curl_gssapi: refine the handling of CURLOPT_GSSAPI_DELEGATION
authorKamil Dudka <kdudka@redhat.com>
Mon, 25 Jul 2011 09:49:26 +0000 (11:49 +0200)
committerKamil Dudka <kdudka@redhat.com>
Wed, 3 Aug 2011 08:56:41 +0000 (10:56 +0200)
Suggested by Richard Silverman.

docs/libcurl/curl_easy_setopt.3
docs/libcurl/symbols-in-versions
include/curl/curl.h
lib/curl_gssapi.c
lib/url.c
lib/urldata.h

index 2cdfcf8..1e5f3b6 100644 (file)
@@ -2110,8 +2110,12 @@ support for FTP.
 
 (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
 .IP CURLOPT_GSSAPI_DELEGATION
-Set the parameter to 1 to allow GSSAPI credential delegation.  The delegation
-is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
+credential delegation.  The delegation is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
+supported by the GSSAPI implementation and the definition of
+GSS_C_DELEG_POLICY_FLAG was available at compile-time.
 (Added in 7.21.8)
 .SH SSH OPTIONS
 .IP CURLOPT_SSH_AUTH_TYPES
index a91f4fb..a1d92aa 100644 (file)
@@ -187,6 +187,9 @@ CURLFTPSSL_TRY                  7.11.0        7.17.0
 CURLFTP_CREATE_DIR              7.19.4
 CURLFTP_CREATE_DIR_NONE         7.19.4
 CURLFTP_CREATE_DIR_RETRY        7.19.4
+CURLGSSAPI_DELEGATION_FLAG      7.21.8
+CURLGSSAPI_DELEGATION_NONE      7.21.8
+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8
 CURLINFO_APPCONNECT_TIME        7.19.0
 CURLINFO_CERTINFO               7.19.1
 CURLINFO_CONDITION_UNMET        7.19.4
@@ -345,6 +348,7 @@ CURLOPT_FTP_SSL_CCC             7.16.1
 CURLOPT_FTP_USE_EPRT            7.10.5
 CURLOPT_FTP_USE_EPSV            7.9.2
 CURLOPT_FTP_USE_PRET            7.20.0
+CURLOPT_GSSAPI_DELEGATION       7.21.8
 CURLOPT_HEADER                  7.1
 CURLOPT_HEADERDATA              7.10
 CURLOPT_HEADERFUNCTION          7.7.2
index 3a510e5..0dc934b 100644 (file)
@@ -615,6 +615,10 @@ typedef enum {
 #define CURLSSH_AUTH_KEYBOARD  (1<<3) /* keyboard interactive */
 #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY
 
+#define CURLGSSAPI_DELEGATION_NONE        0      /* no delegation (default) */
+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
+#define CURLGSSAPI_DELEGATION_FLAG        (1<<1) /* delegate always */
+
 #define CURL_ERROR_SIZE 256
 
 struct curl_khkey {
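Review bot: The comment on CURLGSSAPI_DELEGATION_POLICY_FLAG does not tell a reader of the public header that the flag is honoured only when the GSSAPI library exposes GSS_C_DELEG_POLICY_FLAG at compile time and is otherwise a no-op, which is what lib/curl_gssapi.c implements in this same commit. I would extend the comment to `/* if permitted by policy; no-op without GSS_C_DELEG_POLICY_FLAG */`. Note also that the numeric value 1, which the previous manual wording described as "allow delegation", is now the policy flag rather than unconditional delegation; if any caller has been passing 1L under the old wording it will now get policy-gated (or no) delegation, which is the safer direction but deserves a sentence in the manual page.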
index 6b47987..7c6f57a 100644 (file)
@@ -36,10 +36,18 @@ OM_uint32 Curl_gss_init_sec_context(
     gss_buffer_t output_token,
     OM_uint32 * ret_flags)
 {
-  OM_uint32 req_flags;
+  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
 
-  req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
-  if (data->set.gssapi_delegation)
+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
+#ifdef GSS_C_DELEG_POLICY_FLAG
+    req_flags |= GSS_C_DELEG_POLICY_FLAG;
+#else
+    infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "
+        "compiled in\n");
+#endif
+  }
+
+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
     req_flags |= GSS_C_DELEG_FLAG;
 
   return gss_init_sec_context(minor_status,
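Review bot: The `#else` branch at the CURLGSSAPI_DELEGATION_POLICY_FLAG check deliberately requests no delegation at all when GSS_C_DELEG_POLICY_FLAG is unavailable, but nothing in the code says that this is intentional, and the infof line is only visible with verbose output. A later maintainer could "fix" it by falling back to GSS_C_DELEG_FLAG, which would silently turn a policy-gated request into unconditional credential delegation. I would add above the infof call `/* fail closed: no policy support means no delegation; do not fall back to GSS_C_DELEG_FLAG */`. The two checks are also written inconsistently, the first with braces and the second without; brace both. Curl_gss_init_sec_context begins before the hunk and its gss_init_sec_context call continues past it.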
index 050be2c..a3a475d 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -1977,9 +1977,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
     break;
   case CURLOPT_GSSAPI_DELEGATION:
     /*
-     * allow GSSAPI credential delegation
+     * GSSAPI credential delegation
      */
-    data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+    data->set.gssapi_delegation = va_arg(param, long);
     break;
   case CURLOPT_SSL_VERIFYPEER:
     /*
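Review bot: The new assignment stores whatever long the caller passes, so bits other than CURLGSSAPI_DELEGATION_POLICY_FLAG and CURLGSSAPI_DELEGATION_FLAG are accepted without complaint and then silently ignored in Curl_gss_init_sec_context, which hides typos and future flag mismatches from the application. I would reject unknown bits right after the assignment, `if(data->set.gssapi_delegation & ~(CURLGSSAPI_DELEGATION_POLICY_FLAG | CURLGSSAPI_DELEGATION_FLAG)) return CURLE_BAD_FUNCTION_ARGUMENT;`, using whichever of return or result-assignment the rest of Curl_setopt uses for bad arguments. Curl_setopt starts and ends outside this hunk.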
index 3db8e2f..d244f21 100644 (file)
@@ -1526,7 +1526,8 @@ struct UserDefined {
                                     to pattern (e.g. if WILDCARDMATCH is on) */
   void *fnmatch_data;
 
-  bool gssapi_delegation;      /* allow GSSAPI credential delegation */
+  long gssapi_delegation; /* GSSAPI credential delegation, see the
+                             documentation of CURLOPT_GSSAPI_DELEGATION */
 };
 
 struct Names {