diff --git a/lib/gssapi/gssapi_mech.h b/lib/gssapi/gssapi_mech.h
index 206a24ef7..65cabf54d 100644
--- a/lib/gssapi/gssapi_mech.h
+++ b/lib/gssapi/gssapi_mech.h
@@ -356,10 +356,15 @@ _gss_import_cred_t(OM_uint32 * minor_status,
 #define GMI_VERSION 2
+/* gm_flags */
+#define GM_USE_MG_CRED 1 /* uses mech glue credentials */
+
+
 typedef struct gssapi_mech_interface_desc {
 unsigned gm_version;
 const char *gm_name;
 gss_OID_desc gm_mech_oid;
+ unsigned gm_flags;
 _gss_acquire_cred_t *gm_acquire_cred;
 _gss_release_cred_t *gm_release_cred;
 _gss_init_sec_context_t *gm_init_sec_context;
diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c
index fc835bd84..fd81f3ebe 100644
--- a/lib/gssapi/krb5/external.c
+++ b/lib/gssapi/krb5/external.c
@@ -434,6 +434,7 @@ static gssapi_mech_interface_desc krb5_mech = {
 GMI_VERSION,
 "kerberos 5",
 {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+ 0,
 _gsskrb5_acquire_cred,
 _gsskrb5_release_cred,
 _gsskrb5_init_sec_context,
diff --git a/lib/gssapi/mech/gss_init_sec_context.c b/lib/gssapi/mech/gss_init_sec_context.c
index 579000a7e..f2e6a66d5 100644
--- a/lib/gssapi/mech/gss_init_sec_context.c
+++ b/lib/gssapi/mech/gss_init_sec_context.c
@@ -119,7 +119,10 @@ gss_init_sec_context(OM_uint32 * minor_status,
 /*
 * If we have a cred, find the cred for this mechanism.
 */
- cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
+ if (m->gm_flags & GM_USE_MG_CRED)
+ cred_handle = initiator_cred_handle;
+ else
+ cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
 major_status = m->gm_init_sec_context(minor_status,
 cred_handle,
diff --git a/lib/gssapi/ntlm/external.c b/lib/gssapi/ntlm/external.c
index cd0292490..e52ac605b 100644
--- a/lib/gssapi/ntlm/external.c
+++ b/lib/gssapi/ntlm/external.c
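Review bot: `gm_flags` is added in the middle of `struct gssapi_mech_interface_desc`, right after `gm_mech_oid`, while the context line `#define GMI_VERSION 2` is left unchanged, so a mechanism built against the previous layout would have every entry from `gm_acquire_cred` onward shifted by one slot and the new `m->gm_flags & GM_USE_MG_CRED` test in gss_init_sec_context.c would read the low bit of a function pointer. If the glue checks `gm_version` when loading a mechanism (that code is not in this diff), bumping to `#define GMI_VERSION 3` turns that silent misread into a clean load-time rejection; appending the field at the end of the struct would be the alternative. Separately, every table in this diff (krb5, ntlm, spnego) initialises the new field to `0`, so nothing sets `GM_USE_MG_CRED` yet; the comment on the macro could say what it means for callers: `#define GM_USE_MG_CRED 1 /* gm_init_sec_context receives the mech-glue cred handle itself, not the per-mech cred */`.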
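Review bot: The comment above the new branch, `If we have a cred, find the cred for this mechanism.`, now describes only the `else` path; the `GM_USE_MG_CRED` path hands the caller's mech-glue `initiator_cred_handle` to `gm_init_sec_context` unchanged, which the mechanism must then know how to interpret. Suggested wording: `/* If we have a cred, find the cred for this mechanism, unless the mechanism asked (GM_USE_MG_CRED) for the mech-glue handle itself. */`. The if/else bodies are unbraced single statements; the file's existing style may allow that, but braces would make the next edit to this spot safer. Only `gss_init_sec_context` is touched; if the accept-side and inquire paths also resolve the per-mechanism cred with `_gss_mech_cred_find`, a mechanism setting the flag would receive different handle types on different entry points, which is worth checking before any mechanism uses it. `gss_init_sec_context` starts and ends outside the hunk.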
@@ -39,6 +39,7 @@ static gssapi_mech_interface_desc ntlm_mech = {
 GMI_VERSION,
 "ntlm",
 {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") },
+ 0,
 _gss_ntlm_acquire_cred,
 _gss_ntlm_release_cred,
 _gss_ntlm_init_sec_context,
diff --git a/lib/gssapi/spnego/cred_stubs.c b/lib/gssapi/spnego/cred_stubs.c
index 8d6b1270d..b1eb0be6d 100644
--- a/lib/gssapi/spnego/cred_stubs.c
+++ b/lib/gssapi/spnego/cred_stubs.c
@@ -171,41 +171,6 @@ OM_uint32 _gss_spnego_inquire_cred
 return ret;
 }
-OM_uint32 _gss_spnego_add_cred (
- OM_uint32 * minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
- const gss_OID desired_mech,
- gss_cred_usage_t cred_usage,
- OM_uint32 initiator_time_req,
- OM_uint32 acceptor_time_req,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * initiator_time_rec,
- OM_uint32 * acceptor_time_rec
- )
-{
- OM_uint32 ret, tmp;
- *output_cred_handle = GSS_C_NO_CREDENTIAL;
- ret = gss_add_cred(minor_status,
- input_cred_handle,
- desired_name,
- desired_mech,
- cred_usage,
- initiator_time_req,
- acceptor_time_req,
- output_cred_handle,
- actual_mechs,
- initiator_time_rec,
- acceptor_time_rec);
- if (ret)
- return ret;
- return GSS_S_COMPLETE;
-}
 OM_uint32 _gss_spnego_inquire_cred_by_mech (
 OM_uint32 * minor_status,
 const gss_cred_id_t cred_handle,
diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c
index f3edcba38..cd7508d24 100644
--- a/lib/gssapi/spnego/external.c
+++ b/lib/gssapi/spnego/external.c
@@ -46,6 +46,7 @@ static gssapi_mech_interface_desc spnego_mech = {
 GMI_VERSION,
 "spnego",
 {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+ 0,
 _gss_spnego_acquire_cred,
 _gss_spnego_release_cred,
 _gss_spnego_init_sec_context,
@@ -67,7 +68,7 @@ static gssapi_mech_interface_desc spnego_mech = {
 _gss_spnego_inquire_cred,
 _gss_spnego_inquire_context,
 _gss_spnego_wrap_size_limit,
- _gss_spnego_add_cred,
+ gss_add_cred,
 _gss_spnego_inquire_cred_by_mech,
 _gss_spnego_export_sec_context,
 _gss_spnego_import_sec_context,
diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c
index e1d787fec..36e8a90b4 100644
--- a/lib/gssapi/test_context.c
+++ b/lib/gssapi/test_context.c
@@ -773,6 +773,9 @@ main(int argc, char **argv)
 gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
 gss_buffer_desc cb;
+ if (verbose_flag)
+ printf("checking actual mech (%s) on delegated cred\n",
+ oid_to_string(actual_mech));
 loop(actual_mech, nameoid, argv[0], deleg_cred, &cctx, &sctx, &actual_mech2, &cred2);
 gss_delete_sec_context(&min_stat, &cctx, NULL);
@@ -780,6 +783,17 @@ main(int argc, char **argv)
 gss_release_cred(&min_stat, &cred2);
+ /* try again using SPNEGO */
+ if (verbose_flag)
+ printf("checking spnego on delegated cred\n");
+ loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &cctx, &sctx,
+ &actual_mech2, &cred2);
+
+ gss_delete_sec_context(&min_stat, &cctx, NULL);
+ gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+ gss_release_cred(&min_stat, &cred2);
+
 /* check export/import */
 if (ei_flag) {
@@ -787,6 +801,7 @@ main(int argc, char **argv)
 if (maj_stat != GSS_S_COMPLETE)
 errx(1, "export failed: %s",
 gssapi_err(maj_stat, min_stat, NULL));
+
 maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
 if (maj_stat != GSS_S_COMPLETE)
 errx(1, "import failed: %s",
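Review bot: Pointing `gm_add_cred` straight at the mech-glue `gss_add_cred` drops the `*output_cred_handle = GSS_C_NO_CREDENTIAL;` that the deleted `_gss_spnego_add_cred` wrapper (cred_stubs.c hunk) performed before delegating, so a caller that reads the output handle after an error return now depends on `gss_add_cred` clearing it itself; worth confirming in the glue's implementation. If `gss_add_cred` dispatches on `desired_mech` through the mechanism table, a call with the SPNEGO OID would land back in this same slot, so a comment on the entry, e.g. `gss_add_cred, /* delegate to the mech glue; the glue must not dispatch back to spnego */`, would record the assumption the table now relies on. The slot is a function-pointer typedef declared in gssapi_mech.h outside the hunk shown; the initializer is only well-typed if `gss_add_cred`'s prototype matches it exactly, which the compiler's incompatible-pointer warning on a clean build would confirm.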
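Review bot: The `gss_delete_sec_context`/`gss_delete_sec_context`/`gss_release_cred` teardown after `loop()` is now written out four times: here after the SPNEGO run on the delegated cred, and twice more in the `@@ -795,16 +810,34 @@` hunk after the export/import runs, and each copy has to name the right credential (`cred2` here, `deleg_cred` there), which is exactly the repetition where a later edit releases the wrong handle. A small static helper taking the two contexts and the credential would make each call site one line and keep the release sequence in one place; `main` starts and ends outside these hunks. Also `oid_to_string(actual_mech)` is passed to `printf` in the verbose branches; if it returns allocated storage the test leaks it on every call, harmless for a test but worth a glance.
```c
/* Tear down the contexts and credential produced by one loop() run. */
static void
release_loop_state(gss_ctx_id_t *cctx, gss_ctx_id_t *sctx, gss_cred_id_t *cred)
{
    OM_uint32 min_stat;

    gss_delete_sec_context(&min_stat, cctx, NULL);
    gss_delete_sec_context(&min_stat, sctx, NULL);
    gss_release_cred(&min_stat, cred);
}

/* … unchanged: verbose printf … */
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &cctx, &sctx,
     &actual_mech2, &cred2);
release_loop_state(&cctx, &sctx, &cred2);
```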
@@ -795,16 +810,34 @@ main(int argc, char **argv)
 gss_release_buffer(&min_stat, &cb);
 gss_release_cred(&min_stat, &deleg_cred);
- loop(actual_mech, nameoid, argv[0], cred2, &cctx, &sctx, &actual_mech2, &deleg_cred);
+ if (verbose_flag)
+ printf("checking actual mech (%s) on export/imported cred\n",
+ oid_to_string(actual_mech));
+ loop(actual_mech, nameoid, argv[0], cred2, &cctx, &sctx,
+ &actual_mech2, &deleg_cred);
+
+ gss_release_cred(&min_stat, &deleg_cred);
+
+ gss_delete_sec_context(&min_stat, &cctx, NULL);
+ gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+ /* try again using SPNEGO */
+ if (verbose_flag)
+ printf("checking SPNEGO on export/imported cred\n");
+ loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &cctx, &sctx,
+ &actual_mech2, &deleg_cred);
+
+ gss_release_cred(&min_stat, &deleg_cred);
+
+ gss_delete_sec_context(&min_stat, &cctx, NULL);
+ gss_delete_sec_context(&min_stat, &sctx, NULL);
 gss_release_cred(&min_stat, &cred2);
+
+ } else {
+ gss_release_cred(&min_stat, &deleg_cred);
 }
- gss_delete_sec_context(&min_stat, &cctx, NULL);
- gss_delete_sec_context(&min_stat, &sctx, NULL);
-
- gss_release_cred(&min_stat, &deleg_cred);
-
 }