1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 07:38:49 -05:00

sasl: Don't use GSSAPI authentication when domain name not specified

Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
This commit is contained in:
Steve Holme 2016-08-21 11:56:23 +01:00
parent 43dbd76616
commit a78c61a4bf
3 changed files with 46 additions and 1 deletions

View File

@ -288,7 +288,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
}
else if(conn->bits.user_passwd) {
#if defined(USE_KERBEROS5)
if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported()) {
if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported() &&
Curl_auth_user_contains_domain(conn->user)) {
sasl->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */
mech = SASL_MECH_STRING_GSSAPI;
state1 = SASL_GSSAPI;

View File

@ -104,3 +104,44 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host,
}
#endif /* USE_WINDOWS_SSPI */
/*
* Curl_auth_user_contains_domain()
*
* This is used to test if the specified user contains a Windows domain name as
* follows:
*
* User\Domain (Down-level Logon Name)
* User/Domain (curl Down-level format - for compatibility with existing code)
* User@Domain (User Principal Name)
*
* Note: The user name may be empty when using a GSS-API library or Windows SSPI
* as the user and domain are either obtained from the credientals cache when
* using GSS-API or via the currently logged in user's credientals when using
* Windows SSPI.
*
* Parameters:
*
* user [in] - The user name.
*
* Returns TRUE on success; otherwise FALSE.
*/
bool Curl_auth_user_contains_domain(const char *user)
{
bool valid = FALSE;
if(user && *user) {
/* Check we have a domain name or UPN present */
char *p = strpbrk(user, "\\/@");
valid = (p != NULL && p > user && p < user + strlen(user) - 1 ? TRUE :
FALSE);
}
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
else
/* User and domain are obtained from the GSS-API credientials cache or the
currently logged in user from Windows */
valid = TRUE;
#endif
return valid;
}

View File

@ -55,6 +55,9 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host,
const char *realm);
#endif
/* This is used to test if the user contains a Windows domain name */
bool Curl_auth_user_contains_domain(const char *user);
/* This is used to generate a base64 encoded PLAIN cleartext message */
CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
const char *userp,