authorKamil Dudka <kdudka@redhat.com>2011-07-25 11:49:26 +0200
committerKamil Dudka <kdudka@redhat.com>2011-08-03 10:56:41 +0200
commita7864c41db6ac12a1b67f2646f837174f75a240b (patch)
tree7419b11b1cbdac81bba4725c1ee9a62d246c1553
parentebf42c4be76df40ec6d3bf32f229bbb274e2c32f (diff)
downloadcurl-a7864c41db6ac12a1b67f2646f837174f75a240b.tar.gz
curl_gssapi: refine the handling of CURLOPT_GSSAPI_DELEGATION
Suggested by Richard Silverman.
-rw-r--r--docs/libcurl/curl_easy_setopt.38
-rw-r--r--docs/libcurl/symbols-in-versions4
-rw-r--r--include/curl/curl.h4
-rw-r--r--lib/curl_gssapi.c14
-rw-r--r--lib/url.c4
-rw-r--r--lib/urldata.h3
6 files changed, 29 insertions, 8 deletions
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 2cdfcf86b..1e5f3b641 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2110,8 +2110,12 @@ support for FTP.
(This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
.IP CURLOPT_GSSAPI_DELEGATION
-Set the parameter to 1 to allow GSSAPI credential delegation. The delegation
-is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
+credential delegation. The delegation is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
+supported by the GSSAPI implementation and the definition of
+GSS_C_DELEG_POLICY_FLAG was available at compile-time.
(Added in 7.21.8)
.SH SSH OPTIONS
.IP CURLOPT_SSH_AUTH_TYPES
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index a91f4fb00..a1d92aa06 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -187,6 +187,9 @@ CURLFTPSSL_TRY 7.11.0 7.17.0
CURLFTP_CREATE_DIR 7.19.4
CURLFTP_CREATE_DIR_NONE 7.19.4
CURLFTP_CREATE_DIR_RETRY 7.19.4
+CURLGSSAPI_DELEGATION_FLAG 7.21.8
+CURLGSSAPI_DELEGATION_NONE 7.21.8
+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8
CURLINFO_APPCONNECT_TIME 7.19.0
CURLINFO_CERTINFO 7.19.1
CURLINFO_CONDITION_UNMET 7.19.4
@@ -345,6 +348,7 @@ CURLOPT_FTP_SSL_CCC 7.16.1
CURLOPT_FTP_USE_EPRT 7.10.5
CURLOPT_FTP_USE_EPSV 7.9.2
CURLOPT_FTP_USE_PRET 7.20.0
+CURLOPT_GSSAPI_DELEGATION 7.21.8
CURLOPT_HEADER 7.1
CURLOPT_HEADERDATA 7.10
CURLOPT_HEADERFUNCTION 7.7.2
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 3a510e58e..0dc934bfb 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -615,6 +615,10 @@ typedef enum {
#define CURLSSH_AUTH_KEYBOARD (1<<3) /* keyboard interactive */
#define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY
+#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */
+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
+#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */
+
#define CURL_ERROR_SIZE 256
struct curl_khkey {
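Review bot: The comment on CURLGSSAPI_DELEGATION_FLAG, `/* delegate always */`, understates what the flag means in a public header: per the manpage hunk in this commit it forwards the caller's GSSAPI credentials to the peer regardless of whether the service ticket carries OK-AS-DELEGATE, which is exactly what the POLICY_FLAG variant is meant to gate. I would spell that out so API users reach for the policy variant by default, e.g. `#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always, even if the service ticket does not permit it */`. Since these are bit flags a caller may OR together, the header could also note that DELEGATION_FLAG takes effect on its own regardless of the policy bit, which is how lib/curl_gssapi.c in this commit evaluates them.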
diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index 6b47987dd..7c6f57ad4 100644
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -36,10 +36,18 @@ OM_uint32 Curl_gss_init_sec_context(
gss_buffer_t output_token,
OM_uint32 * ret_flags)
{
- OM_uint32 req_flags;
+ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
- req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
- if (data->set.gssapi_delegation)
+ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
+#ifdef GSS_C_DELEG_POLICY_FLAG
+ req_flags |= GSS_C_DELEG_POLICY_FLAG;
+#else
+ infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "
+ "compiled in\n");
+#endif
+ }
+
+ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
req_flags |= GSS_C_DELEG_FLAG;
return gss_init_sec_context(minor_status,
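Review bot: The two flag checks at the top of the hunk are independent, so a caller that sets both CURLGSSAPI_DELEGATION_POLICY_FLAG and CURLGSSAPI_DELEGATION_FLAG ends up with GSS_C_DELEG_FLAG in req_flags and delegates unconditionally, silently overriding the policy bit; that deserves a comment on the second `if`, e.g. `/* DELEGATION_FLAG wins over POLICY_FLAG: GSS_C_DELEG_FLAG delegates regardless of the ticket's OK-AS-DELEGATE bit */`. In the `#else` branch the policy request is dropped with only an infof() warning, which is the safe direction (no delegation at all) but is visible only in verbose mode, so a comment stating that the fallback is "no delegation" would save the next reader a check. Curl_gss_init_sec_context starts before the hunk and its gss_init_sec_context call continues past it.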
diff --git a/lib/url.c b/lib/url.c
index 050be2c1d..a3a475dfd 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1977,9 +1977,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
break;
case CURLOPT_GSSAPI_DELEGATION:
/*
- * allow GSSAPI credential delegation
+ * GSSAPI credential delegation
*/
- data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+ data->set.gssapi_delegation = va_arg(param, long);
break;
case CURLOPT_SSL_VERIFYPEER:
/*
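Review bot: The assignment `data->set.gssapi_delegation = va_arg(param, long);` stores the raw long, so a value with bits outside CURLGSSAPI_DELEGATION_POLICY_FLAG|CURLGSSAPI_DELEGATION_FLAG is accepted here and silently ignored later, which hides caller mistakes on a security-sensitive option. I would reject unknown bits at the setopt boundary, e.g. `long arg = va_arg(param, long);` / `if(arg & ~(CURLGSSAPI_DELEGATION_POLICY_FLAG | CURLGSSAPI_DELEGATION_FLAG)) { result = CURLE_BAD_FUNCTION_ARGUMENT; break; }` / `data->set.gssapi_delegation = arg;`, assuming this switch reports errors through a `result` variable as the rest of Curl_setopt does (not visible in the hunk). The shortened comment could also name the accepted values: `/* GSSAPI credential delegation: bit mask of CURLGSSAPI_DELEGATION_* */`. Curl_setopt extends well beyond this hunk on both sides.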
diff --git a/lib/urldata.h b/lib/urldata.h
index 3db8e2f13..d244f2113 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1526,7 +1526,8 @@ struct UserDefined {
to pattern (e.g. if WILDCARDMATCH is on) */
void *fnmatch_data;
- bool gssapi_delegation; /* allow GSSAPI credential delegation */
+ long gssapi_delegation; /* GSSAPI credential delegation, see the
+ documentation of CURLOPT_GSSAPI_DELEGATION */
};
struct Names {