From 59431c242bf1d93980756fa2db2d08744bfa79d3 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Fri, 11 Jul 2014 10:55:07 +0100 Subject: Use SPNEGO for HTTP Negotiate This is the correct way to do SPNEGO. Just ask for it Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket isn't available. Of course, we bail out when the server responds with the challenge packet, since we don't expect that. But I'll fix that bug next... --- lib/curl_gssapi.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'lib/curl_gssapi.c')
diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index fabbe3598..af1813b03 100644
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -27,11 +27,18 @@
 #include "curl_gssapi.h"
 #include "sendf.h"
 
+static const char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02";
+static const gss_OID_desc gss_mech_spnego = {
+ 6,
+ &spnego_OID
+};
+
 OM_uint32 Curl_gss_init_sec_context(
 struct SessionHandle *data,
 OM_uint32 * minor_status,
 gss_ctx_id_t * context,
 gss_name_t target_name,
+ bool use_spnego,
 gss_channel_bindings_t input_chan_bindings,
 gss_buffer_t input_token,
 gss_buffer_t output_token,
@@ -55,7 +62,7 @@ OM_uint32 Curl_gss_init_sec_context(
 GSS_C_NO_CREDENTIAL, /* cred_handle */
 context,
 target_name,
- GSS_C_NO_OID, /* mech_type */
+ use_spnego ? (gss_OID)&gss_mech_spnego : GSS_C_NO_OID,
 req_flags,
 0, /* time_req */
 input_chan_bindings,
-- cgit v1.2.3
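Review bot: In the first hunk (`@@ -27,11 +27,18 @@`), `&spnego_OID` is a pointer to `const char[7]`, and storing it in the `elements` member of `gss_OID_desc` (a plain `void *` in the GSS-API C bindings) drops the `const` qualifier, which compilers diagnose. The hard-coded length `6` is also detached from the array it describes and silently relies on the string literal's trailing NUL not being counted. I would initialise the descriptor with `sizeof(spnego_OID) - 1,` and `(void *)spnego_OID` (or drop `const` from the byte array), and add a comment such as `/* SPNEGO mechanism OID 1.3.6.1.5.5.2, DER-encoded value bytes */` so the bytes can be checked against the specification. The new `bool use_spnego` parameter sits in the middle of the argument list, so the prototype in `curl_gssapi.h` and every caller have to change with it; the diff shown here is limited to this file, so that cannot be confirmed from the page.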
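Review bot: With `mech_type` set to the SPNEGO OID in the second hunk (`@@ -55,7 +62,7 @@`), nothing visible here checks which mechanism was actually negotiated, and the commit message itself notes NTLMSSP being attempted when no Kerberos ticket is available. The remainder of the `gss_init_sec_context()` call and the function body lie outside the hunk, so it is not visible whether `actual_mech_type` and `ret_flags` are inspected; if they are not, callers cannot distinguish a Kerberos context from a weaker fallback or confirm that the flags requested in `req_flags` were granted, which is worth checking or at least documenting at the call. The cast `(gss_OID)&gss_mech_spnego` also strips `const` from a `static const` object, and the argument lost the `/* mech_type */` label its neighbours keep; `use_spnego ? (gss_OID)&gss_mech_spnego : GSS_C_NO_OID, /* mech_type */` restores it.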