diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 2cdfcf86b..1e5f3b641 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2110,8 +2110,12 @@ support for FTP.
 (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
 .IP CURLOPT_GSSAPI_DELEGATION
-Set the parameter to 1 to allow GSSAPI credential delegation. The delegation
-is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
+credential delegation. The delegation is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
+supported by the GSSAPI implementation and the definition of
+GSS_C_DELEG_POLICY_FLAG was available at compile-time.
 (Added in 7.21.8)
 .SH SSH OPTIONS
 .IP CURLOPT_SSH_AUTH_TYPES
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index a91f4fb00..a1d92aa06 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -187,6 +187,9 @@ CURLFTPSSL_TRY 7.11.0 7.17.0
 CURLFTP_CREATE_DIR 7.19.4
 CURLFTP_CREATE_DIR_NONE 7.19.4
 CURLFTP_CREATE_DIR_RETRY 7.19.4
+CURLGSSAPI_DELEGATION_FLAG 7.21.8
+CURLGSSAPI_DELEGATION_NONE 7.21.8
+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8
 CURLINFO_APPCONNECT_TIME 7.19.0
 CURLINFO_CERTINFO 7.19.1
 CURLINFO_CONDITION_UNMET 7.19.4
@@ -345,6 +348,7 @@ CURLOPT_FTP_SSL_CCC 7.16.1
 CURLOPT_FTP_USE_EPRT 7.10.5
 CURLOPT_FTP_USE_EPSV 7.9.2
 CURLOPT_FTP_USE_PRET 7.20.0
+CURLOPT_GSSAPI_DELEGATION 7.21.8
 CURLOPT_HEADER 7.1
 CURLOPT_HEADERDATA 7.10
 CURLOPT_HEADERFUNCTION 7.7.2
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 3a510e58e..0dc934bfb 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -615,6 +615,10 @@ typedef enum {
 #define CURLSSH_AUTH_KEYBOARD (1<<3) /* keyboard interactive */
 #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY
 
+#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */
+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
+#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */
+
 #define CURL_ERROR_SIZE 256
 
 struct curl_khkey {
diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index 6b47987dd..7c6f57ad4 100644
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -36,10 +36,18 @@ OM_uint32 Curl_gss_init_sec_context(
     gss_buffer_t output_token,
     OM_uint32 * ret_flags)
 {
-  OM_uint32 req_flags;
+  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
 
-  req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
-  if (data->set.gssapi_delegation)
+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
+#ifdef GSS_C_DELEG_POLICY_FLAG
+    req_flags |= GSS_C_DELEG_POLICY_FLAG;
+#else
+    infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "
+          "compiled in\n");
+#endif
+  }
+
+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
     req_flags |= GSS_C_DELEG_FLAG;
 
   return gss_init_sec_context(
diff --git a/lib/url.c b/lib/url.c
index 050be2c1d..a3a475dfd 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1977,9 +1977,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
     break;
   case CURLOPT_GSSAPI_DELEGATION:
     /*
-     * allow GSSAPI credential delegation
+     * GSSAPI credential delegation
      */
-    data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+    data->set.gssapi_delegation = va_arg(param, long);
     break;
   case CURLOPT_SSL_VERIFYPEER:
     /*
diff --git a/lib/urldata.h b/lib/urldata.h
index 3db8e2f13..d244f2113 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
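Review bot: The three new CURLGSSAPI_DELEGATION_* defines do not say that they form a bitmask for CURLOPT_GSSAPI_DELEGATION, that the two flag bits may be combined, or that any other bit is ignored, which is what the accompanying curl_gssapi.c hunk does (it tests each bit independently and never looks at the rest). A one-line comment above CURLGSSAPI_DELEGATION_NONE such as `/* bitmask values for CURLOPT_GSSAPI_DELEGATION; the two flags may be ORed, other bits are ignored */` would save readers a trip to the man page. The `/* delegate always */` comment on CURLGSSAPI_DELEGATION_FLAG also understates what it requests: GSS_C_DELEG_FLAG forwards the caller's credentials to whichever server the handshake authenticates, so `/* delegate always (forwards the caller's credentials to the authenticated server) */` is the more honest wording.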
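Review bot: When GSS_C_DELEG_POLICY_FLAG is not defined, an application that asked for CURLGSSAPI_DELEGATION_POLICY_FLAG gets no delegation at all, and the only trace is the infof() message in the #else branch, which is seen only when verbose output is on; nothing is reported back through the return value. That is the safe direction (credentials stay local), but it is a silent feature downgrade, so either reject the unsupported bit at set time in Curl_setopt (CURLE_NOT_BUILT_IN is the natural code, provided the header that defines GSS_C_DELEG_POLICY_FLAG is reachable there or configure exports an equivalent macro) or at least state the policy in a comment next to the infof(): `/* policy-based delegation not available in this build: fall back to no delegation, never to unconditional delegation */`. Callers that need to know whether delegation really happened should look at the ret_flags that gss_init_sec_context() fills in rather than infer it from req_flags; a sentence on the function's header comment saying so would help. Curl_gss_init_sec_context() continues past the hunk, where the gss_init_sec_context() call is cut off.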
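Review bot: The new assignment stores whatever long the application passed, so bits outside CURLGSSAPI_DELEGATION_POLICY_FLAG and CURLGSSAPI_DELEGATION_FLAG are accepted here and then silently ignored in curl_gssapi.c, which leaves a mistyped mask (or a caller that still passes 1 under the earlier "set to 1" semantics, which now selects policy-only delegation rather than unconditional delegation) undetectable. Reading the argument into a local and rejecting anything outside the two known bits, e.g. `if(arg & ~(long)(CURLGSSAPI_DELEGATION_POLICY_FLAG | CURLGSSAPI_DELEGATION_FLAG))` followed by CURLE_BAD_FUNCTION_ARGUMENT in whatever form (direct return or result assignment) the neighbouring cases use, would catch that at setopt time. The comment could also record the type change, e.g. `/* GSSAPI credential delegation: bitmask of CURLGSSAPI_DELEGATION_* flags (was a bool) */`. Curl_setopt() starts and ends outside the hunk.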
@@ -1526,7 +1526,8 @@ struct UserDefined {
                                     to pattern (e.g. if WILDCARDMATCH is on) */
   void *fnmatch_data;
 
-  bool gssapi_delegation; /* allow GSSAPI credential delegation */
+  long gssapi_delegation; /* GSSAPI credential delegation, see the
+                             documentation of CURLOPT_GSSAPI_DELEGATION */
 };
 
 struct Names {