Properly implement neg_mechs & GM_USE_MG_CRED

SPNEGO was already using union creds. Now make the mechglue know about it, delete all of the cred-related SPNEGO stubs that are now not called (lib/gssapi/spnego/cred_stubs.c), and implement gss_get/set_neg_mechs() by storing the OID set in the union cred. This commit was essentially authored as much if not more by Luke Howard <lukeh at padl.com> as much as by the listed author.
2020-04-18 22:15:00 -05:00
parent 2ec9e17042
commit a54761d68a
20 changed files with 397 additions and 418 deletions
--- a/lib/gssapi/mech/gss_inquire_cred.c
+++ b/lib/gssapi/mech/gss_inquire_cred.c
@@ -99,6 +99,9 @@ gss_inquire_cred(OM_uint32 *minor_status,
 			gss_name_t mc_name = GSS_C_NO_NAME;
 			OM_uint32 mc_lifetime = GSS_C_INDEFINITE;

+			heim_assert((mc->gmc_mech->gm_flags & GM_USE_MG_CRED) == 0,
+				    "should not have mech creds for GM_USE_MG_CRED mechs");
+
 			if (mc->gmc_mech->gm_inquire_cred == NULL)
 				continue;

@@ -137,7 +140,8 @@ gss_inquire_cred(OM_uint32 *minor_status,
 			gss_name_t mc_name;
 			OM_uint32 mc_lifetime;

-			if (m->gm_mech.gm_inquire_cred == NULL)
+			if (m->gm_mech.gm_inquire_cred == NULL ||
+			    (m->gm_mech.gm_flags & GM_USE_MG_CRED))
 				continue;

 			major_status = m->gm_mech.gm_inquire_cred(minor_status,
@@ -174,6 +178,17 @@ gss_inquire_cred(OM_uint32 *minor_status,
 		}
 	}

+	if (found && mechanisms) {
+		/* GM_USE_MG_CRED mechs (SPNEGO) always can be used */
+		HEIM_TAILQ_FOREACH(m, &_gss_mechs, gm_link) {
+			if ((m->gm_mech.gm_flags & GM_USE_MG_CRED) == 0)
+				continue;
+
+			gss_add_oid_set_member(minor_status,
+					       m->gm_mech_oid, mechanisms);
+		}
+	}
+
 	if (found == 0 || min_lifetime == 0) {
 		gss_name_t n = (gss_name_t)name;
 		if (n)