Commit Graph

26 Commits

Author SHA1 Message Date
David Woodhouse
9ad282b1ae Remove all traces of FBOpenSSL SPNEGO support
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters, there are various
different OIDs which can be used to specify the Kerberos mechanism too.

A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
and will exchange GSSAPI tokens which are appropriate for that mechanism.

But this SPNEGO implementation just strips the incoming SPNEGO packet
and extracts the token, if any. And completely discards the information
about *which* mechanism is being used. Then we *assume* it was Kerberos,
and feed the token into gss_init_sec_context() with the default
mechanism (GSS_S_NO_OID for the mech_type argument).

Furthermore... broken as this code is, it was never even *used* for input
tokens anyway, because higher layers of curl would just bail out if the
server actually said anything *back* to us in the negotiation. We assume
that we send a single token to the server, and it accepts it. If the server
wants to continue the exchange (as is required for NTLM and for SPNEGO
to do anything useful), then curl was broken anyway.

So the only bit which actually did anything was the bit in
Curl_output_negotiate(), which always generates an *initial* SPNEGO
token saying "Hey, I support only the Kerberos mechanism and this is its
token".

You could have done that by manually just prefixing the Kerberos token
with the appropriate bytes, if you weren't going to do any proper SPNEGO
handling. There's no need for the FBOpenSSL library at all.

The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
is for. And then it should all Just Work™.

That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
2014-07-16 17:26:08 +02:00
Steve Holme
8223972af2 winbuild: Don't USE_WINSSL when WITH_SSL is being used
Regression of commit d39bbcfa8d when compiling against OpenSSL.
2014-06-06 14:14:30 +01:00
Steve Holme
e8b7431305 build: Renamed CURLX_ONES file list definition to CURLX_CFILES
Renamed the CURLX_ONES file list definition in order to a) try and be
consistent with other file lists and b) to allow for the addition of
the curlx header files, which will assist with Visual Studio project
files generation rather than hard coding those files.
2014-05-21 23:11:51 +01:00
Steve Holme
0151316183 makefile: Added support for VC12 2014-01-08 02:26:42 +00:00
Steve Holme
aa1ee9e7a2 makefile: Added support for VC11 2014-01-08 01:36:33 +00:00
Yang Tse
63605d281f Makefile.inc: fix $(top_srcdir) not allowed in _SOURCES variables 2013-01-20 04:20:02 +01:00
Yang Tse
ae2a2c9931 curl tool: renaming hugehelp files to tool_hugehelp 2012-12-26 23:30:54 +01:00
Mark Snelling
6d8443a245 winbuild: Fix PDB file output
And fix some newlines to be proper CRLF

Bug: http://curl.haxx.se/bug/view.cgi?id=3586741
2012-11-14 23:20:10 +01:00
Marc Hoersken
7c0f201075 winbuild: Use machine type of development environment
This patch restores the original behavior instead of always
falling back to x86 if no MACHINE-type was specified.
2012-11-01 22:23:05 +01:00
Marc Hoersken
0ecb57056f winbuild: Additional clean up 2012-11-01 22:16:47 +01:00
Sapien2
0cb5650386 Minor winbuild refactoring 2012-11-01 22:06:53 +01:00
Sapien2
8f61e5cea7 Architecture selection for winbuild and minor makefiles refactoring 2012-11-01 22:06:53 +01:00
Marc Hoersken
8a57b3c972 winbuild: Added support for building with SPNEGO enabled
Since Simple and Protected GSSAPI Negotiation Mechanism
is already implemented in curl and supported by the MinGW
builds, this change adds build support to winbuild makefiles.
2012-09-10 22:03:56 +02:00
Marc Hoersken
f665e5d130 winbuild: Adjusted order of options to generated config name
Cleaned up order of handled build options by ordering them
nearly alphabetically by using the order of the generated
config name. Preparation for future/more build options.
2012-09-10 21:56:39 +02:00
Marc Hoersken
d7c9f2f63a winbuild: Aligned BUILD.WINDOWS.txt and Makefile.vc usage help 2012-07-08 10:41:53 +02:00
Marc Hoersken
d39bbcfa8d winbuild: Make USE_WINSSL depend on USE_SSPI
Since WinSSL cannot be build without SSPI being enabled,
USE_WINSSL now defaults to the value of USE_SSPI.

The makefile does now raise an error if WinSSL is enabled
while SSPI is disabled.
2012-07-07 23:30:37 +02:00
Marc Hoersken
86871577d9 winbuild: Aligned USE_SSPI with other USE_x defines
Renamed external parameter USE_SSPI = yes/no to ENABLE_SSPI = yes/no.
Backwards compatible change: USE_SSPI can still be passed as external
parameter with yes/no value as long as ENABLE_SSPI is not given.

USE_x defines are passed around with true/false values internally,
USE_SSPI is now aligned to this approach, but still accepts external
values yes/no being passed, just like the other defines.
2012-07-07 23:30:37 +02:00
Marc Hoersken
aeca33f96c winbuild: Clean up formatting and variable naming
- Changed space usage to line up with the whole file
- Renamed CFLAGS_SSPI/IPV6 to SSPI/IPV6_CFLAGS to be
  consistent with the other CFLAGS_x variables
- Make use of existing CFLAGS_IPV6 (previously IPV6_CFLAGS)
  instead of appending directly to CFLAGS
2012-07-07 23:30:36 +02:00
Marc Hoersken
9d8375c29b winbuild: Allow SSPI build with or without Schannel
The changes introduced in commit 2bfa57bc32 are not enough
to make it actually possible to use the USE_WINSSL option.
Makefile.vc was not updated and the configuration name which is
used in the build path did not match between both build files.

This patch fixes those issues and introduces the following changes:

- Replaced the -schannel name with -winssl in order to be consistent
with the other options
- Added ENABLE_WINSSL option to winbuild/Makefile.vc (default yes)
- Changed winbuild/MakefileBuild.vc to set USE_WINSSL to true if
USE_SSL is false and USE_WINSSL was not specified as a parameter
- Separated WINSSL handling from SSPI handling to be consistent with
the other options and their corresponding code path
2012-06-14 18:16:47 +02:00
Marc Hoersken
c45069bfbe winbuild: Removed WITH_SSL=schannel and tie schannel to SSPI
Removed specific WITH_SSL=schannel paramter that did not fit the general
schema and complicated the parameters. For now Schannel will be enabled
if SSPI is enabled and OpenSSL is disabled.
2012-06-11 19:04:49 +02:00
Marc Hoersken
cb142cf217 winbuild: Updated winbuild scripts to add schannel 2012-06-11 19:03:14 +02:00
Marc Hoersken
72c7c1d64e winbuild: Fixed environment variables being lost
Fixed USE_IPV6 and USE_IDN not being passed
from Makefile.vc to MakefileBuild.vc
Fixed whitespace and formatting issues
Fixed typo and format in help message
2012-06-10 16:12:48 +01:00
Pierre Joye
575f3c30ed - fix IPV6 and IDN options 2012-01-26 16:39:26 +01:00
Pierre Joye
00e615de7e - s, use, enable, for options name, avoiding conflicts with the names used in the makefile 2012-01-19 14:08:24 +01:00
Tom Wright
b7e242de0e looks like this should be static, not dll 2011-06-24 11:49:07 -07:00
Pierre Joye
76ac6b94ed Windows build: alternative makefile
This is a separate makefile for MSVC builds. It is deliberately put in
another dir than src/ and lib/ to allow a different build experience
than the previous - at least during a period. Eventually we should
unify.
2011-01-28 22:24:39 +01:00