aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/http.c5
-rw-r--r--lib/http_negotiate.c43
-rw-r--r--lib/http_negotiate_sspi.c45
-rw-r--r--lib/urldata.h6
4 files changed, 12 insertions, 87 deletions
diff --git a/lib/http.c b/lib/http.c
index 4931dd897..8cd15dece 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -571,7 +571,7 @@ output_auth_headers(struct connectdata *conn,
negdata->state = GSS_AUTHNONE;
if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
negdata->context && !GSS_ERROR(negdata->status)) {
- auth="GSS-Negotiate";
+ auth="Negotiate";
result = Curl_output_negotiate(conn, proxy);
if(result)
return result;
@@ -772,8 +772,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
while(*auth) {
#ifdef USE_HTTP_NEGOTIATE
- if(checkprefix("GSS-Negotiate", auth) ||
- checkprefix("Negotiate", auth)) {
+ if(checkprefix("Negotiate", auth)) {
int neg;
*availp |= CURLAUTH_GSSNEGOTIATE;
authp->avail |= CURLAUTH_GSSNEGOTIATE;
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index dc2bb383d..f5e9252eb 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -53,19 +53,7 @@ get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
OM_uint32 major_status, minor_status;
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
char name[2048];
- const char* service;
-
- /* GSSAPI implementation by Globus (known as GSI) requires the name to be
- of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
- of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
- Change following lines if you want to use GSI */
-
- /* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
-
- if(neg_ctx->gss)
- service = "KHTTP";
- else
- service = "HTTP";
+ const char* service = "HTTP";
token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
conn->host.name) + 1;
@@ -128,31 +116,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
int ret;
size_t len;
size_t rawlen = 0;
- bool gss;
- const char* protocol;
CURLcode error;
- if(checkprefix("GSS-Negotiate", header)) {
- protocol = "GSS-Negotiate";
- gss = TRUE;
- }
- else if(checkprefix("Negotiate", header)) {
- protocol = "Negotiate";
- gss = FALSE;
- }
- else
- return -1;
-
- if(neg_ctx->context) {
- if(neg_ctx->gss != gss) {
- return -1;
- }
- }
- else {
- neg_ctx->protocol = protocol;
- neg_ctx->gss = gss;
- }
-
if(neg_ctx->context && neg_ctx->status == GSS_S_COMPLETE) {
/* We finished successfully our part of authentication, but server
* rejected it (since we're again here). Exit with an error since we
@@ -165,7 +130,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
(ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
return ret;
- header += strlen(neg_ctx->protocol);
+ header += strlen("Negotiate");
while(*header && ISSPACE(*header))
header++;
@@ -238,8 +203,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
return CURLE_REMOTE_ACCESS_DENIED;
}
- userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
- neg_ctx->protocol, encoded);
+ userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
+ encoded);
if(proxy) {
Curl_safefree(conn->allocptr.proxyuserpwd);
conn->allocptr.proxyuserpwd = userp;
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
index 236766b16..2bf131f90 100644
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -45,27 +45,13 @@ static int
get_gss_name(struct connectdata *conn, bool proxy,
struct negotiatedata *neg_ctx)
{
- const char* service;
+ const char* service = "HTTP";
size_t length;
if(proxy && !conn->proxy.name)
/* proxy auth requested but no given proxy name, error out! */
return -1;
- /* GSSAPI implementation by Globus (known as GSI) requires the name to be
- of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
- of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
- Change following lines if you want to use GSI */
-
- /* IIS uses the <service>@<fqdn> form but uses 'http' as the service name,
- and SSPI then generates an NTLM token. When using <service>/<fqdn> a
- Kerberos token is generated. */
-
- if(neg_ctx->gss)
- service = "KHTTP";
- else
- service = "HTTP";
-
length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
conn->host.name) + 1;
if(length + 1 > sizeof(neg_ctx->server_name))
@@ -94,31 +80,8 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
TCHAR *sname;
int ret;
size_t len = 0, input_token_len = 0;
- bool gss = FALSE;
- const char* protocol;
CURLcode error;
- if(checkprefix("GSS-Negotiate", header)) {
- protocol = "GSS-Negotiate";
- gss = TRUE;
- }
- else if(checkprefix("Negotiate", header)) {
- protocol = "Negotiate";
- gss = FALSE;
- }
- else
- return -1;
-
- if(neg_ctx->context) {
- if(neg_ctx->gss != gss) {
- return -1;
- }
- }
- else {
- neg_ctx->protocol = protocol;
- neg_ctx->gss = gss;
- }
-
if(neg_ctx->context && neg_ctx->status == SEC_E_OK) {
/* We finished successfully our part of authentication, but server
* rejected it (since we're again here). Exit with an error since we
@@ -148,7 +111,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
}
/* Obtain the input token, if any */
- header += strlen(neg_ctx->protocol);
+ header += strlen("Negotiate");
while(*header && ISSPACE(*header))
header++;
@@ -260,8 +223,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
if(len == 0)
return CURLE_REMOTE_ACCESS_DENIED;
- userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "",
- neg_ctx->protocol, encoded);
+ userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
+ encoded);
if(proxy)
conn->allocptr.proxyuserpwd = userp;
diff --git a/lib/urldata.h b/lib/urldata.h
index ebdad803d..3ed7292d3 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -446,11 +446,9 @@ struct ntlmdata {
#ifdef USE_HTTP_NEGOTIATE
struct negotiatedata {
- /* when doing Negotiate we first need to receive an auth token and then we
- need to send our header */
+ /* When doing Negotiate (SPNEGO) auth, we first need to send a token
+ and then validate the received one. */
enum { GSS_AUTHNONE, GSS_AUTHRECV, GSS_AUTHSENT } state;
- bool gss; /* Whether we're processing GSS-Negotiate or Negotiate */
- const char* protocol; /* "GSS-Negotiate" or "Negotiate" */
#ifdef HAVE_GSSAPI
OM_uint32 status;
gss_ctx_id_t context;