Return unwrapped delegated credentials if the actual mech is not the called mech

Assumes that pseudo mechs are are of how mechglue credentails look like and return credentials like that. Pointed out on krbdev by Nicolas Williams
2009-08-26 22:32:50 -07:00
parent 559103b218
commit 022e7d4319
7 changed files with 44 additions and 155 deletions
--- a/lib/gssapi/spnego/accept_sec_context.c
+++ b/lib/gssapi/spnego/accept_sec_context.c
@@ -496,7 +496,6 @@ acceptor_start
    gss_buffer_desc mech_buf;
    gss_OID preferred_mech_type = GSS_C_NO_OID;
    gssspnego_ctx ctx;
-    gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
    int get_mic = 0;
    int first_ok = 0;

@@ -564,25 +563,18 @@ acceptor_start
 		      &preferred_mech_type);

    if (ret == 0 && ni->mechToken != NULL) {
-	gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL;
-	gss_cred_id_t mech_cred;
 	gss_buffer_desc ibuf;

 	ibuf.length = ni->mechToken->length;
 	ibuf.value = ni->mechToken->data;
 	mech_input_token = &ibuf;

-	if (acceptor_cred != NULL)
-	    mech_cred = acceptor_cred->negotiated_cred_id;
-	else
-	    mech_cred = GSS_C_NO_CREDENTIAL;
-	
 	if (ctx->mech_src_name != GSS_C_NO_NAME)
 	    gss_release_name(&junk, &ctx->mech_src_name);
 	
 	ret = gss_accept_sec_context(minor_status,
 				     &ctx->negotiated_ctx_id,
-				     mech_cred,
+				     acceptor_cred_handle,
 				     mech_input_token,
 				     input_chan_bindings,
 				     &ctx->mech_src_name,
@@ -590,18 +582,10 @@ acceptor_start
 				     &mech_output_token,
 				     &ctx->mech_flags,
 				     &ctx->mech_time_rec,
-				     &mech_delegated_cred);
-
-	if (mech_delegated_cred && delegated_cred_handle) {
-	    _gss_spnego_alloc_cred(&junk,
-				   mech_delegated_cred,
-				   delegated_cred_handle);
-	} else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL)
-	    gss_release_cred(&junk, &mech_delegated_cred);
+				     delegated_cred_handle);

 	if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
 	    ctx->preferred_mech_type = preferred_mech_type;
-	    ctx->negotiated_mech_type = preferred_mech_type;
 	    if (ret == GSS_S_COMPLETE)
 		ctx->open = 1;

@@ -646,7 +630,6 @@ acceptor_start
 	}

 	ctx->preferred_mech_type = preferred_mech_type;
-	ctx->negotiated_mech_type = preferred_mech_type;
    }

    /*
@@ -719,7 +702,7 @@ acceptor_continue
 	    gss_cred_id_t *delegated_cred_handle
 	   )
 {
-    OM_uint32 ret, ret2, minor, junk;
+    OM_uint32 ret, ret2, minor;
    NegotiationToken nt;
    size_t nt_len;
    NegTokenResp *na;
@@ -728,7 +711,6 @@ acceptor_continue
    gss_buffer_t mech_output_token = GSS_C_NO_BUFFER;
    gss_buffer_desc mech_buf;
    gssspnego_ctx ctx;
-    gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;

    mech_buf.value = NULL;

@@ -774,20 +756,13 @@ acceptor_continue
 	}

 	if (mech_input_token != GSS_C_NO_BUFFER) {
-	    gss_cred_id_t mech_cred;
-	    gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL;
-
-	    if (acceptor_cred != NULL)
-		mech_cred = acceptor_cred->negotiated_cred_id;
-	    else
-		mech_cred = GSS_C_NO_CREDENTIAL;

 	    if (ctx->mech_src_name != GSS_C_NO_NAME)
 		gss_release_name(&minor, &ctx->mech_src_name);

 	    ret = gss_accept_sec_context(&minor,
 					 &ctx->negotiated_ctx_id,
-					 mech_cred,
+					 acceptor_cred_handle,
 					 mech_input_token,
 					 input_chan_bindings,
 					 &ctx->mech_src_name,
@@ -795,14 +770,7 @@ acceptor_continue
 					 &obuf,
 					 &ctx->mech_flags,
 					 &ctx->mech_time_rec,
-					 &mech_delegated_cred);
-
-	    if (mech_delegated_cred && delegated_cred_handle) {
-		_gss_spnego_alloc_cred(&junk,
-				       mech_delegated_cred,
-				       delegated_cred_handle);
-	    } else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL)
-		gss_release_cred(&junk, &mech_delegated_cred);
+					 delegated_cred_handle);

 	    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
 		mech_output_token = &obuf;