spnego sspi delegation [windows 7]

2019-07-03 Thread Claudio via curl-library
Hello Everyone,

I have a problem with the curl library on Windows which I have managed to quick-fix,
but I would need some further insight from experts.
I am using libcurl (or the curl command) with --negotiate authentication on
Windows and the "--delegation always" (or policy) parameter. We use Kerberos
authentication, as far as I know.
The server I connect to will forward the request to a back-end system, and my
credentials must be provided to be authorized. On Linux this seems to work out of the
box, but on Windows I always got an error like

"Could not impersonate INTRANET\ as authentication token was not provided". 

The ticket stored in my box for the server I connect to includes the following 
attribute

Ticket Flags  -> forwardable renewable pre_authent ok_as_delegate

I have managed to make it work by adding the flag ISC_REQ_DELEGATE to the call
in spnego_sspi.c (around line 250):

  nego->status = s_pSecFn->InitializeSecurityContext(nego->credentials,
                                                     chlg ? nego->context :
                                                            NULL,
                                                     nego->spn,
                                                     ISC_REQ_DELEGATE |
                                                     ISC_REQ_CONFIDENTIALITY, // <== CODE CHANGE added flag ISC_REQ_DELEGATE
                                                     0, SECURITY_NATIVE_DREP,
                                                     chlg ? &chlg_desc : NULL,
                                                     0, nego->context,
                                                     &resp_desc, &context_attributes,
                                                     &expiry);

Now what I wanted to do is handle the --delegation parameter properly.
First of all I would need to see whether the security package supports DELEGATION.
Hence I have checked it as follows:

  nego->status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
                                                    TEXT(SP_NAME_NEGOTIATE),
                                                    &SecurityPackage);

  unsigned long isc_flags = ISC_REQ_CONFIDENTIALITY;
  if(SecurityPackage->fCapabilities & SECPKG_FLAG_DELEGATION) {
    if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
      isc_flags |= ISC_REQ_DELEGATE;
    }
    else if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG) {
      /* error not supported ??? */
    }
  }


Of course it is not gssapi_delegation, but I assume SSPI should mimic the GSSAPI
interface/functionality, so we could in theory use the same flag.

Question 1: Is there a way to force the delegation using SSPI? Or is
CURLGSSAPI_DELEGATION_FLAG not supported, e.g. there is no way to force it if
Active Directory does not allow it?
 
Question 2: When I look at the fCapabilities flags in the SecurityPackage
structure for the loaded package (secur32) I get the info below back (which I
have pretty-printed). SECPKG_FLAG_DELEGATION is false, so I am a bit
puzzled. I can make it work, but the library tells me delegation is not
supported.

Now my knowledge here is very limited.
If I want to reuse the delegation option, what flag do I need to check to know
if this functionality is supported? If it is GSS COMPATIBLE?

Thanks for any help you could provide.

Best Regards
Claudio Rinaldi

Security Package: Negotiate
Security Package supported flags: 83bb3
Comment: Microsoft Package Negotiator


SUPPORTED [SECPKG_FLAG_INTEGRITY]
SUPPORTED [SECPKG_FLAG_PRIVACY]
NOT SUPPORTED [SECPKG_FLAG_TOKEN_ONLY]
NOT SUPPORTED [SECPKG_FLAG_DATAGRAM]
SUPPORTED [SECPKG_FLAG_CONNECTION]
SUPPORTED [SECPKG_FLAG_MULTI_REQUIRED]
NOT SUPPORTED [SECPKG_FLAG_CLIENT_ONLY]
SUPPORTED [SECPKG_FLAG_EXTENDED_ERROR]
SUPPORTED [SECPKG_FLAG_IMPERSONATION]
SUPPORTED [SECPKG_FLAG_ACCEPT_WIN32_NAME]
NOT SUPPORTED [SECPKG_FLAG_STREAM]
SUPPORTED [SECPKG_FLAG_NEGOTIABLE]
SUPPORTED [SECPKG_FLAG_GSS_COMPATIBLE]
SUPPORTED [SECPKG_FLAG_LOGON]
NOT SUPPORTED [SECPKG_FLAG_ASCII_BUFFERS]
NOT SUPPORTED [SECPKG_FLAG_FRAGMENT]
NOT SUPPORTED [SECPKG_FLAG_MUTUAL_AUTH]

NOT SUPPORTED [SECPKG_FLAG_DELEGATION]

NOT SUPPORTED [SECPKG_FLAG_READONLY_WITH_CHECKSUM]
SUPPORTED [SECPKG_FLAG_RESTRICTED_TOKENS]
NOT SUPPORTED [SECPKG_FLAG_NEGO_EXTENDER]
NOT SUPPORTED [SECPKG_FLAG_NEGOTIABLE2]
NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_PASSTHROUGH]
NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_CHECKS]
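
An added example (not curl's code and not from the message above) that decodes the fCapabilities value 83bb3 printed in this listing and applies the delegation-flag logic the message sketches; the SECPKG_FLAG_*, ISC_REQ_* and CURLGSSAPI_DELEGATION_* values are those of sspi.h and curl/curl.h, redefined locally so the block builds without the Windows SDK.

```c
/* Added example, not curl's code: decode the Negotiate package's fCapabilities
 * value from this thread (0x83bb3) and derive InitializeSecurityContext request
 * flags as the message sketches. Constants match sspi.h / curl.h, redefined here. */
#include <stdio.h>
#include <stdlib.h>

#define SECPKG_FLAG_GSS_COMPATIBLE        0x00001000
#define SECPKG_FLAG_DELEGATION            0x00020000
#define SECPKG_FLAG_RESTRICTED_TOKENS     0x00080000
#define ISC_REQ_DELEGATE                  0x00000001
#define ISC_REQ_CONFIDENTIALITY           0x00000010
#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1 << 0)
#define CURLGSSAPI_DELEGATION_FLAG        (1 << 1)

static const struct { unsigned long bit; const char *name; } caps_names[] = {
  { SECPKG_FLAG_GSS_COMPATIBLE,    "SECPKG_FLAG_GSS_COMPATIBLE" },
  { SECPKG_FLAG_DELEGATION,        "SECPKG_FLAG_DELEGATION" },
  { SECPKG_FLAG_RESTRICTED_TOKENS, "SECPKG_FLAG_RESTRICTED_TOKENS" },
};

/* Parse the hex value exactly as the thread prints it ("83bb3"). */
unsigned long parse_caps(const char *hex) { return strtoul(hex, NULL, 16); }

/* Pretty-print like the thread; returns how many of the listed bits are set. */
int print_caps(unsigned long caps)
{
  int set = 0;
  size_t i;
  for(i = 0; i < sizeof(caps_names) / sizeof(caps_names[0]); i++) {
    int on = (caps & caps_names[i].bit) != 0;
    printf("%s [%s]\n", on ? "SUPPORTED" : "NOT SUPPORTED", caps_names[i].name);
    set += on;
  }
  return set;
}

/* The sketch from the message: add ISC_REQ_DELEGATE for the POLICY setting only
 * when the package advertises SECPKG_FLAG_DELEGATION; -1 stands for its
 * "not supported ???" branch. With 0x83bb3 the bit is clear, so nothing is added. */
long isc_flags_for(unsigned long caps, long delegation)
{
  unsigned long flags = ISC_REQ_CONFIDENTIALITY;
  if(caps & SECPKG_FLAG_DELEGATION) {
    if(delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG)
      flags |= ISC_REQ_DELEGATE;
    else if(delegation & CURLGSSAPI_DELEGATION_FLAG)
      return -1;
  }
  return (long)flags;
}
```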






Re: Missing bcrytp.dll when running Watcom compiled Libcurl program on XP.

2019-07-03 Thread Gisle Vanem via curl-library

Dan Gribble wrote:

> I have copied libcrypto-1_1.dll and libssl-1_1.dll (from openssl 1.1.1c)
> to my application directory in order to run the compiled application,
> but other than that I have not done anything else.


You have to rebuild OpenSSL with a '_WIN32_WINNT' value
suitable for Win-XP ('-D_WIN32_WINNT=0x0501' should work
I think). Or maybe lower the value in 'Configurations\50-win-onecore.conf'

Look at OpenSSL's crypto/rand/rand_win.c where bcrypt.dll
functions are used:

  /* On Windows Vista or higher use BCrypt instead of the legacy CryptoAPI */
  # if defined(_MSC_VER) && defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0600
  #  define USE_BCRYPTGENRANDOM
  # endif


--
--gv
---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: Missing bcrytp.dll when running Watcom compiled Libcurl program on XP.

2019-07-03 Thread Dan Gribble via curl-library

> From: curl-library on behalf of Ray Satiro via curl-library
> Sent: 02 July 2019 22:13
> To: curl-library@cool.haxx.se
> Cc: Ray Satiro
> Subject: Re: Missing bcrytp.dll when running Watcom compiled Libcurl program on XP.
>
> On 7/2/2019 11:44 AM, Dan Gribble via curl-library wrote:
>
>> Please excuse my ignorance/inexperience but I'm very new to C++ (and OOP,
>> compiling/linking in general). I'll try and explain as best I can what I have
>> done so far and hopefully you will be able to advise how to proceed.
>>
>> I am developing an application that uses the cURL library to post JSON format
>> data. The requirement at my installation is to use the Watcom compiler which
>> initially caused a few headaches, but I have managed to overcome them with some
>> help from Luca on this mailing list.
>>
>> I downloaded cURL 7.64.0 and have been using the curl header in my application
>> to carry out the post operations. In order to get around the problem of the
>> Watcom calling conventions being different to CDECL, under the guidance of Luca
>> I generated an import lib for Watcom from the libcurl.dll and have been using
>> that when compiling and linking to generate my executable.
>>
>> My application works fine under Windows 7 and 10, however, I get the bcrypt.dll
>> missing error message when attempting to run it on Windows XP.
>>
>> If you require any further information, please let me know and I will do my
>> best to assist you.
>
> Please don't top-post [1] it makes the conversation hard to follow. Either
> libcurl or one of its dependents is dependent on bcrypt. Official builds don't
> need bcrypt. You can use Dependency Walker [2] to see exactly what DLL needs
> bcrypt. As I said it's possible you are building curl in a way that requires
> bcrypt but I don't know what that is. It would help to know exactly how you are
> building curl.
>
> [1]: https://curl.haxx.se/mail/etiquette.html#Do_Not_Top_Post
> [2]: http://www.dependencywalker.com/



Please accept my apologies for the top posting Ray, I should have familiarised
myself with the rules before posting.

I have run Dependency Walker against my executable and it is showing that
BCRYPT.DLL is being called from the following:

  LIBCURL.DLL
    '--> LIBCRYPTO-1_1.DLL
           '--> BCRYPT.DLL

It is also being called from a number of other Windows DLLs.

I have not built cURL from scratch. I downloaded the binary (7.64.0) which had
the command line cURL application and also the header files which I could
include in my application.

As mentioned previously, I generated an import library to get around the
calling convention differences between Watcom and other compilers, using the
following Watcom command:

 > wlib -n watcom_libcurl.dll.lib +libcurl.dll

.. and have been compiling and linking using the following command:

 > wcl386 -i=%WATCOM%\h -i=%WATCOM%\h\nt -i=C:\OEM\CURL\CURL-7.64.0-WIN32-MINGW\INCLUDE\CURL -DNDEBUG -DWIN32 -bt=nt -l=nt -5s -xs c:\djg\myapplication.cpp watcom_libcurl.dll.lib

I have copied libcrypto-1_1.dll and libssl-1_1.dll (from openssl 1.1.1c) to my
application directory in order to run the compiled application, but other than
that I have not done anything else.

Kind regards
Dan


Windows compilation error

2019-07-03 Thread MATSUDA Daiki via curl-library

I tried to build curl-7.65.1 on Windows 2008R2 64bit.
The build for the library finished, but for curl.exe the following warning is
displayed.

cd winbuild
nmake /F Makefile.vc mode=static WITH_MBEDTLS=static  
MBEDTLS_PATH=..\..\mbedtls-2.7.10\build

...
link.exe /incremental:no  
/libpath:"..\builds\libcurl-vc-x64-release-static-mbedtls-static-ipv6-sspi\lib"

...
MSVCRT.lib(cinitexe.obj) : warning LNK4098: defaultlib 'libcmt.lib'  
conflicts with use of other libs; use /NODEFAULTLIB:library



After that, I tried to build another application, but errors occur.

V0@@Z) already defined in LIBCMT.lib(typinfo.obj)
MSVCRT.lib(MSVCR90.dll) : error LNK2005: _strdup already defined in  
LIBCMT.lib(strdup.obj)
MSVCRT.lib(MSVCR90.dll) : error LNK2005: _read already defined in  
LIBCMT.lib(read.obj)
MSVCRT.lib(MSVCR90.dll) : error LNK2005: _write already defined in  
LIBCMT.lib(write.obj)
MSVCRT.lib(MSVCR90.dll) : error LNK2005: _close already defined in  
LIBCMT.lib(close.obj)
MSVCRT.lib(MSVCR90.dll) : error LNK2005: _open already defined in  
LIBCMT.lib(open.obj)
LINK : warning LNK4098: defaultlib 'MSVCRT' conflicts with use of other  
libs; use /NODEFAULTLIB:library
..\..\..\bin\win64\xxx.exe : fatal error LNK1169: one or more multiply  
defined symbols found



In my research, the curl library is built with the /MD option in spite of static.

https://docs.microsoft.com/en-us/cpp/build/reference/md-mt-ld-use-run-time-library?view=vs-2019


So I made the patch. With it, no warning is displayed for curl.exe and the
other application is built with no error.

Daiki
--- curl-7.65.1.orig/winbuild/Makefile.vc	2019-05-14 21:50:37.0 +0900
+++ curl-7.65.1/winbuild/Makefile.vc	2019-07-02 10:29:52.254305777 +0900
@@ -269,6 +269,7 @@ $(MODE):
 	@SET USE_WINSSL=$(USE_WINSSL)
 # compatibility bit
 	@SET WITH_NGHTTP2=$(WITH_NGHTTP2)
+	@SET RTLIBCFG=$(MODE)
 
 	@$(MAKE) /NOLOGO /F MakefileBuild.vc
 
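Review bot: `@SET RTLIBCFG=$(MODE)` is unconditional, so it overrides an RTLIBCFG the user passes on the nmake command line (the winbuild README lists RTLIBCFG as an option separate from mode, so mode=static with a DLL runtime is currently a valid combination). Guard the assignment so it only applies when RTLIBCFG is not already set, or state in the commit message that a static build now always links the static CRT; the LNK2005/LNK4098 output above shows why the default matters, but a silent behaviour change for existing users should be called out.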
--- curl-7.65.1.orig/winbuild/MakefileBuild.vc	2019-05-14 21:50:37.0 +0900
+++ curl-7.65.1/winbuild/MakefileBuild.vc	2019-07-02 12:12:05.245529791 +0900
@@ -178,7 +178,7 @@ NGHTTP2_LIBS = nghttp2_static.lib
 
 !IFDEF MBEDTLS_PATH
 MBEDTLS_INC_DIR  = $(MBEDTLS_PATH)\include
-MBEDTLS_LIB_DIR  = $(MBEDTLS_PATH)\lib
+MBEDTLS_LIB_DIR  = $(MBEDTLS_PATH)\library
 MBEDTLS_LFLAGS   = $(MBEDTLS_LFLAGS) "/LIBPATH:$(MBEDTLS_LIB_DIR)"
 !ELSE
 MBEDTLS_INC_DIR  = $(DEVEL_INCLUDE)
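Review bot: the MBEDTLS_LIB_DIR change from `\lib` to `\library` is unrelated to the runtime-library fix and is not explained in the message; `$(MBEDTLS_PATH)\lib` is where an installed mbedTLS places its libraries, while `library` matches an in-tree build directory such as the reporter's `..\..\mbedtls-2.7.10\build`, so swapping the default breaks everyone who points MBEDTLS_PATH at an install prefix. Split it into its own change and make the directory overridable (assign the default only when MBEDTLS_LIB_DIR is not already defined) rather than replacing it.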