From b6821dbb91a7433d7451c1ad4cbd49cc4b8a71a9 Mon Sep 17 00:00:00 2001 From: Steve Holme Date: Sun, 2 Nov 2014 00:24:32 +0000 Subject: sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used Typically the USE_WINDOWS_SSPI definition would not be used when the CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication data structures and functions would incorrectly be used when they shouldn't be. Introduced a new USE_KRB5 definition that takes into account the use of CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do. --- lib/curl_sasl.c | 4 ++-- lib/curl_sasl.h | 6 +++--- lib/curl_sasl_sspi.c | 5 ++++- lib/curl_setup.h | 8 +++++++- lib/imap.c | 6 +++--- lib/pop3.c | 6 +++--- lib/smtp.c | 6 +++--- lib/urldata.h | 4 ++-- 8 files changed, 27 insertions(+), 18 deletions(-) diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c index 7e2b8afaf..3bf973d95 100644 --- a/lib/curl_sasl.c +++ b/lib/curl_sasl.c @@ -53,7 +53,7 @@ /* The last #include file should be: */ #include "memdebug.h" -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) extern void Curl_sasl_gssapi_cleanup(struct kerberos5data *krb5); #endif @@ -722,7 +722,7 @@ CURLcode Curl_sasl_create_xoauth2_message(struct SessionHandle *data, */ void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused) { -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) /* Cleanup the gssapi structure */ if(authused == SASL_MECH_GSSAPI) { Curl_sasl_gssapi_cleanup(&conn->krb5); diff --git a/lib/curl_sasl.h b/lib/curl_sasl.h index e56fa1a5f..68ef5526c 100644 --- a/lib/curl_sasl.h +++ b/lib/curl_sasl.h @@ -28,7 +28,7 @@ struct SessionHandle; struct connectdata; struct ntlmdata; -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) struct kerberos5data; #endif @@ -123,7 +123,7 @@ CURLcode Curl_sasl_create_ntlm_type3_message(struct SessionHandle *data, #endif /* USE_NTLM */ -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) /* This is used to generate a base64 encoded GSSAPI (Kerberos V5) user token message */ CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data, @@ -142,7 +142,7 @@ CURLcode Curl_sasl_create_gssapi_security_message(struct SessionHandle *data, struct kerberos5data *krb5, char **outptr, size_t *outlen); -#endif +#endif /* USE_KRB5 */ /* This is used to generate a base64 encoded XOAUTH2 authentication message containing the user name and bearer token */ diff --git a/lib/curl_sasl_sspi.c b/lib/curl_sasl_sspi.c index 21edcd65d..9ae6f5d91 100644 --- a/lib/curl_sasl_sspi.c +++ b/lib/curl_sasl_sspi.c @@ -44,7 +44,9 @@ /* The last #include file should be: */ #include "memdebug.h" +#if defined(USE_KRB5) void Curl_sasl_gssapi_cleanup(struct kerberos5data *krb5); +#endif /* * Curl_sasl_build_spn() @@ -269,9 +271,9 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, return result; } - #endif /* !CURL_DISABLE_CRYPTO_AUTH */ +#if defined(USE_KRB5) /* * Curl_sasl_create_gssapi_user_message() * @@ -703,5 +705,6 @@ void Curl_sasl_gssapi_cleanup(struct kerberos5data *krb5) /* Reset any variables */ krb5->token_max = 0; } +#endif /* USE_KRB5 */ #endif /* USE_WINDOWS_SSPI */ diff --git a/lib/curl_setup.h b/lib/curl_setup.h index 353b15fcb..a20aab19b 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h @@ -608,12 +608,18 @@ int netware_init(void); #define USE_SSL /* SSL support has been enabled */ #endif +/* Single point where USE_SPNEGO definition might be defined */ #if !defined(CURL_DISABLE_CRYPTO_AUTH) && \ (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)) #define USE_SPNEGO #endif -/* Single point where USE_NTLM definition might be done */ +/* Single point where USE_KRB5 definition might be defined */ +#if !defined(CURL_DISABLE_CRYPTO_AUTH) && defined(USE_WINDOWS_SSPI) +#define USE_KRB5 +#endif + +/* Single point where USE_NTLM definition might be defined */ #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_NTLM) && \ !defined(CURL_DISABLE_CRYPTO_AUTH) #if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \ diff --git a/lib/imap.c b/lib/imap.c index ee1bad295..4a0419a18 100644 --- a/lib/imap.c +++ b/lib/imap.c @@ -1300,7 +1300,7 @@ static CURLcode imap_state_auth_ntlm_type2msg_resp(struct connectdata *conn, } #endif -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) /* For AUTHENTICATE GSSAPI (without initial response) responses */ static CURLcode imap_state_auth_gssapi_resp(struct connectdata *conn, int imapcode, @@ -1911,7 +1911,7 @@ static CURLcode imap_statemach_act(struct connectdata *conn) break; #endif -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) case IMAP_AUTHENTICATE_GSSAPI: result = imap_state_auth_gssapi_resp(conn, imapcode, imapc->state); break; @@ -2803,7 +2803,7 @@ static CURLcode imap_calc_sasl_details(struct connectdata *conn, /* Calculate the supported authentication mechanism, by decreasing order of security, as well as the initial response where appropriate */ -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) if((imapc->authmechs & SASL_MECH_GSSAPI) && (imapc->prefmech & SASL_MECH_GSSAPI)) { imapc->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */ diff --git a/lib/pop3.c b/lib/pop3.c index 13528e3d5..03d737ef2 100644 --- a/lib/pop3.c +++ b/lib/pop3.c @@ -1131,7 +1131,7 @@ static CURLcode pop3_state_auth_ntlm_type2msg_resp(struct connectdata *conn, } #endif -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) /* For AUTH GSSAPI (without initial response) responses */ static CURLcode pop3_state_auth_gssapi_resp(struct connectdata *conn, int pop3code, @@ -1591,7 +1591,7 @@ static CURLcode pop3_statemach_act(struct connectdata *conn) break; #endif -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) case POP3_AUTH_GSSAPI: result = pop3_state_auth_gssapi_resp(conn, pop3code, pop3c->state); break; @@ -2121,7 +2121,7 @@ static CURLcode pop3_calc_sasl_details(struct connectdata *conn, /* Calculate the supported authentication mechanism, by decreasing order of security, as well as the initial response where appropriate */ -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) if((pop3c->authmechs & SASL_MECH_GSSAPI) && (pop3c->prefmech & SASL_MECH_GSSAPI)) { pop3c->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */ diff --git a/lib/smtp.c b/lib/smtp.c index 6d1aa0120..448b040c7 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -1150,7 +1150,7 @@ static CURLcode smtp_state_auth_ntlm_type2msg_resp(struct connectdata *conn, } #endif -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) /* For AUTH GSSAPI (without initial response) responses */ static CURLcode smtp_state_auth_gssapi_resp(struct connectdata *conn, int smtpcode, @@ -1630,7 +1630,7 @@ static CURLcode smtp_statemach_act(struct connectdata *conn) break; #endif -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) case SMTP_AUTH_GSSAPI: result = smtp_state_auth_gssapi_resp(conn, smtpcode, smtpc->state); break; @@ -2221,7 +2221,7 @@ static CURLcode smtp_calc_sasl_details(struct connectdata *conn, /* Calculate the supported authentication mechanism, by decreasing order of security, as well as the initial response where appropriate */ -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) if((smtpc->authmechs & SASL_MECH_GSSAPI) && (smtpc->prefmech & SASL_MECH_GSSAPI)) { smtpc->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */ diff --git a/lib/urldata.h b/lib/urldata.h index 83d190453..5a65c4a74 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -419,7 +419,7 @@ typedef enum { #endif /* Struct used for GSSAPI (Kerberos V5) authentication */ -#if defined(USE_WINDOWS_SSPI) +#if defined(USE_KRB5) struct kerberos5data { CredHandle *credentials; CtxtHandle *context; @@ -980,7 +980,7 @@ struct connectdata { struct sockaddr_in local_addr; #endif -#if defined(USE_WINDOWS_SSPI) /* Consider moving some of the above GSS-API */ +#if defined(USE_KRB5) /* Consider moving some of the above GSS-API */ struct kerberos5data krb5; /* variables into the structure definition, */ #endif /* however, some of them are ftp specific. */ -- cgit v1.2.3