diff options
author | David Woodhouse <David.Woodhouse@intel.com> | 2014-07-11 10:55:07 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2014-07-16 17:26:08 +0200 |
commit | 59431c242bf1d93980756fa2db2d08744bfa79d3 (patch) | |
tree | a12e313fc08e3e314b47f4b7377035292f355738 /lib | |
parent | 9ad282b1ae1135e7d5dd2e466ff8671c1e4ee04b (diff) | |
download | curl-59431c242bf1d93980756fa2db2d08744bfa79d3.tar.gz |
Use SPNEGO for HTTP Negotiate
This is the correct way to do SPNEGO. Just ask for it
Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
isn't available. Of course, we bail out when the server responds with the
challenge packet, since we don't expect that. But I'll fix that bug next...
Diffstat (limited to 'lib')
-rw-r--r-- | lib/curl_gssapi.c | 9 | ||||
-rw-r--r-- | lib/curl_gssapi.h | 1 | ||||
-rw-r--r-- | lib/http_negotiate.c | 1 | ||||
-rw-r--r-- | lib/krb5.c | 1 | ||||
-rw-r--r-- | lib/socks_gssapi.c | 1 |
5 files changed, 12 insertions, 1 deletions
diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c index fabbe3598..af1813b03 100644 --- a/lib/curl_gssapi.c +++ b/lib/curl_gssapi.c @@ -27,11 +27,18 @@ #include "curl_gssapi.h" #include "sendf.h" +static const char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02"; +static const gss_OID_desc gss_mech_spnego = { + 6, + &spnego_OID +}; + OM_uint32 Curl_gss_init_sec_context( struct SessionHandle *data, OM_uint32 * minor_status, gss_ctx_id_t * context, gss_name_t target_name, + bool use_spnego, gss_channel_bindings_t input_chan_bindings, gss_buffer_t input_token, gss_buffer_t output_token, @@ -55,7 +62,7 @@ OM_uint32 Curl_gss_init_sec_context( GSS_C_NO_CREDENTIAL, /* cred_handle */ context, target_name, - GSS_C_NO_OID, /* mech_type */ + use_spnego ? (gss_OID)&gss_mech_spnego : GSS_C_NO_OID, req_flags, 0, /* time_req */ input_chan_bindings, diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h index ed33b51a2..5af7a0261 100644 --- a/lib/curl_gssapi.h +++ b/lib/curl_gssapi.h @@ -47,6 +47,7 @@ OM_uint32 Curl_gss_init_sec_context( OM_uint32 * minor_status, gss_ctx_id_t * context, gss_name_t target_name, + bool use_spnego, gss_channel_bindings_t input_chan_bindings, gss_buffer_t input_token, gss_buffer_t output_token, diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index ccd005bbb..9b01e0a56 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -184,6 +184,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, &minor_status, &neg_ctx->context, neg_ctx->server_name, + TRUE, GSS_C_NO_CHANNEL_BINDINGS, &input_token, &output_token, diff --git a/lib/krb5.c b/lib/krb5.c index 1643f11a6..9a36af1db 100644 --- a/lib/krb5.c +++ b/lib/krb5.c @@ -236,6 +236,7 @@ krb5_auth(void *app_data, struct connectdata *conn) &min, context, gssname, + FALSE, &chan, gssresp, &output_buffer, diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index 1f840bd4e..0a35dfa09 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c @@ -181,6 +181,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, &gss_minor_status, &gss_context, server, + FALSE, NULL, gss_token, &gss_send_token, |