David Woodhouse 9ad282b1ae Remove all traces of FBOpenSSL SPNEGO support
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters, there are various
different OIDs which can be used to specify the Kerberos mechanism too.

A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
and will exchange GSSAPI tokens which are appropriate for that mechanism.

But this SPNEGO implementation just strips the incoming SPNEGO packet
and extracts the token, if any. And completely discards the information
about *which* mechanism is being used. Then we *assume* it was Kerberos,
and feed the token into gss_init_sec_context() with the default
mechanism (GSS_S_NO_OID for the mech_type argument).

Furthermore... broken as this code is, it was never even *used* for input
tokens anyway, because higher layers of curl would just bail out if the
server actually said anything *back* to us in the negotiation. We assume
that we send a single token to the server, and it accepts it. If the server
wants to continue the exchange (as is required for NTLM and for SPNEGO
to do anything useful), then curl was broken anyway.

So the only bit which actually did anything was the bit in
Curl_output_negotiate(), which always generates an *initial* SPNEGO
token saying "Hey, I support only the Kerberos mechanism and this is its
token".

You could have done that by manually just prefixing the Kerberos token
with the appropriate bytes, if you weren't going to do any proper SPNEGO
handling. There's no need for the FBOpenSSL library at all.

The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
is for. And then it should all Just Work™.

That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
2014-07-16 17:26:08 +02:00
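
The mechanism list that the commit message describes as stripped and discarded sits at a fixed place in the initial SPNEGO token. As an added example (not code from curl or FBOpenSSL), this bounds-checked C reader returns the first mechType OID offered in a NegTokenInit; the function names and the sample token are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: NegTokenInit offering Kerberos 5, placeholder mechToken. */
const unsigned char sample_token[] = {
  0x60,0x23, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02, 0xa0,0x19, 0x30,0x17,
  0xa0,0x0d, 0x30,0x0b, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,
  0xa2,0x06, 0x04,0x04,0xde,0xad,0xbe,0xef };

/* Read one DER header; on success *p is at the contents. Returns tag or -1. */
static int der_hdr(const unsigned char **p, const unsigned char *end, size_t *len)
{
  if(end - *p < 2) return -1;
  int tag = *(*p)++;
  size_t n = *(*p)++;
  *len = n;
  if(n & 0x80) {                        /* long form: n length bytes follow */
    n &= 0x7f;
    if(n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
    for(*len = 0; n; n--) *len = (*len << 8) | *(*p)++;
  }
  return (size_t)(end - *p) < *len ? -1 : tag;
}

/* Write the first offered mechType OID as a dotted string; 0 on success. */
int spnego_first_mech(const unsigned char *p, size_t n, char *out, size_t outlen)
{
  static const unsigned char spnego[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
  static const int path[] = {0xa0, 0x30, 0xa0, 0x30, 0x06};
  const unsigned char *end = p + n;
  size_t len, i, used;
  unsigned long v = 0;
  if(der_hdr(&p, end, &len) != 0x60) return -1;   /* GSSAPI token framing */
  end = p + len;
  if(der_hdr(&p, end, &len) != 0x06 || len != sizeof(spnego) ||
     memcmp(p, spnego, len)) return -1;           /* must be 1.3.6.1.5.5.2 */
  p += len;
  for(i = 0; i < 5; i++) {                        /* descend to the first OID */
    if(der_hdr(&p, end, &len) != path[i]) return -1;
    end = p + len;
  }
  if(len < 1 || (p[len - 1] & 0x80)) return -1;   /* empty or truncated OID */
  used = (size_t)snprintf(out, outlen, "%d.%d", p[0] / 40, p[0] % 40);
  for(i = 1; i < len && used < outlen; i++) {     /* base-128 sub-identifiers */
    v = (v << 7) | (p[i] & 0x7f);
    if(p[i] & 0x80) continue;
    used += (size_t)snprintf(out + used, outlen - used, ".%lu", v);
    v = 0;
  }
  return used < outlen ? 0 : -1;
}
```

For the sample token the result is 1.2.840.113554.1.2.2, one of the OIDs used for the Kerberos mechanism; a peer offering a different first mechanism yields a different OID, which is the information a token-stripping implementation loses.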
CMake
docs Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
include curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx 2014-06-18 15:10:02 +02:00
lib Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
m4 Enable poll on darwin13 2014-05-06 08:31:10 +02:00
packages OS400: make it compilable again. Make RPG binding up to date. 2014-06-18 20:22:44 +02:00
perl
projects build: Fixed overridden compiler PDB settings in VC7 to VC12 2014-07-12 14:46:36 +01:00
src Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
tests test506: verify aa68848451 2014-07-16 00:09:58 +02:00
winbuild Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
.gitattributes
.gitignore
.travis.yml
acinclude.m4
buildconf buildconf: do not search tools in current directory. 2014-06-18 15:41:06 +02:00
buildconf.bat
CHANGES
CHANGES.0
CMakeLists.txt CMakeLists.txt: add standard curl source code header 2014-01-01 22:35:59 +01:00
configure.ac Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
contributors.sh contributors.sh: output list RELEASE-NOTES formatted 2014-01-20 17:08:08 +01:00
COPYING Bumped copyright year to 2014 2014-01-02 23:53:49 +00:00
CTestConfig.cmake
curl-config.in
GIT-INFO
install-sh Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
libcurl.pc.in
log2changes.pl
MacOSX-Framework
Makefile.am build: Use CURLX_* file lists for Visual Studio curl tool project generation 2014-05-22 23:10:38 +01:00
Makefile.dist Makefile.dist: Added support for VC7 2014-01-11 14:33:42 +00:00
maketgz maketgz: two more CRLF 2014-05-18 19:04:32 +02:00
missing
mkinstalldirs Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
README
RELEASE-NOTES RELEASE-NOTES: synced with 4cb2521595 2014-07-16 16:29:02 +02:00
TODO-RELEASE

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

README

  Curl is a command line tool for transferring data specified with URL
  syntax. Find out how to use curl by reading the curl.1 man page or the
  MANUAL document. Find out how to install Curl by reading the INSTALL
  document.

  libcurl is the library curl is using to do its job. It is readily
  available to be used by your software. Read the libcurl.3 man page to
  learn how!

  You find answers to the most frequent questions we get in the FAQ document.

  Study the COPYING file for distribution terms and similar. If you distribute
  curl binaries or other binaries that involve libcurl, you might enjoy the
  LICENSE-MIXING document.

CONTACT

  If you have problems, questions, ideas or suggestions, please contact us
  by posting to a suitable mailing list. See http://curl.haxx.se/mail/

  All contributors to the project are listed in the THANKS document.

WEB SITE

  Visit the curl web site for the latest news and downloads:

        http://curl.haxx.se/

GIT

  To download the very latest source off the GIT server do this:

    git clone git://github.com/bagder/curl.git

  (you'll get a directory named curl created, filled with the source code)

NOTICE

  Curl contains pieces of source code that is Copyright (c) 1998, 1999
  Kungliga Tekniska Högskolan. This notice is included here to comply with the
  distribution terms.