diff options
| -rw-r--r-- | RELEASE-NOTES | 3 | ||||
| -rw-r--r-- | docs/libcurl/curl_easy_setopt.3 | 4 | ||||
| -rw-r--r-- | include/curl/curl.h | 3 | ||||
| -rw-r--r-- | lib/curl_gssapi.c | 10 | ||||
| -rw-r--r-- | lib/curl_gssapi.h | 2 | ||||
| -rw-r--r-- | lib/http_negotiate.c | 16 | ||||
| -rw-r--r-- | lib/krb5.c | 3 | ||||
| -rw-r--r-- | lib/socks_gssapi.c | 3 | ||||
| -rw-r--r-- | lib/url.c | 6 | ||||
| -rw-r--r-- | lib/urldata.h | 2 |
10 files changed, 40 insertions, 12 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 23519d1e8..d4957276d 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -2,13 +2,14 @@ Curl and libcurl 7.21.8 Public curl releases: 124 Command line options: 144 - curl_easy_setopt() options: 186 + curl_easy_setopt() options: 187 Public functions in libcurl: 58 Known libcurl bindings: 39 Contributors: 868 This release includes the following changes: + o Added CURLOPT_GSSAPI_DELEGATION o This release includes the following bugfixes: diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 014269f4f..2cdfcf86b 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -2109,6 +2109,10 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos support for FTP. (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3) +.IP CURLOPT_GSSAPI_DELEGATION +Set the parameter to 1 to allow GSSAPI credential delegation. The delegation +is disabled by default since 7.21.7. +(Added in 7.21.8) .SH SSH OPTIONS .IP CURLOPT_SSH_AUTH_TYPES Pass a long set to a bitmask consisting of one or more of diff --git a/include/curl/curl.h b/include/curl/curl.h index 998c109b9..3a510e58e 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1484,6 +1484,9 @@ typedef enum { CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208), CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209), + /* allow GSSAPI credential delegation */ + CINIT(GSSAPI_DELEGATION, LONG, 210), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c index 3b6b189e4..6b47987dd 100644 --- a/lib/curl_gssapi.c +++ b/lib/curl_gssapi.c @@ -27,6 +27,7 @@ #include "curl_gssapi.h" OM_uint32 Curl_gss_init_sec_context( + const struct SessionHandle *data, OM_uint32 * minor_status, gss_ctx_id_t * context, gss_name_t target_name, @@ -35,13 +36,18 @@ OM_uint32 Curl_gss_init_sec_context( gss_buffer_t output_token, OM_uint32 * ret_flags) { + OM_uint32 req_flags; + + req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; + if (data->set.gssapi_delegation) + req_flags |= GSS_C_DELEG_FLAG; + return gss_init_sec_context(minor_status, GSS_C_NO_CREDENTIAL, /* cred_handle */ context, target_name, GSS_C_NO_OID, /* mech_type */ - /* req_flags */ - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, + req_flags, 0, /* time_req */ input_chan_bindings, input_token, diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h index 249e864fe..6103ff1ac 100644 --- a/lib/curl_gssapi.h +++ b/lib/curl_gssapi.h @@ -23,6 +23,7 @@ ***************************************************************************/ #include "setup.h" +#include "urldata.h" #ifdef HAVE_GSSAPI @@ -42,6 +43,7 @@ /* Common method for using gss api */ OM_uint32 Curl_gss_init_sec_context( + const struct SessionHandle *data, OM_uint32 * minor_status, gss_ctx_id_t * context, gss_name_t target_name, diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 695ab167e..b3d870c9c 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -131,8 +131,9 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { - struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: - &conn->data->state.negotiate; + struct SessionHandle *data = conn->data; + struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg: + &data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; @@ -168,7 +169,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, /* We finished successfully our part of authentication, but server * rejected it (since we're again here). Exit with an error since we * can't invent anything better */ - Curl_cleanup_negotiate(conn->data); + Curl_cleanup_negotiate(data); return -1; } @@ -217,7 +218,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, NULL)) { free(spnegoToken); spnegoToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token failed\n"); + infof(data, "Parse SPNEGO Target Token failed\n"); } else { free(input_token.value); @@ -229,13 +230,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, input_token.length = mechTokenLength; free(mechToken); mechToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token succeeded\n"); + infof(data, "Parse SPNEGO Target Token succeeded\n"); } } #endif } - major_status = Curl_gss_init_sec_context(&minor_status, + major_status = Curl_gss_init_sec_context(data, + &minor_status, &neg_ctx->context, neg_ctx->server_name, GSS_C_NO_CHANNEL_BINDINGS, @@ -246,7 +248,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, gss_release_buffer(&minor_status2, &input_token); neg_ctx->status = major_status; if(GSS_ERROR(major_status)) { - /* Curl_cleanup_negotiate(conn->data) ??? */ + /* Curl_cleanup_negotiate(data) ??? */ log_gss_error(conn, minor_status, "gss_init_sec_context() failed: "); return -1; diff --git a/lib/krb5.c b/lib/krb5.c index 1f7038fd9..0422cda35 100644 --- a/lib/krb5.c +++ b/lib/krb5.c @@ -230,7 +230,8 @@ krb5_auth(void *app_data, struct connectdata *conn) taken care by a final gss_release_buffer. */ gss_release_buffer(&min, &output_buffer); ret = AUTH_OK; - maj = Curl_gss_init_sec_context(&min, + maj = Curl_gss_init_sec_context(data, + &min, context, gssname, &chan, diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index 74b074ee1..c62bdc9c3 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c @@ -180,7 +180,8 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, /* As long as we need to keep sending some context info, and there's no */ /* errors, keep sending it... */ for(;;) { - gss_major_status = Curl_gss_init_sec_context(&gss_minor_status, + gss_major_status = Curl_gss_init_sec_context(data, + &gss_minor_status, &gss_context, server, NULL, @@ -1975,6 +1975,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, va_arg(param, char *)); data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]); break; + case CURLOPT_GSSAPI_DELEGATION: + /* + * allow GSSAPI credential delegation + */ + data->set.gssapi_delegation = (bool)(0 != va_arg(param, long)); + break; case CURLOPT_SSL_VERIFYPEER: /* * Enable peer SSL verifying. diff --git a/lib/urldata.h b/lib/urldata.h index 6f81153de..3db8e2f13 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1525,6 +1525,8 @@ struct UserDefined { curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds to pattern (e.g. if WILDCARDMATCH is on) */ void *fnmatch_data; + + bool gssapi_delegation; /* allow GSSAPI credential delegation */ }; struct Names { |