Add flag to not add gss-api INT|CONF to the negotiation
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22655 ec53bebd-3082-4978-b11e-865c3cabbd6b
		| @@ -1,3 +1,7 @@ | |||||||
|  | 2008-02-26  Love H<>rnquist <20>strand  <lha@it.su.se> | ||||||
|  |  | ||||||
|  | 	* Add flag to krb5 to not add GSS-API INT|CONF to the negotiation | ||||||
|  |  | ||||||
| 2008-02-21  Love H<>rnquist <20>strand  <lha@it.su.se> | 2008-02-21  Love H<>rnquist <20>strand  <lha@it.su.se> | ||||||
|  |  | ||||||
| 	* make the SPNEGO mech store the error itself instead, works for | 	* make the SPNEGO mech store the error itself instead, works for | ||||||
|   | |||||||
| @@ -80,6 +80,7 @@ extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X; | |||||||
| /* Extensions creds */ | /* Extensions creds */ | ||||||
| extern gss_OID GSS_KRB5_IMPORT_CRED_X; | extern gss_OID GSS_KRB5_IMPORT_CRED_X; | ||||||
| extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X; | extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X; | ||||||
|  | extern gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X; | ||||||
|  |  | ||||||
| /* | /* | ||||||
|  * kerberos mechanism specific functions |  * kerberos mechanism specific functions | ||||||
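Review bot: The new `GSS_KRB5_CRED_NO_CI_FLAGS_X` extern is added to the public header without any comment on what the option does, while its effect only becomes visible in the krb5 mech sources. A one-line comment above it would help callers, e.g. `/* gss_set_cred_option: initiator does not request GSS_C_CONF_FLAG|GSS_C_INTEG_FLAG */`. Since the option removes confidentiality and integrity from the flags the initiator advertises, the comment should state that consequence explicitly rather than leaving it implied by the name.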
|   | |||||||
| @@ -86,6 +86,7 @@ typedef struct { | |||||||
|   krb5_principal principal; |   krb5_principal principal; | ||||||
|   int cred_flags; |   int cred_flags; | ||||||
| #define GSS_CF_DESTROY_CRED_ON_RELEASE	1 | #define GSS_CF_DESTROY_CRED_ON_RELEASE	1 | ||||||
|  | #define GSS_CF_NO_CI_FLAGS		2 | ||||||
|   struct krb5_keytab_data *keytab; |   struct krb5_keytab_data *keytab; | ||||||
|   OM_uint32 lifetime; |   OM_uint32 lifetime; | ||||||
|   gss_cred_usage_t usage; |   gss_cred_usage_t usage; | ||||||
|   | |||||||
| @@ -1,5 +1,5 @@ | |||||||
| /* | /* | ||||||
|  * Copyright (c) 1997 - 2007 Kungliga Tekniska H<>gskolan |  * Copyright (c) 1997 - 2008 Kungliga Tekniska H<>gskolan | ||||||
|  * (Royal Institute of Technology, Stockholm, Sweden).  |  * (Royal Institute of Technology, Stockholm, Sweden).  | ||||||
|  * All rights reserved.  |  * All rights reserved.  | ||||||
|  * |  * | ||||||
| @@ -326,7 +326,7 @@ do_delegation (krb5_context context, | |||||||
| static OM_uint32 | static OM_uint32 | ||||||
| init_auth | init_auth | ||||||
| (OM_uint32 * minor_status, | (OM_uint32 * minor_status, | ||||||
|  gsskrb5_cred initiator_cred_handle, |  gsskrb5_cred cred, | ||||||
|  gsskrb5_ctx ctx, |  gsskrb5_ctx ctx, | ||||||
|  krb5_context context, |  krb5_context context, | ||||||
|  krb5_const_principal name, |  krb5_const_principal name, | ||||||
| @@ -344,7 +344,7 @@ init_auth | |||||||
|     OM_uint32 ret = GSS_S_FAILURE; |     OM_uint32 ret = GSS_S_FAILURE; | ||||||
|     krb5_error_code kret; |     krb5_error_code kret; | ||||||
|     krb5_flags ap_options; |     krb5_flags ap_options; | ||||||
|     krb5_creds *cred = NULL; |     krb5_creds *kcred = NULL; | ||||||
|     krb5_data outbuf; |     krb5_data outbuf; | ||||||
|     krb5_ccache ccache = NULL; |     krb5_ccache ccache = NULL; | ||||||
|     uint32_t flags; |     uint32_t flags; | ||||||
| @@ -362,7 +362,7 @@ init_auth | |||||||
|     if (actual_mech_type) |     if (actual_mech_type) | ||||||
| 	*actual_mech_type = GSS_KRB5_MECHANISM; | 	*actual_mech_type = GSS_KRB5_MECHANISM; | ||||||
|  |  | ||||||
|     if (initiator_cred_handle == NULL) { |     if (cred == NULL) { | ||||||
| 	kret = krb5_cc_default (context, &ccache); | 	kret = krb5_cc_default (context, &ccache); | ||||||
| 	if (kret) { | 	if (kret) { | ||||||
| 	    *minor_status = kret; | 	    *minor_status = kret; | ||||||
| @@ -370,7 +370,7 @@ init_auth | |||||||
| 	    goto failure; | 	    goto failure; | ||||||
| 	} | 	} | ||||||
|     } else |     } else | ||||||
| 	ccache = initiator_cred_handle->ccache; | 	ccache = cred->ccache; | ||||||
|  |  | ||||||
|     kret = krb5_cc_get_principal (context, ccache, &ctx->source); |     kret = krb5_cc_get_principal (context, ccache, &ctx->source); | ||||||
|     if (kret) { |     if (kret) { | ||||||
| @@ -400,8 +400,8 @@ init_auth | |||||||
|     { |     { | ||||||
| 	krb5_enctype *enctypes = NULL; | 	krb5_enctype *enctypes = NULL; | ||||||
|  |  | ||||||
| 	if (initiator_cred_handle && initiator_cred_handle->enctypes) | 	if (cred && cred->enctypes) | ||||||
| 	    enctypes = initiator_cred_handle->enctypes; | 	    enctypes = cred->enctypes; | ||||||
| 	krb5_set_default_in_tkt_etypes(context, enctypes); | 	krb5_set_default_in_tkt_etypes(context, enctypes); | ||||||
|     } |     } | ||||||
|  |  | ||||||
| @@ -412,11 +412,11 @@ init_auth | |||||||
| 			    ctx->target, | 			    ctx->target, | ||||||
| 			    time_req, | 			    time_req, | ||||||
| 			    time_rec, | 			    time_rec, | ||||||
| 			    &cred); | 			    &kcred); | ||||||
|     if (ret) |     if (ret) | ||||||
| 	goto failure; | 	goto failure; | ||||||
|  |  | ||||||
|     ctx->lifetime = cred->times.endtime; |     ctx->lifetime = kcred->times.endtime; | ||||||
|  |  | ||||||
|     ret = _gsskrb5_lifetime_left(minor_status, |     ret = _gsskrb5_lifetime_left(minor_status, | ||||||
| 				 context, | 				 context, | ||||||
| @@ -434,11 +434,11 @@ init_auth | |||||||
|  |  | ||||||
|     krb5_auth_con_setkey(context,  |     krb5_auth_con_setkey(context,  | ||||||
| 			 ctx->auth_context,  | 			 ctx->auth_context,  | ||||||
| 			 &cred->session); | 			 &kcred->session); | ||||||
|  |  | ||||||
|     kret = krb5_auth_con_generatelocalsubkey(context,  |     kret = krb5_auth_con_generatelocalsubkey(context,  | ||||||
| 					     ctx->auth_context, | 					     ctx->auth_context, | ||||||
| 					     &cred->session); | 					     &kcred->session); | ||||||
|     if(kret) { |     if(kret) { | ||||||
| 	*minor_status = kret; | 	*minor_status = kret; | ||||||
| 	ret = GSS_S_FAILURE; | 	ret = GSS_S_FAILURE; | ||||||
| @@ -452,7 +452,7 @@ init_auth | |||||||
|      * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the |      * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the | ||||||
|      * KDC doesn't set ok-as-delegate. |      * KDC doesn't set ok-as-delegate. | ||||||
|      */ |      */ | ||||||
|     if (!cred->flags.b.ok_as_delegate) { |     if (!kcred->flags.b.ok_as_delegate) { | ||||||
| 	krb5_boolean delegate; | 	krb5_boolean delegate; | ||||||
|      |      | ||||||
| 	krb5_appdefault_boolean(context, | 	krb5_appdefault_boolean(context, | ||||||
| @@ -467,7 +467,7 @@ init_auth | |||||||
|     if (req_flags & GSS_C_DELEG_FLAG) |     if (req_flags & GSS_C_DELEG_FLAG) | ||||||
| 	do_delegation (context, | 	do_delegation (context, | ||||||
| 		       ctx->auth_context, | 		       ctx->auth_context, | ||||||
| 		       ccache, cred, name, &fwd_data, &flags); | 		       ccache, kcred, name, &fwd_data, &flags); | ||||||
|      |      | ||||||
|     if (req_flags & GSS_C_MUTUAL_FLAG) { |     if (req_flags & GSS_C_MUTUAL_FLAG) { | ||||||
| 	flags |= GSS_C_MUTUAL_FLAG; | 	flags |= GSS_C_MUTUAL_FLAG; | ||||||
| @@ -490,8 +490,10 @@ init_auth | |||||||
|     if (req_flags & GSS_C_EXTENDED_ERROR_FLAG) |     if (req_flags & GSS_C_EXTENDED_ERROR_FLAG) | ||||||
| 	flags |= GSS_C_EXTENDED_ERROR_FLAG; | 	flags |= GSS_C_EXTENDED_ERROR_FLAG; | ||||||
|  |  | ||||||
|     flags |= GSS_C_CONF_FLAG; |     if (cred == NULL || !(cred->cred_flags & GSS_CF_NO_CI_FLAGS)) { | ||||||
|     flags |= GSS_C_INTEG_FLAG; | 	flags |= GSS_C_CONF_FLAG; | ||||||
|  | 	flags |= GSS_C_INTEG_FLAG; | ||||||
|  |     } | ||||||
|     flags |= GSS_C_TRANS_FLAG; |     flags |= GSS_C_TRANS_FLAG; | ||||||
|      |      | ||||||
|     if (ret_flags) |     if (ret_flags) | ||||||
| @@ -513,7 +515,7 @@ init_auth | |||||||
|     kret = krb5_build_authenticator (context, |     kret = krb5_build_authenticator (context, | ||||||
| 				     ctx->auth_context, | 				     ctx->auth_context, | ||||||
| 				     enctype, | 				     enctype, | ||||||
| 				     cred, | 				     kcred, | ||||||
| 				     &cksum, | 				     &cksum, | ||||||
| 				     NULL, | 				     NULL, | ||||||
| 				     &authenticator, | 				     &authenticator, | ||||||
| @@ -527,7 +529,7 @@ init_auth | |||||||
|  |  | ||||||
|     kret = krb5_build_ap_req (context, |     kret = krb5_build_ap_req (context, | ||||||
| 			      enctype, | 			      enctype, | ||||||
| 			      cred, | 			      kcred, | ||||||
| 			      ap_options, | 			      ap_options, | ||||||
| 			      authenticator, | 			      authenticator, | ||||||
| 			      &outbuf); | 			      &outbuf); | ||||||
| @@ -544,9 +546,9 @@ init_auth | |||||||
| 	goto failure; | 	goto failure; | ||||||
|  |  | ||||||
|     krb5_data_free (&outbuf); |     krb5_data_free (&outbuf); | ||||||
|     krb5_free_creds(context, cred); |     krb5_free_creds(context, kcred); | ||||||
|     free_Checksum(&cksum); |     free_Checksum(&cksum); | ||||||
|     if (initiator_cred_handle == NULL) |     if (cred == NULL) | ||||||
| 	krb5_cc_close(context, ccache); | 	krb5_cc_close(context, ccache); | ||||||
|  |  | ||||||
|     if (flags & GSS_C_MUTUAL_FLAG) { |     if (flags & GSS_C_MUTUAL_FLAG) { | ||||||
| @@ -557,8 +559,8 @@ init_auth | |||||||
|     return gsskrb5_initiator_ready(minor_status, ctx, context); |     return gsskrb5_initiator_ready(minor_status, ctx, context); | ||||||
| failure: | failure: | ||||||
|     if(cred) |     if(cred) | ||||||
| 	krb5_free_creds(context, cred); | 	krb5_free_creds(context, kcred); | ||||||
|     if (ccache && initiator_cred_handle == NULL) |     if (ccache && cred == NULL) | ||||||
| 	krb5_cc_close(context, ccache); | 	krb5_cc_close(context, ccache); | ||||||
|  |  | ||||||
|     return ret; |     return ret; | ||||||
| @@ -682,7 +684,7 @@ repl_mutual | |||||||
|  |  | ||||||
| OM_uint32 _gsskrb5_init_sec_context | OM_uint32 _gsskrb5_init_sec_context | ||||||
| (OM_uint32 * minor_status, | (OM_uint32 * minor_status, | ||||||
|  const gss_cred_id_t initiator_cred_handle, |  const gss_cred_id_t cred_handle, | ||||||
|  gss_ctx_id_t * context_handle, |  gss_ctx_id_t * context_handle, | ||||||
|  const gss_name_t target_name, |  const gss_name_t target_name, | ||||||
|  const gss_OID mech_type, |  const gss_OID mech_type, | ||||||
| @@ -697,7 +699,7 @@ OM_uint32 _gsskrb5_init_sec_context | |||||||
|     ) |     ) | ||||||
| { | { | ||||||
|     krb5_context context; |     krb5_context context; | ||||||
|     gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle; |     gsskrb5_cred cred = (gsskrb5_cred)cred_handle; | ||||||
|     krb5_const_principal name = (krb5_const_principal)target_name; |     krb5_const_principal name = (krb5_const_principal)target_name; | ||||||
|     gsskrb5_ctx ctx; |     gsskrb5_ctx ctx; | ||||||
|     OM_uint32 ret; |     OM_uint32 ret; | ||||||
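Review bot: The failure path at the end of init_auth still tests `if(cred)` before calling `krb5_free_creds(context, kcred)`, but after this commit's rename `cred` is the gsskrb5_cred handle parameter and `kcred` is the krb5_creds obtained at the `&kcred` call, so the guard should be `if (kcred)`. With a caller-supplied credential, any failure before the creds are obtained (krb5_cc_get_principal failing, for instance) reaches `krb5_free_creds(context, NULL)`, which dereferences a null pointer unless krb5_free_creds tolerates NULL; on the default-ccache path (`cred == NULL`) a failure after the creds were obtained leaks `kcred`. Only the guard line changes: `if (kcred)` followed by the existing `krb5_free_creds(context, kcred);`. The `cred == NULL` tests on the two krb5_cc_close lines are correct as written; init_auth's closing brace lies outside the hunk.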
|   | |||||||
| @@ -34,11 +34,20 @@ | |||||||
|  |  | ||||||
| RCSID("$Id$"); | RCSID("$Id$"); | ||||||
|  |  | ||||||
|  | /* 1.2.752.43.13.17 */ | ||||||
|  | static gss_OID_desc gss_krb5_ccache_name_x_oid_desc = | ||||||
|  | {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")}; | ||||||
|  |  | ||||||
|  | gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &gss_krb5_ccache_name_x_oid_desc; | ||||||
|  |  | ||||||
|  | /* 1.2.752.43.13.18 */ | ||||||
| static gss_OID_desc gss_krb5_import_cred_x_oid_desc = | static gss_OID_desc gss_krb5_import_cred_x_oid_desc = | ||||||
| {9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */ | {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")}; | ||||||
|  |  | ||||||
| gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc; | gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc; | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| static OM_uint32 | static OM_uint32 | ||||||
| import_cred(OM_uint32 *minor_status, | import_cred(OM_uint32 *minor_status, | ||||||
| 	    krb5_context context, | 	    krb5_context context, | ||||||
| @@ -201,6 +210,27 @@ out: | |||||||
|     return major_stat; |     return major_stat; | ||||||
| } | } | ||||||
|  |  | ||||||
|  | static OM_uint32 | ||||||
|  | no_ci_flags(OM_uint32 *minor_status, | ||||||
|  | 	    krb5_context context, | ||||||
|  | 	    gss_cred_id_t *cred_handle, | ||||||
|  | 	    const gss_buffer_t value) | ||||||
|  | { | ||||||
|  |     gsskrb5_cred cred; | ||||||
|  |  | ||||||
|  |     if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) { | ||||||
|  | 	*minor_status = 0; | ||||||
|  | 	return GSS_S_FAILURE; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     cred = (gsskrb5_cred)*cred_handle; | ||||||
|  |     cred->cred_flags |= GSS_CF_NO_CI_FLAGS; | ||||||
|  | 	 | ||||||
|  |     *minor_status = 0; | ||||||
|  |     return GSS_S_COMPLETE; | ||||||
|  |  | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
| OM_uint32 | OM_uint32 | ||||||
| _gsskrb5_set_cred_option | _gsskrb5_set_cred_option | ||||||
| @@ -224,6 +254,11 @@ _gsskrb5_set_cred_option | |||||||
|     if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X)) |     if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X)) | ||||||
| 	return allowed_enctypes(minor_status, context, cred_handle, value); | 	return allowed_enctypes(minor_status, context, cred_handle, value); | ||||||
|  |  | ||||||
|  |     if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) { | ||||||
|  | 	return no_ci_flags(minor_status, context, cred_handle, value); | ||||||
|  |     } | ||||||
|  | 	 | ||||||
|  |  | ||||||
|     *minor_status = EINVAL; |     *minor_status = EINVAL; | ||||||
|     return GSS_S_FAILURE; |     return GSS_S_FAILURE; | ||||||
| } | } | ||||||
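Review bot: The descriptor backing the new OID is named `gss_krb5_ccache_name_x_oid_desc`, which describes a different option; rename it to match the symbol, `static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc =` and `gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &gss_krb5_cred_no_ci_flags_x_oid_desc;`. In no_ci_flags the `context` and `value` parameters are unused and the flag can only be set, never cleared; either reject a non-empty `value` or add a comment stating that the value is ignored and the option is one-way. The same hunk also replaces the bytes of the already-public `GSS_KRB5_IMPORT_CRED_X` with the 1.2.752.43.13.18 arc, so any caller matching the previous 9-byte encoding will no longer recognize it — worth a line in the ChangeLog. The whitespace-only lines after `cred->cred_flags |= GSS_CF_NO_CI_FLAGS;` and after the new dispatch block in _gsskrb5_set_cred_option should be dropped.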
|   | |||||||