From 26a7b2342980f2eb46b47122d1d6dfbf13ed4ccb Mon Sep 17 00:00:00 2001

From: Petr Stodulka <pstodulk@redhat.com>

Date: Wed, 28 Sep 2016 20:01:34 +0200

Subject: [PATCH] http: control GSSAPI credential delegation

Delegation of credentials is disabled by default in libcurl since

version 7.21.7 due to security vulnerability CVE-2011-2192. Which

makes troubles with GSS/kerberos authentication when delegation

of credentials is required. This can be changed with option

CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter

since libcurl version 7.22.0.

This patch provides new configuration variable http.delegation

which corresponds to curl parameter "--delegation" (see man 1 curl).

The following values are supported:

* none (default).

* policy

* always

Signed-off-by: Petr Stodulka <pstodulk@redhat.com>

Signed-off-by: Junio C Hamano <gitster@pobox.com>

---

 Documentation/config.txt | 14 ++++++++++++++

 http.c                   | 37 +++++++++++++++++++++++++++++++++++++

 2 files changed, 51 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt

index 0bcb679..c588168 100644

--- a/Documentation/config.txt

+++ b/Documentation/config.txt

@@ -1730,6 +1730,20 @@ http.emptyAuth::

 	a username in the URL, as libcurl normally requires a username for

 	authentication.

+http.delegation::

+	Control GSSAPI credential delegation. The delegation is disabled

+	by default in libcurl since version 7.21.7. Set parameter to tell

+	the server what it is allowed to delegate when it comes to user

+	credentials. Used with GSS/kerberos. Possible values are:

++

+--

+* `none` - Don't allow any delegation.

+* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the

+  Kerberos service ticket, which is a matter of realm policy.

+* `always` - Unconditionally allow the server to delegate.

+--

+

+

 http.extraHeader::

 	Pass an additional HTTP header when communicating with a server.  If

 	more than one such entry exists, all of them are added as extra

diff --git a/http.c b/http.c

index cd40b01..624f0ce 100644

--- a/http.c

+++ b/http.c

@@ -90,6 +90,18 @@ static struct {

 	 * here, too

 	 */

 };

+#if LIBCURL_VERSION_NUM >= 0x071600

+static const char *curl_deleg;

+static struct {

+	const char *name;

+	long curl_deleg_param;

+} curl_deleg_levels[] = {

+	{ "none", CURLGSSAPI_DELEGATION_NONE },

+	{ "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },

+	{ "always", CURLGSSAPI_DELEGATION_FLAG },

+};

+#endif

+

 static struct credential proxy_auth = CREDENTIAL_INIT;

 static const char *curl_proxyuserpwd;

 static const char *curl_cookie_file;

@@ -316,6 +328,15 @@ static int http_options(const char *var, const char *value, void *cb)

 		return 0;

 	}

+	if (!strcmp("http.delegation", var)) {

+#if LIBCURL_VERSION_NUM >= 0x071600

+		return git_config_string(&curl_deleg, var, value);

+#else

+		warning(_("Delegation control is not supported with cURL < 7.22.0"));

+		return 0;

+#endif

+	}

+

 	if (!strcmp("http.pinnedpubkey", var)) {

 #if LIBCURL_VERSION_NUM >= 0x072c00

 		return git_config_pathname(&ssl_pinnedkey, var, value);

@@ -622,6 +643,22 @@ static CURL *get_curl_handle(void)

 	curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);

 #endif

+#if LIBCURL_VERSION_NUM >= 0x071600

+	if (curl_deleg) {

+		int i;

+		for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {

+			if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {

+				curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,

+						curl_deleg_levels[i].curl_deleg_param);

+				break;

+			}

+		}

+		if (i == ARRAY_SIZE(curl_deleg_levels))

+			warning("Unknown delegation method '%s': using default",

+				curl_deleg);

+	}

+#endif

+

 	if (http_proactive_auth)

 		init_curl_http_auth(result);

-- 

2.5.5