From 0b164a2c002452d6660d0f745d60686f77060c2d Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Wed, 3 Aug 2011 12:48:49 +0200

Subject: [PATCH] curl - rhbz #719939

---

 docs/libcurl/curl_easy_setopt.3  |    8 ++++++

 docs/libcurl/symbols-in-versions |    4 +++

 include/curl/curl.h              |    7 +++++

 lib/Makefile.in                  |    7 +++++

 lib/Makefile.inc                 |    4 +-

 lib/curl_gssapi.c                |   45 +++++++++++++++++++++++++++++++++++++

 lib/curl_gssapi.h                |   46 ++++++++++++++++++++++++++++++++++++++

 lib/http_negotiate.c             |    6 ++++-

 lib/krb5.c                       |    6 ++++-

 lib/socks_gssapi.c               |    7 ++++-

 lib/url.c                        |    6 +++++

 lib/urldata.h                    |    3 ++

 12 files changed, 143 insertions(+), 6 deletions(-)

 create mode 100644 lib/curl_gssapi.c

 create mode 100644 lib/curl_gssapi.h

diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3

index a26898f..3c20d29 100644

--- a/docs/libcurl/curl_easy_setopt.3

+++ b/docs/libcurl/curl_easy_setopt.3

@@ -1972,6 +1972,14 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos

 support for FTP.

 (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)

+.IP CURLOPT_GSSAPI_DELEGATION

+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI

+credential delegation.  The delegation is disabled by default since 7.21.7.

+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if

+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is

+supported by the GSSAPI implementation and the definition of

+GSS_C_DELEG_POLICY_FLAG was available at compile-time.

+(Added in 7.21.8)

 .SH SSH OPTIONS

 .IP CURLOPT_SSH_AUTH_TYPES

 Pass a long set to a bitmask consisting of one or more of

diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions

index a02ead4..75c709d 100644

--- a/docs/libcurl/symbols-in-versions

+++ b/docs/libcurl/symbols-in-versions

@@ -131,6 +131,9 @@ CURLFTPSSL_TRY                  7.11.0        7.17.0

 CURLFTP_CREATE_DIR              7.19.4

 CURLFTP_CREATE_DIR_NONE         7.19.4

 CURLFTP_CREATE_DIR_RETRY        7.19.4

+CURLGSSAPI_DELEGATION_FLAG      7.21.8

+CURLGSSAPI_DELEGATION_NONE      7.21.8

+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8

 CURLINFO_APPCONNECT_TIME        7.19.0

 CURLINFO_CERTINFO               7.19.1

 CURLINFO_CONDITION_UNMET        7.19.4

@@ -244,6 +247,7 @@ CURLOPT_FTP_SSL_CCC             7.16.1

 CURLOPT_FTP_USE_EPRT            7.10.5

 CURLOPT_FTP_USE_EPSV            7.9.2

 CURLOPT_FTP_USE_PRET            7.20.0

+CURLOPT_GSSAPI_DELEGATION       7.21.8

 CURLOPT_HEADER                  7.1

 CURLOPT_HEADERDATA              7.10

 CURLOPT_HEADERFUNCTION          7.7.2

diff --git a/include/curl/curl.h b/include/curl/curl.h

index b19828f..0a0c0b3 100644

--- a/include/curl/curl.h

+++ b/include/curl/curl.h

@@ -596,6 +596,10 @@ typedef enum {

 #define CURLSSH_AUTH_KEYBOARD  (1<<3) /* keyboard interactive */

 #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY

+#define CURLGSSAPI_DELEGATION_NONE        0      /* no delegation (default) */

+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */

+#define CURLGSSAPI_DELEGATION_FLAG        (1<<1) /* delegate always */

+

 #define CURL_ERROR_SIZE 256

 struct curl_khkey {

@@ -1435,6 +1439,9 @@ typedef enum {

   /* FNMATCH_FUNCTION user pointer */

   CINIT(FNMATCH_DATA, OBJECTPOINT, 202),

+  /* allow GSSAPI credential delegation */

+  CINIT(GSSAPI_DELEGATION, LONG, 210),

+

   CURLOPT_LASTENTRY /* the last unused */

 } CURLoption;

diff --git a/lib/Makefile.in b/lib/Makefile.in

index e7d451a..a27a417 100644

--- a/lib/Makefile.in

+++ b/lib/Makefile.in

@@ -612,6 +612,13 @@ distclean-compile:

 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<

+libcurlu_la-curl_gssapi.lo: curl_gssapi.c

+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libcurlu_la-curl_gssapi.lo -MD -MP -MF $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c

+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo $(DEPDIR)/libcurlu_la-curl_gssapi.Plo

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='curl_gssapi.c' object='libcurlu_la-curl_gssapi.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c

+

 mostlyclean-libtool:

 	-rm -f *.lo

diff --git a/lib/Makefile.inc b/lib/Makefile.inc

index a502e8f..d9360a3 100644

--- a/lib/Makefile.inc

+++ b/lib/Makefile.inc

@@ -13,7 +13,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\

   strdup.c socks.c ssh.c nss.c qssl.c rawstr.c curl_addrinfo.c          \

   socks_gssapi.c socks_sspi.c curl_sspi.c slist.c nonblock.c		\

   curl_memrchr.c imap.c pop3.c smtp.c pingpong.c rtsp.c curl_threads.c	\

-  warnless.c hmac.c polarssl.c curl_rtmp.c openldap.c

+  warnless.c hmac.c polarssl.c curl_rtmp.c openldap.c curl_gssapi.c

 HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\

   progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h	\

@@ -27,4 +27,4 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\

   tftp.h sockaddr.h splay.h strdup.h setup_once.h socks.h ssh.h nssg.h	\

   curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h	\

   curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h	\

-  warnless.h curl_hmac.h polarssl.h curl_rtmp.h

+  warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gssapi.h

diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c

new file mode 100644

index 0000000..914d1a0

--- /dev/null

+++ b/lib/curl_gssapi.c

@@ -0,0 +1,45 @@

+/***************************************************************************

+ *                                  _   _ ____  _

+ *  Project                     ___| | | |  _ \| |

+ *                             / __| | | | |_) | |

+ *                            | (__| |_| |  _ <| |___

+ *                             \___|\___/|_| \_\_____|

+ *

+ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al.

+ *

+ * This software is licensed as described in the file COPYING, which

+ * you should have received as part of this distribution. The terms

+ * are also available at http://curl.haxx.se/docs/copyright.html.

+ *

+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell

+ * copies of the Software, and permit persons to whom the Software is

+ * furnished to do so, under the terms of the COPYING file.

+ *

+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY

+ * KIND, either express or implied.

+ *

+ ***************************************************************************/

+

+#include "setup.h"

+

+#ifdef HAVE_GSSAPI

+

+#include "curl_gssapi.h"

+#include "sendf.h"

+

+void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data)

+{

+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {

+#ifdef GSS_C_DELEG_POLICY_FLAG

+    *req_flags |= GSS_C_DELEG_POLICY_FLAG;

+#else

+    infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "

+        "compiled in\n");

+#endif

+  }

+

+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)

+    *req_flags |= GSS_C_DELEG_FLAG;

+}

+

+#endif /* HAVE_GSSAPI */

diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h

new file mode 100644

index 0000000..c8ffefc

--- /dev/null

+++ b/lib/curl_gssapi.h

@@ -0,0 +1,46 @@

+#ifndef HEADER_CURL_GSSAPI_H

+#define HEADER_CURL_GSSAPI_H

+/***************************************************************************

+ *                                  _   _ ____  _

+ *  Project                     ___| | | |  _ \| |

+ *                             / __| | | | |_) | |

+ *                            | (__| |_| |  _ <| |___

+ *                             \___|\___/|_| \_\_____|

+ *

+ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al.

+ *

+ * This software is licensed as described in the file COPYING, which

+ * you should have received as part of this distribution. The terms

+ * are also available at http://curl.haxx.se/docs/copyright.html.

+ *

+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell

+ * copies of the Software, and permit persons to whom the Software is

+ * furnished to do so, under the terms of the COPYING file.

+ *

+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY

+ * KIND, either express or implied.

+ *

+ ***************************************************************************/

+

+#include "setup.h"

+#include "urldata.h"

+

+#ifdef HAVE_GSSAPI

+

+#ifdef HAVE_GSSGNU

+#  include <gss.h>

+#elif defined HAVE_GSSMIT

+   /* MIT style */

+#  include <gssapi/gssapi.h>

+#  include <gssapi/gssapi_generic.h>

+#  include <gssapi/gssapi_krb5.h>

+#else

+   /* Heimdal-style */

+#  include <gssapi.h>

+#endif

+

+void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data);

+

+#endif /* HAVE_GSSAPI */

+

+#endif /* HEADER_CURL_GSSAPI_H */

diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c

index 4b2b254..c33669c 100644

--- a/lib/http_negotiate.c

+++ b/lib/http_negotiate.c

@@ -40,6 +40,7 @@

 #include "curl_base64.h"

 #include "http_negotiate.h"

 #include "curl_memory.h"

+#include "curl_gssapi.h"

 #ifdef HAVE_SPNEGO

 #  include <spnegohelp.h>

@@ -143,6 +144,9 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,

   bool gss;

   const char* protocol;

+  OM_uint32 req_flags = 0;

+  Curl_gss_req_flags(&req_flags, conn->data);

+

   while(*header && ISSPACE(*header))

     header++;

   if(checkprefix("GSS-Negotiate", header)) {

@@ -242,7 +246,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,

                                       &neg_ctx->context,

                                       neg_ctx->server_name,

                                       GSS_C_NO_OID,

-                                      0,

+                                      req_flags,

                                       0,

                                       GSS_C_NO_CHANNEL_BINDINGS,

                                       &input_token,

diff --git a/lib/krb5.c b/lib/krb5.c

index 9fb44f2..7e234d1 100644

--- a/lib/krb5.c

+++ b/lib/krb5.c

@@ -65,6 +65,7 @@

 #include "sendf.h"

 #include "krb4.h"

 #include "curl_memory.h"

+#include "curl_gssapi.h"

 #define _MPRINTF_REPLACE /* use our functions only */

 #include <curl/mprintf.h>

@@ -175,6 +176,9 @@ krb5_auth(void *app_data, struct connectdata *conn)

   gss_ctx_id_t *context = app_data;

   struct gss_channel_bindings_struct chan;

+  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;

+  Curl_gss_req_flags(&req_flags, data);

+

   if(getsockname(conn->sock[FIRSTSOCKET],

                  (struct sockaddr *)LOCAL_ADDR, &l) < 0)

     perror("getsockname()");

@@ -233,7 +237,7 @@ krb5_auth(void *app_data, struct connectdata *conn)

                                  context,

                                  gssname,

                                  GSS_C_NO_OID,

-                                 GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,

+                                 req_flags,

                                  0,

                                  &chan,

                                  gssresp,

diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c

index 1ff6f60..bc7ed85 100644

--- a/lib/socks_gssapi.c

+++ b/lib/socks_gssapi.c

@@ -42,6 +42,7 @@

 #include "connect.h"

 #include "timeval.h"

 #include "socks.h"

+#include "curl_gssapi.h"

 static gss_ctx_id_t     gss_context = GSS_C_NO_CONTEXT;

@@ -138,6 +139,9 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,

   unsigned char socksreq[4]; /* room for gssapi exchange header only */

   char *serviceptr = data->set.str[STRING_SOCKS5_GSSAPI_SERVICE];

+  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;

+  Curl_gss_req_flags(&req_flags, data);

+

   /* get timeout */

   timeout = Curl_timeleft(conn, NULL, TRUE);

@@ -188,8 +192,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,

                                             GSS_C_NO_CREDENTIAL,

                                             &gss_context, server,

                                             GSS_C_NULL_OID,

-                                            GSS_C_MUTUAL_FLAG |

-                                            GSS_C_REPLAY_FLAG,

+                                            req_flags,

                                             0,

                                             NULL,

                                             gss_token,

diff --git a/lib/url.c b/lib/url.c

index 432dac8..ad343ef 100644

--- a/lib/url.c

+++ b/lib/url.c

@@ -1987,6 +1987,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,

                        va_arg(param, char *));

     data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]);

     break;

+  case CURLOPT_GSSAPI_DELEGATION:

+    /*

+     * GSSAPI credential delegation

+     */

+    data->set.gssapi_delegation = va_arg(param, long);

+    break;

   case CURLOPT_SSL_VERIFYPEER:

     /*

      * Enable peer SSL verifying.

diff --git a/lib/urldata.h b/lib/urldata.h

index 7763278..a7df1f2 100644

--- a/lib/urldata.h

+++ b/lib/urldata.h

@@ -1431,6 +1431,9 @@ struct UserDefined {

   curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds

                                     to pattern (e.g. if WILDCARDMATCH is on) */

   void *fnmatch_data;

+

+  long gssapi_delegation; /* GSSAPI credential delegation, see the

+                             documentation of CURLOPT_GSSAPI_DELEGATION */

 };

 struct Names {

-- 

1.7.4.4