Re: [PATCH] http: Control GSSAPI credential delegation.
Petr Stodulka writes:

> However, I discussed it with the libcurl maintainer and he confirmed that this
> option can be required in some cases and this is what I need to do.
> this already. I tested just setting the parameter in libcurl according
> to the description and nothing else seems broken. So anyone else who is
> able to test the complete behaviour, where delegation is needed, is welcome.

Thanks; let's queue this in 'pu' to make it easier for people who would be affected to try it out.
Re: [PATCH] http: Control GSSAPI credential delegation.
On 28.9.2016 19:16, Jeff King wrote:
> On Wed, Sep 28, 2016 at 06:05:52PM +0200, Petr Stodulka wrote:
>
>> Delegation of credentials is disabled by default in libcurl since
>> version 7.21.7 due to security vulnerability CVE-2011-2192. Which
>> makes troubles with GSS/kerberos authentication where delegation
>> of credentials is required. This can be changed with option
>> CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter
>> since libcurl version 7.22.0.
>
> I don't have any real knowledge of GSSAPI, so I'll refrain from
> commenting on that aspect. But I did notice one mechanical issue:
>

Me neither. I have just basic knowledge and I am not able to configure a virtual machine which really needs delegation set in libcurl (I need just negotiation, which is possible in git, I guess since v2.8.0). However, I discussed it with the libcurl maintainer and he confirmed that this option can be required in some cases and this is what I need to do. this already. I tested just setting the parameter in libcurl according to the description and nothing else seems broken. So anyone else who is able to test the complete behaviour, where delegation is needed, is welcome.

[snip]

> We only declare the curl_deleg variable if we have a new-enough curl.
> But...
>
>> @@ -323,6 +335,10 @@ static int http_options(const char *var, const char
>> *value, void *cb)
>> return 0;
>> }
>>
>> +if (!strcmp("http.delegation", var)) {
>> +return git_config_string(_deleg, var, value);
>> +}
>> +
>
> ...here we try to use it regardless. I think you want another #ifdef,
> and probably to warn the user in the #else block (similar to what the
> http.pinnedpubkey code does).
>
> -Peff
>

You are right. Thanks. I sent a new version of the patch with the fix.

Petr
Re: [PATCH] http: Control GSSAPI credential delegation.
On Wed, Sep 28, 2016 at 06:05:52PM +0200, Petr Stodulka wrote:

> Delegation of credentials is disabled by default in libcurl since
> version 7.21.7 due to security vulnerability CVE-2011-2192. Which
> makes troubles with GSS/kerberos authentication where delegation
> of credentials is required. This can be changed with option
> CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter
> since libcurl version 7.22.0.

I don't have any real knowledge of GSSAPI, so I'll refrain from
commenting on that aspect. But I did notice one mechanical issue:

> +#if LIBCURL_VERSION_NUM >= 0x071600
> +static const char *curl_deleg;
> +static struct {
> + const char *name;
> + long curl_deleg_param;
> +} curl_deleg_levels[] = {
> + { "none", CURLGSSAPI_DELEGATION_NONE },
> + { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
> + { "always", CURLGSSAPI_DELEGATION_FLAG },
> +};
> +#endif

We only declare the curl_deleg variable if we have a new-enough curl.
But...

> @@ -323,6 +335,10 @@ static int http_options(const char *var, const char
> *value, void *cb)
> return 0;
> }
>
> + if (!strcmp("http.delegation", var)) {
> + return git_config_string(_deleg, var, value);
> + }
> +

...here we try to use it regardless. I think you want another #ifdef,
and probably to warn the user in the #else block (similar to what the
http.pinnedpubkey code does).

-Peff
Re: [PATCH] http: Control GSSAPI credential delegation.
On 28.9.2016 18:05, Petr Stodulka wrote:
> Delegation of credentials is disabled by default in libcurl since
> version 7.21.7 due to security vulnerability CVE-2011-2192. Which
> makes troubles with GSS/kerberos authentication where delegation
> of credentials is required. This can be changed with option
> CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter
> since libcurl version 7.22.0.

Correction: Which makes troubles with GSS/kerberos authentication when delegation of credentials is required.
[PATCH] http: Control GSSAPI credential delegation.
Delegation of credentials is disabled by default in libcurl since version 7.21.7 due to security vulnerability CVE-2011-2192, which causes trouble with GSS/kerberos authentication where delegation of credentials is required. This can be changed with the option CURLOPT_GSSAPI_DELEGATION in libcurl, with the expected parameter set, since libcurl version 7.22.0.

This patch provides a new configuration variable, http.delegation, which corresponds to the curl parameter "--delegation" (see man 1 curl). The following values are supported:

* none (default)
* policy
* always

Signed-off-by: Petr Stodulka
---
 Documentation/config.txt | 14 ++
 http.c | 32
 2 files changed, 46 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt index e78293b..a179474 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1736,6 +1736,20 @@ http.emptyAuth:: a username in the URL, as libcurl normally requires a username for authentication. +http.delegation:: + Control GSSAPI credential delegation. The delegation is disabled + by default in libcurl since version 7.21.7. Set parameter to tell + the server what it is allowed to delegate when it comes to user + credentials. Used with GSS/kerberos. Possible values are: ++ +-- +* `none` - Don't allow any delegation. +* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the + Kerberos service ticket, which is a matter of realm policy. +* `always` - Unconditionally allow the server to delegate. +-- + + http.extraHeader:: Pass an additional HTTP header when communicating with a server. If more than one such entry exists, all of them are added as extra diff --git a/http.c b/http.c index 82ed542..5f8fab3 100644 --- a/http.c +++ b/http.c
@@ -90,6 +90,18 @@ static struct { * here, too */ }; +#if LIBCURL_VERSION_NUM >= 0x071600 +static const char *curl_deleg; +static struct { + const char *name; + long curl_deleg_param; +} curl_deleg_levels[] = { + { "none", CURLGSSAPI_DELEGATION_NONE }, + { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG }, + { "always", CURLGSSAPI_DELEGATION_FLAG }, +}; +#endif + static struct credential proxy_auth = CREDENTIAL_INIT; static const char *curl_proxyuserpwd; static const char *curl_cookie_file; @@ -323,6 +335,10 @@ static int http_options(const char *var, const char *value, void *cb) return 0; } + if (!strcmp("http.delegation", var)) { + return git_config_string(_deleg, var, value); + } + if (!strcmp("http.pinnedpubkey", var)) { #if LIBCURL_VERSION_NUM >= 0x072c00 return git_config_pathname(_pinnedkey, var, value); @@ -629,6 +645,22 @@ static CURL *get_curl_handle(void) curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); #endif +#if LIBCURL_VERSION_NUM >= 0x071600 + if (curl_deleg) { + int i; + for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) { + if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) { + curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION, + curl_deleg_levels[i].curl_deleg_param); + break; + } + } + if (i == ARRAY_SIZE(curl_deleg_levels)) + warning("Unknown delegation method '%s': using default", + curl_deleg); + } +#endif + if (http_proactive_auth) init_curl_http_auth(result); -- 2.5.5
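Review bot: in the Documentation/config.txt hunk, the sentence "Set parameter to tell the server what it is allowed to delegate when it comes to user credentials" reads as if the server controlled delegation, but the option decides whether git forwards the user's own Kerberos credentials to the server it talks to. Since the commit message cites CVE-2011-2192 as the reason libcurl turned this off, the `always` bullet should state plainly that it hands the user's credentials to whichever server git authenticates against, so a reader understands the exposure before enabling it, and the entry should say what applies when the variable is unset (the commit message calls `none` the default; the config text does not).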
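Review bot: the `http.delegation` branch in the http_options() hunk references `curl_deleg`, which the preceding hunk declares only under `#if LIBCURL_VERSION_NUM >= 0x071600`, so http.c no longer compiles against a libcurl older than 7.22.0. Wrap the branch in the same guard and emit a `warning()` in the `#else` branch saying that http.delegation is ignored, mirroring the `#if LIBCURL_VERSION_NUM >= 0x072c00` handling of `http.pinnedpubkey` a few lines below; Jeff King raised the same point in the thread.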
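Review bot: the lookup loop in the get_curl_handle() hunk only reports an unknown http.delegation value when a handle is created and then silently falls back to libcurl's default, so a misspelling such as `polciy` is reduced to a warning while the user may believe the ticket-flag-gated `policy` setting is in effect. For a setting that governs credential forwarding, rejecting unknown values in http_options() at config-parse time is the safer behaviour; failing that, the message `warning("Unknown delegation method '%s': using default", curl_deleg)` should name the fallback (`none`) explicitly.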