Markus Moeller's SPNEGO patch applied, with my edits, additions and minor

cleanups.

6 files changed, 106 insertions, 14 deletions

diff --git a/lib/http.c b/lib/http.c
index 8cb97dd1d..5195122a8 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -238,7 +238,7 @@ CURLcode http_auth_headers(struct connectdata *conn,
     }
     /* Send web authentication header if needed */
     if (data->state.authstage == 401) {
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
       if((data->state.authwant == CURLAUTH_GSSNEGOTIATE) &&
          data->state.negotiate.context && 
          !GSS_ERROR(data->state.negotiate.status)) {
@@ -324,7 +324,7 @@ CURLcode Curl_http_auth(struct connectdata *conn,
   while(*start && isspace((int)*start))
     start++;
 
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
   if (checkprefix("GSS-Negotiate", start) ||
       checkprefix("Negotiate", start)) {
     *availp |= CURLAUTH_GSSNEGOTIATE;
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 5012b0764..fcbb3eadb 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -22,7 +22,10 @@
  ***************************************************************************/
 #include "setup.h"
 
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
+#ifdef HAVE_GSSMIT
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif
 
 #ifndef CURL_DISABLE_HTTP
 /* -- WIN32 approved -- */
@@ -171,6 +174,46 @@ int Curl_input_negotiate(struct connectdata *conn, char *header)
     if (rawlen < 0)
       return -1;
     input_token.length = rawlen;
+
+#ifdef SPNEGO /* Handle SPNEGO */
+    if (checkprefix("Negotiate", header)) {
+        ASN1_OBJECT *   object            = NULL;
+        int             rc                = 1;
+        unsigned char * spnegoToken       = NULL;
+        size_t          spnegoTokenLength = 0;
+        unsigned char * mechToken         = NULL;
+        size_t          mechTokenLength   = 0;
+
+        spnegoToken = malloc(input_token.length);
+        if (input_token.value == NULL)
+          return ENOMEM;
+        spnegoTokenLength = input_token.length;
+
+        object = OBJ_txt2obj ("1.2.840.113554.1.2.2", 1);
+        if (!parseSpnegoTargetToken(spnegoToken,
+                                    spnegoTokenLength,
+                                    NULL,
+                                    NULL,
+                                    &mechToken,
+                                    &mechTokenLength,
+                                    NULL,
+                                    NULL)) {
+          free(spnegoToken);
+          spnegoToken = NULL;
+          infof(conn->data, "Parse SPNEGO Target Token failed\n");
+        }
+        else {
+          free(input_token.value);
+          input_token.value = NULL;
+          input_token.value = malloc(mechTokenLength);
+          memcpy(input_token.value, mechToken,mechTokenLength);
+          input_token.length = mechTokenLength;
+          free(mechToken);
+          mechToken = NULL;
+          infof(conn->data, "Parse SPNEGO Target Token succeded\n");
+        }
+    }
+#endif
   }
 
   major_status = gss_init_sec_context(&minor_status,
@@ -212,9 +255,50 @@ CURLcode Curl_output_negotiate(struct connectdata *conn)
   struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
   OM_uint32 minor_status;
   char *encoded = NULL;
-  int len = Curl_base64_encode(neg_ctx->output_token.value,
-                               neg_ctx->output_token.length,
-                               &encoded);
+  int len;
+
+#ifdef SPNEGO /* Handle SPNEGO */
+  if (checkprefix("Negotiate",neg_ctx->protocol)) {
+    ASN1_OBJECT *   object            = NULL;
+    int             rc                = 1;
+    unsigned char * spnegoToken       = NULL;
+    size_t          spnegoTokenLength = 0;
+    unsigned char * responseToken       = NULL;
+    size_t          responseTokenLength = 0;
+    
+    responseToken = malloc(neg_ctx->output_token.length);
+    if ( responseToken == NULL)
+      return CURLE_OUT_OF_MEMORY;
+    memcpy(responseToken, neg_ctx->output_token.value,
+           neg_ctx->output_token.length);
+    responseTokenLength = neg_ctx->output_token.length;
+
+    object=OBJ_txt2obj ("1.2.840.113554.1.2.2", 1);
+    if (!makeSpnegoInitialToken (object,
+                                 responseToken,
+                                 responseTokenLength,
+                                 &spnegoToken,
+                                 &spnegoTokenLength)) {
+      free(responseToken);
+      responseToken = NULL;
+      infof(conn->data, "Make SPNEGO Initial Token failed\n");
+    }
+    else {
+      free(neg_ctx->output_token.value);
+      responseToken = NULL;
+      neg_ctx->output_token.value = malloc(spnegoTokenLength);
+      memcpy(neg_ctx->output_token.value, spnegoToken,spnegoTokenLength);
+      neg_ctx->output_token.length = spnegoTokenLength;
+      free(spnegoToken);
+      spnegoToken = NULL;
+      infof(conn->data, "Make SPNEGO Initial Token succeded\n");
+    }
+  }
+#endif
+  len = Curl_base64_encode(neg_ctx->output_token.value,
+                           neg_ctx->output_token.length,
+                           &encoded);
+
   if (len < 0)
     return CURLE_OUT_OF_MEMORY;
 
diff --git a/lib/http_negotiate.h b/lib/http_negotiate.h
index 36a346c56..f58f45560 100644
--- a/lib/http_negotiate.h
+++ b/lib/http_negotiate.h
@@ -24,7 +24,7 @@
  * $Id$
  ***************************************************************************/
 
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
 
 /* this is for Negotiate header input */
 int Curl_input_negotiate(struct connectdata *conn, char *header);
diff --git a/lib/url.c b/lib/url.c
index a1f474d4d..12abbb2c5 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -879,7 +879,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
 #ifndef USE_SSLEAY
     auth &= ~CURLAUTH_NTLM; /* no NTLM without SSL */
 #endif
-#ifndef GSSAPI
+#ifndef HAVE_GSSAPI
     auth &= ~CURLAUTH_GSSNEGOTIATE; /* no GSS-Negotiate without GSSAPI */
 #endif
     if(!auth)
@@ -899,7 +899,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
 #ifndef USE_SSLEAY
     auth &= ~CURLAUTH_NTLM; /* no NTLM without SSL */
 #endif
-#ifndef GSSAPI
+#ifndef HAVE_GSSAPI
     auth &= ~CURLAUTH_GSSNEGOTIATE; /* no GSS-Negotiate without GSSAPI */
 #endif
     if(!auth)
diff --git a/lib/urldata.h b/lib/urldata.h
index 6d89bf736..16c413d61 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -86,9 +86,14 @@
 #include <zlib.h> 		/* for content-encoding */
 #endif
 
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
+#ifdef HAVE_GSSMIT
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_generic.h>
+#else
 #include <gssapi.h>
 #endif
+#endif
 
 #ifdef USE_ARES
 #include <ares.h>
@@ -184,7 +189,7 @@ struct ntlmdata {
   unsigned char nonce[8];
 };
 
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
 struct negotiatedata {
   bool gss; /* Whether we're processing GSS-Negotiate or Negotiate */
   const char* protocol; /* "GSS-Negotiate" or "Negotiate" */
@@ -688,7 +693,7 @@ struct UrlState {
 
   struct digestdata digest;
 
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
   struct negotiatedata negotiate;
 #endif
 
diff --git a/lib/version.c b/lib/version.c
index 651f895e1..3e8c88513 100644
--- a/lib/version.c
+++ b/lib/version.c
@@ -114,7 +114,7 @@ char *curl_version(void)
   sprintf(ptr, " zlib/%s", zlibVersion());
   ptr += strlen(ptr);
 #endif
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
   sprintf(ptr, " GSS");
   ptr += strlen(ptr);
 #endif
@@ -177,7 +177,7 @@ static curl_version_info_data version_info = {
 #ifdef HAVE_LIBZ
   | CURL_VERSION_LIBZ
 #endif
-#ifdef GSSAPI
+#ifdef HAVE_GSSAPI
   | CURL_VERSION_GSSNEGOTIATE
 #endif
 #ifdef CURLDEBUG
@@ -186,6 +186,9 @@ static curl_version_info_data version_info = {
 #ifdef USE_ARES
   | CURL_VERSION_ASYNCHDNS
 #endif
+#ifdef HAVE_SPNEGO
+  | CURL_VERSION_SPNEGO
+#endif
   ,
   NULL, /* ssl_version */
   0,    /* ssl_version_num */