mirror of
https://github.com/curl/curl.git
synced 2026-05-16 21:06:19 +03:00
11df1251e5
CURLOPT_GSSAPI_DELEGATION exposes distinct modes:
CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when
OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is
unconditional. The new SSPI implementation checks for either bit and
sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation
is put on the same SSPI path as unconditional delegation.
In addition, curl's existing protection that avoids reusing a connection
when the GSS delegation setting differs was guarded only by HAVE_GSSAPI;
SSPI-only builds now have an effective delegation option, but the
connection's delegation setting was neither copied nor compared. This
would cause Windows SSPI Negotiate/Kerberos authentication to delegate
credentials contrary to the caller's selected policy or reuse an
already-delegated authenticated connection for a transfer that requested
no delegation.
Follow-up to
|
||
|---|---|---|
| .. | ||
| cleartext.c | ||
| cram.c | ||
| digest.c | ||
| digest.h | ||
| digest_sspi.c | ||
| gsasl.c | ||
| krb5_gssapi.c | ||
| krb5_sspi.c | ||
| ntlm.c | ||
| ntlm_sspi.c | ||
| oauth2.c | ||
| spnego_gssapi.c | ||
| spnego_sspi.c | ||
| vauth.c | ||
| vauth.h | ||