From 5a40e781345ed1c6eb5ae8fd7103719ebacd66e8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 3 Aug 2011 14:30:45 +0200
Subject: [PATCH] curl - rhbz #723643
---
docs/libcurl/curl_easy_setopt.3 | 8 ++++++++
include/curl/curl.h | 7 +++++++
lib/http_negotiate.c | 15 ++++++++++++++-
lib/url.c | 6 ++++++
lib/urldata.h | 3 +++
5 files changed, 38 insertions(+), 1 deletions(-)
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 00a819b..c259c5a 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -1330,6 +1330,14 @@ krb4 awareness. This is a string, 'clear', 'safe', 'confidential' or
\&'private'. If the string is set but doesn't match one of these, 'private'
will be used. Set the string to NULL to disable kerberos4. The kerberos
support only works for FTP.
+.IP CURLOPT_GSSAPI_DELEGATION
+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
+credential delegation. The delegation is disabled by default since 7.21.7.
+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
+supported by the GSSAPI implementation and the definition of
+GSS_C_DELEG_POLICY_FLAG was available at compile-time.
+(Added in 7.21.8)
.SH OTHER OPTIONS
.IP CURLOPT_PRIVATE
Pass a char * as parameter, pointing to data that should be associated with
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 8ff213b..c4a0cab 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -388,6 +388,10 @@ typedef enum {
#define CURLE_FTP_BAD_DOWNLOAD_RESUME CURLE_BAD_DOWNLOAD_RESUME
#endif
+#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */
+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
+#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */
+
#define CURL_ERROR_SIZE 256
/* parameter for the CURLOPT_FTP_SSL option */
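Review bot: The three CURLGSSAPI_DELEGATION_* defines are placed between the CURLE_ compatibility aliases and CURL_ERROR_SIZE with nothing tying them to the option they parameterise, although the very next line shows the file's convention of labelling such value sets (`/* parameter for the CURLOPT_FTP_SSL option */`). A matching header comment, `/* parameter for the CURLOPT_GSSAPI_DELEGATION option */`, above `CURLGSSAPI_DELEGATION_NONE` would make the group self-explaining and greppable from the option name added in the second hunk. Since the two non-zero values form a bit mask, that comment could also say they may be OR-ed together; the macros themselves look fine.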
@@ -1012,6 +1016,9 @@ typedef enum {
to CURLPROTO_ALL & ~CURLPROTO_FILE. */
CINIT(REDIR_PROTOCOLS, LONG, 182),
+ /* allow GSSAPI credential delegation */
+ CINIT(GSSAPI_DELEGATION, LONG, 210),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 4015e2f..7758049 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -123,6 +123,19 @@ int Curl_input_negotiate(struct connectdata *conn, char *header)
size_t len;
bool gss;
const char* protocol;
+ OM_uint32 req_flags = 0;
+
+ if(conn->data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
+#ifdef GSS_C_DELEG_POLICY_FLAG
+ req_flags |= GSS_C_DELEG_POLICY_FLAG;
+#else
+ infof(conn->data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG "
+ "not compiled in\n");
+#endif
+ }
+
+ if(conn->data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
+ req_flags |= GSS_C_DELEG_FLAG;
while(*header && isspace((int)*header))
header++;
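Review bot: The `#else` branch of the `#ifdef GSS_C_DELEG_POLICY_FLAG` check turns a policy-delegation request into no delegation at all, and reports that only through infof() on every call of Curl_input_negotiate, i.e. once per Negotiate exchange rather than once per handle. Failing closed is the right direction, but the caller never learns its request was dropped, so a comment such as `/* fail closed: without GSS_C_DELEG_POLICY_FLAG no delegation is requested */` next to the warning would make the intent explicit. When an application sets both bits, GSS_C_DELEG_FLAG is OR-ed in after the policy flag and, as far as GSSAPI semantics go, requests unconditional delegation regardless of OK-AS-DELEGATE; a one-line comment on the second `if` stating that precedence would spare readers a trip to the RFC. The same req_flags is what the second hunk of this file passes to gss_init_sec_context; Curl_input_negotiate begins before this hunk and continues past it.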
@@ -216,7 +229,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header)
&neg_ctx->context,
neg_ctx->server_name,
GSS_C_NO_OID,
- 0,
+ req_flags,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&input_token,
diff --git a/lib/url.c b/lib/url.c
index 0528605..1a0c206 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1322,6 +1322,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
data->set.krb4_level = va_arg(param, char *);
data->set.krb4=data->set.krb4_level?TRUE:FALSE;
break;
+ case CURLOPT_GSSAPI_DELEGATION:
+ /*
+ * GSSAPI credential delegation
+ */
+ data->set.gssapi_delegation = va_arg(param, long);
+ break;
case CURLOPT_SSL_VERIFYPEER:
/*
* Enable peer SSL verifying.
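Review bot: The new `CURLOPT_GSSAPI_DELEGATION` case stores the long from va_arg without validating it, so a caller passing a wrong value gets no error and ends up with either silently disabled delegation or, if bit 1 happens to be set, unconditional delegation of its credentials. Rejecting undefined bits up front is cheap: `long arg = va_arg(param, long);` / `if(arg & ~(CURLGSSAPI_DELEGATION_POLICY_FLAG | CURLGSSAPI_DELEGATION_FLAG)) return CURLE_BAD_FUNCTION_ARGUMENT;` / `data->set.gssapi_delegation = arg;` (adapted to whichever error-return idiom Curl_setopt uses elsewhere, which is outside the hunk). The disabled-by-default behaviour the documentation promises relies on the new urldata.h field being zero in a fresh handle; that initialisation is not part of this patch and is worth confirming. Curl_setopt begins and ends outside the hunk.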
diff --git a/lib/urldata.h b/lib/urldata.h
index 0ef49d5..d092113 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1156,6 +1156,9 @@ struct UserDefined {
bool connect_only; /* make connection, let application use the socket */
long allowed_protocols;
long redir_protocols;
+
+ long gssapi_delegation; /* GSSAPI credential delegation, see the
+ documentation of CURLOPT_GSSAPI_DELEGATION */
};
struct Names {
--
1.7.4.4