oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gssapi: honor initiator credential in SPNEGO (#506)

Browse Source 
SPNEGO uses the callback function initiator_approved() in order to determine
mechanism availability. Prior to this commit, is not passed in the initiator
credential, so it always uses a default credential. This breaks SPNEGO if a
non-default credential (such as one acquired with
gss_acquire_cred_with_password()) is used. This commit addresses this.
This commit is contained in:
Luke Howard
2019-01-03 23:16:03 +11:00
parent 2242b5bc5b
commit a7d42cdf6b
3 changed files with 11 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/gssapi/spnego/accept_sec_context.c
View File

@@ -63,7 +63,9 @@ send_reject (OM_uint32 *minor_status,
} }
static OM_uint32 static OM_uint32
acceptor_approved(gss_name_t target_name, gss_OID mech) acceptor_approved(gss_const_cred_id_t cred_unused,
gss_name_t target_name,
gss_OID mech)
{ {
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_OID_set oidset; gss_OID_set oidset;
@@ -393,7 +395,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
if (ret != GSS_S_COMPLETE) if (ret != GSS_S_COMPLETE)
return ret; return ret;
ret = acceptor_approved(name, *mech_p); ret = acceptor_approved(GSS_C_NO_CREDENTIAL, name, *mech_p);
gss_release_name(&junk, &name); gss_release_name(&junk, &name);
} }

6
lib/gssapi/spnego/compat.c
View File

@@ -232,7 +232,7 @@ add_mech_type(gss_OID mech_type,
OM_uint32 GSSAPI_CALLCONV OM_uint32 GSSAPI_CALLCONV
_gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status, _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
gss_name_t target_name, gss_name_t target_name,
OM_uint32 (*func)(gss_name_t, gss_OID), OM_uint32 (*func)(gss_const_cred_id_t, gss_name_t, gss_OID),
int includeMSCompatOID, int includeMSCompatOID,
gss_const_cred_id_t cred_handle, gss_const_cred_id_t cred_handle,
MechTypeList *mechtypelist, MechTypeList *mechtypelist,
@@ -267,7 +267,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
ret = (*func)(target_name, GSS_KRB5_MECHANISM); ret = (*func)(cred_handle, target_name, GSS_KRB5_MECHANISM);
if (ret == GSS_S_COMPLETE) { if (ret == GSS_S_COMPLETE) {
ret = add_mech_type(GSS_KRB5_MECHANISM, ret = add_mech_type(GSS_KRB5_MECHANISM,
includeMSCompatOID, includeMSCompatOID,
@@ -284,7 +284,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
if (gss_oid_equal(&supported_mechs->elements[i], GSS_KRB5_MECHANISM)) if (gss_oid_equal(&supported_mechs->elements[i], GSS_KRB5_MECHANISM))
continue; continue;
subret = (*func)(target_name, &supported_mechs->elements[i]); subret = (*func)(cred_handle, target_name, &supported_mechs->elements[i]);
if (subret != GSS_S_COMPLETE) if (subret != GSS_S_COMPLETE)
continue; continue;

6
lib/gssapi/spnego/init_sec_context.c
View File

@@ -38,14 +38,16 @@
*/ */
static OM_uint32 static OM_uint32
initiator_approved(gss_name_t target_name, gss_OID mech) initiator_approved(gss_const_cred_id_t cred,
gss_name_t target_name,
gss_OID mech)
{ {
OM_uint32 min_stat, maj_stat; OM_uint32 min_stat, maj_stat;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc out; gss_buffer_desc out;
maj_stat = gss_init_sec_context(&min_stat, maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL, cred,
&ctx, &ctx,
target_name, target_name,
mech, mech,