gssapi: honor acceptor credential in SPNEGO (#506)

SPNEGO uses the callback function acceptor_approved() in order to determine
which mechanisms to advertise to the initiator in the case that the initiator
sent an empty initial context token. Prior to this commit, that function was
not passed the acceptor credential (if present), so it always used the default
credential. For correctness, we should only advertise the availability of
mechanisms for which we actually hold a credential.
This commit is contained in:
Luke Howard
2019-01-04 15:47:29 +11:00
parent d5536d4dd3
commit dfaaf9c93f


@@ -63,7 +63,7 @@ send_reject (OM_uint32 *minor_status,
}
static OM_uint32
acceptor_approved(gss_const_cred_id_t cred_unused,
acceptor_approved(gss_const_cred_id_t input_cred,
gss_name_t target_name,
gss_OID mech)
{
@@ -74,6 +74,11 @@ acceptor_approved(gss_const_cred_id_t cred_unused,
if (target_name == GSS_C_NO_NAME)
return GSS_S_COMPLETE;
if (input_cred != GSS_C_NO_CREDENTIAL) {
return gss_inquire_cred_by_mech(&junk, input_cred, mech,
NULL, NULL, NULL, NULL);
}
gss_create_empty_oid_set(&junk, &oidset);
gss_add_oid_set_member(&junk, mech, &oidset);
@@ -89,6 +94,7 @@ acceptor_approved(gss_const_cred_id_t cred_unused,
static OM_uint32
send_supported_mechs (OM_uint32 *minor_status,
gss_const_cred_id_t acceptor_cred,
gss_buffer_t output_token)
{
NegotiationTokenWin nt;
@@ -104,7 +110,7 @@ send_supported_mechs (OM_uint32 *minor_status,
nt.u.negTokenInit.negHints = NULL;
ret = _gss_spnego_indicate_mechtypelist(minor_status, GSS_C_NO_NAME,
acceptor_approved, 1, NULL,
acceptor_approved, 1, acceptor_cred,
&nt.u.negTokenInit.mechTypes, NULL);
if (ret != GSS_S_COMPLETE) {
return ret;
@@ -501,7 +507,8 @@ acceptor_start
mech_buf.value = NULL;
if (input_token_buffer->length == 0)
return send_supported_mechs (minor_status, output_token);
return send_supported_mechs (minor_status,
acceptor_cred_handle, output_token);
ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
if (ret != GSS_S_COMPLETE)
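Review bot: The new branch in acceptor_approved, `if (input_cred != GSS_C_NO_CREDENTIAL) { return gss_inquire_cred_by_mech(...); }`, treats any credential element for `mech` as good enough to advertise, because the `cred_usage` output of `gss_inquire_cred_by_mech` is passed as `NULL` and the call's status is returned unchanged; a credential element that is initiator-only for that mechanism would therefore still be advertised, which is at odds with the commit's stated aim of offering only mechanisms we can accept with. Requesting the usage and rejecting anything other than `GSS_C_ACCEPT` or `GSS_C_BOTH`, as below, closes that gap; `gss_inquire_cred_by_mech` already reports an expired credential via its status, so lifetime needs no extra check. Whether the mechglue ever hands accept_sec_context a mixed-usage credential is not visible from this hunk, so treat this as cheap insurance rather than a confirmed hole. Note also that acceptor_approved's body continues past the end of its hunk (the default-credential path after `gss_add_oid_set_member` is cut off), so I have not reviewed how the existing path treats usage.
```c
    if (input_cred != GSS_C_NO_CREDENTIAL) {
	gss_cred_usage_t usage = GSS_C_BOTH;
	OM_uint32 major;

	major = gss_inquire_cred_by_mech(&junk, input_cred, mech,
					 NULL, NULL, NULL, &usage);
	if (major != GSS_S_COMPLETE)
	    return major;
	/* Only a credential usable on the acceptor side counts. */
	return (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH) ?
	    GSS_S_COMPLETE : GSS_S_NO_CRED;
    }
    /* … unchanged: default-credential path via gss_create_empty_oid_set … */
```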