romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-05-16 19:16:22 +03:00
Code Issues Projects Releases Packages Wiki Activity

snpego_sspi: preserve distinction btw policy-only and uncond delegation

Browse source 
CURLOPT_GSSAPI_DELEGATION exposes distinct modes:
CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when
OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is
unconditional. The new SSPI implementation checks for either bit and
sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation
is put on the same SSPI path as unconditional delegation.

In addition, curl's existing protection that avoids reusing a connection
when the GSS delegation setting differs was guarded only by HAVE_GSSAPI;
SSPI-only builds now have an effective delegation option, but the
connection's delegation setting was neither copied nor compared. This
would cause Windows SSPI Negotiate/Kerberos authentication to delegate
credentials contrary to the caller's selected policy or reuse an
already-delegated authenticated connection for a transfer that requested
no delegation.

Follow-up to cc6777d939

Reported by Codex Security
Closes #21583
This commit is contained in:
Daniel Stenberg 2026-05-13 09:55:36 +02:00
parent 5e99b73cf4
commit 11df1251e5
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
2 changed files with 5 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

8
lib/url.c
View file

@ -943,9 +943,9 @@ static bool url_match_auth(struct connectdata *conn,
if(!Curl_creds_same(m->data->state.creds, conn->creds))
return FALSE;
}
#ifdef HAVE_GSSAPI
/* GSS delegation differences do not actually affect every connection
and auth method, but this check takes precaution before efficiency */
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
/* GSS delegation differences do not actually affect every connection and
auth method, but this check takes precaution before efficiency */
if(m->needle->gssapi_delegation != conn->gssapi_delegation)
return FALSE;
#endif
@ -1340,7 +1340,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
conn->fclosesocket = data->set.fclosesocket;
conn->closesocket_client = data->set.closesocket_client;
conn->lastused = conn->created;
#ifdef HAVE_GSSAPI
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
conn->gssapi_delegation = data->set.gssapi_delegation;
#endif
DEBUGF(infof(data, "alloc connection, bits.close=%d", conn->bits.close));

3
lib/vauth/spnego_sspi.c
View file

@ -227,8 +227,7 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
/* Generate our challenge-response message */
{
DWORD sspi_flags = ISC_REQ_CONFIDENTIALITY;
if(data->set.gssapi_delegation & (CURLGSSAPI_DELEGATION_FLAG |
CURLGSSAPI_DELEGATION_POLICY_FLAG))
if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
sspi_flags |= ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH;
nego->status =
Curl_pSecFn->InitializeSecurityContext(nego->credentials,