1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 21:15:08 -05:00

spnego_sspi: add support for channel binding

Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.

Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
This commit is contained in:
georgeok 2019-01-29 18:26:31 +01:00 committed by Marcel Raad
parent 463f16d188
commit a730432e59
No known key found for this signature in database
GPG Key ID: 33C416EFAE4D6F02
5 changed files with 49 additions and 8 deletions

View File

@ -89,6 +89,11 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
} }
} }
/* Supports SSL channel binding for Windows ISS extended protection */
#if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
neg_ctx->sslContext = conn->sslContext;
#endif
/* Initialize the security context and decode our challenge */ /* Initialize the security context and decode our challenge */
result = Curl_auth_decode_spnego_message(data, userp, passwdp, service, result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
host, header, neg_ctx); host, header, neg_ctx);

View File

@ -175,6 +175,9 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
if(s_hSecDll == NULL) if(s_hSecDll == NULL)
return err; return err;
} }
#ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
ntlm->sslContext = conn->sslContext;
#endif
#endif #endif
switch(ntlm->state) { switch(ntlm->state) {

View File

@ -364,6 +364,9 @@ struct negotiatedata {
gss_buffer_desc output_token; gss_buffer_desc output_token;
#else #else
#ifdef USE_WINDOWS_SSPI #ifdef USE_WINDOWS_SSPI
#ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
CtxtHandle *sslContext;
#endif
DWORD status; DWORD status;
CredHandle *credentials; CredHandle *credentials;
CtxtHandle *context; CtxtHandle *context;
@ -980,6 +983,9 @@ struct connectdata {
void *seek_client; /* pointer to pass to the seek() above */ void *seek_client; /* pointer to pass to the seek() above */
/*************** Request - specific items ************/ /*************** Request - specific items ************/
#if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
CtxtHandle *sslContext;
#endif
#if defined(USE_NTLM) #if defined(USE_NTLM)
struct ntlmdata ntlm; /* NTLM differs from other authentication schemes struct ntlmdata ntlm; /* NTLM differs from other authentication schemes

View File

@ -92,7 +92,7 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
size_t chlglen = 0; size_t chlglen = 0;
unsigned char *chlg = NULL; unsigned char *chlg = NULL;
PSecPkgInfo SecurityPackage; PSecPkgInfo SecurityPackage;
SecBuffer chlg_buf; SecBuffer chlg_buf[2];
SecBuffer resp_buf; SecBuffer resp_buf;
SecBufferDesc chlg_desc; SecBufferDesc chlg_desc;
SecBufferDesc resp_desc; SecBufferDesc resp_desc;
@ -191,10 +191,37 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data,
/* Setup the challenge "input" security buffer */ /* Setup the challenge "input" security buffer */
chlg_desc.ulVersion = SECBUFFER_VERSION; chlg_desc.ulVersion = SECBUFFER_VERSION;
chlg_desc.cBuffers = 1; chlg_desc.cBuffers = 1;
chlg_desc.pBuffers = &chlg_buf; chlg_desc.pBuffers = &chlg_buf[0];
chlg_buf.BufferType = SECBUFFER_TOKEN; chlg_buf[0].BufferType = SECBUFFER_TOKEN;
chlg_buf.pvBuffer = chlg; chlg_buf[0].pvBuffer = chlg;
chlg_buf.cbBuffer = curlx_uztoul(chlglen); chlg_buf[0].cbBuffer = curlx_uztoul(chlglen);
#ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
/* ssl context comes from Schannel.
* When extended protection is used in IIS server,
* we have to pass a second SecBuffer to the SecBufferDesc
* otherwise IIS will not pass the authentication (401 response).
* Minimum supported version is Windows 7.
* https://docs.microsoft.com/en-us/security-updates
* /SecurityAdvisories/2009/973811
*/
if(nego->sslContext) {
SEC_CHANNEL_BINDINGS channelBindings;
SecPkgContext_Bindings pkgBindings;
pkgBindings.Bindings = &channelBindings;
nego->status = s_pSecFn->QueryContextAttributes(
nego->sslContext,
SECPKG_ATTR_ENDPOINT_BINDINGS,
&pkgBindings
);
if(nego->status == SEC_E_OK) {
chlg_desc.cBuffers++;
chlg_buf[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
chlg_buf[1].cbBuffer = pkgBindings.BindingsLength;
chlg_buf[1].pvBuffer = pkgBindings.Bindings;
}
}
#endif
} }
/* Setup the response "output" security buffer */ /* Setup the response "output" security buffer */

View File

@ -1428,7 +1428,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex,
* binding to pass the IIS extended protection checks. * binding to pass the IIS extended protection checks.
* Available on Windows 7 or later. * Available on Windows 7 or later.
*/ */
conn->ntlm.sslContext = &BACKEND->ctxt->ctxt_handle; conn->sslContext = &BACKEND->ctxt->ctxt_handle;
#endif #endif
*done = TRUE; *done = TRUE;