Mark Davies fixed Negotiate authentication over proxy, and also introduced
the --proxy-negotiate command line option to allow a user to explicitly select it.
This commit is contained in:
Daniel Stenberg
parent
4686adb433
commit
015d5869d7
5
CHANGES
5
CHANGES
@ -6,6 +6,11 @@
|
||||
|
||||
Changelog
|
||||
|
||||
Daniel S (21 September 2007)
|
||||
- Mark Davies fixed Negotiate authentication over proxy, and also introduced
|
||||
the --proxy-negotiate command line option to allow a user to explicitly
|
||||
select it.
|
||||
|
||||
Daniel S (19 September 2007)
|
||||
- Rob Crittenden provided an NSS update with the following highlights:
|
||||
|
||||
|
||||
@ -13,6 +13,7 @@ This release includes the following changes:
|
||||
|
||||
o automatically append ";type=<a|i>" when using HTTP proxies for FTP urls
|
||||
o improved NSS support
|
||||
o added --proxy-negotiate
|
||||
|
||||
This release includes the following bugfixes:
|
||||
|
||||
@ -20,6 +21,7 @@ This release includes the following bugfixes:
|
||||
o ldapv3 support on Windows
|
||||
o ldap builds with the MSVC makefiles
|
||||
o no HOME and no key given caused SSH auth failure
|
||||
o Negotiate authentication over proxy
|
||||
|
||||
This release includes the following known bugs:
|
||||
|
||||
@ -36,6 +38,7 @@ New curl mirrors:
|
||||
This release would not have looked like this without help, code, reports and
|
||||
advice from friends like these:
|
||||
|
||||
Dan Fandrich, Michal Marek, Günter Knauf, Rob Crittenden, Immanuel Gregoire
|
||||
Dan Fandrich, Michal Marek, Günter Knauf, Rob Crittenden, Immanuel Gregoire,
|
||||
Mark Davies
|
||||
|
||||
Thanks! (and sorry if I forgot to mention someone)
|
||||
|
||||
11
docs/curl.1
11
docs/curl.1
@ -774,6 +774,9 @@ meant as a support for Kerberos5 authentication but may be also used along
|
||||
with another authentication methods. For more information see IETF draft
|
||||
draft-brezak-spnego-http-04.txt.
|
||||
|
||||
If you want to enable Negotiate for your proxy authentication, then use
|
||||
\fI--proxy-negotiate\fP.
|
||||
|
||||
This option requires that the library was built with GSSAPI support. This is
|
||||
not very common. Use \fI-V/--version\fP to see if your version supports
|
||||
GSS-Negotiate.
|
||||
@ -863,6 +866,14 @@ Tells curl to use HTTP Digest authentication when communicating with the given
|
||||
proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host.
|
||||
|
||||
If this option is used twice, the second will again disable proxy HTTP Digest.
|
||||
.IP "--proxy-negotiate"
|
||||
Tells curl to use HTTP Negotiate authentication when communicating
|
||||
with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate
|
||||
with a remote host.
|
||||
|
||||
If this option is used twice, the second will again disable proxy HTTP
|
||||
Negotiate.
|
||||
|
||||
.IP "--proxy-ntlm"
|
||||
Tells curl to use HTTP NTLM authentication when communicating with the given
|
||||
proxy. Use \fI--ntlm\fP for enabling NTLM with a remote host.
|
||||
|
||||
16
lib/http.c
16
lib/http.c
@ -424,6 +424,18 @@ Curl_http_output_auth(struct connectdata *conn,
|
||||
/* Send proxy authentication header if needed */
|
||||
if (conn->bits.httpproxy &&
|
||||
(conn->bits.tunnel_proxy == proxytunnel)) {
|
||||
#ifdef HAVE_GSSAPI
|
||||
if((authproxy->picked == CURLAUTH_GSSNEGOTIATE) &&
|
||||
data->state.negotiate.context &&
|
||||
!GSS_ERROR(data->state.negotiate.status)) {
|
||||
auth="GSS-Negotiate";
|
||||
result = Curl_output_negotiate(conn, TRUE);
|
||||
if (result)
|
||||
return result;
|
||||
authproxy->done = TRUE;
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#ifdef USE_NTLM
|
||||
if(authproxy->picked == CURLAUTH_NTLM) {
|
||||
auth="NTLM";
|
||||
@ -486,7 +498,7 @@ Curl_http_output_auth(struct connectdata *conn,
|
||||
data->state.negotiate.context &&
|
||||
!GSS_ERROR(data->state.negotiate.status)) {
|
||||
auth="GSS-Negotiate";
|
||||
result = Curl_output_negotiate(conn);
|
||||
result = Curl_output_negotiate(conn, FALSE);
|
||||
if (result)
|
||||
return result;
|
||||
authhost->done = TRUE;
|
||||
@ -593,7 +605,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
|
||||
authp->avail |= CURLAUTH_GSSNEGOTIATE;
|
||||
if(authp->picked == CURLAUTH_GSSNEGOTIATE) {
|
||||
/* if exactly this is wanted, go */
|
||||
int neg = Curl_input_negotiate(conn, start);
|
||||
int neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start);
|
||||
if (neg == 0) {
|
||||
data->reqdata.newurl = strdup(data->change.url);
|
||||
data->state.authproblem = (data->reqdata.newurl == NULL);
|
||||
|
||||
@ -49,7 +49,7 @@
|
||||
#include "memdebug.h"
|
||||
|
||||
static int
|
||||
get_gss_name(struct connectdata *conn, gss_name_t *server)
|
||||
get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
|
||||
{
|
||||
struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
|
||||
OM_uint32 major_status, minor_status;
|
||||
@ -69,11 +69,11 @@ get_gss_name(struct connectdata *conn, gss_name_t *server)
|
||||
else
|
||||
service = "HTTP";
|
||||
|
||||
token.length = strlen(service) + 1 + strlen(conn->host.name) + 1;
|
||||
token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1;
|
||||
if (token.length + 1 > sizeof(name))
|
||||
return EMSGSIZE;
|
||||
|
||||
snprintf(name, sizeof(name), "%s@%s", service, conn->host.name);
|
||||
snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : conn->host.name);
|
||||
|
||||
token.value = (void *) name;
|
||||
major_status = gss_import_name(&minor_status,
|
||||
@ -113,7 +113,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix)
|
||||
infof(conn->data, "%s", buf);
|
||||
}
|
||||
|
||||
int Curl_input_negotiate(struct connectdata *conn, const char *header)
|
||||
int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header)
|
||||
{
|
||||
struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
|
||||
OM_uint32 major_status, minor_status, minor_status2;
|
||||
@ -156,7 +156,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header)
|
||||
}
|
||||
|
||||
if (neg_ctx->server_name == NULL &&
|
||||
(ret = get_gss_name(conn, &neg_ctx->server_name)))
|
||||
(ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
|
||||
return ret;
|
||||
|
||||
header += strlen(neg_ctx->protocol);
|
||||
@ -245,7 +245,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header)
|
||||
}
|
||||
|
||||
|
||||
CURLcode Curl_output_negotiate(struct connectdata *conn)
|
||||
CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
|
||||
{
|
||||
struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
|
||||
OM_uint32 minor_status;
|
||||
@ -299,7 +299,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
conn->allocptr.userpwd =
|
||||
aprintf("Authorization: %s %s\r\n", neg_ctx->protocol, encoded);
|
||||
aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded);
|
||||
free(encoded);
|
||||
gss_release_buffer(&minor_status, &neg_ctx->output_token);
|
||||
return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
|
||||
|
||||
@ -27,10 +27,10 @@
|
||||
#ifdef HAVE_GSSAPI
|
||||
|
||||
/* this is for Negotiate header input */
|
||||
int Curl_input_negotiate(struct connectdata *conn, const char *header);
|
||||
int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header);
|
||||
|
||||
/* this is for creating Negotiate header output */
|
||||
CURLcode Curl_output_negotiate(struct connectdata *conn);
|
||||
CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy);
|
||||
|
||||
void Curl_cleanup_negotiate(struct SessionHandle *data);
|
||||
|
||||
|
||||
11
src/main.c
11
src/main.c
@ -426,6 +426,7 @@ struct Configurable {
|
||||
bool create_dirs;
|
||||
bool ftp_create_dirs;
|
||||
bool ftp_skip_ip;
|
||||
bool proxynegotiate;
|
||||
bool proxyntlm;
|
||||
bool proxydigest;
|
||||
bool proxybasic;
|
||||
@ -690,6 +691,7 @@ static void help(void)
|
||||
" --proxy-anyauth Pick \"any\" proxy authentication method (H)",
|
||||
" --proxy-basic Use Basic authentication on the proxy (H)",
|
||||
" --proxy-digest Use Digest authentication on the proxy (H)",
|
||||
" --proxy-negotiate Use Negotiate authentication on the proxy (H)",
|
||||
" --proxy-ntlm Use NTLM authentication on the proxy (H)",
|
||||
" -P/--ftp-port <address> Use PORT with address instead of PASV (F)",
|
||||
" -q If used as the first parameter disables .curlrc",
|
||||
@ -1492,6 +1494,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
|
||||
{"$g", "retry", TRUE},
|
||||
{"$h", "retry-delay", TRUE},
|
||||
{"$i", "retry-max-time", TRUE},
|
||||
{"$k", "proxy-negotiate", FALSE},
|
||||
{"$m", "ftp-account", TRUE},
|
||||
{"$n", "proxy-anyauth", FALSE},
|
||||
{"$o", "trace-time", FALSE},
|
||||
@ -1892,6 +1895,12 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
|
||||
return PARAM_BAD_NUMERIC;
|
||||
break;
|
||||
|
||||
case 'k': /* --proxy-negotiate */
|
||||
if(curlinfo->features & CURL_VERSION_GSSNEGOTIATE)
|
||||
config->proxynegotiate ^= TRUE;
|
||||
else
|
||||
return PARAM_LIBCURL_DOESNT_SUPPORT;
|
||||
break;
|
||||
case 'm': /* --ftp-account */
|
||||
GetStr(&config->ftp_account, nextarg);
|
||||
break;
|
||||
@ -4302,6 +4311,8 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
|
||||
config->ftp_create_dirs);
|
||||
if(config->proxyanyauth)
|
||||
my_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
|
||||
else if(config->proxynegotiate)
|
||||
my_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_GSSNEGOTIATE);
|
||||
else if(config->proxyntlm)
|
||||
my_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_NTLM);
|
||||
else if(config->proxydigest)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user