Loading CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,11 @@ Changelog Daniel S (21 September 2007) - Mark Davies fixed Negotiate authentication over proxy, and also introduced the --proxy-negotiate command line option to allow a user to explicitly select it. Daniel S (19 September 2007) - Rob Crittenden provided an NSS update with the following highlights: Loading RELEASE-NOTES +4 −1 Original line number Diff line number Diff line Loading @@ -13,6 +13,7 @@ This release includes the following changes: o automatically append ";type=<a|i>" when using HTTP proxies for FTP urls o improved NSS support o added --proxy-negotiate This release includes the following bugfixes: Loading @@ -20,6 +21,7 @@ This release includes the following bugfixes: o ldapv3 support on Windows o ldap builds with the MSVC makefiles o no HOME and no key given caused SSH auth failure o Negotiate authentication over proxy This release includes the following known bugs: Loading @@ -36,6 +38,7 @@ New curl mirrors: This release would not have looked like this without help, code, reports and advice from friends like these: Dan Fandrich, Michal Marek, Gnter Knauf, Rob Crittenden, Immanuel Gregoire Dan Fandrich, Michal Marek, Gnter Knauf, Rob Crittenden, Immanuel Gregoire, Mark Davies Thanks! (and sorry if I forgot to mention someone) docs/curl.1 +11 −0 Original line number Diff line number Diff line Loading @@ -774,6 +774,9 @@ meant as a support for Kerberos5 authentication but may be also used along with another authentication methods. For more information see IETF draft draft-brezak-spnego-http-04.txt. If you want to enable Negotiate for your proxy authentication, then use \fI--proxy-negotiate\fP. This option requires that the library was built with GSSAPI support. This is not very common. Use \fI-V/--version\fP to see if your version supports GSS-Negotiate. Loading Loading 
@@ -863,6 +866,14 @@ Tells curl to use HTTP Digest authentication when communicating with the given proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host. If this option is used twice, the second will again disable proxy HTTP Digest. .IP "--proxy-negotiate" Tells curl to use HTTP Negotiate authentication when communicating with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate with a remote host. If this option is used twice, the second will again disable proxy HTTP Negotiate. .IP "--proxy-ntlm" Tells curl to use HTTP NTLM authentication when communicating with the given proxy. Use \fI--ntlm\fP for enabling NTLM with a remote host. Loading lib/http.c +14 −2 Original line number Diff line number Diff line Loading @@ -424,6 +424,18 @@ Curl_http_output_auth(struct connectdata *conn, /* Send proxy authentication header if needed */ if (conn->bits.httpproxy && (conn->bits.tunnel_proxy == proxytunnel)) { #ifdef HAVE_GSSAPI if((authproxy->picked == CURLAUTH_GSSNEGOTIATE) && data->state.negotiate.context && !GSS_ERROR(data->state.negotiate.status)) { auth="GSS-Negotiate"; result = Curl_output_negotiate(conn, TRUE); if (result) return result; authproxy->done = TRUE; } else #endif #ifdef USE_NTLM if(authproxy->picked == CURLAUTH_NTLM) { auth="NTLM"; Loading Loading @@ -486,7 +498,7 @@ Curl_http_output_auth(struct connectdata *conn, data->state.negotiate.context && !GSS_ERROR(data->state.negotiate.status)) { auth="GSS-Negotiate"; result = Curl_output_negotiate(conn); result = Curl_output_negotiate(conn, FALSE); if (result) return result; authhost->done = TRUE; Loading Loading 
@@ -593,7 +605,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, authp->avail |= CURLAUTH_GSSNEGOTIATE; if(authp->picked == CURLAUTH_GSSNEGOTIATE) { /* if exactly this is wanted, go */ int neg = Curl_input_negotiate(conn, start); int neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start); if (neg == 0) { data->reqdata.newurl = strdup(data->change.url); data->state.authproblem = (data->reqdata.newurl == NULL); Loading lib/http_negotiate.c +7 −7 Original line number Diff line number Diff line Loading @@ -49,7 +49,7 @@ #include "memdebug.h" static int get_gss_name(struct connectdata *conn, gss_name_t *server) get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status; Loading @@ -69,11 +69,11 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) else service = "HTTP"; token.length = strlen(service) + 1 + strlen(conn->host.name) + 1; token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1; if (token.length + 1 > sizeof(name)) return EMSGSIZE; snprintf(name, sizeof(name), "%s@%s", service, conn->host.name); snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : conn->host.name); token.value = (void *) name; major_status = gss_import_name(&minor_status, Loading Loading @@ -113,7 +113,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, "%s", buf); } int Curl_input_negotiate(struct connectdata *conn, const char *header) int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; Loading Loading 
@@ -156,7 +156,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header) } if (neg_ctx->server_name == NULL && (ret = get_gss_name(conn, &neg_ctx->server_name))) (ret = get_gss_name(conn, proxy, &neg_ctx->server_name))) return ret; header += strlen(neg_ctx->protocol); Loading Loading @@ -245,7 +245,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header) } CURLcode Curl_output_negotiate(struct connectdata *conn) CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 minor_status; Loading Loading @@ -299,7 +299,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = aprintf("Authorization: %s %s\r\n", neg_ctx->protocol, encoded); aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded); free(encoded); gss_release_buffer(&minor_status, &neg_ctx->output_token); return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; Loading Loading
CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,11 @@ Changelog Daniel S (21 September 2007) - Mark Davies fixed Negotiate authentication over proxy, and also introduced the --proxy-negotiate command line option to allow a user to explicitly select it. Daniel S (19 September 2007) - Rob Crittenden provided an NSS update with the following highlights: Loading
RELEASE-NOTES +4 −1 Original line number Diff line number Diff line Loading @@ -13,6 +13,7 @@ This release includes the following changes: o automatically append ";type=<a|i>" when using HTTP proxies for FTP urls o improved NSS support o added --proxy-negotiate This release includes the following bugfixes: Loading @@ -20,6 +21,7 @@ This release includes the following bugfixes: o ldapv3 support on Windows o ldap builds with the MSVC makefiles o no HOME and no key given caused SSH auth failure o Negotiate authentication over proxy This release includes the following known bugs: Loading @@ -36,6 +38,7 @@ New curl mirrors: This release would not have looked like this without help, code, reports and advice from friends like these: Dan Fandrich, Michal Marek, Gnter Knauf, Rob Crittenden, Immanuel Gregoire Dan Fandrich, Michal Marek, Gnter Knauf, Rob Crittenden, Immanuel Gregoire, Mark Davies Thanks! (and sorry if I forgot to mention someone)
docs/curl.1 +11 −0 Original line number Diff line number Diff line Loading @@ -774,6 +774,9 @@ meant as a support for Kerberos5 authentication but may be also used along with another authentication methods. For more information see IETF draft draft-brezak-spnego-http-04.txt. If you want to enable Negotiate for your proxy authentication, then use \fI--proxy-negotiate\fP. This option requires that the library was built with GSSAPI support. This is not very common. Use \fI-V/--version\fP to see if your version supports GSS-Negotiate. Loading Loading @@ -863,6 +866,14 @@ Tells curl to use HTTP Digest authentication when communicating with the given proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host. If this option is used twice, the second will again disable proxy HTTP Digest. .IP "--proxy-negotiate" Tells curl to use HTTP Negotiate authentication when communicating with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate with a remote host. If this option is used twice, the second will again disable proxy HTTP Negotiate. .IP "--proxy-ntlm" Tells curl to use HTTP NTLM authentication when communicating with the given proxy. Use \fI--ntlm\fP for enabling NTLM with a remote host. Loading
lib/http.c +14 −2 Original line number Diff line number Diff line Loading @@ -424,6 +424,18 @@ Curl_http_output_auth(struct connectdata *conn, /* Send proxy authentication header if needed */ if (conn->bits.httpproxy && (conn->bits.tunnel_proxy == proxytunnel)) { #ifdef HAVE_GSSAPI if((authproxy->picked == CURLAUTH_GSSNEGOTIATE) && data->state.negotiate.context && !GSS_ERROR(data->state.negotiate.status)) { auth="GSS-Negotiate"; result = Curl_output_negotiate(conn, TRUE); if (result) return result; authproxy->done = TRUE; } else #endif #ifdef USE_NTLM if(authproxy->picked == CURLAUTH_NTLM) { auth="NTLM"; Loading Loading @@ -486,7 +498,7 @@ Curl_http_output_auth(struct connectdata *conn, data->state.negotiate.context && !GSS_ERROR(data->state.negotiate.status)) { auth="GSS-Negotiate"; result = Curl_output_negotiate(conn); result = Curl_output_negotiate(conn, FALSE); if (result) return result; authhost->done = TRUE; Loading Loading @@ -593,7 +605,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, authp->avail |= CURLAUTH_GSSNEGOTIATE; if(authp->picked == CURLAUTH_GSSNEGOTIATE) { /* if exactly this is wanted, go */ int neg = Curl_input_negotiate(conn, start); int neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start); if (neg == 0) { data->reqdata.newurl = strdup(data->change.url); data->state.authproblem = (data->reqdata.newurl == NULL); Loading
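Review bot: The new proxy branch in Curl_http_output_auth is gated on `data->state.negotiate.context` and `data->state.negotiate.status`, the same state the existing host branch (second hunk) tests, so nothing ties the context to the peer it was established with. If both `authproxy->picked` and `authhost->picked` are CURLAUTH_GSSNEGOTIATE, both branches appear able to run for one request, and a token negotiated for one service name could be emitted toward the other peer. The http_negotiate.c part of this commit also caches `neg_ctx->server_name` once, for whichever peer challenged first. I would keep separate negotiate state for proxy and host, or until then state the restriction above the branch: `/* negotiate state is shared by proxy and host: only one of them may use GSS-Negotiate on a handle */`. The function starts and ends outside these hunks, so how the two branches interact further down is not visible here.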
lib/http_negotiate.c +7 −7 Original line number Diff line number Diff line Loading @@ -49,7 +49,7 @@ #include "memdebug.h" static int get_gss_name(struct connectdata *conn, gss_name_t *server) get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status; Loading @@ -69,11 +69,11 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) else service = "HTTP"; token.length = strlen(service) + 1 + strlen(conn->host.name) + 1; token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1; if (token.length + 1 > sizeof(name)) return EMSGSIZE; snprintf(name, sizeof(name), "%s@%s", service, conn->host.name); snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : conn->host.name); token.value = (void *) name; major_status = gss_import_name(&minor_status, Loading Loading @@ -113,7 +113,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) infof(conn->data, "%s", buf); } int Curl_input_negotiate(struct connectdata *conn, const char *header) int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; Loading Loading @@ -156,7 +156,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header) } if (neg_ctx->server_name == NULL && (ret = get_gss_name(conn, &neg_ctx->server_name))) (ret = get_gss_name(conn, proxy, &neg_ctx->server_name))) return ret; header += strlen(neg_ctx->protocol); Loading Loading @@ -245,7 +245,7 @@ int Curl_input_negotiate(struct connectdata *conn, const char *header) } CURLcode Curl_output_negotiate(struct connectdata *conn) CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) { struct negotiatedata *neg_ctx = &conn->data->state.negotiate; OM_uint32 minor_status; Loading Loading 
@@ -299,7 +299,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) return CURLE_OUT_OF_MEMORY; conn->allocptr.userpwd = aprintf("Authorization: %s %s\r\n", neg_ctx->protocol, encoded); aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded); free(encoded); gss_release_buffer(&minor_status, &neg_ctx->output_token); return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; Loading
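Review bot: Curl_output_negotiate still assigns the generated header to `conn->allocptr.userpwd` when `proxy` is TRUE, so the `Proxy-Authorization:` line lands in the slot that otherwise holds the origin server's `Authorization:` header. That replaces any host credential header, and the previous pointer is not freed in the visible lines. When the request is tunnelled through the proxy, the token would presumably travel with the inner request rather than with the CONNECT, which is worth confirming. Build the string into a local and store it by direction, freeing the old value first, e.g. `if(proxy) conn->allocptr.proxyuserpwd = hdr; else conn->allocptr.userpwd = hdr;` (assuming `proxyuserpwd` is the field the other proxy schemes use), and test `hdr` in the final return. The function body begins outside this hunk.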