1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00
curl/docs
David Woodhouse 9ad282b1ae Remove all traces of FBOpenSSL SPNEGO support
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters, there are various
different OIDs which can be used to specify the Kerberos mechanism too.

A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
and will exchange GSSAPI tokens which are appropriate for that mechanism.

But this SPNEGO implementation just strips the incoming SPNEGO packet
and extracts the token, if any. And completely discards the information
about *which* mechanism is being used. Then we *assume* it was Kerberos,
and feed the token into gss_init_sec_context() with the default
mechanism (GSS_S_NO_OID for the mech_type argument).

Furthermore... broken as this code is, it was never even *used* for input
tokens anyway, because higher layers of curl would just bail out if the
server actually said anything *back* to us in the negotiation. We assume
that we send a single token to the server, and it accepts it. If the server
wants to continue the exchange (as is required for NTLM and for SPNEGO
to do anything useful), then curl was broken anyway.

So the only bit which actually did anything was the bit in
Curl_output_negotiate(), which always generates an *initial* SPNEGO
token saying "Hey, I support only the Kerberos mechanism and this is its
token".

You could have done that by manually just prefixing the Kerberos token
with the appropriate bytes, if you weren't going to do any proper SPNEGO
handling. There's no need for the FBOpenSSL library at all.

The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
is for. And then it should all Just Work™.

That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
2014-07-16 17:26:08 +02:00
..
examples Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
libcurl CURLOPT_UPLOAD: Corrected argument type 2014-07-10 22:30:43 +01:00
.gitignore IGNORE: files generated by maketgz 2010-04-14 17:34:57 +02:00
BINDINGS BINDINGS: BBHTTP is a cocoa binding, Julia has a binding 2013-03-30 22:04:56 +01:00
BUGS BUGS: update bug tracker URL 2013-01-13 23:16:11 +01:00
CONTRIBUTE CONTRIBUTE: mention our Bug/Reported-by commit style 2014-05-09 13:49:22 +02:00
curl-config.1 curl-config.1: fix curl-config usage in example 2012-05-20 15:38:54 +02:00
curl.1 curl.1: minor language fix 2014-07-03 22:37:43 +02:00
DISTRO-DILEMMA docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
FAQ FAQ: expand the thread-safe section 2014-07-09 22:07:36 -05:00
FEATURES docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
HISTORY HISTORY: Fix spelling error. 2013-04-23 21:41:38 +02:00
HTTP-COOKIES HTTP-COOKIES: clarified and modified layout 2012-07-03 11:10:41 +02:00
index.html added doctype tag to get HTML compliant 2004-04-27 07:05:22 +00:00
INSTALL INSTALL: Updated MSVC 6 caveats 2014-05-19 10:34:05 +01:00
INSTALL.cmake docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
INSTALL.devcpp Fixed some typos in documentation 2012-07-20 21:02:58 +02:00
INTERNALS Curl_ossl_init: call OPENSSL_config for initing engines 2014-06-03 22:15:38 +02:00
KNOWN_BUGS KNOWN_BUGS: #83 was addressed with commit c50ce85918 2014-06-04 18:21:33 +00:00
LIBCURL-STRUCTS docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
LICENSE-MIXING Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
MAIL-ETIQUETTE docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
Makefile.am SSL-PROBLEMS: describes common curl+SSL problems 2014-03-08 22:21:41 +00:00
MANUAL docs: Removed mention of -g hack when using IPv6 literals 2014-03-31 09:06:09 +02:00
mk-ca-bundle.1 mk-ca-bundle: added -p 2014-05-08 11:37:45 +02:00
README.cmake removed execute file permission 2011-12-30 03:53:25 +01:00
README.netware docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
README.win32 removed trailing whitespace 2010-02-14 19:40:18 +00:00
RELEASE-PROCEDURE RELEASE-PROCEDURE: new document 2013-12-18 14:37:04 +01:00
RESOURCES Implement SMTP authentication 2010-04-19 11:16:30 +02:00
ROADMAP.md ROADMAP.md: make it markdown formatted 2014-06-19 14:16:14 +02:00
SECURITY docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
SSL-PROBLEMS docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
SSLCERTS docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
THANKS THANKS: 18 new contributors for 7.37.0 2014-05-20 23:42:47 +02:00
TheArtOfHttpScripting docs: fixed a bunch of typos 2014-03-14 23:38:00 +01:00
TODO TODO: firefox will soon support SSL (HTTPS) to proxy 2014-05-09 11:36:11 +02:00
VERSIONS VERSIONS: clarify our versioning concept 2011-08-08 09:25:59 +02:00

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

README.win32

  Read the README file first.

  Curl has been compiled, built and run on all sorts of Windows and win32
  systems. While not being the main develop target, a fair share of curl users
  are win32-based.

  The unix-style man pages are tricky to read on windows, so therefore are all
  those pages converted to HTML as well as pdf, and included in the release
  archives.

  The main curl.1 man page is also "built-in" in the command line tool. Use a
  command line similar to this in order to extract a separate text file:

        curl -M >manual.txt

  Read the INSTALL file for instructions how to compile curl self.