Use SPNEGO for HTTP Negotiate

This is the correct way to do SPNEGO. Just ask for it Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket isn't available. Of course, we bail out when the server responds with the challenge packet, since we don't expect that. But I'll fix that bug next...
2014-07-11 10:55:07 +01:00 · 2014-07-11 10:55:07 +01:00 · 59431c242b
parent 9ad282b1ae
commit 59431c242b
5 changed files with 12 additions and 1 deletions
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@ -27,11 +27,18 @@
 #include "curl_gssapi.h"
 #include "sendf.h"

+static const char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02";
+static const gss_OID_desc gss_mech_spnego = {
+  6,
+  &spnego_OID
+};
+
 OM_uint32 Curl_gss_init_sec_context(
    struct SessionHandle *data,
    OM_uint32 * minor_status,
    gss_ctx_id_t * context,
    gss_name_t target_name,
+    bool use_spnego,
    gss_channel_bindings_t input_chan_bindings,
    gss_buffer_t input_token,
    gss_buffer_t output_token,
@ -55,7 +62,7 @@ OM_uint32 Curl_gss_init_sec_context(
                              GSS_C_NO_CREDENTIAL, /* cred_handle */
                              context,
                              target_name,
-                              GSS_C_NO_OID, /* mech_type */
+                              use_spnego ? (gss_OID)&gss_mech_spnego : GSS_C_NO_OID,
                              req_flags,
                              0, /* time_req */
                              input_chan_bindings,
--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
@ -47,6 +47,7 @@ OM_uint32 Curl_gss_init_sec_context(
    OM_uint32 * minor_status,
    gss_ctx_id_t * context,
    gss_name_t target_name,
+    bool use_spnego,
    gss_channel_bindings_t input_chan_bindings,
    gss_buffer_t input_token,
    gss_buffer_t output_token,
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@ -184,6 +184,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                                           &minor_status,
                                           &neg_ctx->context,
                                           neg_ctx->server_name,
+                                           TRUE,
                                           GSS_C_NO_CHANNEL_BINDINGS,
                                           &input_token,
                                           &output_token,
--- a/lib/krb5.c
+++ b/lib/krb5.c
@ -236,6 +236,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
                                      &min,
                                      context,
                                      gssname,
+                                      FALSE,
                                      &chan,
                                      gssresp,
                                      &output_buffer,
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@ -181,6 +181,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
                                                 &gss_minor_status,
                                                 &gss_context,
                                                 server,
+                                                 FALSE,
                                                 NULL,
                                                 gss_token,
                                                 &gss_send_token,