mirror of
https://github.com/curl/curl.git
synced 2024-11-27 05:50:21 +08:00
9ad282b1ae
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which allows client and server to negotiate the underlying mechanism which will actually be used to authenticate. This is *often* Kerberos, and can also be NTLM and other things. And to complicate matters, there are various different OIDs which can be used to specify the Kerberos mechanism too. A SPNEGO exchange will identify *which* GSSAPI mechanism is being used, and will exchange GSSAPI tokens which are appropriate for that mechanism. But this SPNEGO implementation just strips the incoming SPNEGO packet and extracts the token, if any. And completely discards the information about *which* mechanism is being used. Then we *assume* it was Kerberos, and feed the token into gss_init_sec_context() with the default mechanism (GSS_S_NO_OID for the mech_type argument). Furthermore... broken as this code is, it was never even *used* for input tokens anyway, because higher layers of curl would just bail out if the server actually said anything *back* to us in the negotiation. We assume that we send a single token to the server, and it accepts it. If the server wants to continue the exchange (as is required for NTLM and for SPNEGO to do anything useful), then curl was broken anyway. So the only bit which actually did anything was the bit in Curl_output_negotiate(), which always generates an *initial* SPNEGO token saying "Hey, I support only the Kerberos mechanism and this is its token". You could have done that by manually just prefixing the Kerberos token with the appropriate bytes, if you weren't going to do any proper SPNEGO handling. There's no need for the FBOpenSSL library at all. The sane way to do SPNEGO is just to *ask* the GSSAPI library to do SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context() is for. And then it should all Just Work™. That 'sane way' will be added in a subsequent patch, as will bug fixes for our failure to handle any exchange other than a single outbound token to the server which results in immediate success. |
||
|---|---|---|
| .. | ||
| vtls | ||
| .gitignore | ||
| amigaos.c | ||
| amigaos.h | ||
| arpa_telnet.h | ||
| asyn-ares.c | ||
| asyn-thread.c | ||
| asyn.h | ||
| base64.c | ||
| bundles.c | ||
| bundles.h | ||
| checksrc.pl | ||
| CMakeLists.txt | ||
| config-amigaos.h | ||
| config-dos.h | ||
| config-mac.h | ||
| config-os400.h | ||
| config-riscos.h | ||
| config-symbian.h | ||
| config-tpf.h | ||
| config-vxworks.h | ||
| config-win32.h | ||
| config-win32ce.h | ||
| conncache.c | ||
| conncache.h | ||
| connect.c | ||
| connect.h | ||
| content_encoding.c | ||
| content_encoding.h | ||
| cookie.c | ||
| cookie.h | ||
| curl_addrinfo.c | ||
| curl_addrinfo.h | ||
| curl_base64.h | ||
| curl_config.h.cmake | ||
| curl_fnmatch.c | ||
| curl_fnmatch.h | ||
| curl_gethostname.c | ||
| curl_gethostname.h | ||
| curl_gssapi.c | ||
| curl_gssapi.h | ||
| curl_hmac.h | ||
| curl_ldap.h | ||
| curl_md4.h | ||
| curl_md5.h | ||
| curl_memory.h | ||
| curl_memrchr.c | ||
| curl_memrchr.h | ||
| curl_multibyte.c | ||
| curl_multibyte.h | ||
| curl_ntlm_core.c | ||
| curl_ntlm_core.h | ||
| curl_ntlm_msgs.c | ||
| curl_ntlm_msgs.h | ||
| curl_ntlm_wb.c | ||
| curl_ntlm_wb.h | ||
| curl_ntlm.c | ||
| curl_ntlm.h | ||
| curl_rtmp.c | ||
| curl_rtmp.h | ||
| curl_sasl_sspi.c | ||
| curl_sasl.c | ||
| curl_sasl.h | ||
| curl_sec.h | ||
| curl_setup_once.h | ||
| curl_setup.h | ||
| curl_sspi.c | ||
| curl_sspi.h | ||
| curl_threads.c | ||
| curl_threads.h | ||
| curlx.h | ||
| dict.c | ||
| dict.h | ||
| dotdot.c | ||
| dotdot.h | ||
| easy.c | ||
| easyif.h | ||
| escape.c | ||
| escape.h | ||
| file.c | ||
| file.h | ||
| fileinfo.c | ||
| fileinfo.h | ||
| firefox-db2pem.sh | ||
| formdata.c | ||
| formdata.h | ||
| ftp.c | ||
| ftp.h | ||
| ftplistparser.c | ||
| ftplistparser.h | ||
| getenv.c | ||
| getinfo.c | ||
| getinfo.h | ||
| gopher.c | ||
| gopher.h | ||
| hash.c | ||
| hash.h | ||
| hmac.c | ||
| hostasyn.c | ||
| hostcheck.c | ||
| hostcheck.h | ||
| hostip4.c | ||
| hostip6.c | ||
| hostip.c | ||
| hostip.h | ||
| hostsyn.c | ||
| http2.c | ||
| http2.h | ||
| http_chunks.c | ||
| http_chunks.h | ||
| http_digest.c | ||
| http_digest.h | ||
| http_negotiate_sspi.c | ||
| http_negotiate.c | ||
| http_negotiate.h | ||
| http_proxy.c | ||
| http_proxy.h | ||
| http.c | ||
| http.h | ||
| idn_win32.c | ||
| if2ip.c | ||
| if2ip.h | ||
| imap.c | ||
| imap.h | ||
| inet_ntop.c | ||
| inet_ntop.h | ||
| inet_pton.c | ||
| inet_pton.h | ||
| krb5.c | ||
| ldap.c | ||
| libcurl.def | ||
| libcurl.plist | ||
| libcurl.rc | ||
| libcurl.vers.in | ||
| llist.c | ||
| llist.h | ||
| Makefile.am | ||
| makefile.amiga | ||
| Makefile.b32 | ||
| makefile.dj | ||
| Makefile.inc | ||
| Makefile.m32 | ||
| Makefile.netware | ||
| Makefile.vc6 | ||
| Makefile.vxworks | ||
| Makefile.Watcom | ||
| md4.c | ||
| md5.c | ||
| memdebug.c | ||
| memdebug.h | ||
| mk-ca-bundle.pl | ||
| mk-ca-bundle.vbs | ||
| mprintf.c | ||
| multi.c | ||
| multihandle.h | ||
| multiif.h | ||
| netrc.c | ||
| netrc.h | ||
| non-ascii.c | ||
| non-ascii.h | ||
| nonblock.c | ||
| nonblock.h | ||
| nwlib.c | ||
| nwos.c | ||
| objnames-test08.sh | ||
| objnames-test10.sh | ||
| objnames.inc | ||
| openldap.c | ||
| parsedate.c | ||
| parsedate.h | ||
| pingpong.c | ||
| pingpong.h | ||
| pipeline.c | ||
| pipeline.h | ||
| pop3.c | ||
| pop3.h | ||
| progress.c | ||
| progress.h | ||
| rawstr.c | ||
| rawstr.h | ||
| README.ares | ||
| README.curl_off_t | ||
| README.curlx | ||
| README.encoding | ||
| README.hostip | ||
| README.http2 | ||
| README.httpauth | ||
| README.memoryleak | ||
| README.multi_socket | ||
| README.pingpong | ||
| README.pipelining | ||
| rtsp.c | ||
| rtsp.h | ||
| security.c | ||
| select.c | ||
| select.h | ||
| sendf.c | ||
| sendf.h | ||
| setup-os400.h | ||
| setup-vms.h | ||
| share.c | ||
| share.h | ||
| sigpipe.h | ||
| slist.c | ||
| slist.h | ||
| smtp.c | ||
| smtp.h | ||
| sockaddr.h | ||
| socks_gssapi.c | ||
| socks_sspi.c | ||
| socks.c | ||
| socks.h | ||
| speedcheck.c | ||
| speedcheck.h | ||
| splay.c | ||
| splay.h | ||
| ssh.c | ||
| ssh.h | ||
| strdup.c | ||
| strdup.h | ||
| strequal.c | ||
| strequal.h | ||
| strerror.c | ||
| strerror.h | ||
| strtok.c | ||
| strtok.h | ||
| strtoofft.c | ||
| strtoofft.h | ||
| telnet.c | ||
| telnet.h | ||
| tftp.c | ||
| tftp.h | ||
| timeval.c | ||
| timeval.h | ||
| transfer.c | ||
| transfer.h | ||
| url.c | ||
| url.h | ||
| urldata.h | ||
| version.c | ||
| warnless.c | ||
| warnless.h | ||
| wildcard.c | ||
| wildcard.h | ||
| x509asn1.c | ||
| x509asn1.h | ||
HTTP Pipelining with libcurl ============================ Background Since pipelining implies that one or more requests are sent to a server before the previous response(s) have been received, we only support it for multi interface use. Considerations When using the multi interface, you create one easy handle for each transfer. Bascially any number of handles can be created, added and used with the multi interface - simultaneously. It is an interface designed to allow many simultaneous transfers while still using a single thread. Pipelining does not change any of these details. API We've added a new option to curl_multi_setopt() called CURLMOPT_PIPELINING that enables "attempted pipelining" and then all easy handles used on that handle will attempt to use an existing pipeline. Details - A pipeline is only created if a previous connection exists to the same IP address that the new request is being made to use. - Pipelines are only supported for HTTP(S) as no other currently supported protocol has features resemembling this, but we still name this feature plain 'pipelining' to possibly one day support it for other protocols as well. - HTTP Pipelining is for GET and HEAD requests only. - When a pipeline is in use, we must take precautions so that when used easy handles (i.e those who still wait for a response) are removed from the multi handle, we must deal with the outstanding response nicely. - Explicitly asking for pipelining handle X and handle Y won't be supported. It isn't easy for an app to do this association. The lib should probably still resolve the second one properly to make sure that they actually _can_ be considered for pipelining. Also, asking for explicit pipelining on handle X may be tricky when handle X get a closed connection.