Make mech glue layer aware of composite mechs that uses mech glue layer credentials

This make it possible to use krb5/ntlm credentials with SPNEGO.
Needs some more work to avoid double fetching credentials.

lib/gssapi/gssapi_mech.h

@@ -356,10 +356,15 @@ _gss_import_cred_t(OM_uint32 * minor_status,
 
 #define GMI_VERSION 2
 
+/* gm_flags */
+#define GM_USE_MG_CRED      	1	/* uses mech glue credentials */
+
+
 typedef struct gssapi_mech_interface_desc {
 	unsigned			gm_version;
 	const char			*gm_name;
 	gss_OID_desc			gm_mech_oid;
+        unsigned			gm_flags;
 	_gss_acquire_cred_t		*gm_acquire_cred;
 	_gss_release_cred_t		*gm_release_cred;
 	_gss_init_sec_context_t		*gm_init_sec_context;

lib/gssapi/krb5/external.c

@@ -434,6 +434,7 @@ static gssapi_mech_interface_desc krb5_mech = {
     GMI_VERSION,
     "kerberos 5",
     {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+    0,
     _gsskrb5_acquire_cred,
     _gsskrb5_release_cred,
     _gsskrb5_init_sec_context,

lib/gssapi/mech/gss_init_sec_context.c

@@ -119,7 +119,10 @@ gss_init_sec_context(OM_uint32 * minor_status,
 	/*
 	 * If we have a cred, find the cred for this mechanism.
 	 */
-	cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
+	if (m->gm_flags & GM_USE_MG_CRED)
+		cred_handle = initiator_cred_handle;
+	else
+		cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
 
 	major_status = m->gm_init_sec_context(minor_status,
 	    cred_handle,

lib/gssapi/ntlm/external.c

@@ -39,6 +39,7 @@ static gssapi_mech_interface_desc ntlm_mech = {
     GMI_VERSION,
     "ntlm",
     {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") },
+    0,
     _gss_ntlm_acquire_cred,
     _gss_ntlm_release_cred,
     _gss_ntlm_init_sec_context,

lib/gssapi/spnego/cred_stubs.c

@@ -171,41 +171,6 @@ OM_uint32 _gss_spnego_inquire_cred
     return ret;
 }
 
-OM_uint32 _gss_spnego_add_cred (
-            OM_uint32 * minor_status,
-            const gss_cred_id_t input_cred_handle,
-            const gss_name_t desired_name,
-            const gss_OID desired_mech,
-            gss_cred_usage_t cred_usage,
-            OM_uint32 initiator_time_req,
-            OM_uint32 acceptor_time_req,
-            gss_cred_id_t * output_cred_handle,
-            gss_OID_set * actual_mechs,
-            OM_uint32 * initiator_time_rec,
-            OM_uint32 * acceptor_time_rec
-           )
-{
-    OM_uint32 ret, tmp;
-
-    *output_cred_handle = GSS_C_NO_CREDENTIAL;
-
-    ret = gss_add_cred(minor_status,
-		       input_cred_handle,
-		       desired_name,
-		       desired_mech,
-		       cred_usage,
-		       initiator_time_req,
-		       acceptor_time_req,
-		       output_cred_handle,
-		       actual_mechs,
-		       initiator_time_rec,
-		       acceptor_time_rec);
-    if (ret)
-	return ret;
-
-    return GSS_S_COMPLETE;
-}
-
 OM_uint32 _gss_spnego_inquire_cred_by_mech (
             OM_uint32 * minor_status,
             const gss_cred_id_t cred_handle,

lib/gssapi/spnego/external.c

@@ -46,6 +46,7 @@ static gssapi_mech_interface_desc spnego_mech = {
     GMI_VERSION,
     "spnego",
     {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+    0,
     _gss_spnego_acquire_cred,
     _gss_spnego_release_cred,
     _gss_spnego_init_sec_context,
@@ -67,7 +68,7 @@ static gssapi_mech_interface_desc spnego_mech = {
     _gss_spnego_inquire_cred,
     _gss_spnego_inquire_context,
     _gss_spnego_wrap_size_limit,
-    _gss_spnego_add_cred,
+    gss_add_cred,
     _gss_spnego_inquire_cred_by_mech,
     _gss_spnego_export_sec_context,
     _gss_spnego_import_sec_context,

lib/gssapi/test_context.c

@@ -773,6 +773,9 @@ main(int argc, char **argv)
 	gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
 	gss_buffer_desc cb;
 
+	if (verbose_flag)
+	    printf("checking actual mech (%s) on delegated cred\n", 
+		   oid_to_string(actual_mech));
 	loop(actual_mech, nameoid, argv[0], deleg_cred, &cctx, &sctx, &actual_mech2, &cred2);
 
 	gss_delete_sec_context(&min_stat, &cctx, NULL);
@@ -780,6 +783,17 @@ main(int argc, char **argv)
 
 	gss_release_cred(&min_stat, &cred2);
 
+	/* try again using SPNEGO */
+	if (verbose_flag)
+	    printf("checking spnego on delegated cred\n");
+	loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &cctx, &sctx,
+	     &actual_mech2, &cred2);
+
+	gss_delete_sec_context(&min_stat, &cctx, NULL);
+	gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+	gss_release_cred(&min_stat, &cred2);
+
 	/* check export/import */
 	if (ei_flag) {
 
@@ -787,6 +801,7 @@ main(int argc, char **argv)
 	    if (maj_stat != GSS_S_COMPLETE)
 		errx(1, "export failed: %s",
 		     gssapi_err(maj_stat, min_stat, NULL));
+
 	    maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
 	    if (maj_stat != GSS_S_COMPLETE)
 		errx(1, "import failed: %s",
@@ -795,16 +810,34 @@ main(int argc, char **argv)
 	    gss_release_buffer(&min_stat, &cb);
 	    gss_release_cred(&min_stat, &deleg_cred);
 	    
-	    loop(actual_mech, nameoid, argv[0], cred2, &cctx, &sctx, &actual_mech2, &deleg_cred);
+	    if (verbose_flag)
+		printf("checking actual mech (%s) on export/imported cred\n", 
+		       oid_to_string(actual_mech));
+	    loop(actual_mech, nameoid, argv[0], cred2, &cctx, &sctx,
+		 &actual_mech2, &deleg_cred);
+
+	    gss_release_cred(&min_stat, &deleg_cred);
+
+	    gss_delete_sec_context(&min_stat, &cctx, NULL);
+	    gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+	    /* try again using SPNEGO */
+	    if (verbose_flag)
+		printf("checking SPNEGO on export/imported cred\n");
+	    loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &cctx, &sctx,
+		 &actual_mech2, &deleg_cred);
+
+	    gss_release_cred(&min_stat, &deleg_cred);
+	    
+	    gss_delete_sec_context(&min_stat, &cctx, NULL);
+	    gss_delete_sec_context(&min_stat, &sctx, NULL);
 
 	    gss_release_cred(&min_stat, &cred2);
+
+	} else  {
+	    gss_release_cred(&min_stat, &deleg_cred);
 	}
 
-	gss_delete_sec_context(&min_stat, &cctx, NULL);
-	gss_delete_sec_context(&min_stat, &sctx, NULL);
-
-	gss_release_cred(&min_stat, &deleg_cred);
-
     }