From ebf42c4be76df40ec6d3bf32f229bbb274e2c32f Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Tue, 19 Jul 2011 19:10:43 +0200 Subject: Add new CURLOPT_GSSAPI_DELEGATION option. Curl_gss_init_sec_context got new parameter - SessionHandle. Signed-off-by: Adam Tkac --- lib/curl_gssapi.c | 10 ++++++++-- lib/curl_gssapi.h | 2 ++ lib/http_negotiate.c | 16 +++++++++------- lib/krb5.c | 3 ++- lib/socks_gssapi.c | 3 ++- lib/url.c | 6 ++++++ lib/urldata.h | 2 ++ 7 files changed, 31 insertions(+), 11 deletions(-) (limited to 'lib') diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c index 3b6b189e4..6b47987dd 100644 --- a/lib/curl_gssapi.c +++ b/lib/curl_gssapi.c @@ -27,6 +27,7 @@ #include "curl_gssapi.h" OM_uint32 Curl_gss_init_sec_context( + const struct SessionHandle *data, OM_uint32 * minor_status, gss_ctx_id_t * context, gss_name_t target_name, @@ -35,13 +36,18 @@ OM_uint32 Curl_gss_init_sec_context( gss_buffer_t output_token, OM_uint32 * ret_flags) { + OM_uint32 req_flags; + + req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; + if (data->set.gssapi_delegation) + req_flags |= GSS_C_DELEG_FLAG; + return gss_init_sec_context(minor_status, GSS_C_NO_CREDENTIAL, /* cred_handle */ context, target_name, GSS_C_NO_OID, /* mech_type */ - /* req_flags */ - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, + req_flags, 0, /* time_req */ input_chan_bindings, input_token, diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h index 249e864fe..6103ff1ac 100644 --- a/lib/curl_gssapi.h +++ b/lib/curl_gssapi.h @@ -23,6 +23,7 @@ ***************************************************************************/ #include "setup.h" +#include "urldata.h" #ifdef HAVE_GSSAPI @@ -42,6 +43,7 @@ /* Common method for using gss api */ OM_uint32 Curl_gss_init_sec_context( + const struct SessionHandle *data, OM_uint32 * minor_status, gss_ctx_id_t * context, gss_name_t target_name, diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 695ab167e..b3d870c9c 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -131,8 +131,9 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, int Curl_input_negotiate(struct connectdata *conn, bool proxy, const char *header) { - struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: - &conn->data->state.negotiate; + struct SessionHandle *data = conn->data; + struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg: + &data->state.negotiate; OM_uint32 major_status, minor_status, minor_status2; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; @@ -168,7 +169,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, /* We finished successfully our part of authentication, but server * rejected it (since we're again here). Exit with an error since we * can't invent anything better */ - Curl_cleanup_negotiate(conn->data); + Curl_cleanup_negotiate(data); return -1; } @@ -217,7 +218,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, NULL)) { free(spnegoToken); spnegoToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token failed\n"); + infof(data, "Parse SPNEGO Target Token failed\n"); } else { free(input_token.value); @@ -229,13 +230,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, input_token.length = mechTokenLength; free(mechToken); mechToken = NULL; - infof(conn->data, "Parse SPNEGO Target Token succeeded\n"); + infof(data, "Parse SPNEGO Target Token succeeded\n"); } } #endif } - major_status = Curl_gss_init_sec_context(&minor_status, + major_status = Curl_gss_init_sec_context(data, + &minor_status, &neg_ctx->context, neg_ctx->server_name, GSS_C_NO_CHANNEL_BINDINGS, @@ -246,7 +248,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, gss_release_buffer(&minor_status2, &input_token); neg_ctx->status = major_status; if(GSS_ERROR(major_status)) { - /* Curl_cleanup_negotiate(conn->data) ??? */ + /* Curl_cleanup_negotiate(data) ??? */ log_gss_error(conn, minor_status, "gss_init_sec_context() failed: "); return -1; diff --git a/lib/krb5.c b/lib/krb5.c index 1f7038fd9..0422cda35 100644 --- a/lib/krb5.c +++ b/lib/krb5.c @@ -230,7 +230,8 @@ krb5_auth(void *app_data, struct connectdata *conn) taken care by a final gss_release_buffer. */ gss_release_buffer(&min, &output_buffer); ret = AUTH_OK; - maj = Curl_gss_init_sec_context(&min, + maj = Curl_gss_init_sec_context(data, + &min, context, gssname, &chan, diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c index 74b074ee1..c62bdc9c3 100644 --- a/lib/socks_gssapi.c +++ b/lib/socks_gssapi.c @@ -180,7 +180,8 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, /* As long as we need to keep sending some context info, and there's no */ /* errors, keep sending it... */ for(;;) { - gss_major_status = Curl_gss_init_sec_context(&gss_minor_status, + gss_major_status = Curl_gss_init_sec_context(data, + &gss_minor_status, &gss_context, server, NULL, diff --git a/lib/url.c b/lib/url.c index 59da3e991..050be2c1d 100644 --- a/lib/url.c +++ b/lib/url.c @@ -1975,6 +1975,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, va_arg(param, char *)); data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]); break; + case CURLOPT_GSSAPI_DELEGATION: + /* + * allow GSSAPI credential delegation + */ + data->set.gssapi_delegation = (bool)(0 != va_arg(param, long)); + break; case CURLOPT_SSL_VERIFYPEER: /* * Enable peer SSL verifying. diff --git a/lib/urldata.h b/lib/urldata.h index 6f81153de..3db8e2f13 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1525,6 +1525,8 @@ struct UserDefined { curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds to pattern (e.g. if WILDCARDMATCH is on) */ void *fnmatch_data; + + bool gssapi_delegation; /* allow GSSAPI credential delegation */ }; struct Names { -- cgit v1.2.3