lib/curl_sasl.c +2 −1 @@ -288,7 +288,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn, } else if(conn->bits.user_passwd) { #if defined(USE_KERBEROS5) if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported()) { if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported() && Curl_auth_user_contains_domain(conn->user)) { sasl->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */ mech = SASL_MECH_STRING_GSSAPI; state1 = SASL_GSSAPI; lib/vauth/vauth.c +41 −0 @@ -104,3 +104,44 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host, } #endif /* USE_WINDOWS_SSPI */ /* * Curl_auth_user_contains_domain() * * This is used to test if the specified user contains a Windows domain name as * follows: * * User\Domain (Down-level Logon Name) * User/Domain (curl Down-level format - for compatibility with existing code) * User@Domain (User Principal Name) * * Note: The user name may be empty when using a GSS-API library or Windows SSPI * as the user and domain are either obtained from the credientals cache when * using GSS-API or via the currently logged in user's credientals when using * Windows SSPI. * * Parameters: * * user [in] - The user name. * * Returns TRUE on success; otherwise FALSE. */ bool Curl_auth_user_contains_domain(const char *user) { bool valid = FALSE; if(user && *user) { /* Check we have a domain name or UPN present */ char *p = strpbrk(user, "\\/@"); valid = (p != NULL && p > user && p < user + strlen(user) - 1 ? TRUE : FALSE); } #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) else /* User and domain are obtained from the GSS-API credientials cache or the currently logged in user from Windows */ valid = TRUE; #endif return valid; } lib/vauth/vauth.h +3 −0
@@ -55,6 +55,9 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host, const char *realm); #endif /* This is used to test if the user contains a Windows domain name */ bool Curl_auth_user_contains_domain(const char *user); /* This is used to generate a base64 encoded PLAIN cleartext message */ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, const char *userp,
lib/curl_sasl.c +2 −1 @@ -288,7 +288,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn, } else if(conn->bits.user_passwd) { #if defined(USE_KERBEROS5) if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported()) { if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported() && Curl_auth_user_contains_domain(conn->user)) { sasl->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */ mech = SASL_MECH_STRING_GSSAPI; state1 = SASL_GSSAPI;
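Review bot: The added `Curl_auth_user_contains_domain(conn->user)` test makes the GSSAPI branch depend on how the user name is spelled, so a non-empty name without `\`, `/` or `@` now skips Kerberos and falls through to whatever mechanism is checked next, with nothing to show that this happened. The rest of the mechanism chain lies outside the hunk, so which mechanism that is cannot be confirmed from here; if it is a weaker one, the result is a silent authentication downgrade for such users. A comment on the condition would make the intent reviewable, e.g. `/* GSSAPI is only tried for a domain-qualified or empty user name; otherwise fall through to the next enabled mechanism */`. It is also worth confirming that GSS-API builds, where a bare name may presumably be resolved against a default realm, are meant to lose GSSAPI here.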
lib/vauth/vauth.c +41 −0 @@ -104,3 +104,44 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host, } #endif /* USE_WINDOWS_SSPI */ /* * Curl_auth_user_contains_domain() * * This is used to test if the specified user contains a Windows domain name as * follows: * * User\Domain (Down-level Logon Name) * User/Domain (curl Down-level format - for compatibility with existing code) * User@Domain (User Principal Name) * * Note: The user name may be empty when using a GSS-API library or Windows SSPI * as the user and domain are either obtained from the credientals cache when * using GSS-API or via the currently logged in user's credientals when using * Windows SSPI. * * Parameters: * * user [in] - The user name. * * Returns TRUE on success; otherwise FALSE. */ bool Curl_auth_user_contains_domain(const char *user) { bool valid = FALSE; if(user && *user) { /* Check we have a domain name or UPN present */ char *p = strpbrk(user, "\\/@"); valid = (p != NULL && p > user && p < user + strlen(user) - 1 ? TRUE : FALSE); } #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) else /* User and domain are obtained from the GSS-API credientials cache or the currently logged in user from Windows */ valid = TRUE; #endif return valid; }
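Review bot: The header comment of `Curl_auth_user_contains_domain()` does not describe the contract the code implements: `Returns TRUE on success` says nothing for a predicate, and the function also returns TRUE for a NULL or empty `user` when `HAVE_GSSAPI` or `USE_WINDOWS_SSPI` is defined, in which case the name holds no separator at all. A caller that takes TRUE to mean "a domain is present" and then splits the name would be working on a string with no separator, so I'd document it as `Returns TRUE if user is domain-qualified, or is NULL/empty in a GSS-API or SSPI build; otherwise FALSE.`, and make the one-line comment on the prototype in lib/vauth/vauth.h say the same. The format list reads `User\Domain` and `User/Domain`, while a down-level logon name is normally written domain first (`Domain\User`); the check itself does not depend on the order, so only the comment needs fixing, together with the `credientals`/`credientials` typos. Separately, `p` only reads from `user` and could be declared `const char *p`.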
lib/vauth/vauth.h +3 −0 @@ -55,6 +55,9 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host, const char *realm); #endif /* This is used to test if the user contains a Windows domain name */ bool Curl_auth_user_contains_domain(const char *user); /* This is used to generate a base64 encoded PLAIN cleartext message */ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, const char *userp,