Suggested by Richard Silverman.
(This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
.IP CURLOPT_GSSAPI_DELEGATION
-Set the parameter to 1 to allow GSSAPI credential delegation. The delegation
-is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
+credential delegation. The delegation is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
+supported by the GSSAPI implementation and the definition of
+GSS_C_DELEG_POLICY_FLAG was available at compile-time.
(Added in 7.21.8)
.SH SSH OPTIONS
.IP CURLOPT_SSH_AUTH_TYPES
CURLFTP_CREATE_DIR 7.19.4
CURLFTP_CREATE_DIR_NONE 7.19.4
CURLFTP_CREATE_DIR_RETRY 7.19.4
+CURLGSSAPI_DELEGATION_FLAG 7.21.8
+CURLGSSAPI_DELEGATION_NONE 7.21.8
+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8
CURLINFO_APPCONNECT_TIME 7.19.0
CURLINFO_CERTINFO 7.19.1
CURLINFO_CONDITION_UNMET 7.19.4
CURLOPT_FTP_USE_EPRT 7.10.5
CURLOPT_FTP_USE_EPSV 7.9.2
CURLOPT_FTP_USE_PRET 7.20.0
+CURLOPT_GSSAPI_DELEGATION 7.21.8
CURLOPT_HEADER 7.1
CURLOPT_HEADERDATA 7.10
CURLOPT_HEADERFUNCTION 7.7.2
#define CURLSSH_AUTH_KEYBOARD (1<<3) /* keyboard interactive */
#define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY
+#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */
+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
+#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */
+
#define CURL_ERROR_SIZE 256
struct curl_khkey {
gss_buffer_t output_token,
OM_uint32 * ret_flags)
{
- OM_uint32 req_flags;
+ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
- req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
- if (data->set.gssapi_delegation)
+ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
+#ifdef GSS_C_DELEG_POLICY_FLAG
+ req_flags |= GSS_C_DELEG_POLICY_FLAG;
+#else
+ infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "
+ "compiled in\n");
+#endif
+ }
+
+ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
req_flags |= GSS_C_DELEG_FLAG;
return gss_init_sec_context(minor_status,
break;
case CURLOPT_GSSAPI_DELEGATION:
/*
- * allow GSSAPI credential delegation
+ * GSSAPI credential delegation
*/
- data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+ data->set.gssapi_delegation = va_arg(param, long);
break;
case CURLOPT_SSL_VERIFYPEER:
/*
to pattern (e.g. if WILDCARDMATCH is on) */
void *fnmatch_data;
- bool gssapi_delegation; /* allow GSSAPI credential delegation */
+ long gssapi_delegation; /* GSSAPI credential delegation, see the
+ documentation of CURLOPT_GSSAPI_DELEGATION */
};
struct Names {