Add flag to not add gss-api INT|CONF to the negotiation
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22655 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -86,6 +86,7 @@ typedef struct {
|
||||
krb5_principal principal;
|
||||
int cred_flags;
|
||||
#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
|
||||
#define GSS_CF_NO_CI_FLAGS 2
|
||||
struct krb5_keytab_data *keytab;
|
||||
OM_uint32 lifetime;
|
||||
gss_cred_usage_t usage;
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997 - 2007 Kungliga Tekniska H<>gskolan
|
||||
* Copyright (c) 1997 - 2008 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@@ -326,7 +326,7 @@ do_delegation (krb5_context context,
|
||||
static OM_uint32
|
||||
init_auth
|
||||
(OM_uint32 * minor_status,
|
||||
gsskrb5_cred initiator_cred_handle,
|
||||
gsskrb5_cred cred,
|
||||
gsskrb5_ctx ctx,
|
||||
krb5_context context,
|
||||
krb5_const_principal name,
|
||||
@@ -344,7 +344,7 @@ init_auth
|
||||
OM_uint32 ret = GSS_S_FAILURE;
|
||||
krb5_error_code kret;
|
||||
krb5_flags ap_options;
|
||||
krb5_creds *cred = NULL;
|
||||
krb5_creds *kcred = NULL;
|
||||
krb5_data outbuf;
|
||||
krb5_ccache ccache = NULL;
|
||||
uint32_t flags;
|
||||
@@ -362,7 +362,7 @@ init_auth
|
||||
if (actual_mech_type)
|
||||
*actual_mech_type = GSS_KRB5_MECHANISM;
|
||||
|
||||
if (initiator_cred_handle == NULL) {
|
||||
if (cred == NULL) {
|
||||
kret = krb5_cc_default (context, &ccache);
|
||||
if (kret) {
|
||||
*minor_status = kret;
|
||||
@@ -370,7 +370,7 @@ init_auth
|
||||
goto failure;
|
||||
}
|
||||
} else
|
||||
ccache = initiator_cred_handle->ccache;
|
||||
ccache = cred->ccache;
|
||||
|
||||
kret = krb5_cc_get_principal (context, ccache, &ctx->source);
|
||||
if (kret) {
|
||||
@@ -400,8 +400,8 @@ init_auth
|
||||
{
|
||||
krb5_enctype *enctypes = NULL;
|
||||
|
||||
if (initiator_cred_handle && initiator_cred_handle->enctypes)
|
||||
enctypes = initiator_cred_handle->enctypes;
|
||||
if (cred && cred->enctypes)
|
||||
enctypes = cred->enctypes;
|
||||
krb5_set_default_in_tkt_etypes(context, enctypes);
|
||||
}
|
||||
|
||||
@@ -412,11 +412,11 @@ init_auth
|
||||
ctx->target,
|
||||
time_req,
|
||||
time_rec,
|
||||
&cred);
|
||||
&kcred);
|
||||
if (ret)
|
||||
goto failure;
|
||||
|
||||
ctx->lifetime = cred->times.endtime;
|
||||
ctx->lifetime = kcred->times.endtime;
|
||||
|
||||
ret = _gsskrb5_lifetime_left(minor_status,
|
||||
context,
|
||||
@@ -434,11 +434,11 @@ init_auth
|
||||
|
||||
krb5_auth_con_setkey(context,
|
||||
ctx->auth_context,
|
||||
&cred->session);
|
||||
&kcred->session);
|
||||
|
||||
kret = krb5_auth_con_generatelocalsubkey(context,
|
||||
ctx->auth_context,
|
||||
&cred->session);
|
||||
&kcred->session);
|
||||
if(kret) {
|
||||
*minor_status = kret;
|
||||
ret = GSS_S_FAILURE;
|
||||
@@ -452,7 +452,7 @@ init_auth
|
||||
* requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
|
||||
* KDC doesn't set ok-as-delegate.
|
||||
*/
|
||||
if (!cred->flags.b.ok_as_delegate) {
|
||||
if (!kcred->flags.b.ok_as_delegate) {
|
||||
krb5_boolean delegate;
|
||||
|
||||
krb5_appdefault_boolean(context,
|
||||
@@ -467,7 +467,7 @@ init_auth
|
||||
if (req_flags & GSS_C_DELEG_FLAG)
|
||||
do_delegation (context,
|
||||
ctx->auth_context,
|
||||
ccache, cred, name, &fwd_data, &flags);
|
||||
ccache, kcred, name, &fwd_data, &flags);
|
||||
|
||||
if (req_flags & GSS_C_MUTUAL_FLAG) {
|
||||
flags |= GSS_C_MUTUAL_FLAG;
|
||||
@@ -490,8 +490,10 @@ init_auth
|
||||
if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
|
||||
flags |= GSS_C_EXTENDED_ERROR_FLAG;
|
||||
|
||||
flags |= GSS_C_CONF_FLAG;
|
||||
flags |= GSS_C_INTEG_FLAG;
|
||||
if (cred == NULL || !(cred->cred_flags & GSS_CF_NO_CI_FLAGS)) {
|
||||
flags |= GSS_C_CONF_FLAG;
|
||||
flags |= GSS_C_INTEG_FLAG;
|
||||
}
|
||||
flags |= GSS_C_TRANS_FLAG;
|
||||
|
||||
if (ret_flags)
|
||||
@@ -513,7 +515,7 @@ init_auth
|
||||
kret = krb5_build_authenticator (context,
|
||||
ctx->auth_context,
|
||||
enctype,
|
||||
cred,
|
||||
kcred,
|
||||
&cksum,
|
||||
NULL,
|
||||
&authenticator,
|
||||
@@ -527,7 +529,7 @@ init_auth
|
||||
|
||||
kret = krb5_build_ap_req (context,
|
||||
enctype,
|
||||
cred,
|
||||
kcred,
|
||||
ap_options,
|
||||
authenticator,
|
||||
&outbuf);
|
||||
@@ -544,9 +546,9 @@ init_auth
|
||||
goto failure;
|
||||
|
||||
krb5_data_free (&outbuf);
|
||||
krb5_free_creds(context, cred);
|
||||
krb5_free_creds(context, kcred);
|
||||
free_Checksum(&cksum);
|
||||
if (initiator_cred_handle == NULL)
|
||||
if (cred == NULL)
|
||||
krb5_cc_close(context, ccache);
|
||||
|
||||
if (flags & GSS_C_MUTUAL_FLAG) {
|
||||
@@ -557,8 +559,8 @@ init_auth
|
||||
return gsskrb5_initiator_ready(minor_status, ctx, context);
|
||||
failure:
|
||||
if(cred)
|
||||
krb5_free_creds(context, cred);
|
||||
if (ccache && initiator_cred_handle == NULL)
|
||||
krb5_free_creds(context, kcred);
|
||||
if (ccache && cred == NULL)
|
||||
krb5_cc_close(context, ccache);
|
||||
|
||||
return ret;
|
||||
@@ -682,7 +684,7 @@ repl_mutual
|
||||
|
||||
OM_uint32 _gsskrb5_init_sec_context
|
||||
(OM_uint32 * minor_status,
|
||||
const gss_cred_id_t initiator_cred_handle,
|
||||
const gss_cred_id_t cred_handle,
|
||||
gss_ctx_id_t * context_handle,
|
||||
const gss_name_t target_name,
|
||||
const gss_OID mech_type,
|
||||
@@ -697,7 +699,7 @@ OM_uint32 _gsskrb5_init_sec_context
|
||||
)
|
||||
{
|
||||
krb5_context context;
|
||||
gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
|
||||
gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
|
||||
krb5_const_principal name = (krb5_const_principal)target_name;
|
||||
gsskrb5_ctx ctx;
|
||||
OM_uint32 ret;
|
||||
|
||||
@@ -34,11 +34,20 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
/* 1.2.752.43.13.17 */
|
||||
static gss_OID_desc gss_krb5_ccache_name_x_oid_desc =
|
||||
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")};
|
||||
|
||||
gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &gss_krb5_ccache_name_x_oid_desc;
|
||||
|
||||
/* 1.2.752.43.13.18 */
|
||||
static gss_OID_desc gss_krb5_import_cred_x_oid_desc =
|
||||
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */
|
||||
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")};
|
||||
|
||||
gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;
|
||||
|
||||
|
||||
|
||||
static OM_uint32
|
||||
import_cred(OM_uint32 *minor_status,
|
||||
krb5_context context,
|
||||
@@ -201,6 +210,27 @@ out:
|
||||
return major_stat;
|
||||
}
|
||||
|
||||
static OM_uint32
|
||||
no_ci_flags(OM_uint32 *minor_status,
|
||||
krb5_context context,
|
||||
gss_cred_id_t *cred_handle,
|
||||
const gss_buffer_t value)
|
||||
{
|
||||
gsskrb5_cred cred;
|
||||
|
||||
if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
cred = (gsskrb5_cred)*cred_handle;
|
||||
cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
|
||||
|
||||
*minor_status = 0;
|
||||
return GSS_S_COMPLETE;
|
||||
|
||||
}
|
||||
|
||||
|
||||
OM_uint32
|
||||
_gsskrb5_set_cred_option
|
||||
@@ -224,6 +254,11 @@ _gsskrb5_set_cred_option
|
||||
if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X))
|
||||
return allowed_enctypes(minor_status, context, cred_handle, value);
|
||||
|
||||
if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
|
||||
return no_ci_flags(minor_status, context, cred_handle, value);
|
||||
}
|
||||
|
||||
|
||||
*minor_status = EINVAL;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user