Curl_gss_init_sec_context got new parameter - SessionHandle.
Signed-off-by: Adam Tkac <atkac@redhat.com>
Public curl releases: 124
Command line options: 144
- curl_easy_setopt() options: 186
+ curl_easy_setopt() options: 187
Public functions in libcurl: 58
Known libcurl bindings: 39
Contributors: 868
This release includes the following changes:
+ o Added CURLOPT_GSSAPI_DELEGATION
o
This release includes the following bugfixes:
support for FTP.
(This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
+.IP CURLOPT_GSSAPI_DELEGATION
+Set the parameter to 1 to allow GSSAPI credential delegation. The delegation
+is disabled by default since 7.21.7.
+(Added in 7.21.8)
.SH SSH OPTIONS
.IP CURLOPT_SSH_AUTH_TYPES
Pass a long set to a bitmask consisting of one or more of
CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208),
CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209),
+ /* allow GSSAPI credential delegation */
+ CINIT(GSSAPI_DELEGATION, LONG, 210),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
#include "curl_gssapi.h"
OM_uint32 Curl_gss_init_sec_context(
+ const struct SessionHandle *data,
OM_uint32 * minor_status,
gss_ctx_id_t * context,
gss_name_t target_name,
gss_buffer_t output_token,
OM_uint32 * ret_flags)
{
+ OM_uint32 req_flags;
+
+ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
+ if (data->set.gssapi_delegation)
+ req_flags |= GSS_C_DELEG_FLAG;
+
return gss_init_sec_context(minor_status,
GSS_C_NO_CREDENTIAL, /* cred_handle */
context,
target_name,
GSS_C_NO_OID, /* mech_type */
- /* req_flags */
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
+ req_flags,
0, /* time_req */
input_chan_bindings,
input_token,
***************************************************************************/
#include "setup.h"
+#include "urldata.h"
#ifdef HAVE_GSSAPI
/* Common method for using gss api */
OM_uint32 Curl_gss_init_sec_context(
+ const struct SessionHandle *data,
OM_uint32 * minor_status,
gss_ctx_id_t * context,
gss_name_t target_name,
int Curl_input_negotiate(struct connectdata *conn, bool proxy,
const char *header)
{
- struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
- &conn->data->state.negotiate;
+ struct SessionHandle *data = conn->data;
+ struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg:
+ &data->state.negotiate;
OM_uint32 major_status, minor_status, minor_status2;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
/* We finished successfully our part of authentication, but server
* rejected it (since we're again here). Exit with an error since we
* can't invent anything better */
- Curl_cleanup_negotiate(conn->data);
+ Curl_cleanup_negotiate(data);
return -1;
}
NULL)) {
free(spnegoToken);
spnegoToken = NULL;
- infof(conn->data, "Parse SPNEGO Target Token failed\n");
+ infof(data, "Parse SPNEGO Target Token failed\n");
}
else {
free(input_token.value);
input_token.length = mechTokenLength;
free(mechToken);
mechToken = NULL;
- infof(conn->data, "Parse SPNEGO Target Token succeeded\n");
+ infof(data, "Parse SPNEGO Target Token succeeded\n");
}
}
#endif
}
- major_status = Curl_gss_init_sec_context(&minor_status,
+ major_status = Curl_gss_init_sec_context(data,
+ &minor_status,
&neg_ctx->context,
neg_ctx->server_name,
GSS_C_NO_CHANNEL_BINDINGS,
gss_release_buffer(&minor_status2, &input_token);
neg_ctx->status = major_status;
if(GSS_ERROR(major_status)) {
- /* Curl_cleanup_negotiate(conn->data) ??? */
+ /* Curl_cleanup_negotiate(data) ??? */
log_gss_error(conn, minor_status,
"gss_init_sec_context() failed: ");
return -1;
taken care by a final gss_release_buffer. */
gss_release_buffer(&min, &output_buffer);
ret = AUTH_OK;
- maj = Curl_gss_init_sec_context(&min,
+ maj = Curl_gss_init_sec_context(data,
+ &min,
context,
gssname,
&chan,
/* As long as we need to keep sending some context info, and there's no */
/* errors, keep sending it... */
for(;;) {
- gss_major_status = Curl_gss_init_sec_context(&gss_minor_status,
+ gss_major_status = Curl_gss_init_sec_context(data,
+ &gss_minor_status,
&gss_context,
server,
NULL,
va_arg(param, char *));
data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]);
break;
+ case CURLOPT_GSSAPI_DELEGATION:
+ /*
+ * allow GSSAPI credential delegation
+ */
+ data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+ break;
case CURLOPT_SSL_VERIFYPEER:
/*
* Enable peer SSL verifying.
curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds
to pattern (e.g. if WILDCARDMATCH is on) */
void *fnmatch_data;
+
+ bool gssapi_delegation; /* allow GSSAPI credential delegation */
};
struct Names {