On Fri, 2014-07-11 at 20:15 +0200, Michael Osipov wrote:
> On 2014-07-11 13:28, David Woodhouse wrote:
> > From: David Woodhouse <[email protected]>
> >
> 
> You can safely remove this from http_negotiate.c because the caller 
> already checks that:
> 
>   if(checkprefix("GSS-Negotiate", header)) {
>     protocol = "GSS-Negotiate";
>     gss = TRUE;
>   }
>   else if(checkprefix("Negotiate", header)) {
>     protocol = "Negotiate";
>     gss = FALSE;
>   }

Yes, and I agree that 'GSS-Negotiate' should die.

We'll end up wanting to add very similar logic to differentiate between
Negotiate and Kerberos though, and it'll be 'use_spnego' that gets set
or cleared depending on which one we see.

> I don't like that code change. It can be done better.
> 
> In curl_gssapi.h you should do:
> 
> #ifdef HAVE_GSSAPI
> #ifndef SPNEGO_MECHANISM
> static gss_OID_desc spnego_mech_oid = { 6, "\x2b\x06\x01\x05\x05\x02" };
> #define SPNEGO_MECHANISM &spnego_mech_oid
> #endif
> #ifndef KRB5_MECHANISM
> static gss_OID_desc krb5_mech_oid = { 6, ... };
> #define KRB5_MECHANISM &krb5_mech_oid
> #endif

Now you've defined a separate copy of spnego_mech_oid in every C file
that includes curl_gssapi.h. Potentially unused.

Surely you'd want it to be defined *once* in curl_gssapi.c and then
exported?

Doing something like this was my first inclination, to keep the
signature of Curl_gss_init_sec_context() closer to that of the real
gss_init_sec_context(), but I figured that a simple 'use_spnego' was
probably cleaner in the end.

That said, I don't care too much. If you want to do it your way then
please go ahead and I'll insert your patch in my sequence instead.

> This gives you the ability to use any mech and clearly indicate which is 
> used, for FTP and SOCKS GSS_KRB5_MECHANISM and for HTTP 
> GSS_SPNEGO_MECHANISM. You may even define NTLM_MECHANISM for your custom 
> GSS NTLMSSP.

I don't think we'll be implementing an alternative to ntlm_wb using
gssapi+gss-ntlmssp any time soon. The boolean for SPNEGO or not ought to
be fine.

-- 
dwmw2
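
Added example, not part of the original mail and not curl code: a decoder that turns the six OID content bytes quoted above for spnego_mech_oid into dotted form, so the literal can be checked against the SPNEGO mechanism OID. struct oid_desc is a stand-in for gss_OID_desc and oid_to_dotted() is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_OID_desc (assumption: length + elements, as in the
   quoted initializer) so this builds without GSS-API headers. */
struct oid_desc { unsigned int length; const void *elements; };

/* The SPNEGO mechanism OID bytes quoted in the mail. */
static const struct oid_desc spnego_oid = { 6, "\x2b\x06\x01\x05\x05\x02" };

/* Decode DER OID content bytes into dotted notation.
   Returns 0 on success, -1 on malformed input or a too-small buffer. */
int oid_to_dotted(const struct oid_desc *oid, char *out, size_t outlen)
{
  const unsigned char *p = oid->elements;
  unsigned long arc = 0;
  size_t used = 0;
  unsigned int i;
  int n, first = 1;

  if(!oid->length || !outlen)
    return -1;
  for(i = 0; i < oid->length; i++) {
    if(arc > (~0UL >> 7) || (!arc && p[i] == 0x80))
      return -1;               /* overflow or non-minimal encoding */
    arc = (arc << 7) | (p[i] & 0x7f);
    if(p[i] & 0x80)
      continue;                /* base-128: more bytes of this arc follow */
    if(first) {                /* first value packs two arcs: 40*a + b */
      unsigned long a = arc < 80 ? arc / 40 : 2;
      n = snprintf(out + used, outlen - used, "%lu.%lu", a, arc - a * 40);
      first = 0;
    }
    else
      n = snprintf(out + used, outlen - used, ".%lu", arc);
    if(n < 0 || (size_t)n >= outlen - used)
      return -1;
    used += (size_t)n;
    arc = 0;
  }
  /* a continuation bit on the last byte means the OID was truncated */
  return (p[oid->length - 1] & 0x80) ? -1 : 0;
}

int main(void)
{
  char buf[64];
  if(!oid_to_dotted(&spnego_oid, buf, sizeof(buf)))
    printf("spnego_mech_oid = %s\n", buf);
  return 0;
}
```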
