sasl_gssapi: Fixed honouring of no mutual authentication

diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index 7c961c9f27b4b037b18df81232ec0db69b05eb81..2cd14fff0a0585dbd0785f81c2bb879fb0f28a33 100644 (file)
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -41,9 +41,13 @@ OM_uint32 Curl_gss_init_sec_context(
     gss_channel_bindings_t input_chan_bindings,
     gss_buffer_t input_token,
     gss_buffer_t output_token,
+    const bool mutual_auth,
     OM_uint32 *ret_flags)
 {
-  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
+  OM_uint32 req_flags = GSS_C_REPLAY_FLAG;
+
+  if(mutual_auth)
+    req_flags |= GSS_C_MUTUAL_FLAG;
 
   if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
 #ifdef GSS_C_DELEG_POLICY_FLAG

diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
index bd7e35c32caad8939476e41d81697b0a489fab2e..aaab78461ab21f39f4d57eb6edcc0fd6427f8757 100644 (file)
--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
@@ -53,6 +53,7 @@ OM_uint32 Curl_gss_init_sec_context(
     gss_channel_bindings_t input_chan_bindings,
     gss_buffer_t input_token,
     gss_buffer_t output_token,
+    const bool mutual_auth,
     OM_uint32 *ret_flags);
 
 /* Helper to log a GSS - API error status */

diff --git a/lib/curl_sasl_gssapi.c b/lib/curl_sasl_gssapi.c
index 5d044210cc3385fa4fab10ca10edca45235aeb60..2bbbc590dceed8f0e1a5e3b3658acd4a1763e2a8 100644 (file)
--- a/lib/curl_sasl_gssapi.c
+++ b/lib/curl_sasl_gssapi.c
@@ -107,7 +107,6 @@ CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data,
 
   (void) userp;
   (void) passwdp;
-  (void) mutual_auth;
 
   if(krb5->context == GSS_C_NO_CONTEXT) {
     /* Generate our SPN */
@@ -155,6 +154,7 @@ CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data,
                                                GSS_C_NO_CHANNEL_BINDINGS,
                                                &input_token,
                                                &output_token,
+                                               mutual_auth,
                                                NULL);
 
   Curl_safefree(input_token.value);

diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index de009a49f152a22bd28d6c7d9b86a3a9bffb5b92..97d0cb7625bbec6869a72416bd61d197911bd824 100644 (file)
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -122,6 +122,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                                            GSS_C_NO_CHANNEL_BINDINGS,
                                            &input_token,
                                            &output_token,
+                                           TRUE,
                                            NULL);
   Curl_safefree(input_token.value);
 

diff --git a/lib/krb5.c b/lib/krb5.c
index bc90c121879bd1a5c8297ab6e9fa16556c98435d..a0d7bb4f07cd0dda161554d95dc91700be008cf1 100644 (file)
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -236,6 +236,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
                                       &chan,
                                       gssresp,
                                       &output_buffer,
+                                      TRUE,
                                       NULL);
 
       if(gssresp) {

diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
index 831b8f6550811572e026498fea46dd07433bf017..f195c1a0e4d99c102125636c653b144957294acc 100644 (file)
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@@ -185,6 +185,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
                                                  NULL,
                                                  gss_token,
                                                  &gss_send_token,
+                                                 TRUE,
                                                  &gss_ret_flags);
 
     if(gss_token != GSS_C_NO_BUFFER)