Add support for gss_{import,export}_cred() as requested by metze
Works for krb5 and SPNEGO mechanisms. Kerberos credentials are passed as credential cache names, or if there are memory based credentials, inband in the protocol. This means that the credentials buffers must be keep secret. As documented by IBM (they have the wrong prototype though) and GGF (GSS-API Extensions) back in 2001
This commit is contained in:
Love Hornquist Astrand
@@ -354,3 +354,39 @@ _gss_spnego_set_cred_option (OM_uint32 *minor_status,
|
||||
value);
|
||||
}
|
||||
|
||||
|
||||
OM_uint32
|
||||
_gss_spnego_export_cred (OM_uint32 *minor_status,
|
||||
gss_cred_id_t cred_handle,
|
||||
gss_buffer_t value)
|
||||
{
|
||||
gssspnego_cred cred = (gssspnego_cred)cred_handle;
|
||||
|
||||
return gss_export_cred(minor_status, cred->negotiated_cred_id, value);
|
||||
}
|
||||
|
||||
OM_uint32
|
||||
_gss_spnego_import_cred (OM_uint32 *minor_status,
|
||||
gss_buffer_t value,
|
||||
gss_cred_id_t *cred_handle)
|
||||
{
|
||||
gssspnego_cred cred;
|
||||
OM_uint32 major;
|
||||
|
||||
*cred_handle = GSS_C_NO_CREDENTIAL;
|
||||
|
||||
cred = calloc(1, sizeof(*cred));
|
||||
if (cred == NULL) {
|
||||
*minor_status = ENOMEM;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
major = gss_import_cred(minor_status, value, &cred->negotiated_cred_id);
|
||||
if (major == GSS_S_COMPLETE)
|
||||
*cred_handle = (gss_cred_id_t)cred;
|
||||
else
|
||||
free(cred);
|
||||
|
||||
return major;
|
||||
}
|
||||
|
||||
|
||||
@@ -79,7 +79,13 @@ static gssapi_mech_interface_desc spnego_mech = {
|
||||
_gss_spnego_inquire_cred_by_oid,
|
||||
_gss_spnego_set_sec_context_option,
|
||||
_gss_spnego_set_cred_option,
|
||||
_gss_spnego_pseudo_random
|
||||
_gss_spnego_pseudo_random,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
_gss_spnego_export_cred,
|
||||
_gss_spnego_import_cred
|
||||
};
|
||||
|
||||
gssapi_mech_interface
|
||||
|
||||
Reference in New Issue
Block a user