moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 06:25:03 -05:00
Code Issues Releases Wiki Activity

digest_sspi: Don't reuse context if the user/passwd has changed

Browse Source 
Bug: https://github.com/curl/curl/issues/1685
Reported-by: paulharris@users.noreply.github.com

Assisted-by: Isaac Boukris

Closes https://github.com/curl/curl/pull/1742
This commit is contained in:
Jay Satiro 2017-08-08 19:32:19 -04:00
parent 7e949de1d2
commit 0b5665c98a
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/urldata.h
View File

@ -417,6 +417,10 @@ struct digestdata {
BYTE *input_token; BYTE *input_token;
size_t input_token_len; size_t input_token_len;
CtxtHandle *http_context; CtxtHandle *http_context;
/* copy of user/passwd used to make the identity for http_context.
either may be NULL. */
char *user;
char *passwd;
#else #else
char *nonce; char *nonce;
char *cnonce; char *cnonce;

41
lib/vauth/digest_sspi.c
View File

@ -438,6 +438,20 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
} }
/* If the user/passwd that was used to make the identity for http_context
has changed then delete that context. */
if((userp && !digest->user) || (!userp && digest->user) ||
(passwdp && !digest->passwd) || (!passwdp && digest->passwd) ||
(userp && digest->user && strcmp(userp, digest->user)) ||
(passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) {
if(digest->http_context) {
s_pSecFn->DeleteSecurityContext(digest->http_context);
Curl_safefree(digest->http_context);
}
Curl_safefree(digest->user);
Curl_safefree(digest->passwd);
}
if(digest->http_context) { if(digest->http_context) {
chlg_desc.ulVersion = SECBUFFER_VERSION; chlg_desc.ulVersion = SECBUFFER_VERSION;
chlg_desc.cBuffers = 5; chlg_desc.cBuffers = 5;
@ -479,6 +493,10 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */ TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */
TCHAR *spn; TCHAR *spn;
/* free the copy of user/passwd used to make the previous identity */
Curl_safefree(digest->user);
Curl_safefree(digest->passwd);
if(userp && *userp) { if(userp && *userp) {
/* Populate our identity structure */ /* Populate our identity structure */
if(Curl_create_sspi_identity(userp, passwdp, &identity)) { if(Curl_create_sspi_identity(userp, passwdp, &identity)) {
@ -500,6 +518,25 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
/* Use the current Windows user */ /* Use the current Windows user */
p_identity = NULL; p_identity = NULL;
if(userp) {
digest->user = strdup(userp);
if(!digest->user) {
free(output_token);
return CURLE_OUT_OF_MEMORY;
}
}
if(passwdp) {
digest->passwd = strdup(passwdp);
if(!digest->passwd) {
free(output_token);
Curl_safefree(digest->user);
return CURLE_OUT_OF_MEMORY;
}
}
/* Acquire our credentials handle */ /* Acquire our credentials handle */
status = s_pSecFn->AcquireCredentialsHandle(NULL, status = s_pSecFn->AcquireCredentialsHandle(NULL,
(TCHAR *) TEXT(SP_NAME_DIGEST), (TCHAR *) TEXT(SP_NAME_DIGEST),
@ -623,6 +660,10 @@ void Curl_auth_digest_cleanup(struct digestdata *digest)
s_pSecFn->DeleteSecurityContext(digest->http_context); s_pSecFn->DeleteSecurityContext(digest->http_context);
Curl_safefree(digest->http_context); Curl_safefree(digest->http_context);
} }
/* Free the copy of user/passwd used to make the identity for http_context */
Curl_safefree(digest->user);
Curl_safefree(digest->passwd);
} }
#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */ #endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */