Make mech glue layer aware of composite mechs that use mech glue layer credentials

This makes it possible to use krb5/ntlm credentials with SPNEGO.
Needs some more work to avoid double fetching credentials.
This commit is contained in:
Love Hornquist Astrand
2009-08-27 12:12:44 -07:00
parent 32ee735d73
commit 1999c85670
7 changed files with 52 additions and 43 deletions


@@ -356,10 +356,15 @@ _gss_import_cred_t(OM_uint32 * minor_status,
#define GMI_VERSION 2
/* gm_flags */
#define GM_USE_MG_CRED 1 /* uses mech glue credentials */
typedef struct gssapi_mech_interface_desc {
unsigned gm_version;
const char *gm_name;
gss_OID_desc gm_mech_oid;
unsigned gm_flags;
_gss_acquire_cred_t *gm_acquire_cred;
_gss_release_cred_t *gm_release_cred;
_gss_init_sec_context_t *gm_init_sec_context;
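Review bot: The new `GM_USE_MG_CRED` bit on L17 is documented only as "uses mech glue credentials", which does not tell a mechanism author what they are signing up for; from the glue change elsewhere on this page, a mechanism that sets the bit is handed the caller's `initiator_cred_handle` (the glue's composite credential) instead of a handle its own `gm_acquire_cred` produced, so it must not cast that handle to its private credential type. I would extend the comment to `/* mech is passed the glue's composite cred handle instead of one of its own and must resolve per-mech creds itself */`. Adding `gm_flags` in the middle of `gssapi_mech_interface_desc` also changes the layout seen by loadable mechanisms; if `GMI_VERSION 2` on L15 is the bump that admits the field, every reader of `gm_flags` should check `gm_version` first, since an older plugin would expose an uninitialized word there. The typedef continues past the end of the hunk.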


@@ -434,6 +434,7 @@ static gssapi_mech_interface_desc krb5_mech = {
GMI_VERSION,
"kerberos 5",
{9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
0,
_gsskrb5_acquire_cred,
_gsskrb5_release_cred,
_gsskrb5_init_sec_context,


@@ -119,7 +119,10 @@ gss_init_sec_context(OM_uint32 * minor_status,
/*
* If we have a cred, find the cred for this mechanism.
*/
cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
if (m->gm_flags & GM_USE_MG_CRED)
cred_handle = initiator_cred_handle;
else
cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
major_status = m->gm_init_sec_context(minor_status,
cred_handle,
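Review bot: The `GM_USE_MG_CRED` branch on L45–L46 removes the guarantee the old lookup gave: `_gss_mech_cred_find` only ever returned a credential belonging to `mech_type`, whereas the new path forwards whatever `initiator_cred_handle` the caller supplied with no check that it holds anything the mechanism can use, so a composite mechanism now has to do that validation itself (and the commit message admits the double fetch is still unsolved). `gm_flags` is also read unconditionally; if mechanisms loaded with an older `gm_version` predate the field, gate the read, e.g. `if (m->gm_version >= GMI_VERSION && (m->gm_flags & GM_USE_MG_CRED))` — hedged, as the version handling is not visible here. A one-line comment above the test, `/* composite mechs pick per-mech creds out of the glue cred themselves */`, would explain why the lookup is skipped. gss_init_sec_context begins and ends outside this hunk.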


@@ -39,6 +39,7 @@ static gssapi_mech_interface_desc ntlm_mech = {
GMI_VERSION,
"ntlm",
{10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") },
0,
_gss_ntlm_acquire_cred,
_gss_ntlm_release_cred,
_gss_ntlm_init_sec_context,


@@ -171,41 +171,6 @@ OM_uint32 _gss_spnego_inquire_cred
return ret;
}
OM_uint32 _gss_spnego_add_cred (
OM_uint32 * minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * initiator_time_rec,
OM_uint32 * acceptor_time_rec
)
{
OM_uint32 ret, tmp;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
ret = gss_add_cred(minor_status,
input_cred_handle,
desired_name,
desired_mech,
cred_usage,
initiator_time_req,
acceptor_time_req,
output_cred_handle,
actual_mechs,
initiator_time_rec,
acceptor_time_rec);
if (ret)
return ret;
return GSS_S_COMPLETE;
}
OM_uint32 _gss_spnego_inquire_cred_by_mech (
OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,


@@ -46,6 +46,7 @@ static gssapi_mech_interface_desc spnego_mech = {
GMI_VERSION,
"spnego",
{6, (void *)"\x2b\x06\x01\x05\x05\x02"},
0,
_gss_spnego_acquire_cred,
_gss_spnego_release_cred,
_gss_spnego_init_sec_context,
@@ -67,7 +68,7 @@ static gssapi_mech_interface_desc spnego_mech = {
_gss_spnego_inquire_cred,
_gss_spnego_inquire_context,
_gss_spnego_wrap_size_limit,
_gss_spnego_add_cred,
gss_add_cred,
_gss_spnego_inquire_cred_by_mech,
_gss_spnego_export_sec_context,
_gss_spnego_import_sec_context,
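Review bot: spnego_mech's new `gm_flags` initializer on L109 is `0`, so although the commit message says this lets SPNEGO use krb5/ntlm credentials, no mechanism in this diff actually sets `GM_USE_MG_CRED` and the glue will keep calling `_gss_mech_cred_find` for SPNEGO; unless the flag is set somewhere outside this diff, L109 should read `GM_USE_MG_CRED,` (or the message should say the wiring comes in a later commit). Installing the glue's `gss_add_cred` directly on L118 is equivalent to the removed `_gss_spnego_add_cred`, which only pre-cleared `output_cred_handle` and forwarded its arguments, so that part looks fine; a short comment, `/* the glue's gss_add_cred operates on the composite cred directly */`, would save the next reader the lookup. Both hunks sit inside the spnego_mech initializer, which starts before and ends after them.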


@@ -773,6 +773,9 @@ main(int argc, char **argv)
gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
gss_buffer_desc cb;
if (verbose_flag)
printf("checking actual mech (%s) on delegated cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], deleg_cred, &cctx, &sctx, &actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
@@ -780,6 +783,17 @@ main(int argc, char **argv)
gss_release_cred(&min_stat, &cred2);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking spnego on delegated cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &cctx, &sctx,
&actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
/* check export/import */
if (ei_flag) {
@@ -787,6 +801,7 @@ main(int argc, char **argv)
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import failed: %s",
@@ -795,16 +810,34 @@ main(int argc, char **argv)
gss_release_buffer(&min_stat, &cb);
gss_release_cred(&min_stat, &deleg_cred);
loop(actual_mech, nameoid, argv[0], cred2, &cctx, &sctx, &actual_mech2, &deleg_cred);
if (verbose_flag)
printf("checking actual mech (%s) on export/imported cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], cred2, &cctx, &sctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking SPNEGO on export/imported cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &cctx, &sctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
} else {
gss_release_cred(&min_stat, &deleg_cred);
}
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &deleg_cred);
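Review bot: The new SPNEGO passes on L138–L139 and L167–L168 discard their result: `actual_mech2` is filled in but never compared with `actual_mech`, so a run in which SPNEGO negotiates a different mechanism, or does not use the delegated credential at all, still passes — which is exactly the regression this commit is trying to catch. After each SPNEGO `loop()` I would add `if (!gss_oid_equal(actual_mech2, actual_mech)) errx(1, "spnego negotiated %s, expected %s", oid_to_string(actual_mech2), oid_to_string(actual_mech));` (assuming `loop()`, which is defined outside the hunk, does not already check this). Minor: `deleg_cred` is released in both branches of `if (ei_flag)` and again on L178; harmless if `gss_release_cred` resets the handle, but the trailing release is redundant. main begins before this hunk.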
}