New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
spnego_gssapi: implement TLS channel bindings for openssl #13098
base: master
Are you sure you want to change the base?
Conversation
a0d34ca
to
7acadc0
Compare
"Linux / hyper" CI failed during |
lib/vtls/openssl.c
Outdated
algo_type = EVP_sha256(); | ||
} | ||
else { | ||
algo_type = EVP_get_digestbynid(algo_nid); | ||
if(!algo_type) { | ||
algo_name = OBJ_nid2sn(algo_nid); | ||
failf(data, "Could not find digest algorithm %s (NID %d)", | ||
algo_name ? algo_name : "(null)", algo_nid); | ||
return CURLE_SSL_INVALIDCERTSTATUS; | ||
} | ||
} | ||
|
||
if(!X509_digest(cert, algo_type, buf, &length)) { | ||
failf(data, "X509_digest() failed"); | ||
return CURLE_SSL_INVALIDCERTSTATUS; | ||
} | ||
|
||
*binding = malloc(sizeof(prefix) - 1 + length); | ||
if(!*binding) | ||
return CURLE_OUT_OF_MEMORY; | ||
memcpy(*binding, prefix, sizeof(prefix) - 1); | ||
memcpy(*binding + sizeof(prefix) - 1, buf, length); | ||
*len = sizeof(prefix) - 1 + length; | ||
|
||
return CURLE_OK; | ||
#else | ||
/* No X509_get_signature_nid support */ | ||
(void)data; /* unused */ | ||
(void)sockindex; /* unused */ | ||
*binding = NULL; | ||
*len = 0; | ||
return CURLE_OK; | ||
#endif | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to avoid APIs that perform implicit fetching?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @DemiMarie! Sorry, but what do you mean by "implicit fetching"? Do you have an alternative API in mind?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @DemiMarie 👋 Please let me know if there is any outstanding requested changes on this; either if you have any alternative API's in mind, or if I can mark this conversation as resolved.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
“Implicit fetching” means calls like EVP_sha256()
, as opposed to explicitly looking up the algorithm in a provider.
7acadc0
to
5b8c0eb
Compare
Rebased to bring PR up-to-date with master due to time passed. Minor changes
|
43c7a44
to
d916f49
Compare
Channel Bindings are used to tie the session context to a specific TLS channel. This is to provide additional proof of valid identity, mitigating authentication relay attacks. Major web servers have the ability to require (None/Accept/Require) GSSAPI channel binding, rendering Curl unable to connect to such websites unless support for channel bindings is implemented. IIS calls this feature Extended Protection (EPA), which is used in Enterprise environments using Kerberos for authentication. This change require krb5 >= 1.19, otherwise channel bindings won't be forwarded through SPNEGO. Co-Authored-By: Steffen Kieß <[email protected]>
d916f49
to
d776382
Compare
return CURLE_SSL_INVALIDCERTSTATUS; | ||
} | ||
} | ||
|
||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L | ||
algo_type = EVP_MD_fetch(NULL, algo_name, NULL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It’s best to cache the result of this, for performance reasons.
Channel Bindings are used to tie the session context to a specific TLS channel. This is to provide additional proof of valid identity, mitigating authentication relay attacks.
Major web servers have the ability to require (None/Accept/Require) GSSAPI channel binding, rendering Curl unable to connect to such websites unless support for channel bindings is implemented.
IIS calls this feature Extended Protection (EPA), which is used in Enterprise environments using Kerberos for authentication.
This change require krb5 >= 1.19, otherwise channel bindings won't be forwarded through SPNEGO.