oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Add flag to not add gss-api INT|CONF to the negotiation

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22655 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2008-02-26 12:40:35 +00:00
parent c4e1402fd8
commit 27a3ca100e
5 changed files with 67 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/gssapi/ChangeLog
View File

@@ -1,3 +1,7 @@
2008-02-26 Love H<>rnquist <20>strand <lha@it.su.se>
* Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
2008-02-21 Love H<>rnquist <20>strand <lha@it.su.se> 2008-02-21 Love H<>rnquist <20>strand <lha@it.su.se>
* make the SPNEGO mech store the error itself instead, works for * make the SPNEGO mech store the error itself instead, works for

1
lib/gssapi/gssapi/gssapi_krb5.h
View File

@@ -80,6 +80,7 @@ extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
/* Extensions creds */ /* Extensions creds */
extern gss_OID GSS_KRB5_IMPORT_CRED_X; extern gss_OID GSS_KRB5_IMPORT_CRED_X;
extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X; extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
extern gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
/* /*
* kerberos mechanism specific functions * kerberos mechanism specific functions

1
lib/gssapi/krb5/gsskrb5_locl.h
View File

@@ -86,6 +86,7 @@ typedef struct {
krb5_principal principal; krb5_principal principal;
int cred_flags; int cred_flags;
#define GSS_CF_DESTROY_CRED_ON_RELEASE 1 #define GSS_CF_DESTROY_CRED_ON_RELEASE 1
#define GSS_CF_NO_CI_FLAGS 2
struct krb5_keytab_data *keytab; struct krb5_keytab_data *keytab;
OM_uint32 lifetime; OM_uint32 lifetime;
gss_cred_usage_t usage; gss_cred_usage_t usage;

48
lib/gssapi/krb5/init_sec_context.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997 - 2007 Kungliga Tekniska H<>gskolan * Copyright (c) 1997 - 2008 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden). * (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved. * All rights reserved.
* *
@@ -326,7 +326,7 @@ do_delegation (krb5_context context,
static OM_uint32 static OM_uint32
init_auth init_auth
(OM_uint32 * minor_status, (OM_uint32 * minor_status,
gsskrb5_cred initiator_cred_handle, gsskrb5_cred cred,
gsskrb5_ctx ctx, gsskrb5_ctx ctx,
krb5_context context, krb5_context context,
krb5_const_principal name, krb5_const_principal name,
@@ -344,7 +344,7 @@ init_auth
OM_uint32 ret = GSS_S_FAILURE; OM_uint32 ret = GSS_S_FAILURE;
krb5_error_code kret; krb5_error_code kret;
krb5_flags ap_options; krb5_flags ap_options;
krb5_creds *cred = NULL; krb5_creds *kcred = NULL;
krb5_data outbuf; krb5_data outbuf;
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
uint32_t flags; uint32_t flags;
@@ -362,7 +362,7 @@ init_auth
if (actual_mech_type) if (actual_mech_type)
*actual_mech_type = GSS_KRB5_MECHANISM; *actual_mech_type = GSS_KRB5_MECHANISM;
if (initiator_cred_handle == NULL) { if (cred == NULL) {
kret = krb5_cc_default (context, &ccache); kret = krb5_cc_default (context, &ccache);
if (kret) { if (kret) {
*minor_status = kret; *minor_status = kret;
@@ -370,7 +370,7 @@ init_auth
goto failure; goto failure;
} }
} else } else
ccache = initiator_cred_handle->ccache; ccache = cred->ccache;
kret = krb5_cc_get_principal (context, ccache, &ctx->source); kret = krb5_cc_get_principal (context, ccache, &ctx->source);
if (kret) { if (kret) {
@@ -400,8 +400,8 @@ init_auth
{ {
krb5_enctype *enctypes = NULL; krb5_enctype *enctypes = NULL;
if (initiator_cred_handle && initiator_cred_handle->enctypes) if (cred && cred->enctypes)
enctypes = initiator_cred_handle->enctypes; enctypes = cred->enctypes;
krb5_set_default_in_tkt_etypes(context, enctypes); krb5_set_default_in_tkt_etypes(context, enctypes);
} }
@@ -412,11 +412,11 @@ init_auth
ctx->target, ctx->target,
time_req, time_req,
time_rec, time_rec,
&cred); &kcred);
if (ret) if (ret)
goto failure; goto failure;
ctx->lifetime = cred->times.endtime; ctx->lifetime = kcred->times.endtime;
ret = _gsskrb5_lifetime_left(minor_status, ret = _gsskrb5_lifetime_left(minor_status,
context, context,
@@ -434,11 +434,11 @@ init_auth
krb5_auth_con_setkey(context, krb5_auth_con_setkey(context,
ctx->auth_context, ctx->auth_context,
&cred->session); &kcred->session);
kret = krb5_auth_con_generatelocalsubkey(context, kret = krb5_auth_con_generatelocalsubkey(context,
ctx->auth_context, ctx->auth_context,
&cred->session); &kcred->session);
if(kret) { if(kret) {
*minor_status = kret; *minor_status = kret;
ret = GSS_S_FAILURE; ret = GSS_S_FAILURE;
@@ -452,7 +452,7 @@ init_auth
* requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
* KDC doesn't set ok-as-delegate. * KDC doesn't set ok-as-delegate.
*/ */
if (!cred->flags.b.ok_as_delegate) { if (!kcred->flags.b.ok_as_delegate) {
krb5_boolean delegate; krb5_boolean delegate;
krb5_appdefault_boolean(context, krb5_appdefault_boolean(context,
@@ -467,7 +467,7 @@ init_auth
if (req_flags & GSS_C_DELEG_FLAG) if (req_flags & GSS_C_DELEG_FLAG)
do_delegation (context, do_delegation (context,
ctx->auth_context, ctx->auth_context,
ccache, cred, name, &fwd_data, &flags); ccache, kcred, name, &fwd_data, &flags);
if (req_flags & GSS_C_MUTUAL_FLAG) { if (req_flags & GSS_C_MUTUAL_FLAG) {
flags |= GSS_C_MUTUAL_FLAG; flags |= GSS_C_MUTUAL_FLAG;
@@ -490,8 +490,10 @@ init_auth
if (req_flags & GSS_C_EXTENDED_ERROR_FLAG) if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
flags |= GSS_C_EXTENDED_ERROR_FLAG; flags |= GSS_C_EXTENDED_ERROR_FLAG;
flags |= GSS_C_CONF_FLAG; if (cred == NULL || !(cred->cred_flags & GSS_CF_NO_CI_FLAGS)) {
flags |= GSS_C_INTEG_FLAG; flags |= GSS_C_CONF_FLAG;
flags |= GSS_C_INTEG_FLAG;
}
flags |= GSS_C_TRANS_FLAG; flags |= GSS_C_TRANS_FLAG;
if (ret_flags) if (ret_flags)
@@ -513,7 +515,7 @@ init_auth
kret = krb5_build_authenticator (context, kret = krb5_build_authenticator (context,
ctx->auth_context, ctx->auth_context,
enctype, enctype,
cred, kcred,
&cksum, &cksum,
NULL, NULL,
&authenticator, &authenticator,
@@ -527,7 +529,7 @@ init_auth
kret = krb5_build_ap_req (context, kret = krb5_build_ap_req (context,
enctype, enctype,
cred, kcred,
ap_options, ap_options,
authenticator, authenticator,
&outbuf); &outbuf);
@@ -544,9 +546,9 @@ init_auth
goto failure; goto failure;
krb5_data_free (&outbuf); krb5_data_free (&outbuf);
krb5_free_creds(context, cred); krb5_free_creds(context, kcred);
free_Checksum(&cksum); free_Checksum(&cksum);
if (initiator_cred_handle == NULL) if (cred == NULL)
krb5_cc_close(context, ccache); krb5_cc_close(context, ccache);
if (flags & GSS_C_MUTUAL_FLAG) { if (flags & GSS_C_MUTUAL_FLAG) {
@@ -557,8 +559,8 @@ init_auth
return gsskrb5_initiator_ready(minor_status, ctx, context); return gsskrb5_initiator_ready(minor_status, ctx, context);
failure: failure:
if(cred) if(cred)
krb5_free_creds(context, cred); krb5_free_creds(context, kcred);
if (ccache && initiator_cred_handle == NULL) if (ccache && cred == NULL)
krb5_cc_close(context, ccache); krb5_cc_close(context, ccache);
return ret; return ret;
@@ -682,7 +684,7 @@ repl_mutual
OM_uint32 _gsskrb5_init_sec_context OM_uint32 _gsskrb5_init_sec_context
(OM_uint32 * minor_status, (OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle, const gss_cred_id_t cred_handle,
gss_ctx_id_t * context_handle, gss_ctx_id_t * context_handle,
const gss_name_t target_name, const gss_name_t target_name,
const gss_OID mech_type, const gss_OID mech_type,
@@ -697,7 +699,7 @@ OM_uint32 _gsskrb5_init_sec_context
) )
{ {
krb5_context context; krb5_context context;
gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle; gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
krb5_const_principal name = (krb5_const_principal)target_name; krb5_const_principal name = (krb5_const_principal)target_name;
gsskrb5_ctx ctx; gsskrb5_ctx ctx;
OM_uint32 ret; OM_uint32 ret;

37
lib/gssapi/krb5/set_cred_option.c
View File

@@ -34,11 +34,20 @@
RCSID("$Id$"); RCSID("$Id$");
/* 1.2.752.43.13.17 */
static gss_OID_desc gss_krb5_ccache_name_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")};
gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &gss_krb5_ccache_name_x_oid_desc;
/* 1.2.752.43.13.18 */
static gss_OID_desc gss_krb5_import_cred_x_oid_desc = static gss_OID_desc gss_krb5_import_cred_x_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */ {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")};
gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc; gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;
static OM_uint32 static OM_uint32
import_cred(OM_uint32 *minor_status, import_cred(OM_uint32 *minor_status,
krb5_context context, krb5_context context,
@@ -201,6 +210,27 @@ out:
return major_stat; return major_stat;
} }
static OM_uint32
no_ci_flags(OM_uint32 *minor_status,
krb5_context context,
gss_cred_id_t *cred_handle,
const gss_buffer_t value)
{
gsskrb5_cred cred;
if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
*minor_status = 0;
return GSS_S_FAILURE;
}
cred = (gsskrb5_cred)*cred_handle;
cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
*minor_status = 0;
return GSS_S_COMPLETE;
}
OM_uint32 OM_uint32
_gsskrb5_set_cred_option _gsskrb5_set_cred_option
@@ -224,6 +254,11 @@ _gsskrb5_set_cred_option
if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X)) if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X))
return allowed_enctypes(minor_status, context, cred_handle, value); return allowed_enctypes(minor_status, context, cred_handle, value);
if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
return no_ci_flags(minor_status, context, cred_handle, value);
}
*minor_status = EINVAL; *minor_status = EINVAL;
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }