From 74370bd3a89587b6e30971f28a540e081d549d90 Mon Sep 17 00:00:00 2001 From: Marin Hannache Date: Fri, 24 Jun 2022 15:24:52 +0200 Subject: [PATCH] http: do not require a username when using CURLAUTH_NEGOTIATE In order to get Negotiate (SPNEGO) authentication to work in HTTP or Kerberos V5 in the email protocols, you used to be required to provide a (fake) user name (this concerns both curl and the lib) because the code wrongly only considered authentication if there was a user name provided. This commit leverages the `struct auth` want member to figure out if the user enabled CURLAUTH_NEGOTIATE, effectively removing the requirement of setting a user name both in curl and the lib. Signed-off-by: Marin Hannache Reported-by: Enrico Scholz Fixes https://sourceforge.net/p/curl/bugs/440/ Fixes #1161 --- docs/KNOWN_BUGS | 45 ++++++++++++++++----------------------------- lib/http.c | 7 ++++++- tests/data/test2056 | 2 +- tests/data/test2057 | 2 +- tests/data/test2077 | 2 +- tests/data/test2078 | 2 +- 6 files changed, 26 insertions(+), 34 deletions(-) diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS index 67197cf66b7c53..27a2d428a12c84 100644 --- a/docs/KNOWN_BUGS +++ b/docs/KNOWN_BUGS 
@@ -66,15 +66,14 @@ problems may have been fixed or changed somewhat since this was written. 6.1 NTLM authentication and unicode 6.2 MIT Kerberos for Windows build 6.3 NTLM in system context uses wrong name - 6.4 Negotiate and Kerberos V5 need a fake user name - 6.5 NTLM does not support password with § character - 6.6 libcurl can fail to try alternatives with --proxy-any - 6.7 Do not clear digest for single realm - 6.8 RTSP authentication breaks without redirect support - 6.9 SHA-256 digest not supported in Windows SSPI builds - 6.10 curl never completes Negotiate over HTTP - 6.11 Negotiate on Windows fails - 6.12 cannot use Secure Transport with Crypto Token Kit + 6.4 NTLM does not support password with § character + 6.5 libcurl can fail to try alternatives with --proxy-any + 6.6 Do not clear digest for single realm + 6.7 RTSP authentication breaks without redirect support + 6.8 SHA-256 digest not supported in Windows SSPI builds + 6.9 curl never completes Negotiate over HTTP + 6.10 Negotiate on Windows fails + 6.11 cannot use Secure Transport with Crypto Token Kit 7. FTP 7.1 FTP without or slow 220 response 
@@ -560,23 +559,11 @@ problems may have been fixed or changed somewhat since this was written. "system context" will make it use wrong(?) user name - at least when compared to what winhttp does. See https://curl.se/bug/view.cgi?id=535 -6.4 Negotiate and Kerberos V5 need a fake user name - - In order to get Negotiate (SPNEGO) authentication to work in HTTP or Kerberos - V5 in the email protocols, you need to provide a (fake) user name (this - concerns both curl and the lib) because the code wrongly only considers - authentication if there's a user name provided by setting - conn->bits.user_passwd in url.c https://curl.se/bug/view.cgi?id=440 How? - https://curl.se/mail/lib-2004-08/0182.html A possible solution is to - either modify this variable to be set or introduce a variable such as - new conn->bits.want_authentication which is set when any of the authentication - options are set. - -6.5 NTLM does not support password with § character +6.4 NTLM does not support password with § character https://github.com/curl/curl/issues/2120 -6.6 libcurl can fail to try alternatives with --proxy-any +6.5 libcurl can fail to try alternatives with --proxy-any When connecting via a proxy using --proxy-any, a failure to establish an authentication will cause libcurl to abort trying other options if the @@ -587,11 +574,11 @@ problems may have been fixed or changed somewhat since this was written. https://github.com/curl/curl/issues/876 -6.7 Do not clear digest for single realm +6.6 Do not clear digest for single realm https://github.com/curl/curl/issues/3267 -6.8 RTSP authentication breaks without redirect support +6.7 RTSP authentication breaks without redirect support RTSP authentication broke in 7.66.0. A work-around is to enable RTSP in CURLOPT_REDIR_PROTOCOLS. Authentication should however not be considered an 
@@ -600,7 +587,7 @@ problems may have been fixed or changed somewhat since this was written. See https://github.com/curl/curl/pull/4750 -6.9 SHA-256 digest not supported in Windows SSPI builds +6.8 SHA-256 digest not supported in Windows SSPI builds Windows builds of curl that have SSPI enabled use the native Windows API calls to create authentication strings. The call to InitializeSecurityContext fails @@ -611,13 +598,13 @@ problems may have been fixed or changed somewhat since this was written. https://github.com/curl/curl/issues/6302 -6.10 curl never completes Negotiate over HTTP +6.9 curl never completes Negotiate over HTTP Apparently it is not working correctly...? See https://github.com/curl/curl/issues/5235 -6.11 Negotiate on Windows fails +6.10 Negotiate on Windows fails When using --negotiate (or NTLM) with curl on Windows, SSL/TLS handshake fails despite having a valid kerberos ticket cached. Works without any issue @@ -625,7 +612,7 @@ problems may have been fixed or changed somewhat since this was written. https://github.com/curl/curl/issues/5881 -6.12 cannot use Secure Transport with Crypto Token Kit +6.11 cannot use Secure Transport with Crypto Token Kit https://github.com/curl/curl/issues/7048 diff --git a/lib/http.c b/lib/http.c index 5284475ba92c43..4a5aae078d581d 100644 --- a/lib/http.c +++ b/lib/http.c @@ -828,7 +828,12 @@ Curl_http_output_auth(struct Curl_easy *data, #ifndef CURL_DISABLE_PROXY (conn->bits.httpproxy && conn->bits.proxy_user_passwd) || #endif - data->state.aptr.user || data->set.str[STRING_BEARER]) + data->state.aptr.user || +#ifdef USE_SPNEGO + authhost->want & CURLAUTH_NEGOTIATE || + authproxy->want & CURLAUTH_NEGOTIATE || +#endif + data->set.str[STRING_BEARER]) /* continue please */; else { authhost->done = TRUE; diff --git a/tests/data/test2056 b/tests/data/test2056 index d262e097da561e..008f137dfb110e 100644 --- a/tests/data/test2056 +++ b/tests/data/test2056 
@@ -47,7 +47,7 @@ LD_PRELOAD=%PWD/libtest/.libs/libstubgss.so CURL_STUB_GSS_CREDS="KRB5_Alice" --u: --negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER +--negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER diff --git a/tests/data/test2057 b/tests/data/test2057 index c5443cc6013149..dfc7798f640fc9 100644 --- a/tests/data/test2057 +++ b/tests/data/test2057 @@ -63,7 +63,7 @@ LD_PRELOAD=%PWD/libtest/.libs/libstubgss.so CURL_STUB_GSS_CREDS="NTLM_Alice" --u: --negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER +--negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER diff --git a/tests/data/test2077 b/tests/data/test2077 index 44a197481ad546..b244b9466cf1ac 100644 --- a/tests/data/test2077 +++ b/tests/data/test2077 @@ -29,7 +29,7 @@ GSS-API curl --fail --negotiate to unauthenticated service fails -http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u : --fail --negotiate +http://%HOSTIP:%HTTPPORT/%TESTNUMBER --fail --negotiate diff --git a/tests/data/test2078 b/tests/data/test2078 index 387352afa94de3..ec1277e5efc9fe 100644 --- a/tests/data/test2078 +++ b/tests/data/test2078 @@ -29,7 +29,7 @@ GSS-API curl --negotiate should not send empty POST request only -http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u : --negotiate --data name=value +http://%HOSTIP:%HTTPPORT/%TESTNUMBER --negotiate --data name=value
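Review bot: In the lib/http.c hunk, the new `authproxy->want & CURLAUTH_NEGOTIATE ||` line is only guarded by `#ifdef USE_SPNEGO`, while the proxy credential check a few lines above it sits under `#ifndef CURL_DISABLE_PROXY`; either the proxy-want test should carry the same guard for consistency, or a comment should say why checking `authproxy->want` is harmless in proxy-disabled builds. Also consider parenthesising the two bitwise tests, e.g. `(authhost->want & CURLAUTH_NEGOTIATE) ||`, so the mix of `&` and `||` in one multi-line condition does not rely on the reader knowing the precedence. Finally, the condition now lets a Negotiate request proceed with `data->state.aptr.user` NULL; the hunk does not show the code below the `/* continue please */` branch, so it is worth confirming that every later use of the user name in this function tolerates NULL.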
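Review bot: The docs/KNOWN_BUGS hunk deletes item 6.4 in full, but that item covered two cases, Negotiate over HTTP and Kerberos V5 in the email protocols, whereas this patch only changes lib/http.c. Unless the email-protocol path is fixed elsewhere, the Kerberos V5 half of the entry should stay (renumbered) rather than disappear, and the commit message's "effectively removing the requirement of setting a user name" should be narrowed to HTTP.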
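Review bot: The four test changes (2056, 2057, 2077, 2078) all drop `-u :` from a plain `--negotiate` request against the origin server, so only the `authhost->want` branch of the new condition is exercised; nothing covers the `authproxy->want & CURLAUTH_NEGOTIATE` branch. Adding one test that runs `--proxy-negotiate` through the test proxy without a user name would keep the proxy path from regressing silently.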