Add flag to not add gss-api INT|CONF to the negotiation

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22655 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-02-26 12:40:35 +00:00
parent c4e1402fd8
commit 27a3ca100e
5 changed files with 67 additions and 24 deletions
--- a/lib/gssapi/ChangeLog
+++ b/lib/gssapi/ChangeLog
@@ -1,3 +1,7 @@
+2008-02-26  Love H<>rnquist <20>strand  <lha@it.su.se>
+
+	* Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
+
 2008-02-21  Love H<>rnquist <20>strand  <lha@it.su.se>

 	* make the SPNEGO mech store the error itself instead, works for
--- a/lib/gssapi/gssapi/gssapi_krb5.h
+++ b/lib/gssapi/gssapi/gssapi_krb5.h
@@ -80,6 +80,7 @@ extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
 /* Extensions creds */
 extern gss_OID GSS_KRB5_IMPORT_CRED_X;
 extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
+extern gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;

 /*
 * kerberos mechanism specific functions
--- a/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/lib/gssapi/krb5/gsskrb5_locl.h
@@ -86,6 +86,7 @@ typedef struct {
  krb5_principal principal;
  int cred_flags;
 #define GSS_CF_DESTROY_CRED_ON_RELEASE	1
+#define GSS_CF_NO_CI_FLAGS		2
  struct krb5_keytab_data *keytab;
  OM_uint32 lifetime;
  gss_cred_usage_t usage;
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@@ -326,7 +326,7 @@ do_delegation (krb5_context context,
 static OM_uint32
 init_auth
 (OM_uint32 * minor_status,
- gsskrb5_cred initiator_cred_handle,
+ gsskrb5_cred cred,
 gsskrb5_ctx ctx,
 krb5_context context,
 krb5_const_principal name,
@@ -344,7 +344,7 @@ init_auth
    OM_uint32 ret = GSS_S_FAILURE;
    krb5_error_code kret;
    krb5_flags ap_options;
-    krb5_creds *cred = NULL;
+    krb5_creds *kcred = NULL;
    krb5_data outbuf;
    krb5_ccache ccache = NULL;
    uint32_t flags;
@@ -362,7 +362,7 @@ init_auth
    if (actual_mech_type)
 	*actual_mech_type = GSS_KRB5_MECHANISM;

-    if (initiator_cred_handle == NULL) {
+    if (cred == NULL) {
 	kret = krb5_cc_default (context, &ccache);
 	if (kret) {
 	    *minor_status = kret;
@@ -370,7 +370,7 @@ init_auth
 	    goto failure;
 	}
    } else
-	ccache = initiator_cred_handle->ccache;
+	ccache = cred->ccache;

    kret = krb5_cc_get_principal (context, ccache, &ctx->source);
    if (kret) {
@@ -400,8 +400,8 @@ init_auth
    {
 	krb5_enctype *enctypes = NULL;

-	if (initiator_cred_handle && initiator_cred_handle->enctypes)
-	    enctypes = initiator_cred_handle->enctypes;
+	if (cred && cred->enctypes)
+	    enctypes = cred->enctypes;
 	krb5_set_default_in_tkt_etypes(context, enctypes);
    }

@@ -412,11 +412,11 @@ init_auth
 			    ctx->target,
 			    time_req,
 			    time_rec,
-			    &cred);
+			    &kcred);
    if (ret)
 	goto failure;

-    ctx->lifetime = cred->times.endtime;
+    ctx->lifetime = kcred->times.endtime;

    ret = _gsskrb5_lifetime_left(minor_status,
 				 context,
@@ -434,11 +434,11 @@ init_auth

    krb5_auth_con_setkey(context, 
 			 ctx->auth_context, 
-			 &cred->session);
+			 &kcred->session);

    kret = krb5_auth_con_generatelocalsubkey(context, 
 					     ctx->auth_context,
-					     &cred->session);
+					     &kcred->session);
    if(kret) {
 	*minor_status = kret;
 	ret = GSS_S_FAILURE;
@@ -452,7 +452,7 @@ init_auth
     * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
     * KDC doesn't set ok-as-delegate.
     */
-    if (!cred->flags.b.ok_as_delegate) {
+    if (!kcred->flags.b.ok_as_delegate) {
 	krb5_boolean delegate;
    
 	krb5_appdefault_boolean(context,
@@ -467,7 +467,7 @@ init_auth
    if (req_flags & GSS_C_DELEG_FLAG)
 	do_delegation (context,
 		       ctx->auth_context,
-		       ccache, cred, name, &fwd_data, &flags);
+		       ccache, kcred, name, &fwd_data, &flags);
    
    if (req_flags & GSS_C_MUTUAL_FLAG) {
 	flags |= GSS_C_MUTUAL_FLAG;
@@ -490,8 +490,10 @@ init_auth
    if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
 	flags |= GSS_C_EXTENDED_ERROR_FLAG;

-    flags |= GSS_C_CONF_FLAG;
-    flags |= GSS_C_INTEG_FLAG;
+    if (cred == NULL || !(cred->cred_flags & GSS_CF_NO_CI_FLAGS)) {
+	flags |= GSS_C_CONF_FLAG;
+	flags |= GSS_C_INTEG_FLAG;
+    }
    flags |= GSS_C_TRANS_FLAG;
    
    if (ret_flags)
@@ -513,7 +515,7 @@ init_auth
    kret = krb5_build_authenticator (context,
 				     ctx->auth_context,
 				     enctype,
-				     cred,
+				     kcred,
 				     &cksum,
 				     NULL,
 				     &authenticator,
@@ -527,7 +529,7 @@ init_auth

    kret = krb5_build_ap_req (context,
 			      enctype,
-			      cred,
+			      kcred,
 			      ap_options,
 			      authenticator,
 			      &outbuf);
@@ -544,9 +546,9 @@ init_auth
 	goto failure;

    krb5_data_free (&outbuf);
-    krb5_free_creds(context, cred);
+    krb5_free_creds(context, kcred);
    free_Checksum(&cksum);
-    if (initiator_cred_handle == NULL)
+    if (cred == NULL)
 	krb5_cc_close(context, ccache);

    if (flags & GSS_C_MUTUAL_FLAG) {
@@ -557,8 +559,8 @@ init_auth
    return gsskrb5_initiator_ready(minor_status, ctx, context);
 failure:
    if(cred)
-	krb5_free_creds(context, cred);
-    if (ccache && initiator_cred_handle == NULL)
+	krb5_free_creds(context, kcred);
+    if (ccache && cred == NULL)
 	krb5_cc_close(context, ccache);

    return ret;
@@ -682,7 +684,7 @@ repl_mutual

 OM_uint32 _gsskrb5_init_sec_context
 (OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ const gss_cred_id_t cred_handle,
 gss_ctx_id_t * context_handle,
 const gss_name_t target_name,
 const gss_OID mech_type,
@@ -697,7 +699,7 @@ OM_uint32 _gsskrb5_init_sec_context
    )
 {
    krb5_context context;
-    gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
+    gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
    krb5_const_principal name = (krb5_const_principal)target_name;
    gsskrb5_ctx ctx;
    OM_uint32 ret;
--- a/lib/gssapi/krb5/set_cred_option.c
+++ b/lib/gssapi/krb5/set_cred_option.c
@@ -34,11 +34,20 @@

 RCSID("$Id$");

+/* 1.2.752.43.13.17 */
+static gss_OID_desc gss_krb5_ccache_name_x_oid_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")};
+
+gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &gss_krb5_ccache_name_x_oid_desc;
+
+/* 1.2.752.43.13.18 */
 static gss_OID_desc gss_krb5_import_cred_x_oid_desc =
-{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")};

 gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;

+
+
 static OM_uint32
 import_cred(OM_uint32 *minor_status,
 	    krb5_context context,
@@ -201,6 +210,27 @@ out:
    return major_stat;
 }

+static OM_uint32
+no_ci_flags(OM_uint32 *minor_status,
+	    krb5_context context,
+	    gss_cred_id_t *cred_handle,
+	    const gss_buffer_t value)
+{
+    gsskrb5_cred cred;
+
+    if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    cred = (gsskrb5_cred)*cred_handle;
+    cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
+	
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+
+}
+

 OM_uint32
 _gsskrb5_set_cred_option
@@ -224,6 +254,11 @@ _gsskrb5_set_cred_option
    if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X))
 	return allowed_enctypes(minor_status, context, cred_handle, value);

+    if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
+	return no_ci_flags(minor_status, context, cred_handle, value);
+    }
+	
+
    *minor_status = EINVAL;
    return GSS_S_FAILURE;
 }