From 7dbd01e4815727ce46de0b5d6c2916fec9154196 Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com>
Date: Mon, 5 Dec 2016 16:49:09 +0100
Subject: [PATCH] http: control GSSAPI credential delegation
Delegation of credentials is disabled by default in libcurl since
version 7.21.7 due to security vulnerability CVE-2011-2192, which
causes trouble with GSS/Kerberos authentication when delegation
of credentials is required. This can be changed by setting the
CURLOPT_GSSAPI_DELEGATION option in libcurl to the expected value;
the option is available since libcurl version 7.22.0.
This patch provides new configuration variable http.delegation
which corresponds to curl parameter "--delegation" (see man 1 curl).
The following values are supported:
* none (default).
* policy
* always
---
http.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/http.c b/http.c
|
|
|
00409b |
index a1c7dcb..e7c77c0 100644
|
|
|
00409b |
--- a/http.c
|
|
|
00409b |
+++ b/http.c
|
|
|
00409b |
@@ -66,6 +66,19 @@ static struct curl_slist *no_pragma_header;
|
|
|
00409b |
|
|
|
00409b |
static struct active_request_slot *active_queue_head;
|
|
|
00409b |
|
|
|
00409b |
+#if LIBCURL_VERSION_NUM >= 0x071600
|
|
|
00409b |
+static const char *curl_deleg;
|
|
|
00409b |
+static struct {
|
|
|
00409b |
+ const char *name;
|
|
|
00409b |
+ long curl_deleg_param;
|
|
|
00409b |
+} curl_deleg_levels[] = {
|
|
|
00409b |
+ { "none", CURLGSSAPI_DELEGATION_NONE },
|
|
|
00409b |
+ { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
|
|
|
00409b |
+ { "always", CURLGSSAPI_DELEGATION_FLAG },
|
|
|
00409b |
+};
|
|
|
00409b |
+#endif
|
|
|
00409b |
+
|
|
|
00409b |
+
|
|
|
00409b |
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
|
|
|
00409b |
{
|
|
|
00409b |
size_t size = eltsize * nmemb;
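Review bot: The `curl_deleg_levels` table has no comment saying what each level allows, which matters because this setting re-enables behaviour that, per the commit message, libcurl switched off for CVE-2011-2192. I would add above the table: `/* http.delegation: "policy" delegates only if the service ticket carries OK-AS-DELEGATE; "always" delegates unconditionally */`. `curl_deleg` stays NULL when the variable is unset, so the later `if (curl_deleg)` guard leaves libcurl's default of no delegation in place; a one-line comment on the declaration should say so. As a style point, the hunk adds two consecutive blank lines before `fread_buffer` where one is enough.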
|
|
|
00409b |
@@ -169,6 +182,16 @@ static int http_options(const char *var, const char *value, void *cb)
|
|
|
00409b |
curl_ssl_try = git_config_bool(var, value);
|
|
|
00409b |
return 0;
|
|
|
00409b |
}
|
|
|
00409b |
+
|
|
|
00409b |
+ if (!strcmp("http.delegation", var)) {
|
|
|
00409b |
+#if LIBCURL_VERSION_NUM >= 0x071600
|
|
|
00409b |
+ return git_config_string(&curl_deleg, var, value);
|
|
|
00409b |
+#else
|
|
|
00409b |
+ warning("Delegation control is not supported with cURL < 7.22.0");
|
|
|
00409b |
+ return 0;
|
|
|
00409b |
+#endif
|
|
|
00409b |
+ }
|
|
|
00409b |
+
|
|
|
00409b |
if (!strcmp("http.minsessions", var)) {
|
|
|
00409b |
min_curl_sessions = git_config_int(var, value);
|
|
|
00409b |
#ifndef USE_CURL_MULTI
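Review bot: `http.delegation` is stored in the single file-scope `curl_deleg`, so as far as this patch shows the chosen level applies to every handle `get_curl_handle` creates, not only to the Kerberos-protected server the user had in mind. With `always`, the user's credentials would be offered for delegation to any HTTP server that negotiates GSSAPI, which is the exposure the libcurl default was changed to prevent. The diffstat lists only http.c, so the new variable gets no entry in the configuration documentation; it should have one that describes the three values and points users to `policy` where the KDC can mark trusted services. A short comment on the branch would also help: `/* level is process-wide; accepted names are listed in curl_deleg_levels */`. `http_options` begins and ends outside the hunk.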
|
|
|
00409b |
@@ -271,6 +294,21 @@ static CURL *get_curl_handle(void)
|
|
|
00409b |
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
|
|
|
00409b |
curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
|
|
|
00409b |
#endif
|
|
|
00409b |
+#if LIBCURL_VERSION_NUM >= 0x071600
|
|
|
00409b |
+ if (curl_deleg) {
|
|
|
00409b |
+ int i;
|
|
|
00409b |
+ for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
|
|
|
00409b |
+ if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
|
|
|
00409b |
+ curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,
|
|
|
00409b |
+ curl_deleg_levels[i].curl_deleg_param);
|
|
|
00409b |
+ break;
|
|
|
00409b |
+ }
|
|
|
00409b |
+ }
|
|
|
00409b |
+ if (i == ARRAY_SIZE(curl_deleg_levels))
|
|
|
00409b |
+ warning("Unknown delegation method '%s': using default",
|
|
|
00409b |
+ curl_deleg);
|
|
|
00409b |
+ }
|
|
|
00409b |
+#endif
|
|
|
00409b |
|
|
|
00409b |
if (http_proactive_auth)
|
|
|
00409b |
init_curl_http_auth(result);
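Review bot: The name-to-flag lookup runs each time `get_curl_handle` builds a handle, so a mistyped `http.delegation` is reported by the "Unknown delegation method" warning once per handle rather than once at config time. Resolving the name in `http_options` and keeping only the resulting `long` would move the check to where the value is read. Falling back to the default on an unknown name is the safe direction and should stay. The result of `curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION, ...)` is discarded, so if the linked libcurl rejects the option (possibly a build without GSS-API) the user gets no hint why Negotiate authentication still fails; testing it against `CURLE_OK` and calling `warning()` would surface that. `get_curl_handle` starts and continues outside the hunk.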
--
2.5.5