mirror of https://github.com/moparisthebest/curl
schannel: Disable auto credentials; add an option to enable it
- Disable auto credentials by default. This is a breaking change for clients that are using it, wittingly or not. - New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl to automatically locate and use a client certificate for authentication, when requested by the server. - New curl tool options --ssl-auto-client-cert and --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT. This option is only supported for Schannel (the native Windows SSL library). Prior to this change Schannel would, with no notification to the client, attempt to locate a client certificate and send it to the server, when requested by the server. Since the server can request any certificate that supports client authentication in the OS certificate store it could be a privacy violation and unexpected. Fixes https://github.com/curl/curl/issues/2262 Reported-by: Jeroen Ooms Assisted-by: Wes Hinsley Assisted-by: Rich FitzJohn Ref: https://curl.se/mail/lib-2021-02/0066.html Reported-by: Morten Minde Neergaard Closes https://github.com/curl/curl/pull/6673
This commit is contained in:
parent
e4ba999646
commit
54e7475016
14
docs/TODO
14
docs/TODO
|
@ -126,7 +126,6 @@
|
|||
15. Schannel
|
||||
15.1 Extend support for client certificate authentication
|
||||
15.2 Extend support for the --ciphers option
|
||||
15.3 Add option to disable client certificate auto-send
|
||||
15.4 Add option to allow abrupt server closure
|
||||
|
||||
16. SASL
|
||||
|
@ -861,19 +860,6 @@
|
|||
- Specifying Schannel Ciphers and Cipher Strengths
|
||||
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
|
||||
|
||||
15.3 Add option to disable client certificate auto-send
|
||||
|
||||
Microsoft says "By default, Schannel will, with no notification to the client,
|
||||
attempt to locate a client certificate and send it to the server." That could
|
||||
be considered a privacy violation and unexpected.
|
||||
|
||||
Some Windows users have come to expect that default behavior and to change the
|
||||
default to make it consistent with other SSL backends would be a breaking
|
||||
change. An option should be added that can be used to disable the default
|
||||
Schannel auto-send behavior.
|
||||
|
||||
https://github.com/curl/curl/issues/2262
|
||||
|
||||
15.4 Add option to allow abrupt server closure
|
||||
|
||||
libcurl w/schannel will error without a known termination point from the
|
||||
|
|
|
@ -180,6 +180,7 @@ DPAGES = \
|
|||
proxy-pinnedpubkey.d \
|
||||
proxy-service-name.d \
|
||||
proxy-ssl-allow-beast.d \
|
||||
proxy-ssl-auto-client-cert.d \
|
||||
proxy-tls13-ciphers.d \
|
||||
proxy-tlsauthtype.d \
|
||||
proxy-tlspassword.d \
|
||||
|
@ -223,6 +224,7 @@ DPAGES = \
|
|||
speed-limit.d \
|
||||
speed-time.d \
|
||||
ssl-allow-beast.d \
|
||||
ssl-auto-client-cert.d \
|
||||
ssl-no-revoke.d \
|
||||
ssl-reqd.d \
|
||||
ssl-revoke-best-effort.d \
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
Long: proxy-ssl-auto-client-cert
|
||||
Help: Use auto client certificate for proxy (Schannel)
|
||||
Added: 7.77.0
|
||||
Category: proxy tls
|
||||
---
|
||||
Same as --ssl-auto-client-cert but used in HTTPS proxy context.
|
|
@ -0,0 +1,12 @@
|
|||
Long: ssl-auto-client-cert
|
||||
Help: Use auto client certificate (Schannel)
|
||||
Added: 7.77.0
|
||||
See-also: proxy-ssl-auto-client-cert
|
||||
Category: tls
|
||||
---
|
||||
Tell libcurl to automatically locate and use a client certificate for
|
||||
authentication, when requested by the server. This option is only supported
|
||||
for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
|
||||
default behavior in libcurl with Schannel. Since the server can request any
|
||||
certificate that supports client authentication in the OS certificate store it
|
||||
could be a privacy violation and unexpected.
|
|
@ -49,13 +49,20 @@ Tells libcurl to not accept "partial" certificate chains, which it otherwise
|
|||
does by default. This option is only supported for OpenSSL and will fail the
|
||||
certificate verification if the chain ends with an intermediate certificate
|
||||
and not with a root cert. (Added in 7.68.0)
|
||||
|
||||
.IP CURLSSLOPT_REVOKE_BEST_EFFORT
|
||||
Tells libcurl to ignore certificate revocation checks in case of missing or
|
||||
offline distribution points for those SSL backends where such behavior is
|
||||
present. This option is only supported for Schannel (the native Windows SSL
|
||||
library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
|
||||
precedence. (Added in 7.70.0)
|
||||
.IP CURLSSLOPT_AUTO_CLIENT_CERT
|
||||
Tell libcurl to automatically locate and use a client certificate for
|
||||
authentication, when requested by the server. This option is only supported
|
||||
for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
|
||||
default behavior in libcurl with Schannel. Since the server can request any
|
||||
certificate that supports client authentication in the OS certificate store it
|
||||
could be a privacy violation and unexpected.
|
||||
(Added in 7.77.0)
|
||||
.SH DEFAULT
|
||||
0
|
||||
.SH PROTOCOLS
|
||||
|
|
|
@ -60,6 +60,14 @@ Tell libcurl to use the operating system's native CA store for certificate
|
|||
verification. Works only on Windows when built to use OpenSSL. This option is
|
||||
experimental and behavior is subject to change.
|
||||
(Added in 7.71.0)
|
||||
.IP CURLSSLOPT_AUTO_CLIENT_CERT
|
||||
Tell libcurl to automatically locate and use a client certificate for
|
||||
authentication, when requested by the server. This option is only supported
|
||||
for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
|
||||
default behavior in libcurl with Schannel. Since the server can request any
|
||||
certificate that supports client authentication in the OS certificate store it
|
||||
could be a privacy violation and unexpected.
|
||||
(Added in 7.77.0)
|
||||
.SH DEFAULT
|
||||
0
|
||||
.SH PROTOCOLS
|
||||
|
|
|
@ -816,6 +816,7 @@ CURLSSLBACKEND_SCHANNEL 7.34.0
|
|||
CURLSSLBACKEND_SECURETRANSPORT 7.64.1
|
||||
CURLSSLBACKEND_WOLFSSL 7.49.0
|
||||
CURLSSLOPT_ALLOW_BEAST 7.25.0
|
||||
CURLSSLOPT_AUTO_CLIENT_CERT 7.77.0
|
||||
CURLSSLOPT_NATIVE_CA 7.71.0
|
||||
CURLSSLOPT_NO_PARTIALCHAIN 7.68.0
|
||||
CURLSSLOPT_NO_REVOKE 7.44.0
|
||||
|
|
|
@ -169,6 +169,7 @@
|
|||
--proxy-pinnedpubkey 7.59.0
|
||||
--proxy-service-name 7.43.0
|
||||
--proxy-ssl-allow-beast 7.52.0
|
||||
--proxy-ssl-auto-client-cert 7.77.0
|
||||
--proxy-tls13-ciphers 7.61.0
|
||||
--proxy-tlsauthtype 7.52.0
|
||||
--proxy-tlspassword 7.52.0
|
||||
|
@ -212,6 +213,7 @@
|
|||
--speed-time (-y) 4.7
|
||||
--ssl 7.20.0
|
||||
--ssl-allow-beast 7.25.0
|
||||
--ssl-auto-client-cert 7.77.0
|
||||
--ssl-no-revoke 7.44.0
|
||||
--ssl-reqd 7.20.0
|
||||
--ssl-revoke-best-effort 7.70.0
|
||||
|
|
|
@ -888,6 +888,10 @@ typedef enum {
|
|||
operating system. Currently implemented under MS-Windows. */
|
||||
#define CURLSSLOPT_NATIVE_CA (1<<4)
|
||||
|
||||
/* - CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl to automatically locate and use
|
||||
a client certificate for authentication. (Schannel) */
|
||||
#define CURLSSLOPT_AUTO_CLIENT_CERT (1<<5)
|
||||
|
||||
/* The default connection attempt delay in milliseconds for happy eyeballs.
|
||||
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
|
||||
this value, keep them in sync. */
|
||||
|
|
|
@ -351,7 +351,10 @@ static CURLcode dohprobe(struct Curl_easy *data,
|
|||
(data->set.ssl.revoke_best_effort ?
|
||||
CURLSSLOPT_REVOKE_BEST_EFFORT : 0) |
|
||||
(data->set.ssl.native_ca_store ?
|
||||
CURLSSLOPT_NATIVE_CA : 0);
|
||||
CURLSSLOPT_NATIVE_CA : 0) |
|
||||
(data->set.ssl.auto_client_cert ?
|
||||
CURLSSLOPT_AUTO_CLIENT_CERT : 0);
|
||||
|
||||
curl_easy_setopt(doh, CURLOPT_SSL_OPTIONS, mask);
|
||||
}
|
||||
|
||||
|
|
|
@ -2290,6 +2290,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|||
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||
data->set.ssl.revoke_best_effort = !!(arg & CURLSSLOPT_REVOKE_BEST_EFFORT);
|
||||
data->set.ssl.native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
|
||||
data->set.ssl.auto_client_cert = !!(arg & CURLSSLOPT_AUTO_CLIENT_CERT);
|
||||
/* If a setting is added here it should also be added in dohprobe()
|
||||
which sets its own CURLOPT_SSL_OPTIONS based on these settings. */
|
||||
break;
|
||||
|
@ -2301,9 +2302,11 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|||
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
|
||||
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||
data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||
data->set.proxy_ssl.native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
|
||||
data->set.proxy_ssl.revoke_best_effort =
|
||||
!!(arg & CURLSSLOPT_REVOKE_BEST_EFFORT);
|
||||
data->set.proxy_ssl.native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
|
||||
data->set.proxy_ssl.auto_client_cert =
|
||||
!!(arg & CURLSSLOPT_AUTO_CLIENT_CERT);
|
||||
break;
|
||||
#endif
|
||||
|
||||
|
|
|
@ -286,6 +286,8 @@ struct ssl_config_data {
|
|||
BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation
|
||||
list errors */
|
||||
BIT(native_ca_store); /* use the native ca store of operating system */
|
||||
BIT(auto_client_cert); /* automatically locate and use a client
|
||||
certificate for authentication (Schannel) */
|
||||
};
|
||||
|
||||
struct ssl_general_config {
|
||||
|
|
|
@ -553,6 +553,20 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||
"names in server certificates.\n"));
|
||||
}
|
||||
|
||||
/* security request flags */
|
||||
BACKEND->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
|
||||
ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
|
||||
ISC_REQ_STREAM;
|
||||
|
||||
if(!SSL_SET_OPTION(auto_client_cert)) {
|
||||
schannel_cred.dwFlags &= ~SCH_CRED_USE_DEFAULT_CREDS;
|
||||
schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
|
||||
BACKEND->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
|
||||
infof(data, "schannel: disabled automatic use of client certificate\n");
|
||||
}
|
||||
else
|
||||
infof(data, "schannel: enabled automatic use of client certificate\n");
|
||||
|
||||
switch(conn->ssl_config.version) {
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
|
@ -886,11 +900,6 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||
InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
|
||||
InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
|
||||
|
||||
/* setup request flags */
|
||||
BACKEND->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
|
||||
ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
|
||||
ISC_REQ_STREAM;
|
||||
|
||||
/* allocate memory for the security context handle */
|
||||
BACKEND->ctxt = (struct Curl_schannel_ctxt *)
|
||||
calloc(1, sizeof(struct Curl_schannel_ctxt));
|
||||
|
|
|
@ -870,6 +870,8 @@
|
|||
d c X'0008'
|
||||
d CURLSSLOPT_NATIVE_CA...
|
||||
d c X'0010'
|
||||
d CURLSSLOPT_AUTO_CLIENT_CERT...
|
||||
d c X'0020'
|
||||
*
|
||||
d CURL_HET_DEFAULT...
|
||||
d c 200
|
||||
|
|
|
@ -267,6 +267,9 @@ struct OperationConfig {
|
|||
revocation list errors */
|
||||
|
||||
bool native_ca_store; /* use the native os ca store */
|
||||
bool ssl_auto_client_cert; /* automatically locate and use a client
|
||||
certificate for authentication (Schannel) */
|
||||
bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */
|
||||
|
||||
bool use_metalink; /* process given URLs as metalink XML file */
|
||||
struct metalinkfile *metalinkfile_list; /* point to the first node */
|
||||
|
|
|
@ -247,7 +247,8 @@ static const struct LongShort aliases[]= {
|
|||
{"El", "tlspassword", ARG_STRING},
|
||||
{"Em", "tlsauthtype", ARG_STRING},
|
||||
{"En", "ssl-allow-beast", ARG_BOOL},
|
||||
/* Eo */
|
||||
{"Eo", "ssl-auto-client-cert", ARG_BOOL},
|
||||
{"EO", "proxy-ssl-auto-client-cert", ARG_BOOL},
|
||||
{"Ep", "pinnedpubkey", ARG_STRING},
|
||||
{"EP", "proxy-pinnedpubkey", ARG_STRING},
|
||||
{"Eq", "cert-status", ARG_BOOL},
|
||||
|
@ -1651,6 +1652,16 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
|
|||
config->ssl_allow_beast = toggle;
|
||||
break;
|
||||
|
||||
case 'o': /* --ssl-auto-client-cert */
|
||||
if(curlinfo->features & CURL_VERSION_SSL)
|
||||
config->ssl_auto_client_cert = toggle;
|
||||
break;
|
||||
|
||||
case 'O': /* --proxy-ssl-auto-client-cert */
|
||||
if(curlinfo->features & CURL_VERSION_SSL)
|
||||
config->proxy_ssl_auto_client_cert = toggle;
|
||||
break;
|
||||
|
||||
case 'p': /* Pinned public key DER file */
|
||||
GetStr(&config->pinnedpubkey, nextarg);
|
||||
break;
|
||||
|
|
|
@ -598,6 +598,9 @@ static const struct helptxt helptext[] = {
|
|||
{" --proxy-ssl-allow-beast",
|
||||
"Allow security flaw for interop for HTTPS proxy",
|
||||
CURLHELP_PROXY | CURLHELP_TLS},
|
||||
{" --proxy-ssl-auto-client-cert",
|
||||
"Use auto client certificate for proxy (Schannel)",
|
||||
CURLHELP_PROXY | CURLHELP_TLS},
|
||||
{" --proxy-tls13-ciphers <ciphersuite list>",
|
||||
"TLS 1.3 proxy cipher suites",
|
||||
CURLHELP_PROXY | CURLHELP_TLS},
|
||||
|
@ -727,6 +730,9 @@ static const struct helptxt helptext[] = {
|
|||
{" --ssl-allow-beast",
|
||||
"Allow security flaw to improve interop",
|
||||
CURLHELP_TLS},
|
||||
{" --ssl-auto-client-cert",
|
||||
"Use auto client certificate (Schannel)",
|
||||
CURLHELP_TLS},
|
||||
{" --ssl-no-revoke",
|
||||
"Disable cert revocation checks (Schannel)",
|
||||
CURLHELP_TLS},
|
||||
|
|
|
@ -1720,20 +1720,31 @@ static CURLcode single_transfer(struct GlobalConfig *global,
|
|||
|
||||
{
|
||||
long mask =
|
||||
(config->ssl_allow_beast ? CURLSSLOPT_ALLOW_BEAST : 0) |
|
||||
(config->ssl_allow_beast ?
|
||||
CURLSSLOPT_ALLOW_BEAST : 0) |
|
||||
(config->ssl_no_revoke ?
|
||||
CURLSSLOPT_NO_REVOKE : 0) |
|
||||
(config->ssl_revoke_best_effort ?
|
||||
CURLSSLOPT_REVOKE_BEST_EFFORT : 0) |
|
||||
(config->native_ca_store ?
|
||||
CURLSSLOPT_NATIVE_CA : 0) |
|
||||
(config->ssl_no_revoke ? CURLSSLOPT_NO_REVOKE : 0);
|
||||
(config->ssl_auto_client_cert ?
|
||||
CURLSSLOPT_AUTO_CLIENT_CERT : 0);
|
||||
|
||||
if(mask)
|
||||
my_setopt_bitmask(curl, CURLOPT_SSL_OPTIONS, mask);
|
||||
}
|
||||
|
||||
if(config->proxy_ssl_allow_beast)
|
||||
my_setopt(curl, CURLOPT_PROXY_SSL_OPTIONS,
|
||||
(long)CURLSSLOPT_ALLOW_BEAST);
|
||||
{
|
||||
long mask =
|
||||
(config->proxy_ssl_allow_beast ?
|
||||
CURLSSLOPT_ALLOW_BEAST : 0) |
|
||||
(config->proxy_ssl_auto_client_cert ?
|
||||
CURLSSLOPT_AUTO_CLIENT_CERT : 0);
|
||||
|
||||
if(mask)
|
||||
my_setopt_bitmask(curl, CURLOPT_PROXY_SSL_OPTIONS, mask);
|
||||
}
|
||||
}
|
||||
|
||||
if(config->path_as_is)
|
||||
|
|
|
@ -133,6 +133,7 @@ const struct NameValueUnsigned setopt_nv_CURLSSLOPT[] = {
|
|||
NV(CURLSSLOPT_NO_PARTIALCHAIN),
|
||||
NV(CURLSSLOPT_REVOKE_BEST_EFFORT),
|
||||
NV(CURLSSLOPT_NATIVE_CA),
|
||||
NV(CURLSSLOPT_AUTO_CLIENT_CERT),
|
||||
NVEND,
|
||||
};
|
||||
|
||||
|
|
|
@ -76,6 +76,7 @@ extern const struct NameValueUnsigned setopt_nv_CURLHSTS[];
|
|||
#define setopt_nv_CURLOPT_FTP_SSL_CCC setopt_nv_CURLFTPSSL_CCC
|
||||
#define setopt_nv_CURLOPT_USE_SSL setopt_nv_CURLUSESSL
|
||||
#define setopt_nv_CURLOPT_SSL_OPTIONS setopt_nv_CURLSSLOPT
|
||||
#define setopt_nv_CURLOPT_PROXY_SSL_OPTIONS setopt_nv_CURLSSLOPT
|
||||
#define setopt_nv_CURLOPT_NETRC setopt_nv_CURL_NETRC
|
||||
#define setopt_nv_CURLOPT_PROTOCOLS setopt_nv_CURLPROTO
|
||||
#define setopt_nv_CURLOPT_REDIR_PROTOCOLS setopt_nv_CURLPROTO
|
||||
|
|
Loading…
Reference in New Issue