spnego_sspi: preserve distinction btw policy-only and uncond delegation #21583
bagder wants to merge 1 commit into
Conversation
CURLOPT_GSSAPI_DELEGATION exposes distinct modes: CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is unconditional. The new SSPI implementation checks for either bit and sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation is put on the same SSPI path as unconditional delegation. In addition, curl's existing protection that avoids reusing a connection when the GSS delegation setting differs was guarded only by HAVE_GSSAPI; SSPI-only builds now have an effective delegation option, but the connection's delegation setting was neither copied nor compared. This would cause Windows SSPI Negotiate/Kerberos authentication to delegate credentials contrary to the caller's selected policy or reuse an already-delegated authenticated connection for a transfer that requested no delegation. Follow-up to cc6777d Reported by Codex Security
Analysis of PR #21583 at 70800cdd: Test 1243 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 4 different CI jobs (the link just goes to one of them). Test 2004 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 4 different CI jobs (the link just goes to one of them). Test 2026 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 2 different CI jobs (the link just goes to one of them). Generated by Testclutch
Pull request overview
This PR fixes Windows SSPI (SPNEGO/Negotiate) handling of CURLOPT_GSSAPI_DELEGATION by restoring the documented distinction between policy-limited delegation vs unconditional delegation, and by preventing connection reuse across transfers with differing delegation settings in SSPI-only builds.
Changes:
- SSPI SPNEGO now requests delegation (ISC_REQ_DELEGATE) only for CURLGSSAPI_DELEGATION_FLAG (unconditional), not for CURLGSSAPI_DELEGATION_POLICY_FLAG.
- Connection reuse matching now considers gssapi_delegation for SSPI builds (and copies the setting into newly allocated connections), preventing cross-transfer delegation leakage via reuse.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/vauth/spnego_sspi.c | Stop treating policy-only delegation as unconditional delegation in SSPI. |
| lib/url.c | Ensure delegation mode is copied/compared for connection allocation and reuse matching in SSPI builds. |
CURLOPT_GSSAPI_DELEGATION exposes distinct modes: CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is unconditional. The new SSPI implementation checks for either bit and sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation is put on the same SSPI path as unconditional delegation.

In addition, curl's existing protection that avoids reusing a connection when the GSS delegation setting differs was guarded only by HAVE_GSSAPI; SSPI-only builds now have an effective delegation option, but the connection's delegation setting was neither copied nor compared. This would cause Windows SSPI Negotiate/Kerberos authentication to delegate credentials contrary to the caller's selected policy or reuse an already-delegated authenticated connection for a transfer that requested no delegation.

Follow-up to cc6777d

Reported by Codex Security

Closes curl#21583
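The two defects the description above names, the flag mapping and the connection-reuse check, modelled side by side as an added example. This is not curl's code: `sspi_req_flags_*`, `conn_reusable_*` and `struct conn_model` are hypothetical stand-ins, and the `CURLGSSAPI_DELEGATION_*` and `ISC_REQ_DELEGATE` values are copied from the public curl and Windows headers so the model compiles without them. The `_before` variants reproduce the behaviour the description reports (policy-only requests reaching the unconditional SSPI path, and reuse matching that ignores delegation in SSPI-only builds); the `_after` variants show the intended distinction.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Values mirror curl/curl.h and Windows sspi.h; defined locally so this
   model compiles without either header. */
#define CURLGSSAPI_DELEGATION_NONE        0
#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0)
#define CURLGSSAPI_DELEGATION_FLAG        (1<<1)
#define ISC_REQ_DELEGATE                  0x00000001UL

/* Before the fix: any delegation bit requests SSPI delegation, so a caller
   asking for policy-limited delegation is put on the unconditional path. */
unsigned long sspi_req_flags_before(long gssapi_delegation)
{
  unsigned long flags = 0;
  if(gssapi_delegation & (CURLGSSAPI_DELEGATION_POLICY_FLAG |
                          CURLGSSAPI_DELEGATION_FLAG))
    flags |= ISC_REQ_DELEGATE;
  return flags;
}

/* After the fix: only the unconditional flag maps to ISC_REQ_DELEGATE; a
   policy-only request no longer asks SSPI to delegate. */
unsigned long sspi_req_flags_after(long gssapi_delegation)
{
  unsigned long flags = 0;
  if(gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
    flags |= ISC_REQ_DELEGATE;
  return flags;
}

/* Hypothetical, heavily reduced connection record: only the fields this
   model needs for the reuse check. */
struct conn_model {
  const char *host;
  long gssapi_delegation;  /* setting the connection was authenticated with */
};

/* Before the fix: the delegation comparison was compiled only under
   HAVE_GSSAPI, so an SSPI-only build matched on the other fields alone. */
bool conn_reusable_before(const struct conn_model *existing,
                          const struct conn_model *wanted)
{
  return strcmp(existing->host, wanted->host) == 0;
}

/* After the fix: a connection is reused only when its delegation mode equals
   the one the new transfer requested. */
bool conn_reusable_after(const struct conn_model *existing,
                         const struct conn_model *wanted)
{
  if(strcmp(existing->host, wanted->host) != 0)
    return false;
  return existing->gssapi_delegation == wanted->gssapi_delegation;
}

int main(void)
{
  /* Constructed sample: one connection authenticated with unconditional
     delegation, one transfer that asked for no delegation at all. */
  struct conn_model delegated = { "example.test", CURLGSSAPI_DELEGATION_FLAG };
  struct conn_model plain     = { "example.test", CURLGSSAPI_DELEGATION_NONE };

  printf("policy-only request -> ISC_REQ_DELEGATE before: %lu, after: %lu\n",
         sspi_req_flags_before(CURLGSSAPI_DELEGATION_POLICY_FLAG),
         sspi_req_flags_after(CURLGSSAPI_DELEGATION_POLICY_FLAG));
  printf("reuse delegated conn for no-delegation transfer before: %d, after: %d\n",
         (int)conn_reusable_before(&delegated, &plain),
         (int)conn_reusable_after(&delegated, &plain));
  return 0;
}
```

The second printed line is the reuse leak the description calls out: under the old check a transfer that set CURLGSSAPI_DELEGATION_NONE could still be served over a connection that had already delegated the caller's credentials.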