Attachment 632061 Details for Bug 864566 – [PATCH] http_negotiate: do not delegate GSSAPI credentials by default

[patch] [PATCH] http_negotiate: do not delegate GSSAPI credentials by default

0001-http_negotiate-do-not-delegate-GSSAPI-credentials-by.patch (text/plain), 3.13 KB, created by Kamil Dudka on 2012-10-23 12:20:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Kamil Dudka

Created: 2012-10-23 12:20:22 UTC

Size: 3.13 KB

patch

obsolete

>From 15d88301e51826ef6ece17e277d05ddeacd7f4d5 Mon Sep 17 00:00:00 2001
>From: Kamil Dudka <kdudka@redhat.com>
>Date: Tue, 23 Oct 2012 13:47:16 +0200
>Subject: [PATCH] http_negotiate: do not delegate GSSAPI credentials by default
>
>This patch introduces a new option protocol.http.gss_deleg that can be
>set to a wildcard pattern of GSSAPI delegation trusted URIs.  The GSSAPI
>credential delegation is allowed only for the URIs matching the pattern.
>---
> src/protocol/http/http.c           |    3 +++
> src/protocol/http/http_negotiate.c |   21 +++++++++++++++++----
> 2 files changed, 20 insertions(+), 4 deletions(-)
>
>diff --git a/src/protocol/http/http.c b/src/protocol/http/http.c
>index 98053c0..d4de941 100644
>--- a/src/protocol/http/http.c
>+++ b/src/protocol/http/http.c
>@@ -212,6 +212,9 @@ static struct option_info http_options[] = {
> 		"%t in the string means size of the terminal,\n"
> 		"%b in the string means number of bars displayed by ELinks.")),
> 
>+	INIT_OPT_STRING("protocol.http", N_("GSSAPI delegation trusted URIs"),
>+		"gss_deleg", 0, "",
>+		N_("Wildcard of URIs that GSSAPI delegation is allowed for.")),
> 
> 	INIT_OPT_TREE("protocol", N_("HTTPS"),
>   		"https", 0,
>diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
>index ca4c15a..26fe852 100644
>--- a/src/protocol/http/http_negotiate.c
>+++ b/src/protocol/http/http_negotiate.c
>@@ -23,7 +23,9 @@
> #include <gssapi/gssapi.h>
> 
> #include "elinks.h"
>+#include "config/options.h"
> #include "network/connection.h"
>+#include "network/ssl/match-hostname.h"
> #include "protocol/uri.h"
> #include "protocol/http/http.h"
> #include "protocol/http/http_negotiate.h"
>@@ -181,16 +183,27 @@ http_negotiate_parse_data(unsigned char *data, int type,
> }
> 
> static int
>-http_negotiate_create_context(struct negotiate *neg)
>+http_negotiate_deleg_allowed(struct uri *uri)
>+{
>+	const char *glob = get_opt_str("protocol.http.gss_deleg", NULL);
>+	const size_t glob_len = strlen(glob);
>+	return match_hostname_pattern(uri->host, uri->hostlen, glob, glob_len);
>+}
>+
>+static int
>+http_negotiate_create_context(struct negotiate *neg, struct uri *uri)
> {
> 	OM_uint32 major_status, minor_status;
> 
>+	const OM_uint32 req_flags = http_negotiate_deleg_allowed(uri) ?
>+		GSS_C_DELEG_FLAG : 0;
>+
> 	major_status = gss_init_sec_context(&minor_status,
> 					    GSS_C_NO_CREDENTIAL,
> 					    &neg->context,
> 					    neg->server_name,
> 					    GSS_C_NO_OID,
>-					    GSS_C_DELEG_FLAG,
>+					    req_flags,
> 					    0,
> 					    GSS_C_NO_CHANNEL_BINDINGS,
> 					    &neg->input_token,
>@@ -242,7 +255,7 @@ http_negotiate_input(struct connection *conn, struct uri *uri,
> 	if (data && http_negotiate_parse_data(data, type, &neg->input_token))
> 		return -1;
> 
>-	ret = http_negotiate_create_context(neg);
>+	ret = http_negotiate_create_context(neg, uri);
> 	if (ret == 0 && isnew)
> 		http_negotiate_save(neg);
> 
>@@ -264,7 +277,7 @@ http_negotiate_output(struct uri *uri, struct string *header)
> 		return -1;
> 
> 	if (neg->output_token.length == 0) {
>-		if (http_negotiate_create_context(neg) < 0) {
>+		if (http_negotiate_create_context(neg, uri) < 0) {
> 			/* full cleanup on error and ask for
> 			 * new WWW-Authenticate from server
> 			 */
>-- 
>1.7.1
>

Actions: View | Diff

Attachments on bug 864566: 624175 | 632061 | 633270 | 635073 | 635074