On Tue, 2019-09-17 at 16:08 +0200, Daniel Stenberg wrote:
> On Fri, 13 Sep 2019, David Woodhouse via curl-library wrote:
>
> > So: what would it take to use curl for HTTP while basically abusing it from
> > both sides? Not only do I need it to use my own underlying TLS conn
OpenConnect¹ is an SSL VPN client. It needs quite fine-grained control
over the TLS connection that it makes to the VPN server, to allow for
client certificates from various sources (TPM, PKCS#11, etc.) as well
as for interoperability reasons.
I didn't want to have to write my own HTTP support, but
On Tue, 2016-10-04 at 18:42 +, Tiago dos Santos Gomes wrote:
>
> I installed softhsm package (and softhsm2 too), but the file
> /usr/share/p11-kit/modules/softhsm.module was not created. I tried
> removing and reinstalling, but it did not work. In the modules
> folder, I only have gnome-keyr
On Tue, 2016-09-27 at 19:54 +0100, David Woodhouse wrote:
>
> I was trying to be a little more helpful and use pkcs11-spy which
> actually lets you watch all the calls into a PKCS#11 provider module
> (there are software ones like SoftHSM which you can use for testing/
> learning)
On Tue, 2016-09-27 at 17:11 +, Tiago dos Santos Gomes wrote:
> So how do I insert my access functions to the smartcard into a pkcs module
> 11?
> Should I create a library? Some document or example to guide me?
> It is my first project using this standard.
http://docs.oasis-open.org/pkcs11/
(You dropped me from Cc. Please don't do that if you want me to try to
help you! http://david.woodhou.se/reply-to-list.html )
On Mon, 2016-09-26 at 15:53 +, Tiago dos Santos Gomes wrote:
>
> Here are some additional information to better explain my problem:
>
> Embedded Linux: Ubuntu 16.04
On Wed, 2016-09-21 at 13:52 +0200, Daniel Stenberg wrote:
> On Wed, 21 Sep 2016, Gilles Vollant wrote:
>
> >
> > I tried the "binary" option you suggested, and this does not perform well. Only
> > the base64 option does the job.
>
> That's crazy talk! Of course you'd need to change some code to make
On Fri, 2016-09-16 at 19:35 +, Tiago dos Santos Gomes wrote:
> My doubt is: How to use the smart card to replace the private key and
> password in the libcurl setup process?
>
>
> The smart card does not allow access to private key, only to the
> public key, as expected. However, I can send
ntains no colon nor backslash, this
* means no passphrase was given and no characters escaped */
- if(!strpbrk(cert_parameter, ":\\")) {
+ if(!strncmp(cert_parameter, "pkcs11:", 7) ||
+ !strpbrk(cert_parameter, ":\\")) {
*certname =
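Review bot: the `strncmp(cert_parameter, "pkcs11:", 7)` prefix test is case-sensitive, but URI scheme names are case-insensitive, so a parameter written as `PKCS11:...` would fall through to the colon-splitting path below and be mangled; consider the case-insensitive `checkprefix()` helper that curl already uses elsewhere (it appears later in this thread in the http_negotiate.c discussion) in place of `strncmp()`.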
> RFC7512 provides a standard method to reference certificates in PKCS#11
> tokens, by means of a URI starting 'pkcs11:'.
>
> We're working on fixing various applications so that whenever they
> would have been able to use certificates from a file, users can simply
> insert a PKCS#11 URI instead a
On Mon, 2016-08-01 at 01:00 +0200, Daniel Stenberg wrote:
> On Tue, 26 Jul 2016, David Woodhouse wrote:
>
> Hello!
>
> Thanks a lot for your contribution. Sorry for the slight delay in responding
> to this patch.
And apologies for the further delay in responding; I didn
+ else if (data->set.libproxy)
+proxy = Curl_libproxy_detect_proxy(data->change.url);
+#endif
else if(!proxy)
proxy = detect_proxy(conn);
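Review bot: `else if (data->set.libproxy)` does not follow the surrounding code style, which writes `if(` and `else if(` without a space before the parenthesis (compare the unchanged `else if(!proxy)` two lines down); the added `+#endif` also needs its matching `#ifdef` guard to be visible in the same hunk so the conditional compilation can be reviewed as a unit.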
diff --git a/lib/urldata.h b/lib/urldata.h
index 611c5a7..71002f0 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -198,6 +198,10
colon nor backslash; this
* means no passphrase was given and no characters escaped */
- if(!strpbrk(cert_parameter, ":\\")) {
+ if(!strncmp(cert_parameter, "pkcs11:", 7) ||
+ !strpbrk(cert_parameter, ":\\")) {
*certname = strdup(cer
-return CURLE_REMOTE_ACCESS_DENIED;
+goto done;
/* invalid response */
if(len_out < 4)
goto done;
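Review bot: replacing `return CURLE_REMOTE_ACCESS_DENIED;` with `goto done;` drops the explicit error code at this point, so the `done:` path must set a failure result for this case rather than falling through with CURLE_OK; the hunk should show (or the commit message should state) which result the `done:` label returns for the access-denied response.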
--
2.4.3
--
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporatio
On Tue, 2014-07-15 at 21:55 +, David Woodhouse wrote:
>
> FWIW I'm fairly happy with my testing of SPNEGO under Windows and Linux,
> watching it use IAKERB, KRB5 and NTLMSSP mechanisms as appropriate. I may
> run some more tests on the farm of random *BSD/Solaris VM
On Tue, 2014-07-15 at 10:30 +0200, Tor Arntsen wrote:
> On 15 July 2014 00:00, Dan Fandrich wrote:
>
> > I missed your message before I committed the change, but curl isn't using
> > any
> > of those functions outside getpwuid_r, which confirms that that was the
> > right
> > approach. And if w
On Thu, 2014-07-17 at 15:47 +0200, Michael Osipov wrote:
> This patch is made on top of the recent work of David Woodhouse.
> It consequently fixed macros, options and switches, as well as
> names.
Looks good to me; thanks for doing this.
> Am 2014-07-15 21:17, schrieb Daniel Stenberg:
>> On Tue, 15 Jul 2014, David Woodhouse wrote:
>>
>>> Merged into git://, http://git.infradead.org/users/dwmw2/curl.git
>>> which now looks like this:
>>
>> Thanks for working on this, David - I believe M
>> David Woodhouse (8):
>>   ntlm_wb: Fix hard-coded limit on NTLM auth packet size
>>   ntlm_wb: Avoid invoking ntlm_auth helper with empty username
>
> I do not think that this belongs in this patchset because it is
> completely unrelated.
It all falls
On Thu, 2014-07-17 at 15:47 +0200, Michael Osipov wrote:
>
> Servers:
> - Apache 2.2.27 on FreeBSD with mod_spnego (MIT Kerberos 1.12.1)
Was that the one offering the duplicate 'WWW-Authenticate: Negotiate'
headers? I think you fixed it to stop doing that... but could you break
it again, and te
On Fri, 2014-05-09 at 13:46 +0200, Kamil Dudka wrote:
> On Friday 09 May 2014 13:25:21 Daniel Stenberg wrote:
> > On Fri, 9 May 2014, Kamil Dudka wrote:
> > > ... 'WWW-Authenticate: Negotiate' received from server
> >
> > Seems reasonable to me!
>
> Thanks for review! I have pushed the patch:
>
erged into git://, http://git.infradead.org/users/dwmw2/curl.git which
now looks like this:
David Woodhouse (8):
ntlm_wb: Fix hard-coded limit on NTLM auth packet size
ntlm_wb: Avoid invoking ntlm_auth helper with empty username
Remove all traces of FBOpenSSL SPNEGO support
Use SP
'WWW-Authenticate: Kerberos' but I've tested the
non-SPNEGO path in both cases and it works correctly, using *only*
Kerberos and thus failing to authenticate to hosts where NTLM fallback
is required.
From 5109cf90206eb26c69d48d205a4689fbd404e9c2 Mon Sep 17 00:00:00 2001
From: David W
On Tue, 2014-07-15 at 13:18 +0200, Michael Osipov wrote:
> Am 2014-07-13 22:22, schrieb David Woodhouse:
> > On Sun, 2014-07-13 at 11:31 +0200, Michael Osipov wrote:
> >>
> >> Please have a look:
> >> https://github.com/michael-o/curl/commit/b78ad621d45f537dfde
s that in, and then you use it to
select the appropriate OID within curl_gssapi.c. And in the SSPI
version, which we want to be called identically, that same enum actually
translates into an appropriate *string* argument to
AcquireCredentialsHandle().
On Sun, 2014-07-13 at 11:31 +0200, Michael Osipov wrote:
> Am 2014-07-12 17:58, schrieb David Woodhouse:
> > [...]
> >>> So what *do* we want to do on top of the patch set I posted? Just add
> >>> support for '{Proxy,WWW}-Authenticate: Kerberos'?
> &
On Sun, 2014-07-13 at 01:09 +0200, Dan Fandrich wrote:
> On Sat, Jul 12, 2014 at 05:59:56PM +0100, David Woodhouse wrote:
> > The cipher list problem was because Fedora's GnuTLS doesn't have SRP
> > support. Given that gnutls_set_priority_direct() actually *gives* us a
&
From: David Woodhouse
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
---
The cipher list problem was because Fedora's GnuTLS doesn&
It looks like curl needs the same workaround for GnuTLS failing to check
IP addresses in gnutls_x509_crt_check_hostname(), as implemented at
http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls.c#l1795
I couldn't get as far as validating that though; having configured the
git tre
On Fri, 2014-07-11 at 22:47 +0200, Michael Osipov wrote:
> Am 2014-07-11 20:41, schrieb David Woodhouse:
> > On Fri, 2014-07-11 at 20:09 +0200, Michael Osipov wrote:
> >> Am 2014-07-11 19:41, schrieb David Woodhouse:
> >>> On Fri, 2014-07-11 at 19:17 +0200, Michae
On Fri, 2014-07-11 at 15:50 +0200, Michael Osipov wrote:
>
> In my opinion, we can refer to the HTTP standard which mandates to use
> strongest to weakest auth. So curl would actually need to prioritize
> authentication and try in that order:
>
> Kerberos > Negotiate > Digest > NTLM_WB > NTLM > Ba
From: David Woodhouse
---
v2: Add getpwuid_r() and $USER as potential sources of username.
On Sat, 2014-07-12 at 02:49 +0200, Dan Fandrich wrote:
> If the intent is to get the current user name, getpwuid(geteuid())->pw_name
> seems to me like the best way to get it (but actually
On Fri, 2014-07-11 at 20:15 +0200, Michael Osipov wrote:
> Am 2014-07-11 13:28, schrieb David Woodhouse:
> > From: David Woodhouse
> >
>
> You can safely remove this from http_negotiate.c because the caller
> already checks that:
>
> if(checkprefix("GSS-Neg
200 bytes is not enough; I currently see 516 bytes for an NTLMv2 session
auth with target_info included. I can't bring myself just to take the easy
option and increase the buffer size. Instead, make it reallocate as needed
instead of having a hard limit.
---
v2:
- Use NTLM_BUFSIZE from curl_ntlm_m
On Fri, 2014-07-11 at 20:09 +0200, Michael Osipov wrote:
> Am 2014-07-11 19:41, schrieb David Woodhouse:
> > On Fri, 2014-07-11 at 19:17 +0200, Michael Osipov wrote:
> >> I would implement a fallback but provide two options where one should be
> >> picked sticked t
On Fri, 2014-07-11 at 19:17 +0200, Michael Osipov wrote:
> I would implement a fallback but provide two options where one should be
> picked and stuck to it:
>
> 1. Discover SPNEGO capability at compile time with autoconf. GSS-API
> provides this option:
>
> OM_uint32 major, minor;
> gs
From: David Woodhouse
---
lib/http.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index fe9ae3e..0b7c79b 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -737,6 +739,10 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
bool proxy
From: David Woodhouse
It's wrong to assume that we can send a single SPNEGO packet which will
complete the authentication. It's a *negotiation* — the clue is in the
name. So make sure we handle responses from the server.
Curl_input_negotiate() will already handle bailing out if it
On Fri, 2014-07-11 at 13:28 +0200, Michael Osipov wrote:
> Am 2014-07-11 13:19, schrieb David Woodhouse:
> > On Fri, 2014-07-11 at 13:04 +0200, Michael Osipov wrote:
> >> Why do you provide a slash as a breaking char too? Backslash is the
> >> only used char to separate
From: David Woodhouse
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters
From: David Woodhouse
GSSAPI doesn't work very well if we forget everything every time.
XX: Is Curl_http_done() the right place to do the final cleanup?
---
lib/http.c| 4
lib/http_negotiate.c | 1 -
lib/http_negotiate_sspi.c | 1 -
3 files changed, 4 insertions(
From: David Woodhouse
This is the correct way to do SPNEGO. Just ask for it
Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
isn't available. Of course, we bail out when the server responds with the
challenge packet, since we don't expect that. But I'
low people to specify the user on the command line
with a slash instead of a backslash?
On Fri, 2014-07-11 at 12:21 +0200, Michael Osipov wrote:
> Your patch looks good but not complete, right?
Right. If you look at the top of my tree at
http://git.infradead.org/users/dwmw2/curl.git you'll see it's somewhat
more complete now — on a system with sane GSSAPI I can watch it
authenticate
t I'm not quite sure what the best
fix is. Should we patch http.c to always try ntlm_wb *before* ntlm auth?
Or patch the native NTLM auth method to bail out if the username and
password are empty? Or both?
From: David Woodhouse
200 bytes is not enough; I currently see 516 bytes for an NTLMv2 session
auth with target_info included. I can't bring myself just to take the easy
option and increase the buffer size. Instead, make it reallocate as needed
instead of having a hard limit.
---
From: David Woodhouse
---
lib/curl_ntlm_wb.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index 52d1323..ac05fbb 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -124,6 +124,21 @@ static CURLcode ntlm_wb_init(struct
On Fri, 2014-07-11 at 12:01 +0200, Michael Osipov wrote:
> Am 2014-07-11 11:47, schrieb David Woodhouse:
> > On Fri, 2014-07-11 at 11:24 +0200, Michael Osipov wrote:
> >> Am 2014-07-10 17:17, schrieb David Woodhouse:
> >>> On Fri, 2014-05-30 at 10:21 +0200, Michael-O
On Fri, 2014-07-11 at 11:24 +0200, Michael Osipov wrote:
> Am 2014-07-10 17:17, schrieb David Woodhouse:
> > On Fri, 2014-05-30 at 10:21 +0200, Michael-O wrote:
> >>
> >> Providing ':' will only work with SSPI, on Linux/Unix, there is not
> >> NTLM
nit_sec_context()
is for. And then it should all Just Work™.
That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
fefree(encoded);
- Curl_cleanup_negotiate(conn->data);
+ // Curl_cleanup_negotiate(conn->data);
return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
}
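Review bot: `+ // Curl_cleanup_negotiate(conn->data);` leaves dead code behind using a C++-style `//` comment, which curl's C sources do not use; delete the line outright, and if a reminder is needed that cleanup now happens elsewhere (the commit message's open question about Curl_http_done()), put it in a `/* */` comment that says where the cleanup moved rather than a commented-out call.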
On Fri, 2014-05-30 at 10:21 +0200, Michael-O wrote:
>
> Providing ':' will only work with SSPI, on Linux/Unix, there is not
> NTLM password cache. ':' works only with a Kerberos credential cache.
That isn't strictly true. Samba/winbind has an NTLM password cache, and
it works fine via the /usr/bi
On Mon, 16 May 2011, Patrick Monnerat wrote:
> I would not like the generalization: the mail client "evolution" does so
> and this causes a big problem:
>
> _ Periodically, W$ domain requests you to change your password.
> _ The next time you start evolution (configured to identify in the M$
> do
On Mon, 16 May 2011, Daniel Stenberg wrote:
> On Mon, 16 May 2011, David Woodhouse wrote:
> Hm, is this "try next method" unique for Kerberos/Negotiate? Are there other
> methods that we can expect to be able to fail "early" like that?
Well, it's not so mu
On Fri, 2011-05-13 at 00:05 +0200, Daniel Stenberg wrote:
> > 3) If Negotiate fails using kerberos, then it should fallback to ntlm,
> > which
> > is not working at all here
>
> libcurl actually doesn't fall back to another auth. It picks the one auth
> type
> it thinks is best out of the ones
On Wed, 2011-05-11 at 19:21 +0200, Daniel Stenberg wrote:
> A bunch of US-based companies have been sued for infringing on patents, and
> (at least) one of them are using curl for the service they are being sued
> over.
>
> Read my 1100 word rambling about it here:
>
> http://daniel.haxx.se/blo
NEGOTIATE_UNICODE in our initial Type 1
message now that we support it? That means we will basically never have
to use the legacy 8-bit crap.
(Fixing this code to use the /usr/bin/ntlm_auth helper for
single-sign-on has almost reached the top of my TODO list, btw).
toki framework as a PKCS#11 plugin, and
then a TPM module for OpenCryptoki. I never managed to get that to work.
FWIW I ended up writing my own HTTP client support for that project,
because none of the existing libraries would let me use TPM-based client
certificates with the underlying SSL conne
On Fri, 2010-12-17 at 19:57 +1100, Brad Hards wrote:
>
> I think the second example makes a nice graduation between the first
> (really simple) SMTP example, and the multi-SMTP example.
>
> Here is, for first review:
Looks good, from the RFC-pedant point of view. I'll let Daniel comment
on the
Looks much better; thanks. One more nitpick...
On Thu, 2010-12-16 at 18:15 +1100, Brad Hards wrote:
> +/* this is the URL for your mailserver - you can also use an smtps:// URL
> + * here */
There's no such thing as smtps://. There was a rash of people doing a
non-standard thing on port
On Wed, 2010-12-15 at 19:16 +1100, Brad Hards wrote:
> /* this becomes the Return-Path header value */
> static const char *from = "br...@exmaple.com";
I suspect you mean 'this is the SMTP reverse-path', not a header at all.
It might be the case that when receiving mail, *your* system puts it
On Wed, 2010-12-08 at 12:44 +0100, Daniel Stenberg wrote:
>
> - result = curl_multi_socket_all(multi, &handles);
> + result = curl_multi_socket_action(multi, CURL_SOCKET_TIMEOUT, 0,
> + &handles);
Excellent. Thank you!
--
dwmw2
libcurl often fails to call our timer_callback function to set up the
next timer when it should. This can mean that a download hangs, for
example when it's waiting for getaddrinfo() to complete in a thread it
spawned for that purpose.
Don't ever allow the timer to be unset while there are downloads
On Tue, 2010-12-07 at 09:53 +, David Woodhouse wrote:
>
> Yes, the problem still happens. I've made a simpler test case out of
> the
> code in PacRunner: http://david.woodhou.se/gcurl.c
OK, I think I have this working.
The problem is that my timer callback isn't
On Mon, 2010-12-06 at 19:14 +0100, Daniel Stenberg wrote:
>
> It certainly sounds like a bug in that it doesn't set the timeout properly -
> during the threaded resolver phase it should set a short timeout to
> essentially cause a polling effect since there's no socket to wait for then.
Of cour
On Mon, 2010-12-06 at 16:10 +, David Woodhouse wrote:
> Am I missing some way that the completion of the getaddrinfo thread is
> supposed to poke us to call back into libcurl? Some hook we've failed to
> register? Or were we supposed to *repeat* that 1ms timer until to
On Mon, 2010-12-06 at 13:45 +, David Woodhouse wrote:
> It seems to be reliably failing to load the PAC file on the first
> attempt.
I think this may be a curl bug.
We set up our new request and call curl_multi_add_handle(). It sets a
timer to happen in 1ms, and from that timeout w