http: do not require a username when using CURLAUTH_NEGOTIATE

In order to get Negotiate (SPNEGO) authentication to work in HTTP or Kerberos V5 in the email protocols, you used to be required to provide a (fake) user name (this concerns both curl and the lib) because the code wrongly only considered authentication if there was a user name provided. This commit leverages the `struct auth` want member to figure out if the user enabled CURLAUTH_NEGOTIATE, effectively removing the requirement of setting a user name both in curl and the lib. Signed-off-by: Marin Hannache <mareo@cri.epita.fr> Reported-by: Enrico Scholz Fixes https://sourceforge.net/p/curl/bugs/440/ Fixes curl#1161
Mareo · Jun 24, 2022 · 74370bd · 74370bd
1 parent 2b67a0a
commit 74370bd
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 34 deletions.
diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
@@ -66,15 +66,14 @@ problems may have been fixed or changed somewhat since this was written.
  6.1 NTLM authentication and unicode
  6.2 MIT Kerberos for Windows build
  6.3 NTLM in system context uses wrong name
- 6.4 Negotiate and Kerberos V5 need a fake user name
- 6.5 NTLM does not support password with § character
- 6.6 libcurl can fail to try alternatives with --proxy-any
- 6.7 Do not clear digest for single realm
- 6.8 RTSP authentication breaks without redirect support
- 6.9 SHA-256 digest not supported in Windows SSPI builds
- 6.10 curl never completes Negotiate over HTTP
- 6.11 Negotiate on Windows fails
- 6.12 cannot use Secure Transport with Crypto Token Kit
+ 6.4 NTLM does not support password with § character
+ 6.5 libcurl can fail to try alternatives with --proxy-any
+ 6.6 Do not clear digest for single realm
+ 6.7 RTSP authentication breaks without redirect support
+ 6.8 SHA-256 digest not supported in Windows SSPI builds
+ 6.9 curl never completes Negotiate over HTTP
+ 6.10 Negotiate on Windows fails
+ 6.11 cannot use Secure Transport with Crypto Token Kit
 
  7. FTP
  7.1 FTP without or slow 220 response
@@ -560,23 +559,11 @@ problems may have been fixed or changed somewhat since this was written.
  "system context" will make it use wrong(?) user name - at least when compared
  to what winhttp does. See https://curl.se/bug/view.cgi?id=535
 
-6.4 Negotiate and Kerberos V5 need a fake user name
-
- In order to get Negotiate (SPNEGO) authentication to work in HTTP or Kerberos
- V5 in the email protocols, you need to  provide a (fake) user name (this
- concerns both curl and the lib) because the code wrongly only considers
- authentication if there's a user name provided by setting
- conn->bits.user_passwd in url.c  https://curl.se/bug/view.cgi?id=440 How?
- https://curl.se/mail/lib-2004-08/0182.html A possible solution is to
- either modify this variable to be set or introduce a variable such as
- new conn->bits.want_authentication which is set when any of the authentication
- options are set.
-
-6.5 NTLM does not support password with § character
+6.4 NTLM does not support password with § character
 
  https://github.com/curl/curl/issues/2120
 
-6.6 libcurl can fail to try alternatives with --proxy-any
+6.5 libcurl can fail to try alternatives with --proxy-any
 
  When connecting via a proxy using --proxy-any, a failure to establish an
  authentication will cause libcurl to abort trying other options if the
@@ -587,11 +574,11 @@ problems may have been fixed or changed somewhat since this was written.
 
  https://github.com/curl/curl/issues/876
 
-6.7 Do not clear digest for single realm
+6.6 Do not clear digest for single realm
 
  https://github.com/curl/curl/issues/3267
 
-6.8 RTSP authentication breaks without redirect support
+6.7 RTSP authentication breaks without redirect support
 
  RTSP authentication broke in 7.66.0. A work-around is to enable RTSP in
  CURLOPT_REDIR_PROTOCOLS. Authentication should however not be considered an
@@ -600,7 +587,7 @@ problems may have been fixed or changed somewhat since this was written.
 
  See https://github.com/curl/curl/pull/4750
 
-6.9 SHA-256 digest not supported in Windows SSPI builds
+6.8 SHA-256 digest not supported in Windows SSPI builds
 
  Windows builds of curl that have SSPI enabled use the native Windows API calls
  to create authentication strings. The call to InitializeSecurityContext fails
@@ -611,21 +598,21 @@ problems may have been fixed or changed somewhat since this was written.
 
  https://github.com/curl/curl/issues/6302
 
-6.10 curl never completes Negotiate over HTTP
+6.9 curl never completes Negotiate over HTTP
 
  Apparently it is not working correctly...?
 
  See https://github.com/curl/curl/issues/5235
 
-6.11 Negotiate on Windows fails
+6.10 Negotiate on Windows fails
 
  When using --negotiate (or NTLM) with curl on Windows, SSL/TLS handshake
  fails despite having a valid kerberos ticket cached. Works without any issue
  in Unix/Linux.
 
  https://github.com/curl/curl/issues/5881
 
-6.12 cannot use Secure Transport with Crypto Token Kit
+6.11 cannot use Secure Transport with Crypto Token Kit
 
  https://github.com/curl/curl/issues/7048
 

diff --git a/lib/http.c b/lib/http.c
@@ -828,7 +828,12 @@ Curl_http_output_auth(struct Curl_easy *data,
 #ifndef CURL_DISABLE_PROXY
     (conn->bits.httpproxy && conn->bits.proxy_user_passwd) ||
 #endif
-     data->state.aptr.user || data->set.str[STRING_BEARER])
+     data->state.aptr.user ||
+#ifdef USE_SPNEGO
+     authhost->want & CURLAUTH_NEGOTIATE ||
+     authproxy->want & CURLAUTH_NEGOTIATE ||
+#endif
+     data->set.str[STRING_BEARER])
     /* continue please */;
   else {
     authhost->done = TRUE;

diff --git a/tests/data/test2056 b/tests/data/test2056
@@ -47,7 +47,7 @@ LD_PRELOAD=%PWD/libtest/.libs/libstubgss.so
 CURL_STUB_GSS_CREDS="KRB5_Alice"
 </setenv>
 <command>
--u: --negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+--negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER
 </command>
 </client>
 

diff --git a/tests/data/test2057 b/tests/data/test2057
@@ -63,7 +63,7 @@ LD_PRELOAD=%PWD/libtest/.libs/libstubgss.so
 CURL_STUB_GSS_CREDS="NTLM_Alice"
 </setenv>
 <command>
--u: --negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+--negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER
 </command>
 </client>
 

diff --git a/tests/data/test2077 b/tests/data/test2077
@@ -29,7 +29,7 @@ GSS-API
 curl --fail --negotiate to unauthenticated service fails
 </name>
 <command>
-http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u : --fail --negotiate
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --fail --negotiate
 </command>
 </client>
 

diff --git a/tests/data/test2078 b/tests/data/test2078
@@ -29,7 +29,7 @@ GSS-API
 curl --negotiate should not send empty POST request only
 </name>
 <command>
-http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u : --negotiate --data name=value
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --negotiate --data name=value
 </command>
 </client>