curl_gssapi: refine the handling of CURLOPT_GSSAPI_DELEGATION

Suggested by Richard Silverman.
2024-12-21 23:58:49 -05:00 · 2011-07-25 11:49:26 +02:00 · 2011-07-25 11:49:26 +02:00 · a7864c41db
commit a7864c41db
parent ebf42c4be7
6 changed files with 29 additions and 8 deletions
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@ -2110,8 +2110,12 @@ support for FTP.

 (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
 .IP CURLOPT_GSSAPI_DELEGATION
-Set the parameter to 1 to allow GSSAPI credential delegation.  The delegation
-is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
+credential delegation.  The delegation is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
+supported by the GSSAPI implementation and the definition of
+GSS_C_DELEG_POLICY_FLAG was available at compile-time.
 (Added in 7.21.8)
 .SH SSH OPTIONS
 .IP CURLOPT_SSH_AUTH_TYPES
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@ -187,6 +187,9 @@ CURLFTPSSL_TRY                  7.11.0        7.17.0
 CURLFTP_CREATE_DIR              7.19.4
 CURLFTP_CREATE_DIR_NONE         7.19.4
 CURLFTP_CREATE_DIR_RETRY        7.19.4
+CURLGSSAPI_DELEGATION_FLAG      7.21.8
+CURLGSSAPI_DELEGATION_NONE      7.21.8
+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8
 CURLINFO_APPCONNECT_TIME        7.19.0
 CURLINFO_CERTINFO               7.19.1
 CURLINFO_CONDITION_UNMET        7.19.4
@ -345,6 +348,7 @@ CURLOPT_FTP_SSL_CCC             7.16.1
 CURLOPT_FTP_USE_EPRT            7.10.5
 CURLOPT_FTP_USE_EPSV            7.9.2
 CURLOPT_FTP_USE_PRET            7.20.0
+CURLOPT_GSSAPI_DELEGATION       7.21.8
 CURLOPT_HEADER                  7.1
 CURLOPT_HEADERDATA              7.10
 CURLOPT_HEADERFUNCTION          7.7.2
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@ -615,6 +615,10 @@ typedef enum {
 #define CURLSSH_AUTH_KEYBOARD  (1<<3) /* keyboard interactive */
 #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY

+#define CURLGSSAPI_DELEGATION_NONE        0      /* no delegation (default) */
+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
+#define CURLGSSAPI_DELEGATION_FLAG        (1<<1) /* delegate always */
+
 #define CURL_ERROR_SIZE 256

 struct curl_khkey {
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@ -36,10 +36,18 @@ OM_uint32 Curl_gss_init_sec_context(
    gss_buffer_t output_token,
    OM_uint32 * ret_flags)
 {
-  OM_uint32 req_flags;
+  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;

-  req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
-  if (data->set.gssapi_delegation)
+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
+#ifdef GSS_C_DELEG_POLICY_FLAG
+    req_flags |= GSS_C_DELEG_POLICY_FLAG;
+#else
+    infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "
+        "compiled in\n");
+#endif
+  }
+
+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
    req_flags |= GSS_C_DELEG_FLAG;

  return gss_init_sec_context(minor_status,
--- a/lib/url.c
+++ b/lib/url.c
@ -1977,9 +1977,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
    break;
  case CURLOPT_GSSAPI_DELEGATION:
    /*
-     * allow GSSAPI credential delegation
+     * GSSAPI credential delegation
     */
-    data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+    data->set.gssapi_delegation = va_arg(param, long);
    break;
  case CURLOPT_SSL_VERIFYPEER:
    /*
--- a/lib/urldata.h
+++ b/lib/urldata.h
@ -1526,7 +1526,8 @@ struct UserDefined {
                                    to pattern (e.g. if WILDCARDMATCH is on) */
  void *fnmatch_data;

-  bool gssapi_delegation;	/* allow GSSAPI credential delegation */
+  long gssapi_delegation; /* GSSAPI credential delegation, see the
+                             documentation of CURLOPT_GSSAPI_DELEGATION */
 };

 struct Names {