From 85d002123e5dea3de2499617d619253023335d8e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 12 Aug 2011 14:48:32 +0200
Subject: [PATCH 1/2] added --delegation

Using this option with an argument being set to one of none/policy/always instructs libcurl how to deal with GSS credentials. Or rather how it tells the server that delegation is fine or not.

Signed-off-by: Kamil Dudka
---
 src/main.c | 24 ++++++++++++++++++++++++
 1 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/src/main.c b/src/main.c
index 44dd2c4..0753429 100644
--- a/src/main.c
+++ b/src/main.c
@@ -359,6 +359,7 @@ struct Configurable {
 int ftp_filemethod;
 bool ignorecl; /* --ignore-content-length */
+ long gssapi_delegation;
 };
 #define WARN_PREFIX "Warning: "
@@ -489,6 +490,7 @@ static void help(void)
 " --data-ascii HTTP POST ASCII data (H)",
 " --data-binary HTTP POST binary data (H)",
 " --negotiate Use HTTP Negotiate Authentication (H)",
+ " --delegation STRING GSS-API delegation permission",
 " --digest Use HTTP Digest Authentication (H)",
 " --disable-eprt Inhibit using EPRT or LPRT (F)",
 " --disable-epsv Inhibit using EPSV (F)",
@@ -1097,6 +1099,18 @@ static int formparse(struct Configurable *config,
 return 0;
 }
+static long delegation(struct Configurable *config,
+ char *str)
+{
+ if(!strcasecmp("none", str))
+ return CURLGSSAPI_DELEGATION_NONE;
+ if(!strcasecmp("policy", str))
+ return CURLGSSAPI_DELEGATION_POLICY_FLAG;
+ if(!strcasecmp("always", str))
+ return CURLGSSAPI_DELEGATION_FLAG;
+ warnf(config, "unrecognized delegation method '%s', using none\n", str);
+ return CURLGSSAPI_DELEGATION_NONE;
+}
 typedef enum {
 PARAM_OK,
@@ -1351,6 +1365,8 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
 {"$v", "ftp-ssl-reqd", FALSE},
 {"$w", "proxy-negotiate", FALSE},
+ {"$G", "delegation", TRUE},
+
 {"0", "http1.0", FALSE},
 {"1", "tlsv1", FALSE},
 {"2", "sslv2", FALSE},
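Review bot: In the `delegation()` hunk of src/main.c, the three `strcasecmp()` calls make parsing of a credential-handling option depend on a function whose case folding may follow the process locale and which is not provided on every platform; a locale-independent ASCII comparison, if this tree already has one, would be the safer choice. The fallback for an unknown string is a warning plus `CURLGSSAPI_DELEGATION_NONE`, which fails closed, and that intent deserves a comment such as `/* unknown LEVEL: warn and fall back to no delegation, never widen it */`. `str` is only read here, so the parameter could be `const char *str`. The caller at `case 'G'` stores the result as is, so a mistyped level and an explicit none are indistinguishable afterwards.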
@@ -1798,6 +1814,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
 else
 return PARAM_LIBCURL_DOESNT_SUPPORT;
 break;
+ case 'G': /* --delegation LEVEL */
+ config->gssapi_delegation = delegation(config, nextarg);
+ break;
 }
 break;
 case '#': /* --progress-bar */
@@ -4029,6 +4048,11 @@ operate(struct Configurable *config, int argc, char *argv[])
 /* curl x.xx.x */
 curl_easy_setopt(curl, CURLOPT_FTP_ALTERNATIVE_TO_USER, config->ftp_alternative_to_user);
+ /* new in 7.22.0 */
+ if(config->gssapi_delegation)
+ curl_easy_setopt(curl, CURLOPT_GSSAPI_DELEGATION,
+ config->gssapi_delegation);
+
 retry_numretries = config->req_retry;
 retrystart = curlx_tvnow();
-- 
1.7.1

From 1a5566b1e84d0143899538f469596caf8f10d666 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 12 Aug 2011 23:51:41 +0200
Subject: [PATCH 2/2] docs: --delegation

Signed-off-by: Kamil Dudka
---
 docs/curl.1 | 12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1
index 2658954..61bd4e9 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -256,6 +256,18 @@ the \fI--data-ascii\fP option, this is for you.
 If this option is used several times, the ones following the first will append data.
+.IP "--delegation LEVEL"
+Set \fILEVEL\fP to tell the server what it is allowed to delegate when it
+comes to user credentials. Used with GSS/kerberos.
+.RS
+.IP "none"
+Don't allow any delegation.
+.IP "policy"
+Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos
+service ticket, which is a matter of realm policy.
+.IP "always"
+Unconditionally allow the server to delegate.
+.RE
 .IP "--digest"
 (HTTP) Enables HTTP Digest authentication. This is a authentication that prevents the password from being sent over the wire in clear text. Use this in
-- 
1.7.1
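Review bot: In the `operate()` hunk of src/main.c, the `if(config->gssapi_delegation)` guard means an explicit `--delegation none` is never handed to libcurl if `CURLGSSAPI_DELEGATION_NONE` is zero (presumably so; its definition is not part of this patch), so "none" is enforced only by whatever the library default happens to be. Dropping the guard and always calling `curl_easy_setopt(curl, CURLOPT_GSSAPI_DELEGATION, config->gssapi_delegation);` would state the requested level explicitly. The return value is also discarded, so a libcurl that does not accept the option would leave a requested restriction unapplied without any message; a `warnf()` on a non-zero result would surface that. operate() begins and ends outside the hunk.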