mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
Add new CURLOPT_GSSAPI_DELEGATION option.
Curl_gss_init_sec_context got new parameter - SessionHandle. Signed-off-by: Adam Tkac <atkac@redhat.com>
This commit is contained in:
parent
7688a99bef
commit
ebf42c4be7
@ -2,13 +2,14 @@ Curl and libcurl 7.21.8
|
||||
|
||||
Public curl releases: 124
|
||||
Command line options: 144
|
||||
curl_easy_setopt() options: 186
|
||||
curl_easy_setopt() options: 187
|
||||
Public functions in libcurl: 58
|
||||
Known libcurl bindings: 39
|
||||
Contributors: 868
|
||||
|
||||
This release includes the following changes:
|
||||
|
||||
o Added CURLOPT_GSSAPI_DELEGATION
|
||||
o
|
||||
|
||||
This release includes the following bugfixes:
|
||||
|
@ -2109,6 +2109,10 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos
|
||||
support for FTP.
|
||||
|
||||
(This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
|
||||
.IP CURLOPT_GSSAPI_DELEGATION
|
||||
Set the parameter to 1 to allow GSSAPI credential delegation. The delegation
|
||||
is disabled by default since 7.21.7.
|
||||
(Added in 7.21.8)
|
||||
.SH SSH OPTIONS
|
||||
.IP CURLOPT_SSH_AUTH_TYPES
|
||||
Pass a long set to a bitmask consisting of one or more of
|
||||
|
@ -1484,6 +1484,9 @@ typedef enum {
|
||||
CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208),
|
||||
CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209),
|
||||
|
||||
/* allow GSSAPI credential delegation */
|
||||
CINIT(GSSAPI_DELEGATION, LONG, 210),
|
||||
|
||||
CURLOPT_LASTENTRY /* the last unused */
|
||||
} CURLoption;
|
||||
|
||||
|
@ -27,6 +27,7 @@
|
||||
#include "curl_gssapi.h"
|
||||
|
||||
OM_uint32 Curl_gss_init_sec_context(
|
||||
const struct SessionHandle *data,
|
||||
OM_uint32 * minor_status,
|
||||
gss_ctx_id_t * context,
|
||||
gss_name_t target_name,
|
||||
@ -35,13 +36,18 @@ OM_uint32 Curl_gss_init_sec_context(
|
||||
gss_buffer_t output_token,
|
||||
OM_uint32 * ret_flags)
|
||||
{
|
||||
OM_uint32 req_flags;
|
||||
|
||||
req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
|
||||
if (data->set.gssapi_delegation)
|
||||
req_flags |= GSS_C_DELEG_FLAG;
|
||||
|
||||
return gss_init_sec_context(minor_status,
|
||||
GSS_C_NO_CREDENTIAL, /* cred_handle */
|
||||
context,
|
||||
target_name,
|
||||
GSS_C_NO_OID, /* mech_type */
|
||||
/* req_flags */
|
||||
GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
|
||||
req_flags,
|
||||
0, /* time_req */
|
||||
input_chan_bindings,
|
||||
input_token,
|
||||
|
@ -23,6 +23,7 @@
|
||||
***************************************************************************/
|
||||
|
||||
#include "setup.h"
|
||||
#include "urldata.h"
|
||||
|
||||
#ifdef HAVE_GSSAPI
|
||||
|
||||
@ -42,6 +43,7 @@
|
||||
/* Common method for using gss api */
|
||||
|
||||
OM_uint32 Curl_gss_init_sec_context(
|
||||
const struct SessionHandle *data,
|
||||
OM_uint32 * minor_status,
|
||||
gss_ctx_id_t * context,
|
||||
gss_name_t target_name,
|
||||
|
@ -131,8 +131,9 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status,
|
||||
int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
||||
const char *header)
|
||||
{
|
||||
struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
|
||||
&conn->data->state.negotiate;
|
||||
struct SessionHandle *data = conn->data;
|
||||
struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg:
|
||||
&data->state.negotiate;
|
||||
OM_uint32 major_status, minor_status, minor_status2;
|
||||
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
|
||||
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
|
||||
@ -168,7 +169,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
||||
/* We finished successfully our part of authentication, but server
|
||||
* rejected it (since we're again here). Exit with an error since we
|
||||
* can't invent anything better */
|
||||
Curl_cleanup_negotiate(conn->data);
|
||||
Curl_cleanup_negotiate(data);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -217,7 +218,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
||||
NULL)) {
|
||||
free(spnegoToken);
|
||||
spnegoToken = NULL;
|
||||
infof(conn->data, "Parse SPNEGO Target Token failed\n");
|
||||
infof(data, "Parse SPNEGO Target Token failed\n");
|
||||
}
|
||||
else {
|
||||
free(input_token.value);
|
||||
@ -229,13 +230,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
||||
input_token.length = mechTokenLength;
|
||||
free(mechToken);
|
||||
mechToken = NULL;
|
||||
infof(conn->data, "Parse SPNEGO Target Token succeeded\n");
|
||||
infof(data, "Parse SPNEGO Target Token succeeded\n");
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
major_status = Curl_gss_init_sec_context(&minor_status,
|
||||
major_status = Curl_gss_init_sec_context(data,
|
||||
&minor_status,
|
||||
&neg_ctx->context,
|
||||
neg_ctx->server_name,
|
||||
GSS_C_NO_CHANNEL_BINDINGS,
|
||||
@ -246,7 +248,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
||||
gss_release_buffer(&minor_status2, &input_token);
|
||||
neg_ctx->status = major_status;
|
||||
if(GSS_ERROR(major_status)) {
|
||||
/* Curl_cleanup_negotiate(conn->data) ??? */
|
||||
/* Curl_cleanup_negotiate(data) ??? */
|
||||
log_gss_error(conn, minor_status,
|
||||
"gss_init_sec_context() failed: ");
|
||||
return -1;
|
||||
|
@ -230,7 +230,8 @@ krb5_auth(void *app_data, struct connectdata *conn)
|
||||
taken care by a final gss_release_buffer. */
|
||||
gss_release_buffer(&min, &output_buffer);
|
||||
ret = AUTH_OK;
|
||||
maj = Curl_gss_init_sec_context(&min,
|
||||
maj = Curl_gss_init_sec_context(data,
|
||||
&min,
|
||||
context,
|
||||
gssname,
|
||||
&chan,
|
||||
|
@ -180,7 +180,8 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
|
||||
/* As long as we need to keep sending some context info, and there's no */
|
||||
/* errors, keep sending it... */
|
||||
for(;;) {
|
||||
gss_major_status = Curl_gss_init_sec_context(&gss_minor_status,
|
||||
gss_major_status = Curl_gss_init_sec_context(data,
|
||||
&gss_minor_status,
|
||||
&gss_context,
|
||||
server,
|
||||
NULL,
|
||||
|
@ -1975,6 +1975,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
|
||||
va_arg(param, char *));
|
||||
data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]);
|
||||
break;
|
||||
case CURLOPT_GSSAPI_DELEGATION:
|
||||
/*
|
||||
* allow GSSAPI credential delegation
|
||||
*/
|
||||
data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
|
||||
break;
|
||||
case CURLOPT_SSL_VERIFYPEER:
|
||||
/*
|
||||
* Enable peer SSL verifying.
|
||||
|
@ -1525,6 +1525,8 @@ struct UserDefined {
|
||||
curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds
|
||||
to pattern (e.g. if WILDCARDMATCH is on) */
|
||||
void *fnmatch_data;
|
||||
|
||||
bool gssapi_delegation; /* allow GSSAPI credential delegation */
|
||||
};
|
||||
|
||||
struct Names {
|
||||
|
Loading…
Reference in New Issue
Block a user