git.ipfire.org Git - thirdparty/curl.git/commit

author	Max Faxälv <max.faxalv@sony.com>
	Thu, 29 Feb 2024 08:12:59 +0000 (09:12 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 12 Aug 2024 17:16:54 +0000 (19:16 +0200)
commit	0a5ea09a910e7883fd7a1c333e8a36fc782fe537
tree	096902d9170fcaedee86a200cecaade05956e15e	tree \| snapshot
parent	9dfdc6ff42ba045ec48056bb6d2072f2fcac2e9d	commit \| diff

spnego_gssapi: implement TLS channel bindings for openssl

Channel Bindings are used to tie the session context to a specific TLS
channel. This is to provide additional proof of valid identity,
mitigating authentication relay attacks.

Major web servers have the ability to require (None/Accept/Require)
GSSAPI channel binding, rendering Curl unable to connect to such
websites unless support for channel bindings is implemented.

IIS calls this feature Extended Protection (EPA), which is used in
Enterprise environments using Kerberos for authentication.

This change require krb5 >= 1.19, otherwise channel bindings won't be
forwarded through SPNEGO.

Co-Authored-By: Steffen Kieß <947515+steffen-kiess@users.noreply.github.com>
Closes #13098

lib/http_negotiate.c		diff \| blob \| blame \| history
lib/urldata.h		diff \| blob \| blame \| history
lib/vauth/spnego_gssapi.c		diff \| blob \| blame \| history
lib/vtls/bearssl.c		diff \| blob \| blame \| history
lib/vtls/gtls.c		diff \| blob \| blame \| history
lib/vtls/mbedtls.c		diff \| blob \| blame \| history
lib/vtls/openssl.c		diff \| blob \| blame \| history
lib/vtls/rustls.c		diff \| blob \| blame \| history
lib/vtls/schannel.c		diff \| blob \| blame \| history
lib/vtls/sectransp.c		diff \| blob \| blame \| history
lib/vtls/vtls.c		diff \| blob \| blame \| history
lib/vtls/vtls.h		diff \| blob \| blame \| history
lib/vtls/vtls_int.h		diff \| blob \| blame \| history
lib/vtls/wolfssl.c		diff \| blob \| blame \| history