Adam Tkac | 20 Jul 10:43 2011
Picon

[PATCH] A new option CURLOPT_GSSAPI_DELEGATION

Hello all,

this message is continuation of the
http://article.gmane.org/gmane.comp.web.curl.library/32258 thread
(complete removal of the GSSAPI delegation).

Attached patch replaces Kamil's patch
(http://article.gmane.org/gmane.comp.web.curl.library/32265) and adds
new option called CURLOPT_GSSAPI_DELEGATION.

Comments are welcomed.

Regards, Adam
From 639becd177d0bc3f81eb4b7afb69c55e5031d898 Mon Sep 17 00:00:00 2001
From: Adam Tkac <atkac <at> redhat.com>
Date: Tue, 19 Jul 2011 19:10:43 +0200
Subject: [PATCH] Add new CURLOPT_GSSAPI_DELEGATION option.

Curl_gss_init_sec_context got new parameter - SessionHandle.

Signed-off-by: Adam Tkac <atkac <at> redhat.com>
---
 RELEASE-NOTES                   |    3 ++-
 docs/libcurl/curl_easy_setopt.3 |    4 ++++
 include/curl/curl.h             |    3 +++
 lib/curl_gssapi.c               |   10 ++++++++--
 lib/curl_gssapi.h               |    2 ++
 lib/http_negotiate.c            |   16 +++++++++-------
 lib/krb5.c                      |    3 ++-
 lib/socks_gssapi.c              |    3 ++-
 lib/url.c                       |    6 ++++++
 lib/urldata.h                   |    2 ++
 10 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 9ab8716..7272fa8 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
 <at>  <at>  -2,13 +2,14  <at>  <at>  Curl and libcurl 7.21.8

  Public curl releases:         124
  Command line options:         144
- curl_easy_setopt() options:   186
+ curl_easy_setopt() options:   187
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 868

 This release includes the following changes:

+ o Added CURLOPT_GSSAPI_DELEGATION
  o 

 This release includes the following bugfixes:
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 014269f..2cdfcf8 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
 <at>  <at>  -2109,6 +2109,10  <at>  <at>  of these, 'private' will be used. Set the string to NULL to disable kerberos
 support for FTP.

 (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
+.IP CURLOPT_GSSAPI_DELEGATION
+Set the parameter to 1 to allow GSSAPI credential delegation.  The delegation
+is disabled by default since 7.21.7.
+(Added in 7.21.8)
 .SH SSH OPTIONS
 .IP CURLOPT_SSH_AUTH_TYPES
 Pass a long set to a bitmask consisting of one or more of
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 998c109..3a510e5 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
 <at>  <at>  -1484,6 +1484,9  <at>  <at>  typedef enum {
   CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208),
   CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209),

+  /* allow GSSAPI credential delegation */
+  CINIT(GSSAPI_DELEGATION, LONG, 210),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;

diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index 3b6b189..6b47987 100644
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
 <at>  <at>  -27,6 +27,7  <at>  <at> 
 #include "curl_gssapi.h"

 OM_uint32 Curl_gss_init_sec_context(
+    const struct SessionHandle *data,
     OM_uint32 * minor_status,
     gss_ctx_id_t * context,
     gss_name_t target_name,
 <at>  <at>  -35,13 +36,18  <at>  <at>  OM_uint32 Curl_gss_init_sec_context(
     gss_buffer_t output_token,
     OM_uint32 * ret_flags)
 {
+  OM_uint32 req_flags;
+
+  req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
+  if (data->set.gssapi_delegation)
+    req_flags |= GSS_C_DELEG_FLAG;
+
   return gss_init_sec_context(minor_status,
                               GSS_C_NO_CREDENTIAL, /* cred_handle */
                               context,
                               target_name,
                               GSS_C_NO_OID, /* mech_type */
-                              /* req_flags */
-                              GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
+                              req_flags,
                               0, /* time_req */
                               input_chan_bindings,
                               input_token,
diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
index c5fbefe..6b04373 100644
--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
 <at>  <at>  -21,6 +21,7  <at>  <at> 
  ***************************************************************************/

 #include "setup.h"
+#include "urldata.h"

 #ifdef HAVE_GSSAPI

 <at>  <at>  -40,6 +41,7  <at>  <at> 
 /* Common method for using gss api */

 OM_uint32 Curl_gss_init_sec_context(
+    const struct SessionHandle *data,
     OM_uint32 * minor_status,
     gss_ctx_id_t * context,
     gss_name_t target_name,
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 36823f8..c2ba548 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
 <at>  <at>  -135,8 +135,9  <at>  <at>  log_gss_error(struct connectdata *conn, OM_uint32 error_status,
 int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                          const char *header)
 {
-  struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
-    &conn->data->state.negotiate;
+  struct SessionHandle *data = conn->data;
+  struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg:
+    &data->state.negotiate;
   OM_uint32 major_status, minor_status, minor_status2;
   gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
   gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
 <at>  <at>  -172,7 +173,7  <at>  <at>  int Curl_input_negotiate(struct connectdata *conn, bool proxy,
     /* We finished successfully our part of authentication, but server
      * rejected it (since we're again here). Exit with an error since we
      * can't invent anything better */
-    Curl_cleanup_negotiate(conn->data);
+    Curl_cleanup_negotiate(data);
     return -1;
   }

 <at>  <at>  -221,7 +222,7  <at>  <at>  int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                                  NULL)) {
         free(spnegoToken);
         spnegoToken = NULL;
-        infof(conn->data, "Parse SPNEGO Target Token failed\n");
+        infof(data, "Parse SPNEGO Target Token failed\n");
       }
       else {
         free(input_token.value);
 <at>  <at>  -233,13 +234,14  <at>  <at>  int Curl_input_negotiate(struct connectdata *conn, bool proxy,
         input_token.length = mechTokenLength;
         free(mechToken);
         mechToken = NULL;
-        infof(conn->data, "Parse SPNEGO Target Token succeeded\n");
+        infof(data, "Parse SPNEGO Target Token succeeded\n");
       }
     }
 #endif
   }

-  major_status = Curl_gss_init_sec_context(&minor_status,
+  major_status = Curl_gss_init_sec_context(data,
+                                           &minor_status,
                                            &neg_ctx->context,
                                            neg_ctx->server_name,
                                            GSS_C_NO_CHANNEL_BINDINGS,
 <at>  <at>  -250,7 +252,7  <at>  <at>  int Curl_input_negotiate(struct connectdata *conn, bool proxy,
     gss_release_buffer(&minor_status2, &input_token);
   neg_ctx->status = major_status;
   if(GSS_ERROR(major_status)) {
-    /* Curl_cleanup_negotiate(conn->data) ??? */
+    /* Curl_cleanup_negotiate(data) ??? */
     log_gss_error(conn, minor_status,
                   "gss_init_sec_context() failed: ");
     return -1;
diff --git a/lib/krb5.c b/lib/krb5.c
index 5c60c8d..83d20ee 100644
--- a/lib/krb5.c
+++ b/lib/krb5.c
 <at>  <at>  -231,7 +231,8  <at>  <at>  krb5_auth(void *app_data, struct connectdata *conn)
          taken care by a final gss_release_buffer. */
       gss_release_buffer(&min, &output_buffer);
       ret = AUTH_OK;
-      maj = Curl_gss_init_sec_context(&min,
+      maj = Curl_gss_init_sec_context(data,
+                                      &min,
                                       context,
                                       gssname,
                                       &chan,
diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
index 872efb0..27dcab2 100644
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
 <at>  <at>  -184,7 +184,8  <at>  <at>  CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
   /* As long as we need to keep sending some context info, and there's no  */
   /* errors, keep sending it...                                            */
   for(;;) {
-    gss_major_status = Curl_gss_init_sec_context(&gss_minor_status,
+    gss_major_status = Curl_gss_init_sec_context(data,
+                                                 &gss_minor_status,
                                                  &gss_context,
                                                  server,
                                                  NULL,
diff --git a/lib/url.c b/lib/url.c
index adb96c4..ce7a04f 100644
--- a/lib/url.c
+++ b/lib/url.c
 <at>  <at>  -1993,6 +1993,12  <at>  <at>  CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
                        va_arg(param, char *));
     data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]);
     break;
+  case CURLOPT_GSSAPI_DELEGATION:
+    /*
+     * allow GSSAPI credential delegation
+     */
+    data->set.gssapi_delegation = (bool)(0 != va_arg(param, long));
+    break;
   case CURLOPT_SSL_VERIFYPEER:
     /*
      * Enable peer SSL verifying.
diff --git a/lib/urldata.h b/lib/urldata.h
index d2638aa..f774a13 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
 <at>  <at>  -1526,6 +1526,8  <at>  <at>  struct UserDefined {
   curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds
                                     to pattern (e.g. if WILDCARDMATCH is on) */
   void *fnmatch_data;
+
+  bool gssapi_delegation;	/* allow GSSAPI credential delegation */
 };

 struct Names {
--

-- 
1.7.6

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Gmane