On Friday 08 July 2011 16:19:03 Kamil Dudka wrote:
> On Thu July 7 2011 21:42:26 Dan Fandrich wrote:
> > On Thu, Jul 07, 2011 at 03:14:15PM -0400, Rob Crittenden wrote:
> > > This completely disables delegation in libcurl. Are there plans to
> > > add an option for this or would you accept a patch to add this? The
> > > freeipa project needs to be able to do delegation in libcurl.
> >
> > That was a limitation we accepted in the interests of releasing a timely
> > fix and avoiding prematurely publicising the issue. Since none of the
> > core curl developers uses Kerberos, it would have been a bit risky to
> > develop a proper API without public feedback. I believe that patches
> > to add such an API would be welcome.
>
> I think this patch should go on top of Julien's patchset, which is not
> yet in. Could we make at least some consensus on the API change at this
> point? Chances are that Red Hat will need to fix this prior to the upstream
> fix. My proposal is a new easy option CURLOPT_GSSAPI_DELEGATION that given
> 1L enables the old behavior. Any objections? Thanks in advance.
Attached is a draft of the proposed patch that applies on the current upstream HEAD. Note I will not be able to respond in the next two weeks as I am just leaving for vacation. Kamil
From 475f1a804ca39149aaeaed77c5068e2deb331298 Mon Sep 17 00:00:00 2001 From: Kamil Dudka <[email protected]> Date: Sat, 9 Jul 2011 00:08:44 +0200 Subject: [PATCH] http_negotiate: a new option CURLOPT_GSSAPI_DELEGATION If the option is set to 1, it allows GSSAPI credential delegation in the way it worked prior to the fix for CVE-2011-2192. --- RELEASE-NOTES | 3 ++- docs/libcurl/curl_easy_setopt.3 | 4 ++++ include/curl/curl.h | 3 +++ lib/http_negotiate.c | 6 +++++- lib/url.c | 6 ++++++ lib/urldata.h | 2 ++ 6 files changed, 22 insertions(+), 2 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 9ab8716..7272fa8 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -2,13 +2,14 @@ Curl and libcurl 7.21.8 Public curl releases: 124 Command line options: 144 - curl_easy_setopt() options: 186 + curl_easy_setopt() options: 187 Public functions in libcurl: 58 Known libcurl bindings: 39 Contributors: 868 This release includes the following changes: + o Added CURLOPT_GSSAPI_DELEGATION o This release includes the following bugfixes: diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 014269f..2cdfcf8 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -2109,6 +2109,10 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos support for FTP. (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3) +.IP CURLOPT_GSSAPI_DELEGATION +Set the parameter to 1 to allow GSSAPI credential delegation. The delegation +is disabled by default since 7.21.7. +(Added in 7.21.8) .SH SSH OPTIONS .IP CURLOPT_SSH_AUTH_TYPES Pass a long set to a bitmask consisting of one or more of diff --git a/include/curl/curl.h b/include/curl/curl.h index a9d42fa..518ac69 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h 
@@ -1483,6 +1483,9 @@ typedef enum { CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208), CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209), + /* allow GSSAPI credential delegation */ + CINIT(GSSAPI_DELEGATION, LONG, 210), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 5127e64..5a218b8 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -144,6 +144,10 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, bool gss; const char* protocol; + OM_uint32 req_flags = 0; + if(conn->data->set.gssapi_delegation) + req_flags = GSS_C_DELEG_FLAG; + while(*header && ISSPACE(*header)) header++; if(checkprefix("GSS-Negotiate", header)) { @@ -243,7 +247,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, &neg_ctx->context, neg_ctx->server_name, GSS_C_NO_OID, - 0, + req_flags, 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token, diff --git a/lib/url.c b/lib/url.c index c5b642f..f9a2049 100644 --- a/lib/url.c +++ b/lib/url.c @@ -1985,6 +1985,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, va_arg(param, char *)); data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]); break; + case CURLOPT_GSSAPI_DELEGATION: + /* + * allow GSSAPI credential delegation + */ + data->set.gssapi_delegation = (bool)(0 != va_arg(param, long)); + break; case CURLOPT_SSL_VERIFYPEER: /* * Enable peer SSL verifying. diff --git a/lib/urldata.h b/lib/urldata.h index d256968..ac8ef11 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1517,6 +1517,8 @@ struct UserDefined { curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds to pattern (e.g. if WILDCARDMATCH is on) */ void *fnmatch_data; + + bool gssapi_delegation; /* allow GSSAPI credential delegation */ }; struct Names { -- 1.7.4.4
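Review bot: the new CURLOPT_GSSAPI_DELEGATION entry in curl_easy_setopt.3 describes the switch but not its consequence; since enabling it hands the caller's Kerberos credentials to whichever server completes the Negotiate handshake, the man page should say plainly that the default is 0, that it should only be turned on for servers the application trusts to act on its behalf, and that the default changed in 7.21.7 because of CVE-2011-2192, so that readers of the option do not re-enable it casually.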
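Review bot: in the first http_negotiate.c hunk, req_flags gets GSS_C_DELEG_FLAG whenever data->set.gssapi_delegation is set, with no regard for the proxy argument of Curl_input_negotiate, so once the option is on an authenticating proxy receives delegated credentials just like the origin server does. If that is not the intent, guard it with `if(conn->data->set.gssapi_delegation && !proxy)`; if it is, spell it out in the man page text, because a proxy is usually a less trusted party than the target host.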
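Review bot: the second http_negotiate.c hunk passes req_flags to gss_init_sec_context but nothing in the patch inspects the ret_flags output of that call; the GSS mechanism silently omits GSS_C_DELEG_FLAG from ret_flags when the ticket is not forwardable or the service is not trusted for delegation, so the code should check the returned flags and report the outcome (an infof() line is enough) so an application that asked for delegation can tell whether it actually took place.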
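Review bot: the CURLOPT_GSSAPI_DELEGATION case in the url.c hunk coerces any non-zero long to true, while the man page hunk tells users to pass 1; either document "non-zero" or validate the value and return CURLE_BAD_FUNCTION_ARGUMENT for anything other than 0 or 1, which also keeps the remaining bits free if the option later needs to carry more than an on/off choice.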
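Review bot: the new `bool gssapi_delegation` in struct UserDefined is written only from the Curl_setopt case in this patch, so the whole fix for CVE-2011-2192 rests on the field starting out false; confirm that the path which initialises UserDefined zeroes it (and that nothing copies an uninitialised copy of the struct around), and add a comment at the declaration saying "off by default" so that a later change does not quietly reverse that.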
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
