oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gss: add some missing GM_USE_MG_CRED checks

Browse Source 
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.
This commit is contained in:
Luke Howard
2019-12-28 16:35:04 +11:00
parent 340cc3f092
commit e80248ed36
4 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
lib/gssapi/mech/gss_accept_sec_context.c
View File

@@ -210,7 +210,9 @@ gss_accept_sec_context(OM_uint32 *minor_status,
m = ctx->gc_mech; m = ctx->gc_mech;
} }
if (cred) { if (m->gm_flags & GM_USE_MG_CRED) {
acceptor_mc = acceptor_cred_handle;
} else if (cred) {
HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link) HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link)
if (mc->gmc_mech == m) if (mc->gmc_mech == m)
break; break;
@@ -270,9 +272,18 @@ gss_accept_sec_context(OM_uint32 *minor_status,
if (mech_ret_flags & GSS_C_DELEG_FLAG) { if (mech_ret_flags & GSS_C_DELEG_FLAG) {
if (!delegated_cred_handle) { if (!delegated_cred_handle) {
m->gm_release_cred(minor_status, &delegated_mc); if (m->gm_flags & GM_USE_MG_CRED)
gss_release_cred(minor_status, &delegated_mc);
else
m->gm_release_cred(minor_status, &delegated_mc);
mech_ret_flags &= mech_ret_flags &=
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
} else if ((m->gm_flags & GM_USE_MG_CRED) != 0) {
/*
* If credential is uses mechglue cred, assume it
* returns one too.
*/
*delegated_cred_handle = delegated_mc;
} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) { } else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
/* /*
* If the returned mech_type is not the same * If the returned mech_type is not the same

2
lib/gssapi/mech/gss_acquire_cred_from.c
View File

@@ -200,7 +200,7 @@ gss_acquire_cred_from(OM_uint32 *minor_status,
OM_uint32 cred_time; OM_uint32 cred_time;
m = __gss_get_mechanism(&mechs->elements[i]); m = __gss_get_mechanism(&mechs->elements[i]);
if (m == NULL) if (m == NULL || (m->gm_flags & GM_USE_MG_CRED) != 0)
continue; continue;
if (desired_name != GSS_C_NO_NAME) { if (desired_name != GSS_C_NO_NAME) {

3
lib/gssapi/mech/gss_add_cred_from.c
View File

@@ -130,7 +130,8 @@ gss_add_cred_from(OM_uint32 *minor_status,
*acceptor_time_rec = 0; *acceptor_time_rec = 0;
if (actual_mechs) if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET; *actual_mechs = GSS_C_NO_OID_SET;
if ((m = __gss_get_mechanism(desired_mech)) == NULL) if ((m = __gss_get_mechanism(desired_mech)) == NULL ||
(m->gm_flags & GM_USE_MG_CRED))
return GSS_S_BAD_MECH; return GSS_S_BAD_MECH;
if (input_cred_handle == GSS_C_NO_CREDENTIAL && if (input_cred_handle == GSS_C_NO_CREDENTIAL &&
output_cred_handle == NULL) { output_cred_handle == NULL) {

2
lib/gssapi/mech/gss_store_cred_into.c
View File

@@ -110,7 +110,7 @@ gss_store_cred_into(OM_uint32 *minor_status,
HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link) { HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link) {
gssapi_mech_interface m = mc->gmc_mech; gssapi_mech_interface m = mc->gmc_mech;
if (m == NULL) if (m == NULL || (m->gm_flags & GM_USE_MG_CRED) != 0)
continue; continue;
if (desired_mech != GSS_C_NO_OID && if (desired_mech != GSS_C_NO_OID &&