I’ve found the latest patch.  Trying this now.  Thanks.
— 
Dan Langille
Infrastructure & Operations
Talos Group
Sourcefire, Inc.

> On Jan 1, 2015, at 2:56 PM, brian m. carlson <sand...@crustytoothpaste.net> 
> wrote:
> 
> Apache servers using mod_auth_kerb can be configured to allow the user
> to authenticate either using Negotiate (using the Kerberos ticket) or
> Basic authentication (using the Kerberos password).  Often, one will
> want to use Negotiate authentication if it is available, but fall back
> to Basic authentication if the ticket is missing or expired.
> 
> However, libcurl will try very hard to use something other than Basic
> auth, even over HTTPS.  If Basic and something else are offered, libcurl
> will never attempt to use Basic, even if the other option fails.
> Teach the HTTP client code to stop trying authentication mechanisms that
> don't use a password (currently Negotiate) after the first failure,
> since if they failed the first time, they will never succeed.
> 
> Signed-off-by: brian m. carlson <sand...@crustytoothpaste.net>
> ---
> http.c        | 16 ++++++++++++++++
> http.h        |  3 +++
> remote-curl.c | 11 ++++++++++-
> 3 files changed, 29 insertions(+), 1 deletion(-)
> 
> diff --git a/http.c b/http.c
> index 040f362..815194d 100644
> --- a/http.c
> +++ b/http.c
> @@ -62,6 +62,8 @@ static const char *user_agent;
> 
> static struct credential cert_auth = CREDENTIAL_INIT;
> static int ssl_cert_password_required;
> +/* Should we allow non-password-based authentication (e.g. GSSAPI)? */
> +int http_passwordless_auth = 1;
> 
> static struct curl_slist *pragma_header;
> static struct curl_slist *no_pragma_header;
> @@ -986,6 +988,16 @@ static void extract_content_type(struct strbuf *raw, 
> struct strbuf *type,
>               strbuf_addstr(charset, "ISO-8859-1");
> }
> 
> +void disable_passwordless_auth(struct active_request_slot *slot)
> +{
> +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
> +#define HTTP_AUTH_PASSWORDLESS (CURLAUTH_GSSNEGOTIATE)
> +     curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH,
> +                      CURLAUTH_ANY & ~HTTP_AUTH_PASSWORDLESS);
> +#endif
> +}
> +
> +
> /* http_request() targets */
> #define HTTP_REQUEST_STRBUF   0
> #define HTTP_REQUEST_FILE     1
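Review bot: `HTTP_AUTH_PASSWORDLESS` is `#define`d inside the body of disable_passwordless_auth, but the preprocessor ignores block scope, so the macro is visible for the rest of http.c from that point on, and only when LIBCURL_CAN_HANDLE_AUTH_ANY is set; moving it up beside the other auth-related definitions (or into http.h) leaves the function body holding just the setopt call. On a libcurl build without LIBCURL_CAN_HANDLE_AUTH_ANY the function compiles to an empty body and `slot` is never used, which warns under -Wextra; a `(void)slot;` with a one-line comment would make the deliberate no-op explicit. The function also lacks a header comment; something like `/* Restrict slot to password-based auth mechanisms (drops GSS-Negotiate); no-op when libcurl cannot select individual mechanisms. */` would state the contract. The two blank lines after the closing brace are one more than the surrounding code uses.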
> @@ -1035,6 +1047,9 @@ static int http_request(const char *url,
>       curl_easy_setopt(slot->curl, CURLOPT_HTTPHEADER, headers);
>       curl_easy_setopt(slot->curl, CURLOPT_ENCODING, "gzip");
> 
> +     if (!http_passwordless_auth)
> +             disable_passwordless_auth(slot);
> +
>       ret = run_one_slot(slot, &results);
> 
>       if (options && options->content_type) {
> @@ -1139,6 +1154,7 @@ static int http_request_reauth(const char *url,
>       }
> 
>       credential_fill(&http_auth);
> +     http_passwordless_auth = 0;
> 
>       return http_request(url, result, target, options);
> }
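Review bot: The flag is cleared unconditionally after credential_fill(), so any 401 that reaches http_request_reauth — including one from a server that never offered Negotiate, or one where the first attempt simply carried no credentials — permanently disables passwordless auth for the rest of the process, since nothing ever sets it back to 1. The same unconditional clear appears in post_rpc in the remote-curl.c `@@ -510` and `@@ -617` hunks. If the intent is only to skip a mechanism that was actually tried and failed, clearing the flag only when the previous attempt could have used it (for example when CURLINFO_HTTPAUTH_AVAIL reported CURLAUTH_GSSNEGOTIATE) would be more precise; at minimum the comment on the definition in the first http.c hunk should say the switch is process-wide and one-way. Since the fallback transmits the account password in the Basic scheme, it is also worth considering whether the clear should be limited to https URLs, which is the only case the description motivates. http_request_reauth's body begins outside the hunk.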
> diff --git a/http.h b/http.h
> index 473179b..71943d3 100644
> --- a/http.h
> +++ b/http.h
> @@ -98,6 +98,8 @@ extern int handle_curl_result(struct slot_results *results);
> int run_one_slot(struct active_request_slot *slot,
>                struct slot_results *results);
> 
> +void disable_passwordless_auth(struct active_request_slot *slot);
> +
> #ifdef USE_CURL_MULTI
> extern void fill_active_slots(void);
> extern void add_fill_function(void *data, int (*fill)(void *));
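Review bot: The new prototype for disable_passwordless_auth carries no comment, so a caller reading http.h cannot tell that it is a no-op on libcurl builds without LIBCURL_CAN_HANDLE_AUTH_ANY; suggest `/* Restrict slot's CURLOPT_HTTPAUTH to password-based mechanisms (drops GSS-Negotiate); no-op if libcurl cannot pick individual mechanisms. */` above it. Most neighbouring declarations in this header use `extern` (fill_active_slots, add_fill_function); matching that keeps the style uniform. The same applies to `extern int http_passwordless_auth;` in the next hunk, which should say it starts at 1 and is only ever cleared, never re-enabled.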
> @@ -112,6 +114,7 @@ extern int active_requests;
> extern int http_is_verbose;
> extern size_t http_post_buffer;
> extern struct credential http_auth;
> +extern int http_passwordless_auth;
> 
> extern char curl_errorstr[CURL_ERROR_SIZE];
> 
> diff --git a/remote-curl.c b/remote-curl.c
> index dd63bc2..4ca5447 100644
> --- a/remote-curl.c
> +++ b/remote-curl.c
> @@ -467,6 +467,9 @@ static int probe_rpc(struct rpc_state *rpc, struct 
> slot_results *results)
>       curl_easy_setopt(slot->curl, CURLOPT_WRITEFUNCTION, fwrite_buffer);
>       curl_easy_setopt(slot->curl, CURLOPT_FILE, &buf);
> 
> +     if (!http_passwordless_auth)
> +             disable_passwordless_auth(slot);
> +
>       err = run_slot(slot, results);
> 
>       curl_slist_free_all(headers);
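Review bot: The pair `if (!http_passwordless_auth) disable_passwordless_auth(slot);` is now repeated in three request paths (here, post_rpc in the `@@ -533` hunk, and http_request in http.c), and any other code path that obtains a slot but is not patched will still run with the unrestricted CURLAUTH_ANY setting. Folding the check into the callee, so that disable_passwordless_auth returns early while the flag is still set, or applying it once where the slot's CURLOPT_HTTPAUTH is initially configured, would cover every slot and remove the duplication; whether that single initialisation point exists in get_active_slot cannot be confirmed from this hunk. probe_rpc's body begins outside the hunk.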
> @@ -510,8 +513,10 @@ static int post_rpc(struct rpc_state *rpc)
> 
>               do {
>                       err = probe_rpc(rpc, &results);
> -                     if (err == HTTP_REAUTH)
> +                     if (err == HTTP_REAUTH) {
>                               credential_fill(&http_auth);
> +                             http_passwordless_auth = 0;
> +                     }
>               } while (err == HTTP_REAUTH);
>               if (err != HTTP_OK)
>                       return -1;
> @@ -533,6 +538,9 @@ retry:
>       curl_easy_setopt(slot->curl, CURLOPT_URL, rpc->service_url);
>       curl_easy_setopt(slot->curl, CURLOPT_ENCODING, "gzip");
> 
> +     if (!http_passwordless_auth)
> +             disable_passwordless_auth(slot);
> +
>       if (large_request) {
>               /* The request body is large and the size cannot be predicted.
>                * We must use chunked encoding to send it.
> @@ -617,6 +625,7 @@ retry:
>       err = run_slot(slot, NULL);
>       if (err == HTTP_REAUTH && !large_request) {
>               credential_fill(&http_auth);
> +             http_passwordless_auth = 0;
>               goto retry;
>       }
>       if (err != HTTP_OK)
> -- 
> 2.2.1.209.g41e5f3a
> 
