Re: [PATCH] http: Control GSSAPI credential delegation.

2016-09-28 Thread Junio C Hamano
Petr Stodulka  writes:

> However, I discussed it with the libcurl maintainer and he confirmed that this
> option can be required in some cases, and this is what I need to do.
> this already. I tested just the setting of the parameter in libcurl according
> to the description and nothing else seems broken. So anyone else who is
> able to test the complete behaviour, where delegation is needed, is welcome.

Thanks; let's queue this in 'pu' to make it easier for people who
would be affected to try it out.


Re: [PATCH] http: Control GSSAPI credential delegation.

2016-09-28 Thread Petr Stodulka


On 28.9.2016 19:16, Jeff King wrote:
> On Wed, Sep 28, 2016 at 06:05:52PM +0200, Petr Stodulka wrote:
> 
>> Delegation of credentials is disabled by default in libcurl since
>> version 7.21.7 due to the security vulnerability CVE-2011-2192. This
>> makes trouble for GSS/Kerberos authentication where delegation
>> of credentials is required. This can be changed with the option
>> CURLOPT_GSSAPI_DELEGATION in libcurl, by setting the expected parameter,
>> available since libcurl version 7.22.0.
> 
> I don't have any real knowledge of GSSAPI, so I'll refrain from
> commenting on that aspect. But I did notice one mechanical issue:
> 

Me neither. I have just basic knowledge and I am not able to configure a
virtual machine which really needs delegation set in libcurl (I need
just negotiation, which is possible in git, I guess since v2.8.0).

However, I discussed it with the libcurl maintainer and he confirmed that this
option can be required in some cases, and this is what I need to do.
this already. I tested just the setting of the parameter in libcurl according
to the description and nothing else seems broken. So anyone else who is
able to test the complete behaviour, where delegation is needed, is welcome.

[snip]
> We only declare the curl_deleg variable if we have a new-enough curl.
> But...
> 
>> @@ -323,6 +335,10 @@ static int http_options(const char *var, const char 
>> *value, void *cb)
>>  return 0;
>>  }
>>  
>> +if (!strcmp("http.delegation", var)) {
>> +return git_config_string(_deleg, var, value);
>> +}
>> +
> 
> ...here we try to use it regardless. I think you want another #ifdef,
> and probably to warn the user in the #else block (similar to what the
> http.pinnedpubkey code does).
> 
> -Peff
> 

You are right. Thanks. I sent a new version of the patch with the fix.

Petr





Re: [PATCH] http: Control GSSAPI credential delegation.

2016-09-28 Thread Jeff King
On Wed, Sep 28, 2016 at 06:05:52PM +0200, Petr Stodulka wrote:

> Delegation of credentials is disabled by default in libcurl since
> version 7.21.7 due to the security vulnerability CVE-2011-2192. This
> makes trouble for GSS/Kerberos authentication where delegation
> of credentials is required. This can be changed with the option
> CURLOPT_GSSAPI_DELEGATION in libcurl, by setting the expected parameter,
> available since libcurl version 7.22.0.

I don't have any real knowledge of GSSAPI, so I'll refrain from
commenting on that aspect. But I did notice one mechanical issue:

> +#if LIBCURL_VERSION_NUM >= 0x071600
> +static const char *curl_deleg;
> +static struct {
> + const char *name;
> + long curl_deleg_param;
> +} curl_deleg_levels[] = {
> + { "none", CURLGSSAPI_DELEGATION_NONE },
> + { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
> + { "always", CURLGSSAPI_DELEGATION_FLAG },
> +};
> +#endif

We only declare the curl_deleg variable if we have a new-enough curl.
But...

> @@ -323,6 +335,10 @@ static int http_options(const char *var, const char 
> *value, void *cb)
>   return 0;
>   }
>  
> + if (!strcmp("http.delegation", var)) {
> + return git_config_string(_deleg, var, value);
> + }
> +

...here we try to use it regardless. I think you want another #ifdef,
and probably to warn the user in the #else block (similar to what the
http.pinnedpubkey code does).

-Peff


Re: [PATCH] http: Control GSSAPI credential delegation.

2016-09-28 Thread Petr Stodulka


On 28.9.2016 18:05, Petr Stodulka wrote:
> Delegation of credentials is disabled by default in libcurl since
> version 7.21.7 due to the security vulnerability CVE-2011-2192. This
> makes trouble for GSS/Kerberos authentication where delegation
> of credentials is required. This can be changed with the option
> CURLOPT_GSSAPI_DELEGATION in libcurl, by setting the expected parameter,
> available since libcurl version 7.22.0.

Correction:
  This makes trouble for GSS/Kerberos authentication when delegation
  of credentials is required.





[PATCH] http: Control GSSAPI credential delegation.

2016-09-28 Thread Petr Stodulka
Delegation of credentials is disabled by default in libcurl since
version 7.21.7 due to the security vulnerability CVE-2011-2192. This
makes trouble for GSS/Kerberos authentication where delegation
of credentials is required. This can be changed with the option
CURLOPT_GSSAPI_DELEGATION in libcurl, by setting the expected parameter,
available since libcurl version 7.22.0.

This patch provides a new configuration variable, http.delegation,
which corresponds to the curl parameter "--delegation" (see man 1 curl).

The following values are supported:

* none (default).
* policy
* always

Signed-off-by: Petr Stodulka 
---
 Documentation/config.txt | 14 ++
 http.c   | 32 
 2 files changed, 46 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index e78293b..a179474 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1736,6 +1736,20 @@ http.emptyAuth::
a username in the URL, as libcurl normally requires a username for
authentication.
 
+http.delegation::
+   Control GSSAPI credential delegation. The delegation is disabled
+   by default in libcurl since version 7.21.7. Set parameter to tell
+   the server what it is allowed to delegate when it comes to user
+   credentials. Used with GSS/kerberos. Possible values are:
++
+--
+* `none` - Don't allow any delegation.
+* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the
+  Kerberos service ticket, which is a matter of realm policy.
+* `always` - Unconditionally allow the server to delegate.
+--
+
+
 http.extraHeader::
Pass an additional HTTP header when communicating with a server.  If
more than one such entry exists, all of them are added as extra
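Review bot: the `http.delegation::` text does not say what happens when libcurl is older than 7.22.0 (the setting silently has no effect) or when the value is not one of the three listed (http.c warns and leaves libcurl's default, delegation disabled, in place); both belong here so users can tell why a setting did nothing. The `always` entry should also state the exposure: the server receives a forwardable copy of the user's Kerberos credentials and can act as that user towards other services, which is what CVE-2011-2192 was about, so `policy` is the safer choice wherever realm policy marks delegation targets with OK-AS-DELEGATE. "Set parameter to tell the server what it is allowed to delegate" reads awkwardly; "Set this to tell libcurl which credential delegation the server may be granted" is closer to what the option does. Minor: the two trailing `+` blank lines before `http.extraHeader::` leave a double empty line; one is enough.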
diff --git a/http.c b/http.c
index 82ed542..5f8fab3 100644
--- a/http.c
+++ b/http.c
@@ -90,6 +90,18 @@ static struct {
 * here, too
 */
 };
+#if LIBCURL_VERSION_NUM >= 0x071600
+static const char *curl_deleg;
+static struct {
+   const char *name;
+   long curl_deleg_param;
+} curl_deleg_levels[] = {
+   { "none", CURLGSSAPI_DELEGATION_NONE },
+   { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
+   { "always", CURLGSSAPI_DELEGATION_FLAG },
+};
+#endif
+
 static struct credential proxy_auth = CREDENTIAL_INIT;
 static const char *curl_proxyuserpwd;
 static const char *curl_cookie_file;
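Review bot: the guard `#if LIBCURL_VERSION_NUM >= 0x071600` is right (0x071600 is 7.22.0, matching the commit message), but since `curl_deleg` is declared only inside it, every later reference to `curl_deleg` must sit under the same guard, and the `http_options` hunk below does not. A short comment such as `/* CURLOPT_GSSAPI_DELEGATION exists since 7.22.0 */` next to the `#if` would spare readers decoding the hex, as the nearby `0x072c00` check also lacks one.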
@@ -323,6 +335,10 @@ static int http_options(const char *var, const char 
*value, void *cb)
return 0;
}
 
+   if (!strcmp("http.delegation", var)) {
+   return git_config_string(_deleg, var, value);
+   }
+
if (!strcmp("http.pinnedpubkey", var)) {
 #if LIBCURL_VERSION_NUM >= 0x072c00
return git_config_pathname(_pinnedkey, var, value);
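Review bot: `curl_deleg` is assigned here unconditionally although it is only declared under `#if LIBCURL_VERSION_NUM >= 0x071600`, so the build breaks against libcurl older than 7.22.0. Mirror the `http.pinnedpubkey` block directly below: keep the `git_config_string(&curl_deleg, var, value)` call (it takes a `const char **`) under the same version guard, and in the `#else` branch warn that `http.delegation` is ignored because libcurl is too old and `return 0;`, so an older build does not silently accept a setting it cannot honour.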
@@ -629,6 +645,22 @@ static CURL *get_curl_handle(void)
curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
 #endif
 
+#if LIBCURL_VERSION_NUM >= 0x071600
+   if (curl_deleg) {
+   int i;
+   for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
+   if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
+   curl_easy_setopt(result, 
CURLOPT_GSSAPI_DELEGATION,
+   
curl_deleg_levels[i].curl_deleg_param);
+   break;
+   }
+   }
+   if (i == ARRAY_SIZE(curl_deleg_levels))
+   warning("Unknown delegation method '%s': using default",
+   curl_deleg);
+   }
+#endif
+
if (http_proactive_auth)
init_curl_http_auth(result);
 
-- 
2.5.5