From a78c61a4bf5b7eb90b0945d94568b7b3b1f23c6e Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Sun, 21 Aug 2016 11:56:23 +0100
Subject: sasl: Don't use GSSAPI authentication when domain name not specified

Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
---
 lib/curl_sasl.c   |  3 ++-
 lib/vauth/vauth.c | 41 +++++++++++++++++++++++++++++++++++++++++
 lib/vauth/vauth.h |  3 +++
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 68a0b9320..65fa52932 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -288,7 +288,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
   }
   else if(conn->bits.user_passwd) {
 #if defined(USE_KERBEROS5)
-    if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported()) {
+    if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported() &&
+       Curl_auth_user_contains_domain(conn->user)) {
       sasl->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */
       mech = SASL_MECH_STRING_GSSAPI;
       state1 = SASL_GSSAPI;
diff --git a/lib/vauth/vauth.c b/lib/vauth/vauth.c
index 702e2d4bc..b995f34e2 100644
--- a/lib/vauth/vauth.c
+++ b/lib/vauth/vauth.c
@@ -104,3 +104,44 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host,
 }
 #endif /* USE_WINDOWS_SSPI */
 
+/*
+* Curl_auth_user_contains_domain()
+*
+* This is used to test if the specified user contains a Windows domain name as
+* follows:
+*
+* User\Domain (Down-level Logon Name)
+* User/Domain (curl Down-level format - for compatibility with existing code)
+* User@Domain (User Principal Name)
+*
+* Note: The user name may be empty when using a GSS-API library or Windows SSPI
+* as the user and domain are either obtained from the credientals cache when
+* using GSS-API or via the currently logged in user's credientals when using
+* Windows SSPI.
+*
+* Parameters:
+*
+* user  [in] - The user name.
+*
+* Returns TRUE on success; otherwise FALSE.
+*/
+bool Curl_auth_user_contains_domain(const char *user)
+{
+  bool valid = FALSE;
+
+  if(user && *user) {
+    /* Check we have a domain name or UPN present */
+    char *p = strpbrk(user, "\\/@");
+
+    valid = (p != NULL && p > user && p < user + strlen(user) - 1 ? TRUE :
+                                                                    FALSE);
+  }
+#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
+  else
+    /* User and domain are obtained from the GSS-API credientials cache or the
+       currently logged in user from Windows */
+    valid = TRUE;
+#endif
+
+  return valid;
+}
diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h
index 3ad2139f9..9d61228c3 100644
--- a/lib/vauth/vauth.h
+++ b/lib/vauth/vauth.h
@@ -55,6 +55,9 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host,
                            const char *realm);
 #endif
 
+/* This is used to test if the user contains a Windows domain name */
+bool Curl_auth_user_contains_domain(const char *user);
+
 /* This is used to generate a base64 encoded PLAIN cleartext message */
 CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
                                         const char *userp,
-- 
cgit v1.2.3