE_HTTP_NEGOTIATE
|
#ifdef USE_HTTP_NEGOTIATE
|
||||||
struct negotiatedata {
|
struct negotiatedata {
|
||||||
/* when doing Negotiate we first need to receive an auth token and then we
|
/* When doing Negotiate (SPNEGO) auth, we first need to send a token
|
||||||
need to send our header */
|
and then validate the received one. */
|
||||||
enum { GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT } state;
|
enum { GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT } state;
|
||||||
bool gss; /* Whether we're processing GSS-Negotiate or Negotiate */
|
|
||||||
const char* protocol; /* "GSS-Negotiate" or "Negotiate" */
|
|
||||||
#ifdef HAVE_GSSAPI
|
#ifdef HAVE_GSSAPI
|
||||||
OM_uint32 status;
|
OM_uint32 status;
|
||||||
gss_ctx_id_t context;
|
gss_ctx_id_t context;
|
||||||
|
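Review bot: The rewritten comment on `struct negotiatedata` (`When doing Negotiate (SPNEGO) auth, we first need to send a token and then validate the received one.`) describes the exchange in the opposite order from the text it replaces, while the enumerator list on the next line still reads `GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT` with no per-state description, so a reader cannot tell which order the states actually encode. Documenting each enumerator where it is declared, for instance `GSS_AUTHRECV, /* challenge token received from the server */` and `GSS_AUTHSENT /* our Authorization token has been sent */` (adjusted to the real transitions in http_negotiate.c), and making the prose agree with it would settle the question. The struct continues past the end of this hunk.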