sasl_gssapi: Fixed honouring of no mutual authentication

750203bd · Steve Holme · 0fcd74b8 · 750203bd · 750203bd · 750203bd
Commit 750203bd authored 10 years ago by Steve Holme
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -41,9 +41,13 @@ OM_uint32 Curl_gss_init_sec_context(
    gss_channel_bindings_t input_chan_bindings,
    gss_buffer_t input_token,
    gss_buffer_t output_token,
+    const bool mutual_auth,
    OM_uint32 *ret_flags)
 {
-  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
+  OM_uint32 req_flags = GSS_C_REPLAY_FLAG;
+
+  if(mutual_auth)
+    req_flags |= GSS_C_MUTUAL_FLAG;

  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
 #ifdef GSS_C_DELEG_POLICY_FLAG

--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
@@ -53,6 +53,7 @@ OM_uint32 Curl_gss_init_sec_context(
    gss_channel_bindings_t input_chan_bindings,
    gss_buffer_t input_token,
    gss_buffer_t output_token,
+    const bool mutual_auth,
    OM_uint32 *ret_flags);

 /* Helper to log a GSS - API error status */

--- a/lib/curl_sasl_gssapi.c
+++ b/lib/curl_sasl_gssapi.c
@@ -107,7 +107,6 @@ CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data,

  (void) userp;
  (void) passwdp;
-  (void) mutual_auth;

  if(krb5->context == GSS_C_NO_CONTEXT) {
    /* Generate our SPN */
@@ -155,6 +154,7 @@ CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data,
                                               GSS_C_NO_CHANNEL_BINDINGS,
                                               &input_token,
                                               &output_token,
+                                               mutual_auth,
                                               NULL);

  Curl_safefree(input_token.value);

--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -122,6 +122,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                                           GSS_C_NO_CHANNEL_BINDINGS,
                                           &input_token,
                                           &output_token,
+                                           TRUE,
                                           NULL);
  Curl_safefree(input_token.value);


--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -236,6 +236,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
                                      &chan,
                                      gssresp,
                                      &output_buffer,
+                                      TRUE,
                                      NULL);

      if(gssresp) {

--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@@ -185,6 +185,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
                                                 NULL,
                                                 gss_token,
                                                 &gss_send_token,
+                                                 TRUE,
                                                 &gss_ret_flags);

    if(gss_token != GSS_C_NO_BUFFER)