Add new CURLOPT_GSSAPI_DELEGATION option.

Curl_gss_init_sec_context got new parameter - SessionHandle. Signed-off-by: Adam Tkac <atkac@redhat.com>
2024-08-13 17:03:50 -04:00 · 2011-07-19 19:10:43 +02:00 · 2011-07-19 19:10:43 +02:00 · ebf42c4be7
commit ebf42c4be7
parent 7688a99bef
10 changed files with 40 additions and 12 deletions
--- a/3
+++ b/3
@ -2,13 +2,14 @@ Curl and libcurl 7.21.8

 Public curl releases:         124
 Command line options:         144
- curl_easy_setopt() options:   186
+ curl_easy_setopt() options:   187
 Public functions in libcurl:  58
 Known libcurl bindings:       39
 Contributors:                 868

 This release includes the following changes:

+ o Added CURLOPT_GSSAPI_DELEGATION
 o 

 This release includes the following bugfixes:
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@ -2109,6 +2109,10 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos
 support for FTP.

 (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
+.IP CURLOPT_GSSAPI_DELEGATION
+Set the parameter to 1 to allow GSSAPI credential delegation.  The delegation
+is disabled by default since 7.21.7.
+(Added in 7.21.8)
 .SH SSH OPTIONS
 .IP CURLOPT_SSH_AUTH_TYPES
 Pass a long set to a bitmask consisting of one or more of
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@ -1484,6 +1484,9 @@ typedef enum {
  CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208),
  CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209),

+  /* allow GSSAPI credential delegation */
+  CINIT(GSSAPI_DELEGATION, LONG, 210),
+
  CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;

--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@ -27,6 +27,7 @@
 #include "curl_gssapi.h"

 OM_uint32 Curl_gss_init_sec_context(
+    const struct SessionHandle *data,
    OM_uint32 * minor_status,
    gss_ctx_id_t * context,
    gss_name_t target_name,
@ -35,13 +36,18 @@ OM_uint32 Curl_gss_init_sec_context(
    gss_buffer_t output_token,
    OM_uint32 * ret_flags)
 {
+  OM_uint32 req_flags;
+
+  req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
+  if (data->set.gssapi_delegation)
+    req_flags |= GSS_C_DELEG_FLAG;
+
  return gss_init_sec_context(minor_status,
                              GSS_C_NO_CREDENTIAL, /* cred_handle */
                              context,
                              target_name,
                              GSS_C_NO_OID, /* mech_type */
-                              /* req_flags */
-                              GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
+                              req_flags,
                              0, /* time_req */
                              input_chan_bindings,
                              input_token,
--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
@ -23,6 +23,7 @@
 ***************************************************************************/

 #include "setup.h"
+#include "urldata.h"

 #ifdef HAVE_GSSAPI

@ -42,6 +43,7 @@
 /* Common method for using gss api */

 OM_uint32 Curl_gss_init_sec_context(
+    const struct SessionHandle *data,
    OM_uint32 * minor_status,
    gss_ctx_id_t * context,
    gss_name_t target_name,
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@ -131,8 +131,9 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status,
 int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                         const char *header)
 {
-  struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
-    &conn->data->state.negotiate;
+  struct SessionHandle *data = conn->data;
+  struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg:
+    &data->state.negotiate;
  OM_uint32 major_status, minor_status, minor_status2;
  gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
@ -168,7 +169,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
    /* We finished successfully our part of authentication, but server
     * rejected it (since we're again here). Exit with an error since we
     * can't invent anything better */
-    Curl_cleanup_negotiate(conn->data);
+    Curl_cleanup_negotiate(data);
    return -1;
  }

@ -217,7 +218,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                                 NULL)) {
        free(spnegoToken);
        spnegoToken = NULL;
-        infof(conn->data, "Parse SPNEGO Target Token failed\n");
+        infof(data, "Parse SPNEGO Target Token failed\n");
      }
      else {
        free(input_token.value);
@ -229,13 +230,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
        input_token.length = mechTokenLength;
        free(mechToken);
        mechToken = NULL;
-        infof(conn->data, "Parse SPNEGO Target Token succeeded\n");
+        infof(data, "Parse SPNEGO Target Token succeeded\n");
      }
    }
 #endif
  }

-  major_status = Curl_gss_init_sec_context(&minor_status,
+  major_status = Curl_gss_init_sec_context(data,
+                                           &minor_status,
                                           &neg_ctx->context,
                                           neg_ctx->server_name,
                                           GSS_C_NO_CHANNEL_BINDINGS,
@ -246,7 +248,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
    gss_release_buffer(&minor_status2, &input_token);
  neg_ctx->status = major_status;
  if(GSS_ERROR(major_status)) {
-    /* Curl_cleanup_negotiate(conn->data) ??? */
+    /* Curl_cleanup_negotiate(data) ??? */
    log_gss_error(conn, minor_status,
                  "gss_init_sec_context() failed: ");
    return -1;
--- a/lib/krb5.c
+++ b/lib/krb5.c
@ -230,7 +230,8 @@ krb5_auth(void *app_data, struct connectdata *conn)
         taken care by a final gss_release_buffer. */
      gss_release_buffer(&min, &output_buffer);
      ret = AUTH_OK;
-      maj = Curl_gss_init_sec_context(&min,
+      maj = Curl_gss_init_sec_context(data,
+                                      &min,
                                      context,
                                      gssname,
                                      &chan,
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@ -180,7 +180,8 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
  /* As long as we need to keep sending some context info, and there's no  */
  /* errors, keep sending it...                                            */
  for(;;) {
-    gss_major_status = Curl_gss_init_sec_context(&gss_minor_status,
+    gss_major_status = Curl_gss_init_sec_context(data,
+                                                 &gss_minor_status,
                                                 &gss_context,
                                                 server,
                                                 NULL,
--- a/lib/url.c
+++ b/lib/url.c
@ -1975,6 +1975,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
                       va_arg(param, char *));
    data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]);
    break;
+  case CURLOPT_GSSAPI_DELEGATION:
+    /*
+     * allow GSSAPI credential delegation
+     */
+    data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+    break;
  case CURLOPT_SSL_VERIFYPEER:
    /*
     * Enable peer SSL verifying.
--- a/lib/urldata.h
+++ b/lib/urldata.h
@ -1525,6 +1525,8 @@ struct UserDefined {
  curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds
                                    to pattern (e.g. if WILDCARDMATCH is on) */
  void *fnmatch_data;
+
+  bool gssapi_delegation;	/* allow GSSAPI credential delegation */
 };

 struct Names {