Hi folks,

I am the originator of this ticket but was not able to provide a suitable patch up until now.
The changes and reasons in/for this patch:

Due to missing #ifdefs, curl tries to perform SPNEGO auth even if it has been compiled without the fbopenssl SPNEGO library. Now Negotiate works if and only if SPNEGO support has been compiled in, which requires GSS-API to be present and enabled with --with-gssapi.

Git diff: https://github.com/michael-o/curl/compare/HEAD...a893c7e

Patch has been tested on Ubuntu and HP-UX.

Please review and report back,

Michael
diff --git a/lib/curl_setup.h b/lib/curl_setup.h
index 4e18d67..79d2b70 100644
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@@ -602,7 +602,7 @@ int netware_init(void);
 #endif
 
 #if !defined(CURL_DISABLE_CRYPTO_AUTH) && \
-    (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI))
+    (defined(HAVE_GSSAPI) && defined(HAVE_SPNEGO) || defined(USE_WINDOWS_SSPI))
 #define USE_HTTP_NEGOTIATE
 #endif
 
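Review bot: The new `#if` condition mixes `&&` and `||` without inner parentheses; it evaluates as intended because `&&` binds tighter, but `((defined(HAVE_GSSAPI) && defined(HAVE_SPNEGO)) || defined(USE_WINDOWS_SSPI))` states the grouping explicitly. The change also means a build with GSS-API but without the SPNEGO library no longer defines USE_HTTP_NEGOTIATE at all, so Negotiate silently drops out of such builds. A client that permits several HTTP auth schemes would then presumably settle on another, possibly weaker, one with no build-time signal. A comment above the condition would record the intent, for example `/* Negotiate over GSS-API requires the SPNEGO helper library; GSS-API alone gives no Negotiate */`, and the configure summary or docs should mention it as well.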
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 53df30e..301cbff 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -28,7 +28,7 @@
 #define NCOMPAT 1
 #endif
 
-#ifndef CURL_DISABLE_HTTP
+#if !defined(CURL_DISABLE_HTTP) && defined(USE_HTTP_NEGOTIATE)
 
 #include "urldata.h"
 #include "sendf.h"
@@ -39,17 +39,15 @@
 #include "curl_memory.h"
 #include "url.h"
 
-#ifdef HAVE_SPNEGO
-#  include <spnegohelp.h>
-#  ifdef USE_SSLEAY
-#    ifdef USE_OPENSSL
-#      include <openssl/objects.h>
-#    else
-#      include <objects.h>
-#    endif
+#include <spnegohelp.h>
+#ifdef USE_SSLEAY
+#  ifdef USE_OPENSSL
+#    include <openssl/objects.h>
 #  else
-#    error "Can't compile SPNEGO support without OpenSSL."
+#    include <objects.h>
 #  endif
+#else
+#  error "Can't compile SPNEGO support without OpenSSL."
 #endif
 
 #define _MPRINTF_REPLACE /* use our functions only */
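Review bot: `#include <spnegohelp.h>` and the `#error` are now unconditional inside the file guard, which is only safe if USE_HTTP_NEGOTIATE implies HAVE_SPNEGO in this file. The curl_setup.h hunk also defines USE_HTTP_NEGOTIATE for USE_WINDOWS_SSPI alone. Unless the outer guard restricts this file to GSS-API builds, an SSPI build would try to include the SPNEGO header or stop at the `#error`; that guard is visible only as the unlabelled final `#endif`, and its opening line lies outside the hunks. Naming the dependency in the file guard removes the reliance on that unseen guard: `#if !defined(CURL_DISABLE_HTTP) && defined(USE_HTTP_NEGOTIATE) && defined(HAVE_SPNEGO)`. The same hunk appears a second time further down the message, and the point applies there too.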
@@ -192,7 +190,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool 
proxy,
 
     DEBUGASSERT(input_token.value != NULL);
 
-#ifdef HAVE_SPNEGO /* Handle SPNEGO */
+    /* Handle SPNEGO */
     if(checkprefix("Negotiate", header)) {
       unsigned char  *spnegoToken       = NULL;
       size_t          spnegoTokenLength = 0;
@@ -237,7 +235,6 @@ int Curl_input_negotiate(struct connectdata *conn, bool 
proxy,
         infof(data, "Parse SPNEGO Target Token succeeded\n");
       }
     }
-#endif
   }
 
   major_status = Curl_gss_init_sec_context(data,
@@ -279,7 +276,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, 
bool proxy)
   CURLcode error;
   OM_uint32 discard_st;
 
-#ifdef HAVE_SPNEGO /* Handle SPNEGO */
+  /* Handle SPNEGO */
   if(checkprefix("Negotiate", neg_ctx->protocol)) {
     ASN1_OBJECT    *object              = NULL;
     unsigned char  *responseToken       = NULL;
@@ -324,7 +321,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, 
bool proxy)
       infof(conn->data, "Make SPNEGO Initial Token succeeded\n");
     }
   }
-#endif
   error = Curl_base64_encode(conn->data,
                              neg_ctx->output_token.value,
                              neg_ctx->output_token.length,
@@ -382,5 +378,6 @@ void Curl_cleanup_negotiate(struct SessionHandle *data)
 }
 
 
-#endif
+#endif /* !CURL_DISABLE_HTTP && USE_HTTP_NEGOTIATE */
+
 #endif
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 53df30e..301cbff 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -28,7 +28,7 @@
 #define NCOMPAT 1
 #endif
 
-#ifndef CURL_DISABLE_HTTP
+#if !defined(CURL_DISABLE_HTTP) && defined(USE_HTTP_NEGOTIATE)
 
 #include "urldata.h"
 #include "sendf.h"
@@ -39,17 +39,15 @@
 #include "curl_memory.h"
 #include "url.h"
 
-#ifdef HAVE_SPNEGO
-#  include <spnegohelp.h>
-#  ifdef USE_SSLEAY
-#    ifdef USE_OPENSSL
-#      include <openssl/objects.h>
-#    else
-#      include <objects.h>
-#    endif
+#include <spnegohelp.h>
+#ifdef USE_SSLEAY
+#  ifdef USE_OPENSSL
+#    include <openssl/objects.h>
 #  else
-#    error "Can't compile SPNEGO support without OpenSSL."
+#    include <objects.h>
 #  endif
+#else
+#  error "Can't compile SPNEGO support without OpenSSL."
 #endif
 
 #define _MPRINTF_REPLACE /* use our functions only */
@@ -192,7 +190,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool 
proxy,
 
     DEBUGASSERT(input_token.value != NULL);
 
-#ifdef HAVE_SPNEGO /* Handle SPNEGO */
+    /* Handle SPNEGO */
     if(checkprefix("Negotiate", header)) {
       unsigned char  *spnegoToken       = NULL;
       size_t          spnegoTokenLength = 0;
@@ -237,7 +235,6 @@ int Curl_input_negotiate(struct connectdata *conn, bool 
proxy,
         infof(data, "Parse SPNEGO Target Token succeeded\n");
       }
     }
-#endif
   }
 
   major_status = Curl_gss_init_sec_context(data,
@@ -279,7 +276,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, 
bool proxy)
   CURLcode error;
   OM_uint32 discard_st;
 
-#ifdef HAVE_SPNEGO /* Handle SPNEGO */
+  /* Handle SPNEGO */
   if(checkprefix("Negotiate", neg_ctx->protocol)) {
     ASN1_OBJECT    *object              = NULL;
     unsigned char  *responseToken       = NULL;
@@ -324,7 +321,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, 
bool proxy)
       infof(conn->data, "Make SPNEGO Initial Token succeeded\n");
     }
   }
-#endif
   error = Curl_base64_encode(conn->data,
                              neg_ctx->output_token.value,
                              neg_ctx->output_token.length,
@@ -382,5 +378,6 @@ void Curl_cleanup_negotiate(struct SessionHandle *data)
 }
 
 
-#endif
+#endif /* !CURL_DISABLE_HTTP && USE_HTTP_NEGOTIATE */
+
 #endif