http: control GSSAPI credential delegation

Delegation of credentials is disabled by default in libcurl since
version 7.21.7 due to security vulnerability CVE-2011-2192. Which
makes troubles with GSS/kerberos authentication when delegation
of credentials is required. This can be changed with option
CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter
since libcurl version 7.22.0.

This patch provides new configuration variable http.delegation
which corresponds to curl parameter "--delegation" (see man 1 curl).

The following values are supported:

* none (default).
* policy
* always

Signed-off-by: Petr Stodulka <pstodulk@redhat.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Petr Stodulka 2016-09-28 20:01:34 +02:00 коммит произвёл Junio C Hamano
Родитель 7c0304af62
Коммит 26a7b23429
2 изменённых файлов: 51 добавлений и 0 удалений

Просмотреть файл

@ -1730,6 +1730,20 @@ http.emptyAuth::
a username in the URL, as libcurl normally requires a username for
authentication.
http.delegation::
Control GSSAPI credential delegation. The delegation is disabled
by default in libcurl since version 7.21.7. Set parameter to tell
the server what it is allowed to delegate when it comes to user
credentials. Used with GSS/kerberos. Possible values are:
+
--
* `none` - Don't allow any delegation.
* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the
Kerberos service ticket, which is a matter of realm policy.
* `always` - Unconditionally allow the server to delegate.
--
http.extraHeader::
Pass an additional HTTP header when communicating with a server. If
more than one such entry exists, all of them are added as extra

37
http.c
Просмотреть файл

@ -90,6 +90,18 @@ static struct {
* here, too
*/
};
#if LIBCURL_VERSION_NUM >= 0x071600
static const char *curl_deleg;
static struct {
const char *name;
long curl_deleg_param;
} curl_deleg_levels[] = {
{ "none", CURLGSSAPI_DELEGATION_NONE },
{ "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
{ "always", CURLGSSAPI_DELEGATION_FLAG },
};
#endif
static struct credential proxy_auth = CREDENTIAL_INIT;
static const char *curl_proxyuserpwd;
static const char *curl_cookie_file;
@ -316,6 +328,15 @@ static int http_options(const char *var, const char *value, void *cb)
return 0;
}
if (!strcmp("http.delegation", var)) {
#if LIBCURL_VERSION_NUM >= 0x071600
return git_config_string(&curl_deleg, var, value);
#else
warning(_("Delegation control is not supported with cURL < 7.22.0"));
return 0;
#endif
}
if (!strcmp("http.pinnedpubkey", var)) {
#if LIBCURL_VERSION_NUM >= 0x072c00
return git_config_pathname(&ssl_pinnedkey, var, value);
@ -622,6 +643,22 @@ static CURL *get_curl_handle(void)
curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
#endif
#if LIBCURL_VERSION_NUM >= 0x071600
if (curl_deleg) {
int i;
for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,
curl_deleg_levels[i].curl_deleg_param);
break;
}
}
if (i == ARRAY_SIZE(curl_deleg_levels))
warning("Unknown delegation method '%s': using default",
curl_deleg);
}
#endif
if (http_proactive_auth)
init_curl_http_auth(result);