[curl/f15] add a new option CURLOPT_GSSAPI_DELEGATION (#719939)
Kamil Dudka
kdudka at fedoraproject.org
Wed Aug 3 18:49:34 UTC 2011
commit d4c0675e9e39c31d6bc1ae559857da9ba4188811
Author: Kamil Dudka <kdudka at redhat.com>
Date: Wed Aug 3 16:54:34 2011 +0200
add a new option CURLOPT_GSSAPI_DELEGATION (#719939)
0006-curl-7.21.3-a7864c4.patch | 392 ++++++++++++++++++++++++++++++++++++++++
curl.spec | 9 +-
2 files changed, 400 insertions(+), 1 deletions(-)
---
diff --git a/0006-curl-7.21.3-a7864c4.patch b/0006-curl-7.21.3-a7864c4.patch
new file mode 100644
index 0000000..652ee0a
--- /dev/null
+++ b/0006-curl-7.21.3-a7864c4.patch
@@ -0,0 +1,392 @@
+From fa2e098934cb3efa49db48eacd7b1ca3ca3e094e Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 3 Aug 2011 12:48:49 +0200
+Subject: [PATCH] curl - rhbz #719939
+
+---
+ docs/libcurl/curl_easy_setopt.3 | 8 ++++++
+ docs/libcurl/symbols-in-versions | 4 +++
+ include/curl/curl.h | 7 +++++
+ lib/Makefile.in | 14 +++++++++--
+ lib/Makefile.inc | 4 +-
+ lib/curl_gssapi.c | 45 +++++++++++++++++++++++++++++++++++++
+ lib/curl_gssapi.h | 46 ++++++++++++++++++++++++++++++++++++++
+ lib/http_negotiate.c | 6 ++++-
+ lib/krb5.c | 6 ++++-
+ lib/socks_gssapi.c | 7 ++++-
+ lib/url.c | 6 +++++
+ lib/urldata.h | 3 ++
+ 12 files changed, 147 insertions(+), 9 deletions(-)
+ create mode 100644 lib/curl_gssapi.c
+ create mode 100644 lib/curl_gssapi.h
+
+diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
+index 3d76b66..df3529c 100644
+--- a/docs/libcurl/curl_easy_setopt.3
++++ b/docs/libcurl/curl_easy_setopt.3
+@@ -2021,6 +2021,14 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos
+ support for FTP.
+
+ (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
++.IP CURLOPT_GSSAPI_DELEGATION
++Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
++credential delegation. The delegation is disabled by default since 7.21.7.
++Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
++the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
++supported by the GSSAPI implementation and the definition of
++GSS_C_DELEG_POLICY_FLAG was available at compile-time.
++(Added in 7.21.8)
+ .SH SSH OPTIONS
+ .IP CURLOPT_SSH_AUTH_TYPES
+ Pass a long set to a bitmask consisting of one or more of
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index e22b625..3175d3d 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -186,6 +186,9 @@ CURLFTPSSL_TRY 7.11.0 7.17.0
+ CURLFTP_CREATE_DIR 7.19.4
+ CURLFTP_CREATE_DIR_NONE 7.19.4
+ CURLFTP_CREATE_DIR_RETRY 7.19.4
++CURLGSSAPI_DELEGATION_FLAG 7.21.8
++CURLGSSAPI_DELEGATION_NONE 7.21.8
++CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8
+ CURLINFO_APPCONNECT_TIME 7.19.0
+ CURLINFO_CERTINFO 7.19.1
+ CURLINFO_CONDITION_UNMET 7.19.4
+@@ -343,6 +346,7 @@ CURLOPT_FTP_SSL_CCC 7.16.1
+ CURLOPT_FTP_USE_EPRT 7.10.5
+ CURLOPT_FTP_USE_EPSV 7.9.2
+ CURLOPT_FTP_USE_PRET 7.20.0
++CURLOPT_GSSAPI_DELEGATION 7.21.8
+ CURLOPT_HEADER 7.1
+ CURLOPT_HEADERDATA 7.10
+ CURLOPT_HEADERFUNCTION 7.7.2
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index fbd0d9b..0ea1b72 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -599,6 +599,10 @@ typedef enum {
+ #define CURLSSH_AUTH_KEYBOARD (1<<3) /* keyboard interactive */
+ #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY
+
++#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */
++#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
++#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */
++
+ #define CURL_ERROR_SIZE 256
+
+ struct curl_khkey {
+@@ -1442,6 +1446,9 @@ typedef enum {
+ /* send linked-list of name:port:address sets */
+ CINIT(RESOLVE, OBJECTPOINT, 203),
+
++ /* allow GSSAPI credential delegation */
++ CINIT(GSSAPI_DELEGATION, LONG, 210),
++
+ CURLOPT_LASTENTRY /* the last unused */
+ } CURLoption;
+
+diff --git a/lib/Makefile.in b/lib/Makefile.in
+index 1a86821..a79ee24 100644
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -91,7 +91,7 @@ am__objects_1 = file.lo timeval.lo base64.lo hostip.lo progress.lo \
+ nonblock.lo curl_memrchr.lo imap.lo pop3.lo smtp.lo \
+ pingpong.lo rtsp.lo curl_threads.lo warnless.lo hmac.lo \
+ polarssl.lo curl_rtmp.lo openldap.lo curl_gethostname.lo \
+- gopher.lo
++ gopher.lo curl_gssapi.lo
+ am__objects_2 =
+ am_libcurl_la_OBJECTS = $(am__objects_1) $(am__objects_2)
+ libcurl_la_OBJECTS = $(am_libcurl_la_OBJECTS)
+@@ -411,7 +411,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
+ socks_gssapi.c socks_sspi.c curl_sspi.c slist.c nonblock.c \
+ curl_memrchr.c imap.c pop3.c smtp.c pingpong.c rtsp.c curl_threads.c \
+ warnless.c hmac.c polarssl.c curl_rtmp.c openldap.c curl_gethostname.c\
+- gopher.c
++ gopher.c curl_gssapi.c
+
+ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
+ progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \
+@@ -426,7 +426,7 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
+ curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h \
+ curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h \
+ warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h \
+- gopher.h
++ gopher.h curl_gssapi.h
+
+
+ # Makefile.inc provides the CSOURCES and HHEADERS defines
+@@ -529,6 +529,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curl_addrinfo.Plo at am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curl_fnmatch.Plo at am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curl_gethostname.Plo at am__quote@
++ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curl_gssapi.Plo at am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curl_memrchr.Plo at am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curl_rand.Plo at am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curl_rtmp.Plo at am__quote@
+@@ -634,6 +635,13 @@ distclean-compile:
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
++libcurlu_la-curl_gssapi.lo: curl_gssapi.c
++ at am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libcurlu_la-curl_gssapi.lo -MD -MP -MF $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c
++ at am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo $(DEPDIR)/libcurlu_la-curl_gssapi.Plo
++ at AMDEP_TRUE@@am__fastdepCC_FALSE@ source='curl_gssapi.c' object='libcurlu_la-curl_gssapi.lo' libtool=yes @AMDEPBACKSLASH@
++ at AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++ at am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c
++
+ mostlyclean-libtool:
+ -rm -f *.lo
+
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index 41ab827..be13031 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -21,7 +21,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
+ socks_gssapi.c socks_sspi.c curl_sspi.c slist.c nonblock.c \
+ curl_memrchr.c imap.c pop3.c smtp.c pingpong.c rtsp.c curl_threads.c \
+ warnless.c hmac.c polarssl.c curl_rtmp.c openldap.c curl_gethostname.c\
+- gopher.c
++ gopher.c curl_gssapi.c
+
+ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
+ progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \
+@@ -36,5 +36,5 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
+ curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h \
+ curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h \
+ warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h \
+- gopher.h
++ gopher.h curl_gssapi.h
+
+diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
+new file mode 100644
+index 0000000..914d1a0
+--- /dev/null
++++ b/lib/curl_gssapi.c
+@@ -0,0 +1,45 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 2011, Daniel Stenberg, <daniel at haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++
++#include "setup.h"
++
++#ifdef HAVE_GSSAPI
++
++#include "curl_gssapi.h"
++#include "sendf.h"
++
++void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data)
++{
++ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
++#ifdef GSS_C_DELEG_POLICY_FLAG
++ *req_flags |= GSS_C_DELEG_POLICY_FLAG;
++#else
++ infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "
++ "compiled in\n");
++#endif
++ }
++
++ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
++ *req_flags |= GSS_C_DELEG_FLAG;
++}
++
++#endif /* HAVE_GSSAPI */
+diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
+new file mode 100644
+index 0000000..c8ffefc
+--- /dev/null
++++ b/lib/curl_gssapi.h
+@@ -0,0 +1,46 @@
++#ifndef HEADER_CURL_GSSAPI_H
++#define HEADER_CURL_GSSAPI_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 2011, Daniel Stenberg, <daniel at haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++
++#include "setup.h"
++#include "urldata.h"
++
++#ifdef HAVE_GSSAPI
++
++#ifdef HAVE_GSSGNU
++# include <gss.h>
++#elif defined HAVE_GSSMIT
++ /* MIT style */
++# include <gssapi/gssapi.h>
++# include <gssapi/gssapi_generic.h>
++# include <gssapi/gssapi_krb5.h>
++#else
++ /* Heimdal-style */
++# include <gssapi.h>
++#endif
++
++void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data);
++
++#endif /* HAVE_GSSAPI */
++
++#endif /* HEADER_CURL_GSSAPI_H */
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index 4b2b254..c33669c 100644
+--- a/lib/http_negotiate.c
++++ b/lib/http_negotiate.c
+@@ -40,6 +40,7 @@
+ #include "curl_base64.h"
+ #include "http_negotiate.h"
+ #include "curl_memory.h"
++#include "curl_gssapi.h"
+
+ #ifdef HAVE_SPNEGO
+ # include <spnegohelp.h>
+@@ -143,6 +144,9 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+ bool gss;
+ const char* protocol;
+
++ OM_uint32 req_flags = 0;
++ Curl_gss_req_flags(&req_flags, conn->data);
++
+ while(*header && ISSPACE(*header))
+ header++;
+ if(checkprefix("GSS-Negotiate", header)) {
+@@ -242,7 +246,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+ &neg_ctx->context,
+ neg_ctx->server_name,
+ GSS_C_NO_OID,
+- 0,
++ req_flags,
+ 0,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &input_token,
+diff --git a/lib/krb5.c b/lib/krb5.c
+index cedab16..9d8cfa5 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -65,6 +65,7 @@
+ #include "sendf.h"
+ #include "krb4.h"
+ #include "curl_memory.h"
++#include "curl_gssapi.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -184,6 +185,9 @@ krb5_auth(void *app_data, struct connectdata *conn)
+ gss_ctx_id_t *context = app_data;
+ struct gss_channel_bindings_struct chan;
+
++ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
++ Curl_gss_req_flags(&req_flags, data);
++
+ if(getsockname(conn->sock[FIRSTSOCKET],
+ (struct sockaddr *)LOCAL_ADDR, &l) < 0)
+ perror("getsockname()");
+@@ -245,7 +249,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
+ context,
+ gssname,
+ GSS_C_NO_OID,
+- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
++ req_flags,
+ 0,
+ &chan,
+ gssresp,
+diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
+index 1ff6f60..bc7ed85 100644
+--- a/lib/socks_gssapi.c
++++ b/lib/socks_gssapi.c
+@@ -42,6 +42,7 @@
+ #include "connect.h"
+ #include "timeval.h"
+ #include "socks.h"
++#include "curl_gssapi.h"
+
+ static gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
+
+@@ -138,6 +139,9 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
+ unsigned char socksreq[4]; /* room for gssapi exchange header only */
+ char *serviceptr = data->set.str[STRING_SOCKS5_GSSAPI_SERVICE];
+
++ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
++ Curl_gss_req_flags(&req_flags, data);
++
+ /* get timeout */
+ timeout = Curl_timeleft(conn, NULL, TRUE);
+
+@@ -188,8 +192,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
+ GSS_C_NO_CREDENTIAL,
+ &gss_context, server,
+ GSS_C_NULL_OID,
+- GSS_C_MUTUAL_FLAG |
+- GSS_C_REPLAY_FLAG,
++ req_flags,
+ 0,
+ NULL,
+ gss_token,
+diff --git a/lib/url.c b/lib/url.c
+index 29fd43a..427bbce 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2031,6 +2031,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
+ va_arg(param, char *));
+ data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]);
+ break;
++ case CURLOPT_GSSAPI_DELEGATION:
++ /*
++ * GSSAPI credential delegation
++ */
++ data->set.gssapi_delegation = va_arg(param, long);
++ break;
+ case CURLOPT_SSL_VERIFYPEER:
+ /*
+ * Enable peer SSL verifying.
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ab6b5be..5773099 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1467,6 +1467,9 @@ struct UserDefined {
+ curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds
+ to pattern (e.g. if WILDCARDMATCH is on) */
+ void *fnmatch_data;
++
++ long gssapi_delegation; /* GSSAPI credential delegation, see the
++ documentation of CURLOPT_GSSAPI_DELEGATION */
+ };
+
+ struct Names {
+--
+1.7.4.4
+
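Review bot: In lib/curl_gssapi.c, the `#else` branch of Curl_gss_req_flags drops a CURLGSSAPI_DELEGATION_POLICY_FLAG request entirely when GSS_C_DELEG_POLICY_FLAG is not defined at build time, and the only signal is an infof() line that a caller sees only in verbose mode; this is the right fail-closed outcome (no delegation at all rather than unconditional delegation), but nothing in the code says so, and a later maintainer could "fix" the warning by substituting GSS_C_DELEG_FLAG. I would add, above the infof() call, `/* policy-based delegation unavailable: fail closed and request no delegation; never fall back to GSS_C_DELEG_FLAG, which would delegate unconditionally */`. A smaller point in lib/url.c: the CURLOPT_GSSAPI_DELEGATION case stores the raw long, so bits outside the two defined flags are silently accepted; since Curl_setopt returns a CURLcode, a one-line guard `if(va_arg_value & ~(CURLGSSAPI_DELEGATION_POLICY_FLAG | CURLGSSAPI_DELEGATION_FLAG)) return CURLE_BAD_FUNCTION_ARGUMENT;` (reading the argument into a local first) would surface caller mistakes instead of ignoring them. Curl_gss_req_flags is complete within the hunk, but the three call sites in Curl_input_negotiate, krb5_auth and Curl_SOCKS5_gssapi_negotiate belong to functions that start and end outside the visible lines.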
diff --git a/curl.spec b/curl.spec
index 0ca9eca..df464ba 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.21.3
-Release: 8%{?dist}
+Release: 9%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -23,6 +23,9 @@ Patch4: 0004-curl-7.21.3-5c314c6.patch
# Avoid buffer overflow report from glibc with FORTIFY_SOURCE
Patch5: 0005-curl-7.21.3-tftpd-buffer-overflow.patch
+# add a new option CURLOPT_GSSAPI_DELEGATION (#719939)
+Patch6: 0006-curl-7.21.3-a7864c4.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.21.1-multilib.patch
@@ -127,6 +130,7 @@ done
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
# Fedora patches
%patch101 -p1
@@ -240,6 +244,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Wed Aug 03 2011 Kamil Dudka <kdudka at redhat.com> 7.21.3-9
+- add a new option CURLOPT_GSSAPI_DELEGATION (#719939)
+
* Thu Jun 23 2011 Kamil Dudka <kdudka at redhat.com> 7.21.3-8
- do not delegate GSSAPI credentials (CVE-2011-2192)