author | Tom Yu <tlyu@mit.edu> | 2008-10-20 19:39:52 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2008-10-20 19:39:52 +0000 |
commit | fd80796ebfd98e762293c298f5d880468266aad9 (patch) | |
tree | fb8cdc380bc64c0c0a6ae463c9ed83216e447747 /src/lib/gssapi | |
parent | e4a2f122c3086c1179323c0e24edb3506d3f4758 (diff) | |
Apply (adapted) patch from Apple to check for SPNEGO mechanism in
export_lucid_sec_ctx.
ticket: 6015
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20899 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r-- | src/lib/gssapi/krb5/krb5_gss_glue.c | 43 | ||||
-rw-r--r-- | src/lib/gssapi/spnego/gssapiP_spnego.h | 13 | ||||
-rw-r--r-- | src/lib/gssapi/spnego/spnego_mech.c | 11 |
3 files changed, 48 insertions, 19 deletions
diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c
index 62905e421c..265818bf68 100644
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -27,6 +27,7 @@
 #include "gssapiP_krb5.h"
 #include "mglueP.h"
+#include "../spnego/gssapiP_spnego.h"
 /** mechglue wrappers **/
@@ -1141,7 +1142,6 @@ gss_krb5_copy_ccache(
 return GSS_S_DEFECTIVE_CREDENTIAL;
 }
-/* XXX need to delete mechglue ctx too */
 OM_uint32 KRB5_CALLCONV
 gss_krb5_export_lucid_sec_context(
 OM_uint32 *minor_status,
@@ -1149,15 +1149,40 @@ gss_krb5_export_lucid_sec_context(
 OM_uint32 version,
 void **kctx)
 {
- gss_union_ctx_id_t uctx;
+ gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)*context_handle;
+ gss_union_ctx_id_t kerb_ctx;
+ OM_uint32 major = GSS_S_COMPLETE, minor = 0;
+ int is_spnego = 0;
+
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (minor_status == NULL || context_handle == NULL || kctx == NULL)
+ return (GSS_S_CALL_INACCESSIBLE_WRITE);
+ *kctx = GSS_C_NO_CONTEXT;
+
+ if (uctx == GSS_C_NO_CONTEXT)
+ return (GSS_S_CALL_INACCESSIBLE_READ);
+
+ if (g_OID_equal(uctx->mech_type, gss_mech_spnego)) {
+ kerb_ctx = uctx->internal_ctx_id;
+ is_spnego = 1;
+ }
+ else
+ kerb_ctx = uctx;
+
+ major = gss_krb5int_export_lucid_sec_context(minor_status,
+ &kerb_ctx->internal_ctx_id,
+ version, kctx);
+
+ if (major == GSS_S_COMPLETE) {
+ if (is_spnego) {
+ uctx->internal_ctx_id = GSS_C_NO_CONTEXT;
+ (void) gss_delete_sec_context(&minor, (gss_ctx_id_t *)&kerb_ctx, NULL);
+ }
+ (void) gss_delete_sec_context(&minor, context_handle, NULL);
+ }
- uctx = (gss_union_ctx_id_t)*context_handle;
- if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
- !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
- return GSS_S_BAD_MECH;
- return gss_krb5int_export_lucid_sec_context(minor_status,
- &uctx->internal_ctx_id,
- version, kctx);
+ return (major);
 }
 OM_uint32 KRB5_CALLCONV 
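Review bot: In gss_krb5_export_lucid_sec_context the new initializer `uctx = (gss_union_ctx_id_t)*context_handle` dereferences context_handle before the `context_handle == NULL` test a few lines below it, so that test cannot protect the call; `uctx` should be declared without an initializer and assigned after the argument checks. The same hunk removes the old `krb5_mechanism` / `krb5_mechanism_old` mech_type test without a replacement, so a context from any other non-SPNEGO mechanism, or a SPNEGO context whose inner context is still empty or not Kerberos, has its internal_ctx_id handed to gss_krb5int_export_lucid_sec_context; whether that callee validates the handle is not visible here. Re-applying the test to `kerb_ctx->mech_type` would keep the previous GSS_S_BAD_MECH behaviour. The sketch assumes both krb5_mechanism symbols are still in scope and that the SPNEGO inner context is a union context, as the assignment in the hunk implies.

```c
    gss_union_ctx_id_t uctx;
    /* … unchanged: other declarations, minor_status/context_handle/kctx NULL checks … */
    uctx = (gss_union_ctx_id_t)*context_handle;
    if (uctx == GSS_C_NO_CONTEXT)
        return (GSS_S_CALL_INACCESSIBLE_READ);
    /* … unchanged: SPNEGO unwrapping into kerb_ctx … */
    if (kerb_ctx == GSS_C_NO_CONTEXT)
        return (GSS_S_NO_CONTEXT);
    if (!g_OID_equal(kerb_ctx->mech_type, &krb5_mechanism.mech_type) &&
        !g_OID_equal(kerb_ctx->mech_type, &krb5_mechanism_old.mech_type))
        return (GSS_S_BAD_MECH);
    /* … unchanged: export call and context cleanup … */
```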
diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
index 6d7d4c40c9..310fd18210 100644
--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
@@ -106,16 +106,9 @@ typedef struct {
 */
 #define SPNEGO_MAGIC_ID 0x00000fed
-/* SPNEGO oid structure */
-static const gss_OID_desc spnego_oids[] = {
- {SPNEGO_OID_LENGTH, SPNEGO_OID},
-};
-
-const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
-static const gss_OID_set_desc spnego_oidsets[] = {
- {1, (gss_OID) spnego_oids+0},
-};
-const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+/* SPNEGO oid declarations */
+const gss_OID_desc * const gss_mech_spnego;
+const gss_OID_set_desc * const gss_mech_set_spnego;
 #ifdef DEBUG
 #define dsyslog(a) syslog(LOG_DEBUG, a)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 54b9af5d1c..f3cb5919b4 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -154,6 +154,17 @@ get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int,
 static int is_kerb_mech(gss_OID oid);
+/* SPNEGO oid structure */
+static const gss_OID_desc spnego_oids[] = {
+ {SPNEGO_OID_LENGTH, SPNEGO_OID},
+};
+
+const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
+static const gss_OID_set_desc spnego_oidsets[] = {
+ {1, (gss_OID) spnego_oids+0},
+};
+const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+
 /*
 * The Mech OID for SPNEGO:
 * { iso(1) org(3) dod(6) internet(1) security(5) |
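Review bot: The two declarations added to gssapiP_spnego.h lack `extern`, so every file that includes the header (now also krb5_gss_glue.c) gets its own tentative definition of `gss_mech_spnego` and `gss_mech_set_spnego`. Depending on the toolchain, that either fails to link as a duplicate symbol or relies on common-symbol merging to pick up the initialised definition moved into spnego_mech.c; if the symbols are not merged, `g_OID_equal(uctx->mech_type, gss_mech_spnego)` in the glue code would compare against a null pointer. Declare them as `extern const gss_OID_desc * const gss_mech_spnego;` and `extern const gss_OID_set_desc * const gss_mech_set_spnego;`.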