mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

HTTP: Remove checkprefix("GSS-Negotiate")

That auth mech has never existed, neither on the MS nor on the Unix side.
There is only Negotiate over SPNEGO.
Michael Osipov 2014-07-21 09:53:44 +02:00 committed by Daniel Stenberg
parent eda12bcff8
commit 5128672731
4 changed files with 12 additions and 87 deletions


@ -571,7 +571,7 @@ output_auth_headers(struct connectdata *conn,
negdata->state = GSS_AUTHNONE; negdata->state = GSS_AUTHNONE;
if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) && if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
negdata->context && !GSS_ERROR(negdata->status)) { negdata->context && !GSS_ERROR(negdata->status)) {
auth="GSS-Negotiate"; auth="Negotiate";
result = Curl_output_negotiate(conn, proxy); result = Curl_output_negotiate(conn, proxy);
if(result) if(result)
return result; return result;
@ -772,8 +772,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
while(*auth) { while(*auth) {
#ifdef USE_HTTP_NEGOTIATE #ifdef USE_HTTP_NEGOTIATE
if(checkprefix("GSS-Negotiate", auth) || if(checkprefix("Negotiate", auth)) {
checkprefix("Negotiate", auth)) {
int neg; int neg;
*availp |= CURLAUTH_GSSNEGOTIATE; *availp |= CURLAUTH_GSSNEGOTIATE;
authp->avail |= CURLAUTH_GSSNEGOTIATE; authp->avail |= CURLAUTH_GSSNEGOTIATE;
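Review bot: The new test in Curl_http_input_auth, `if(checkprefix("Negotiate", auth)) {`, accepts any scheme token that merely starts with "Negotiate", so a longer scheme name sharing that prefix would also set CURLAUTH_GSSNEGOTIATE in `*availp` and `authp->avail`. Now that only one spelling is recognised, the match could require a token boundary after the ninth character, e.g. `if(checkprefix("Negotiate", auth) && (!auth[9] || auth[9] == ',' || ISSPACE(auth[9]))) {`. The loop body continues outside the hunk, so how the rest of the header value is consumed is not visible here.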


@ -53,19 +53,7 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
OM_uint32 major_status, minor_status; OM_uint32 major_status, minor_status;
gss_buffer_desc token = GSS_C_EMPTY_BUFFER; gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
char name[2048]; char name[2048];
const char* service; const char* service = "HTTP";
/* GSSAPI implementation by Globus (known as GSI) requires the name to be
of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
Change following lines if you want to use GSI */
/* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
if(neg_ctx->gss)
service = "KHTTP";
else
service = "HTTP";
token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
conn->host.name) + 1; conn->host.name) + 1;
@ -128,31 +116,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
int ret; int ret;
size_t len; size_t len;
size_t rawlen = 0; size_t rawlen = 0;
bool gss;
const char* protocol;
CURLcode error; CURLcode error;
if(checkprefix("GSS-Negotiate", header)) {
protocol = "GSS-Negotiate";
gss = TRUE;
}
else if(checkprefix("Negotiate", header)) {
protocol = "Negotiate";
gss = FALSE;
}
else
return -1;
if(neg_ctx->context) {
if(neg_ctx->gss != gss) {
return -1;
}
}
else {
neg_ctx->protocol = protocol;
neg_ctx->gss = gss;
}
if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) { if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
/* We finished successfully our part of authentication, but server /* We finished successfully our part of authentication, but server
* rejected it (since we're again here). Exit with an error since we * rejected it (since we're again here). Exit with an error since we
@ -165,7 +130,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
(ret = get_gss_name(conn, proxy, &neg_ctx->server_name))) (ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
return ret; return ret;
header += strlen(neg_ctx->protocol); header += strlen("Negotiate");
while(*header && ISSPACE(*header)) while(*header && ISSPACE(*header))
header++; header++;
@ -238,8 +203,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
return CURLE_REMOTE_ACCESS_DENIED; return CURLE_REMOTE_ACCESS_DENIED;
} }
userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
neg_ctx->protocol, encoded); encoded);
if(proxy) { if(proxy) {
Curl_safefree(conn->allocptr.proxyuserpwd); Curl_safefree(conn->allocptr.proxyuserpwd);
conn->allocptr.proxyuserpwd = userp; conn->allocptr.proxyuserpwd = userp;
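Review bot: Curl_input_negotiate no longer validates the scheme itself: with the `checkprefix` block removed, `header += strlen("Negotiate");` advances nine bytes unconditionally and relies on every caller having matched the prefix first. Curl_http_input_auth tests the prefix before what is presumably the call, but if the function were ever reached with a shorter string the pointer would move past the terminator before the `ISSPACE` loop reads it. Keeping a one-line guard ahead of the skip, `if(!checkprefix("Negotiate", header)) return -1;`, would preserve the old rejection path. The same applies to the identical change in the SSPI variant of this function; in both files the function body starts and ends outside the hunk.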


@ -45,27 +45,13 @@ static int
get_gss_name(struct connectdata *conn, bool proxy, get_gss_name(struct connectdata *conn, bool proxy,
struct negotiatedata *neg_ctx) struct negotiatedata *neg_ctx)
{ {
const char* service; const char* service = "HTTP";
size_t length; size_t length;
if(proxy && !conn->proxy.name) if(proxy && !conn->proxy.name)
/* proxy auth requested but no given proxy name, error out! */ /* proxy auth requested but no given proxy name, error out! */
return -1; return -1;
/* GSSAPI implementation by Globus (known as GSI) requires the name to be
of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
Change following lines if you want to use GSI */
/* IIS uses the <service>@<fqdn> form but uses 'http' as the service name,
and SSPI then generates an NTLM token. When using <service>/<fqdn> a
Kerberos token is generated. */
if(neg_ctx->gss)
service = "KHTTP";
else
service = "HTTP";
length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
conn->host.name) + 1; conn->host.name) + 1;
if(length + 1 > sizeof(neg_ctx->server_name)) if(length + 1 > sizeof(neg_ctx->server_name))
@ -94,31 +80,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
TCHAR *sname; TCHAR *sname;
int ret; int ret;
size_t len = 0, input_token_len = 0; size_t len = 0, input_token_len = 0;
bool gss = FALSE;
const char* protocol;
CURLcode error; CURLcode error;
if(checkprefix("GSS-Negotiate", header)) {
protocol = "GSS-Negotiate";
gss = TRUE;
}
else if(checkprefix("Negotiate", header)) {
protocol = "Negotiate";
gss = FALSE;
}
else
return -1;
if(neg_ctx->context) {
if(neg_ctx->gss != gss) {
return -1;
}
}
else {
neg_ctx->protocol = protocol;
neg_ctx->gss = gss;
}
if(neg_ctx->context && neg_ctx->status == SEC_E_OK) { if(neg_ctx->context && neg_ctx->status == SEC_E_OK) {
/* We finished successfully our part of authentication, but server /* We finished successfully our part of authentication, but server
* rejected it (since we're again here). Exit with an error since we * rejected it (since we're again here). Exit with an error since we
@ -148,7 +111,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
} }
/* Obtain the input token, if any */ /* Obtain the input token, if any */
header += strlen(neg_ctx->protocol); header += strlen("Negotiate");
while(*header && ISSPACE(*header)) while(*header && ISSPACE(*header))
header++; header++;
@ -260,8 +223,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
if(len == 0) if(len == 0)
return CURLE_REMOTE_ACCESS_DENIED; return CURLE_REMOTE_ACCESS_DENIED;
userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
neg_ctx->protocol, encoded); encoded);
if(proxy) if(proxy)
conn->allocptr.proxyuserpwd = userp; conn->allocptr.proxyuserpwd = userp;
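Review bot: In the SSPI Curl_output_negotiate the proxy branch stores the new header with `conn->allocptr.proxyuserpwd = userp;` directly, whereas the GSS-API variant in this same commit calls `Curl_safefree(conn->allocptr.proxyuserpwd);` before the assignment. If a previously built header string is still held there (not visible from this hunk), it would be leaked on each round of the handshake; adding the same `Curl_safefree(conn->allocptr.proxyuserpwd);` line before the assignment would make the two files agree. The hunk also shows no NULL check on the `aprintf` result before it is stored; that may be handled after the hunk ends.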


@ -446,11 +446,9 @@ struct ntlmdata {
#ifdef USE_HTTP_NEGOTIATE #ifdef USE_HTTP_NEGOTIATE
struct negotiatedata { struct negotiatedata {
/* when doing Negotiate we first need to receive an auth token and then we /* When doing Negotiate (SPNEGO) auth, we first need to send a token
need to send our header */ and then validate the received one. */
enum { GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT } state; enum { GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT } state;
bool gss; /* Whether we're processing GSS-Negotiate or Negotiate */
const char* protocol; /* "GSS-Negotiate" or "Negotiate" */
#ifdef HAVE_GSSAPI #ifdef HAVE_GSSAPI
OM_uint32 status; OM_uint32 status;
gss_ctx_id_t context; gss_ctx_id_t context;