On Tue, 2019-09-17 at 16:08 +0200, Daniel Stenberg wrote:
> On Fri, 13 Sep 2019, David Woodhouse via curl-library wrote:
>
> > So: what would it take to use curl for HTTP while basically abusing it from
> > both sides? Not only do I need it to use my own underlying TLS conn
OpenConnect¹ is an SSL VPN client. It needs quite fine-grained control
over the TLS connection that it makes to the VPN server, to allow for
client certificates from various sources (TPM, PKCS#11, etc.) as well
as for interoperability reasons.
I didn't want to have to write my own HTTP support,
On Tue, 2016-10-04 at 18:42 +0000, Tiago dos Santos Gomes wrote:
>
> I installed softhsm package (and softhsm2 too), but the file
> /usr/share/p11-kit/modules/softhsm.module was not created. I tried
> removing and reinstalling, but it did not work. In the modules
> folder, I only have
On Tue, 2016-09-27 at 19:54 +0100, David Woodhouse wrote:
>
> I was trying to be a little more helpful and use pkcs11-spy which
> actually lets you watch all the calls into a PKCS#11 provider module
> (there are software ones like SoftHSM which you can use for testing/
> learning)
On Tue, 2016-09-27 at 17:11 +0000, Tiago dos Santos Gomes wrote:
> So how do I insert my access functions to the smartcard into a pkcs module
> 11?
> Should I create a library? Some document or example to guide me?
> It is my first project using this standard.
(You dropped me from Cc. Please don't do that if you want me to try to
help you! http://david.woodhou.se/reply-to-list.html )
On Mon, 2016-09-26 at 15:53 +0000, Tiago dos Santos Gomes wrote:
>
> Here are some additional information to better explain my problem:
>
> Embedded Linux: Ubuntu 16.04
On Wed, 2016-09-21 at 13:52 +0200, Daniel Stenberg wrote:
> On Wed, 21 Sep 2016, Gilles Vollant wrote:
>
> >
> > I tried the "binary" option you suggested, and this not perform well. Only
> > the base64 option does the job.
>
> That's crazy talk! Of course you'd need to change some code to
On Fri, 2016-09-16 at 19:35 +0000, Tiago dos Santos Gomes wrote:
> My doubt is: How to use the smart card to replace the private key and
> password in the libcurl setup process?
>
>
> The smart card does not allow access to private key, only to the
> public key, as expected. However, I can send
f(!strpbrk(cert_parameter, ":\\")) {
+ if(!strncmp(cert_parameter, "pkcs11:", 7) ||
+ !strpbrk(cert_parameter, ":\\")) {
*certname = strdup(cert_parameter);
return;
}
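Review bot: the `strncmp(cert_parameter, "pkcs11:", 7)` prefix test is case-sensitive, but URI scheme names are case-insensitive (RFC 3986 section 3.1), so a `PKCS11:` URI would fall through to the existing `strpbrk` file-path branch; use a case-insensitive comparison such as curl's `checkprefix()` and derive the length from the literal rather than the magic 7.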
--
David Woodhouse, Open Source Tec
> RFC7512 provides a standard method to reference certificates in PKCS#11
> tokens, by means of a URI starting 'pkcs11:'.
>
> We're working on fixing various applications so that whenever they
> would have been able to use certificates from a file, users can simply
> insert a PKCS#11 URI instead
On Mon, 2016-08-01 at 01:00 +0200, Daniel Stenberg wrote:
> On Tue, 26 Jul 2016, David Woodhouse wrote:
>
> Hello!
>
> Thanks a lot for your contribution. Sorry for the slight delay in responding
> to this patch.
And apologies for the further delay in responding; I didn't
f(!strpbrk(cert_parameter, ":\\")) {
+ if(!strncmp(cert_parameter, "pkcs11:", 7) ||
+ !strpbrk(cert_parameter, ":\\")) {
*certname = strdup(cert_parameter);
return;
}
--
David Woodhouse, Open Source Tec
response */
if(len_out 4)
goto done;
--
2.4.3
--
David Woodhouse, Open Source Technology Centre
david.woodho...@intel.com, Intel Corporation
On 2014-07-15 21:17, Daniel Stenberg wrote:
On Tue, 15 Jul 2014, David Woodhouse wrote:
Merged into git://, http://git.infradead.org/users/dwmw2/curl.git
which now looks like this:
Thanks for working on this, David - I believe Michael has felt a bit
left on his own with regards
David Woodhouse (8):
ntlm_wb: Fix hard-coded limit on NTLM auth packet size
ntlm_wb: Avoid invoking ntlm_auth helper with empty username
I do not think that this belongs in this patchset because it is
completely unrelated.
It all falls under the heading of making curl work
On Thu, 2014-07-17 at 15:47 +0200, Michael Osipov wrote:
This patch is made on top of the recent work of David Woodhouse.
It consequently fixed macros, options and switches, as well as
names.
Looks good to me; thanks for doing this.
--
David Woodhouse, Open Source
On Tue, 2014-07-15 at 10:30 +0200, Tor Arntsen wrote:
On 15 July 2014 00:00, Dan Fandrich d...@coneharvesters.com wrote:
I missed your message before I committed the change, but curl isn't using
any
of those functions outside getpwuid_r, which confirms that that was the
right
On Tue, 2014-07-15 at 21:55 +0000, David Woodhouse wrote:
FWIW I'm fairly happy with my testing of SPNEGO under Windows and Linux,
watching it use IAKERB, KRB5 and NTLMSSP mechanisms as appropriate. I may
run some more tests on the farm of random *BSD/Solaris VMs that I keep for
OpenConnect
On Fri, 2014-05-09 at 13:46 +0200, Kamil Dudka wrote:
On Friday 09 May 2014 13:25:21 Daniel Stenberg wrote:
On Fri, 9 May 2014, Kamil Dudka wrote:
... 'WWW-Authenticate: Negotiate' received from server
Seems reasonable to me!
Thanks for review! I have pushed the patch:
On Thu, 2014-07-17 at 15:47 +0200, Michael Osipov wrote:
Servers:
- Apache 2.2.27 on FreeBSD with mod_spnego (MIT Kerberos 1.12.1)
Was that the one offering the duplicate 'WWW-Authenticate: Negotiate'
headers? I think you fixed it to stop doing that... but could you break
it again, and
On Tue, 2014-07-15 at 13:18 +0200, Michael Osipov wrote:
On 2014-07-13 22:22, David Woodhouse wrote:
On Sun, 2014-07-13 at 11:31 +0200, Michael Osipov wrote:
Please have a look:
https://github.com/michael-o/curl/commit/b78ad621d45f537dfde745e961427257f1e1fc2d
Work is based on top
-SPNEGO path in both cases and it works correctly, using *only*
Kerberos and thus failing to authenticate to hosts where NTLM fallback
is required.
From 5109cf90206eb26c69d48d205a4689fbd404e9c2 Mon Sep 17 00:00:00 2001
From: David Woodhouse david.woodho...@intel.com
Date: Tue, 15 Jul 2014 14:23:12
://git.infradead.org/users/dwmw2/curl.git which
now looks like this:
David Woodhouse (8):
ntlm_wb: Fix hard-coded limit on NTLM auth packet size
ntlm_wb: Avoid invoking ntlm_auth helper with empty username
Remove all traces of FBOpenSSL SPNEGO support
Use SPNEGO for HTTP Negotiate
Don't
On Sun, 2014-07-13 at 01:09 +0200, Dan Fandrich wrote:
On Sat, Jul 12, 2014 at 05:59:56PM +0100, David Woodhouse wrote:
The cipher list problem was because Fedora's GnuTLS doesn't have SRP
support. Given that gnutls_set_priority_direct() actually *gives* us a
pointer to the part
On Sun, 2014-07-13 at 11:31 +0200, Michael Osipov wrote:
On 2014-07-12 17:58, David Woodhouse wrote:
[...]
So what *do* we want to do on top of the patch set I posted? Just add
support for '{Proxy,WWW}-Authenticate: Kerberos'?
I would rather do that after this patch has been tested
it to
select the appropriate OID within curl_gssapi.c. And in the SSPI
version, which we want to be called identically, that same enum actually
translates into an appropriate *string* argument to
AcquireCredentalsHandle().
--
David Woodhouse, Open Source Technology Centre
From: David Woodhouse david.woodho...@intel.com
---
v2: Add getpwuid_r() and $USER as potential sources of username.
On Sat, 2014-07-12 at 02:49 +0200, Dan Fandrich wrote:
If the intent is to get the current user name, getpwuid(geteuid())->pw_name
seems to me like the best way to get
On Fri, 2014-07-11 at 22:47 +0200, Michael Osipov wrote:
On 2014-07-11 20:41, David Woodhouse wrote:
On Fri, 2014-07-11 at 20:09 +0200, Michael Osipov wrote:
On 2014-07-11 19:41, David Woodhouse wrote:
On Fri, 2014-07-11 at 19:17 +0200, Michael Osipov wrote:
I would implement
On Fri, 2014-07-11 at 15:50 +0200, Michael Osipov wrote:
In my opinion, we can refer to the HTTP standard which mandates to use
strongest to weakest auth. So curl would actually need to prioritize
authentication and try in that order:
Kerberos Negotiate Digest NTLM_WB NTLM Basic.
It looks like curl needs the same workaround for GnuTLS failing to check
IP addresses in gnutls_x509_crt_check_hostname(), as implemented at
http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls.c#l1795
I couldn't get as far as validating that though; having configured the
git
From: David Woodhouse david.woodho...@intel.com
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
---
The cipher list problem was because Fedora's
' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
--
David Woodhouse, Open Source Technology Centre
david.woodho...@intel.com
On Fri, 2014-07-11 at 11:24 +0200, Michael Osipov wrote:
On 2014-07-10 17:17, David Woodhouse wrote:
On Fri, 2014-05-30 at 10:21 +0200, Michael-O wrote:
Providing ':' will only work with SSPI; on Linux/Unix, there is no
NTLM password cache. ':' works only with a Kerberos credential
On Fri, 2014-07-11 at 12:01 +0200, Michael Osipov wrote:
On 2014-07-11 11:47, David Woodhouse wrote:
On Fri, 2014-07-11 at 11:24 +0200, Michael Osipov wrote:
On 2014-07-10 17:17, David Woodhouse wrote:
On Fri, 2014-05-30 at 10:21 +0200, Michael-O wrote:
Providing ':' will only work
From: David Woodhouse david.woodho...@intel.com
200 bytes is not enough; I currently see 516 bytes for an NTLMv2 session
auth with target_info included. I can't bring myself just to take the easy
option and increase the buffer size. Instead, make it reallocate as needed
instead of having a hard
From: David Woodhouse david.woodho...@intel.com
---
lib/curl_ntlm_wb.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index 52d1323..ac05fbb 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -124,6 +124,21 @@ static CURLcode
to always try ntlm_wb *before* ntlm auth?
Or patch the native NTLM auth method to bail out if the username and
password are empty? Or both?
--
David Woodhouse, Open Source Technology Centre
david.woodho...@intel.com, Intel Corporation
On Fri, 2014-07-11 at 12:21 +0200, Michael Osipov wrote:
Your patch looks good but not complete, right?
Right. If you look at the top of my tree at
http://git.infradead.org/users/dwmw2/curl.git you'll see it's somewhat
more complete now — on a system with sane GSSAPI I can watch it
authenticate
the user on the command line
with a slash instead of a backslash?
--
David Woodhouse, Open Source Technology Centre
david.woodho...@intel.com, Intel Corporation
From: David Woodhouse david.woodho...@intel.com
This is the correct way to do SPNEGO. Just ask for it
Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
isn't available. Of course, we bail out when the server responds with the
challenge packet, since we don't expect
From: David Woodhouse david.woodho...@intel.com
GSSAPI doesn't work very well if we forget everything every time.
XX: Is Curl_http_done() the right place to do the final cleanup?
---
lib/http.c| 4
lib/http_negotiate.c | 1 -
lib/http_negotiate_sspi.c | 1 -
3 files
From: David Woodhouse david.woodho...@intel.com
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things
On Fri, 2014-07-11 at 13:28 +0200, Michael Osipov wrote:
On 2014-07-11 13:19, David Woodhouse wrote:
On Fri, 2014-07-11 at 13:04 +0200, Michael Osipov wrote:
Why do you provide a slash as a breaking char too? Backslash is the
only used char to separate domain from samaccountname.
I
From: David Woodhouse david.woodho...@intel.com
It's wrong to assume that we can send a single SPNEGO packet which will
complete the authentication. It's a *negotiation* — the clue is in the
name. So make sure we handle responses from the server.
Curl_input_negotiate() will already handle
From: David Woodhouse david.woodho...@intel.com
---
lib/http.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index fe9ae3e..0b7c79b 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -737,6 +739,10 @@ CURLcode Curl_http_input_auth(struct
On Fri, 2014-07-11 at 19:17 +0200, Michael Osipov wrote:
I would implement a fallback but provide two options where one should be
picked and stuck to:
1. Discover SPNEGO capability at compile time with autoconf. GSS-API
provides this option:
OM_uint32 major, minor;
On Fri, 2014-07-11 at 20:09 +0200, Michael Osipov wrote:
On 2014-07-11 19:41, David Woodhouse wrote:
On Fri, 2014-07-11 at 19:17 +0200, Michael Osipov wrote:
I would implement a fallback but provide two options where one should be
picked and stuck to:
1. Discover SPNEGO capability
200 bytes is not enough; I currently see 516 bytes for an NTLMv2 session
auth with target_info included. I can't bring myself just to take the easy
option and increase the buffer size. Instead, make it reallocate as needed
instead of having a hard limit.
---
v2:
- Use NTLM_BUFSIZE from
On Fri, 2014-07-11 at 20:15 +0200, Michael Osipov wrote:
On 2014-07-11 13:28, David Woodhouse wrote:
From: David Woodhouse david.woodho...@intel.com
You can safely remove this from http_negotiate.c because the caller
already checks that:
if(checkprefix(GSS-Negotiate, header
On Fri, 2014-05-30 at 10:21 +0200, Michael-O wrote:
Providing ':' will only work with SSPI; on Linux/Unix, there is no
NTLM password cache. ':' works only with a Kerberos credential cache.
That isn't strictly true. Samba/winbind has an NTLM password cache, and
it works fine via the
:26.407741492 +0100
@@ -357,7 +357,7 @@ CURLcode Curl_output_negotiate(struct co
}
Curl_safefree(encoded);
- Curl_cleanup_negotiate(conn-data);
+ // Curl_cleanup_negotiate(conn-data);
return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
}
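Review bot: commenting out the `Curl_cleanup_negotiate(conn-data)` call rather than deleting it leaves dead code, and a `//` comment is not C89, which curl's sources avoid; remove the line outright and state in the commit message where the negotiate context is now released, since after this change it outlives Curl_output_negotiate().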
--
David Woodhouse
On Mon, 16 May 2011, Daniel Stenberg wrote:
On Mon, 16 May 2011, David Woodhouse wrote:
Hm, is this try next method unique for Kerberos/Negotiate? Are there other
methods that we can expect to be able to fail early like that?
Well, it's not so much about failing early. Surely the distinction
On Mon, 16 May 2011, Patrick Monnerat wrote:
I would not like the generalization: the mail client evolution does so
and this causes a big problem:
_ Periodically, W$ domain requests you to change your password.
_ The next time you start evolution (configured to identify in the M$
domain),
On Wed, 2011-05-11 at 19:21 +0200, Daniel Stenberg wrote:
A bunch of US-based companies have been sued for infringing on patents, and
(at least) one of them are using curl for the service they are being sued
over.
Read my 1100 word rambling about it here:
message now that we support it? That means we will basically never have
to use the legacy 8-bit crap.
(Fixing this code to use the /usr/bin/ntlm_auth helper for
single-sign-on has almost reached the top of my TODO list, btw).
--
David Woodhouse, Open Source Technology
, and
then a TPM module for OpenCryptoki. I never managed to get that to work.
FWIW I ended up writing my own HTTP client support for that project,
because none of the existing libraries would let me use TPM-based client
certificates with the underlying SSL connection.
--
David Woodhouse
Looks much better; thanks. One more nitpick...
On Thu, 2010-12-16 at 18:15 +1100, Brad Hards wrote:
+/* this is the URL for your mailserver - you can also use an smtps:// URL
+ * here */
There's no such thing as smtps://. There was a rash of people doing a
non-standard thing on port
On Wed, 2010-12-15 at 19:16 +1100, Brad Hards wrote:
/* this becomes the Return-Path header value */
static const char *from = br...@exmaple.com;
I suspect you mean 'this is the SMTP reverse-path', not a header at all.
It might be the case that when receiving mail, *your* system puts it
On Wed, 2010-12-08 at 12:44 +0100, Daniel Stenberg wrote:
- result = curl_multi_socket_all(multi, handles);
+ result = curl_multi_socket_action(multi, CURL_SOCKET_TIMEOUT, 0,
+ handles);
Excellent. Thank you!
--
dwmw2
On Mon, 2010-12-06 at 19:14 +0100, Daniel Stenberg wrote:
It certainly sounds like a bug in that it doesn't set the timeout properly -
during the threaded resolver phase it should set a short timeout to
essentially cause a polling effect since there's no socket to wait for then.
Of course
On Tue, 2010-12-07 at 09:53 +0000, David Woodhouse wrote:
Yes, the problem still happens. I've made a simpler test case out of
the
code in PacRunner: http://david.woodhou.se/gcurl.c
OK, I think I have this working.
The problem is that my timer callback isn't being called after the first
libcurl often fails to call our timer_callback function to set up the
next timer when it should. This can mean that a download hangs, for
example when it's waiting for getaddrinfo() to complete in a thread it
spawned for that purpose.
Don't ever allow the timer to be unset while there are
On Mon, 2010-12-06 at 13:45 +0000, David Woodhouse wrote:
It seems to be reliably failing to load the PAC file on the first
attempt.
I think this may be a curl bug.
We set up our new request and call curl_multi_add_handle(). It sets a
timer to happen in 1ms, and from that timeout we call
On Mon, 2010-12-06 at 16:10 +0000, David Woodhouse wrote:
Am I missing some way that the completion of the getaddrinfo thread is
supposed to poke us to call back into libcurl? Some hook we've failed to
register? Or were we supposed to *repeat* that 1ms timer until told
otherwise?
Repeating