
spnego sspi delegation [windows 7]

From: Claudio via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 3 Jul 2019 12:56:09 +0000

Hello Everyone,

I have a problem with curl lib on Windows which I have managed to quick-fix, but I would need some further insight from experts.
I am using curllib (or the curl command) with --negotiate authentication on Windows and the "--delegation always" (or policy) parameter. We use Kerberos authentication as far as I know.
The server I connect to will forward the request to a back-end system and my credentials must be provided to be authorized. On Linux it seems to work out of the box, but on Windows I have always had an error like

"Could not impersonate INTRANET\XXXX as authentication token was not provided".

The ticket stored in my box for the server I connect to includes the following attribute

Ticket Flags -> forwardable renewable pre_authent ok_as_delegate

I have managed to make it work by adding the flag ISC_REQ_DELEGATE to the call in spnego_sspi.c (around line 250)

  nego->status = s_pSecFn->InitializeSecurityContext(nego->credentials,
                                                     chlg ? nego->context :
                                                     NULL,
                                                     nego->spn,
                                                     ISC_REQ_DELEGATE | ISC_REQ_CONFIDENTIALITY, /* <== CODE CHANGE: added flag ISC_REQ_DELEGATE */
                                                     0, SECURITY_NATIVE_DREP,
                                                     chlg ? &chlg_desc : NULL,
                                                     0, nego->context,
                                                     &resp_desc, &attrs,
                                                     &expiry);

Now what I wanted to do is to handle the parameter --delegation properly.
First of all I would need to see if the security package supports DELEGATION. Hence I have checked it with the following:

  nego->status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
                                                    TEXT(SP_NAME_NEGOTIATE),
                                                    &SecurityPackage);
  /* nego->status must be SEC_E_OK before SecurityPackage is dereferenced */

  unsigned long isc_flags = ISC_REQ_CONFIDENTIALITY;
  if (SecurityPackage->fCapabilities & SECPKG_FLAG_DELEGATION)
  {
      if (data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG)
      {
          isc_flags |= ISC_REQ_DELEGATE;
      }
      else if (data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
      {
          /* error not supported ??? */
      }
  }

Of course it is not gssapi_delegation, but I assume SSPI should mimic the GSSAPI interface/functionality, so we could in theory use the same flag.

Question 1: Is there a way to force the delegation using SSPI? Or is CURLGSSAPI_DELEGATION_FLAG not supported, e.g. there is no way to force it if Active Directory does not allow it?

Question 2: When I look at the fCapabilities flags in the SecurityPackage structure for the loaded package (secur32) I get the info below back (which I have pretty-printed). SECPKG_FLAG_DELEGATION is false, so I am a bit puzzled: I can make it work, but the library tells me delegation is not supported.

Now my knowledge here is very limited.
If I want to reuse the delegation option, what flag do I need to check to know if this functionality is supported? If it is GSS COMPATIBLE?

Thanks for any help you could provide.
        
Best Regards
Claudio Rinaldi

Security Package: Negotiate
Security Package supported flags: 83bb3
Comment: Microsoft Package Negotiator
============================================

    SUPPORTED [SECPKG_FLAG_INTEGRITY]
    SUPPORTED [SECPKG_FLAG_PRIVACY]
NOT SUPPORTED [SECPKG_FLAG_TOKEN_ONLY]
NOT SUPPORTED [SECPKG_FLAG_DATAGRAM]
    SUPPORTED [SECPKG_FLAG_CONNECTION]
    SUPPORTED [SECPKG_FLAG_MULTI_REQUIRED]
NOT SUPPORTED [SECPKG_FLAG_CLIENT_ONLY]
    SUPPORTED [SECPKG_FLAG_EXTENDED_ERROR]
    SUPPORTED [SECPKG_FLAG_IMPERSONATION]
    SUPPORTED [SECPKG_FLAG_ACCEPT_WIN32_NAME]
NOT SUPPORTED [SECPKG_FLAG_STREAM]
    SUPPORTED [SECPKG_FLAG_NEGOTIABLE]
    SUPPORTED [SECPKG_FLAG_GSS_COMPATIBLE]
    SUPPORTED [SECPKG_FLAG_LOGON]
NOT SUPPORTED [SECPKG_FLAG_ASCII_BUFFERS]
NOT SUPPORTED [SECPKG_FLAG_FRAGMENT]
NOT SUPPORTED [SECPKG_FLAG_MUTUAL_AUTH]

NOT SUPPORTED [SECPKG_FLAG_DELEGATION]

NOT SUPPORTED [SECPKG_FLAG_READONLY_WITH_CHECKSUM]
    SUPPORTED [SECPKG_FLAG_RESTRICTED_TOKENS]
NOT SUPPORTED [SECPKG_FLAG_NEGO_EXTENDER]
NOT SUPPORTED [SECPKG_FLAG_NEGOTIABLE2]
NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_PASSTHROUGH]
NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_CHECKS]
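The flag decision the post sketches, written out as a small compilable model so the two --delegation modes and the capability check can be reasoned about without a Windows box. This is an added example for this page, not code from the post or from curl: the SECPKG_FLAG_*, ISC_REQ_*/ISC_RET_* and CURLGSSAPI_DELEGATION_* constants are copied from sspi.h and curl/curl.h, the capability mask 0x83bb3 is the one printed above, no secur32 call is made, and the function names and the "attrs" value fed to the post-handshake check are constructed for the illustration.

```c
#include <stdio.h>
#include <stdbool.h>

/* Capability bits of SecPkgInfo.fCapabilities (values as in sspi.h) */
#define SECPKG_FLAG_GSS_COMPATIBLE 0x00001000UL
#define SECPKG_FLAG_MUTUAL_AUTH    0x00010000UL
#define SECPKG_FLAG_DELEGATION     0x00020000UL

/* Context flags requested from / returned by InitializeSecurityContext (sspi.h) */
#define ISC_REQ_DELEGATE        0x00000001UL
#define ISC_REQ_CONFIDENTIALITY 0x00000010UL
#define ISC_RET_DELEGATE        0x00000001UL
#define ISC_RET_CONFIDENTIALITY 0x00000010UL

/* curl's --delegation settings (values as in curl/curl.h) */
#define CURLGSSAPI_DELEGATION_NONE        0
#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1 << 0)   /* --delegation policy */
#define CURLGSSAPI_DELEGATION_FLAG        (1 << 1)   /* --delegation always */

/* fCapabilities value the post prints for the Negotiate package */
#define POST_NEGOTIATE_CAPS 0x83bb3UL

/* Hypothetical helper: flags to request from InitializeSecurityContext.
 * ISC_REQ_DELEGATE is added only when the user asked for delegation, since it
 * lets the server reuse the client's Kerberos credentials (a forwarded TGT)
 * against further back-end services.  The request is deliberately not gated
 * on SECPKG_FLAG_DELEGATION: the post shows that bit clear on a Negotiate
 * package that nevertheless delegates once the flag is requested. */
unsigned long choose_isc_flags(long delegation)
{
  unsigned long flags = ISC_REQ_CONFIDENTIALITY;
  if(delegation & (CURLGSSAPI_DELEGATION_FLAG | CURLGSSAPI_DELEGATION_POLICY_FLAG))
    flags |= ISC_REQ_DELEGATE;
  return flags;
}

/* Hypothetical helper: check the 'attrs' InitializeSecurityContext hands back,
 * which is the only place the caller learns whether delegation really happened:
 *  - always : the server must actually have been granted delegation;
 *  - policy : the ticket's ok_as_delegate policy decides, either outcome is fine;
 *  - none   : credentials must never have been delegated without being asked. */
bool delegation_result_ok(long delegation, unsigned long ret_attrs)
{
  bool delegated = (ret_attrs & ISC_RET_DELEGATE) != 0;
  if(delegation & CURLGSSAPI_DELEGATION_FLAG)
    return delegated;
  if(delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG)
    return true;
  return !delegated;
}

int main(void)
{
  /* Decode the capability bits that matter for the post's question */
  printf("GSS_COMPATIBLE=%d MUTUAL_AUTH=%d DELEGATION=%d\n",
         (POST_NEGOTIATE_CAPS & SECPKG_FLAG_GSS_COMPATIBLE) != 0,
         (POST_NEGOTIATE_CAPS & SECPKG_FLAG_MUTUAL_AUTH) != 0,
         (POST_NEGOTIATE_CAPS & SECPKG_FLAG_DELEGATION) != 0);

  /* Constructed handshake outcome: the server was granted delegation */
  unsigned long attrs = ISC_RET_CONFIDENTIALITY | ISC_RET_DELEGATE;
  printf("flags for 'always' = 0x%lx, result ok: %d\n",
         choose_isc_flags(CURLGSSAPI_DELEGATION_FLAG),
         delegation_result_ok(CURLGSSAPI_DELEGATION_FLAG, attrs));

  /* Constructed outcome without delegation: 'always' must be rejected,
   * 'policy' is still fine */
  printf("'always' without ISC_RET_DELEGATE ok: %d, 'policy' ok: %d\n",
         delegation_result_ok(CURLGSSAPI_DELEGATION_FLAG, ISC_RET_CONFIDENTIALITY),
         delegation_result_ok(CURLGSSAPI_DELEGATION_POLICY_FLAG, ISC_RET_CONFIDENTIALITY));
  return 0;
}
```

The point of the second helper is that the capability bit answers a different question from the one the post needs: it describes what the package advertises, while the ISC_RET_DELEGATE bit in the returned attributes reports what the KDC and the service ticket actually allowed for this connection, which is what a strict "always" mode has to verify.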


Received on 2019-07-03