From: Marin Hannache Date: Mon, 14 Aug 2023 08:21:46 +0000 (+0200) Subject: http: do not require a user name when using CURLAUTH_NEGOTIATE X-Git-Tag: curl-8_3_0~163 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67e9e3cb1ea498cb94071dddb7653ab5169734b2;p=thirdparty%2Fcurl.git http: do not require a user name when using CURLAUTH_NEGOTIATE In order to get Negotiate (SPNEGO) authentication to work in HTTP you used to be required to provide a (fake) user name (this concerned both curl and the lib) because the code wrongly only considered authentication if there was a user name provided, as in: curl -u : --negotiate https://example.com/ This commit leverages the `struct auth` want member to figure out if the user enabled CURLAUTH_NEGOTIATE, effectively removing the requirement of setting a user name both in curl and the lib. Signed-off-by: Marin Hannache Reported-by: Enrico Scholz Fixes https://sourceforge.net/p/curl/bugs/440/ Fixes #1161 Closes #9047 --- diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS index 0a5ec33fd3..07ed78e751 100644 --- a/docs/KNOWN_BUGS +++ b/docs/KNOWN_BUGS @@ -50,7 +50,6 @@ problems may have been fixed or changed somewhat since this was written. 6.1 NTLM authentication and unicode 6.2 MIT Kerberos for Windows build 6.3 NTLM in system context uses wrong name - 6.4 Negotiate and Kerberos V5 need a fake user name 6.5 NTLM does not support password with § character 6.6 libcurl can fail to try alternatives with --proxy-any 6.7 Do not clear digest for single realm 
@@ -317,18 +316,6 @@ problems may have been fixed or changed somewhat since this was written. "system context" will make it use wrong(?) user name - at least when compared to what winhttp does. See https://curl.se/bug/view.cgi?id=535 -6.4 Negotiate and Kerberos V5 need a fake user name - - In order to get Negotiate (SPNEGO) authentication to work in HTTP or Kerberos - V5 in the email protocols, you need to provide a (fake) user name (this - concerns both curl and the lib) because the code wrongly only considers - authentication if there's a user name provided by setting - conn->bits.user_passwd in url.c https://curl.se/bug/view.cgi?id=440 How? - https://curl.se/mail/lib-2004-08/0182.html A possible solution is to - either modify this variable to be set or introduce a variable such as - new conn->bits.want_authentication which is set when any of the authentication - options are set. - 6.5 NTLM does not support password with § character https://github.com/curl/curl/issues/2120 diff --git a/lib/http.c b/lib/http.c index a49286c1a1..40ccd51df9 100644 --- a/lib/http.c +++ b/lib/http.c @@ -866,7 +866,12 @@ Curl_http_output_auth(struct Curl_easy *data, #ifndef CURL_DISABLE_PROXY (conn->bits.httpproxy && conn->bits.proxy_user_passwd) || #endif - data->state.aptr.user || data->set.str[STRING_BEARER]) + data->state.aptr.user || +#ifdef USE_SPNEGO + authhost->want & CURLAUTH_NEGOTIATE || + authproxy->want & CURLAUTH_NEGOTIATE || +#endif + data->set.str[STRING_BEARER]) /* continue please */; else { authhost->done = TRUE; diff --git a/tests/data/test2056 b/tests/data/test2056 index d262e097da..008f137dfb 100644 --- a/tests/data/test2056 +++ b/tests/data/test2056 @@ -47,7 +47,7 @@ LD_PRELOAD=%PWD/libtest/.libs/libstubgss.so CURL_STUB_GSS_CREDS="KRB5_Alice" --u: --negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER +--negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER diff --git a/tests/data/test2057 b/tests/data/test2057 index c5443cc601..dfc7798f64 100644 --- a/tests/data/test2057 
+++ b/tests/data/test2057 @@ -63,7 +63,7 @@ LD_PRELOAD=%PWD/libtest/.libs/libstubgss.so CURL_STUB_GSS_CREDS="NTLM_Alice" --u: --negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER +--negotiate http://%HOSTIP:%HTTPPORT/%TESTNUMBER diff --git a/tests/data/test2077 b/tests/data/test2077 index 44a197481a..b244b9466c 100644 --- a/tests/data/test2077 +++ b/tests/data/test2077 @@ -29,7 +29,7 @@ GSS-API curl --fail --negotiate to unauthenticated service fails -http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u : --fail --negotiate +http://%HOSTIP:%HTTPPORT/%TESTNUMBER --fail --negotiate diff --git a/tests/data/test2078 b/tests/data/test2078 index 387352afa9..ec1277e5ef 100644 --- a/tests/data/test2078 +++ b/tests/data/test2078 @@ -29,7 +29,7 @@ GSS-API curl --negotiate should not send empty POST request only -http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u : --negotiate --data name=value +http://%HOSTIP:%HTTPPORT/%TESTNUMBER --negotiate --data name=value
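Review bot: In docs/KNOWN_BUGS, the removed 6.4 entry also covers "Kerberos V5 in the email protocols", but the only code change in this patch is in lib/http.c and the commit message speaks of HTTP only. Unless the email protocols are handled elsewhere, keep a trimmed 6.4 entry describing the remaining non-HTTP case instead of deleting the whole item.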
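Review bot: In lib/http.c, the new `authproxy->want & CURLAUTH_NEGOTIATE` test sits outside the `#ifndef CURL_DISABLE_PROXY` guard and is not tied to `conn->bits.httpproxy`, unlike the proxy credential check directly above it, so a proxy Negotiate setting alone keeps this condition true even when no HTTP proxy is in use. Suggest moving it inside the proxy guard as `(conn->bits.httpproxy && (authproxy->want & CURLAUTH_NEGOTIATE))` and parenthesizing the host test the same way, so the `&` inside the `||` chain is explicit. Both tests also match any `want` mask that contains the Negotiate bit, so a caller that enables several methods without a user name now reaches the "continue please" path as well; a short comment stating that this is intended would help the next reader.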
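Review bot: In tests/data/test2056, test2057, test2077 and test2078, every command line drops `-u :`, which leaves none of the touched tests covering the older `-u : --negotiate` form that the commit message says users had to type until now, and none of the four goes through a proxy to exercise the new `authproxy->want` condition. Suggest keeping one test on the old form to guard against regressions for existing scripts, and adding a proxy Negotiate case without a user name.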