Blame SOURCES/0001-http-control-GSSAPI-credential-delegation.patch

00409b
From 7dbd01e4815727ce46de0b5d6c2916fec9154196 Mon Sep 17 00:00:00 2001
00409b
From: Petr Stodulka <pstodulk@redhat.com>
00409b
Date: Mon, 5 Dec 2016 16:49:09 +0100
00409b
Subject: [PATCH] http: control GSSAPI credential delegation
00409b
00409b
Delegation of credentials is disabled by default in libcurl since
00409b
version 7.21.7 due to security vulnerability CVE-2011-2192. Which
00409b
makes troubles with GSS/kerberos authentication when delegation
00409b
of credentials is required. This can be changed with option
00409b
CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter
00409b
since libcurl version 7.22.0.
00409b
00409b
This patch provides new configuration variable http.delegation
00409b
which corresponds to curl parameter "--delegation" (see man 1 curl).
00409b
00409b
The following values are supported:
00409b
00409b
* none (default).
00409b
* policy
00409b
* always
00409b
---
00409b
 http.c | 38 ++++++++++++++++++++++++++++++++++++++
00409b
 1 file changed, 38 insertions(+)
00409b
00409b
diff --git a/http.c b/http.c
00409b
index a1c7dcb..e7c77c0 100644
00409b
--- a/http.c
00409b
+++ b/http.c
00409b
@@ -66,6 +66,19 @@ static struct curl_slist *no_pragma_header;
00409b
 
00409b
 static struct active_request_slot *active_queue_head;
00409b
 
00409b
+#if LIBCURL_VERSION_NUM >= 0x071600
00409b
+static const char *curl_deleg;
00409b
+static struct {
00409b
+	const char *name;
00409b
+	long curl_deleg_param;
00409b
+} curl_deleg_levels[] = {
00409b
+	{ "none", CURLGSSAPI_DELEGATION_NONE },
00409b
+	{ "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
00409b
+	{ "always", CURLGSSAPI_DELEGATION_FLAG },
00409b
+};
00409b
+#endif
00409b
+
00409b
+
00409b
 size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
00409b
 {
00409b
 	size_t size = eltsize * nmemb;
00409b
@@ -169,6 +182,16 @@ static int http_options(const char *var, const char *value, void *cb)
00409b
 		curl_ssl_try = git_config_bool(var, value);
00409b
 		return 0;
00409b
 	}
00409b
+
00409b
+	if (!strcmp("http.delegation", var)) {
00409b
+#if LIBCURL_VERSION_NUM >= 0x071600
00409b
+		return git_config_string(&curl_deleg, var, value);
00409b
+#else
00409b
+		warning("Delegation control is not supported with cURL < 7.22.0");
00409b
+		return 0;
00409b
+#endif
00409b
+	}
00409b
+
00409b
 	if (!strcmp("http.minsessions", var)) {
00409b
 		min_curl_sessions = git_config_int(var, value);
00409b
 #ifndef USE_CURL_MULTI
00409b
@@ -271,6 +294,21 @@ static CURL *get_curl_handle(void)
00409b
 #ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
00409b
 	curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
00409b
 #endif
00409b
+#if LIBCURL_VERSION_NUM >= 0x071600
00409b
+	if (curl_deleg) {
00409b
+		int i;
00409b
+		for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
00409b
+			if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
00409b
+				curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,
00409b
+						curl_deleg_levels[i].curl_deleg_param);
00409b
+				break;
00409b
+			}
00409b
+		}
00409b
+		if (i == ARRAY_SIZE(curl_deleg_levels))
00409b
+			warning("Unknown delegation method '%s': using default",
00409b
+				curl_deleg);
00409b
+	}
00409b
+#endif
00409b
 
00409b
 	if (http_proactive_auth)
00409b
 		init_curl_http_auth(result);
00409b
-- 
00409b
2.5.5
00409b