authorTom Yu <tlyu@mit.edu>2008-10-20 19:39:52 +0000
committerTom Yu <tlyu@mit.edu>2008-10-20 19:39:52 +0000
commitfd80796ebfd98e762293c298f5d880468266aad9 (patch)
treefb8cdc380bc64c0c0a6ae463c9ed83216e447747 /src/lib/gssapi
parente4a2f122c3086c1179323c0e24edb3506d3f4758 (diff)
Apply (adapted) patch from Apple to check for SPNEGO mechanism in
export_lucid_sec_ctx. ticket: 6015 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20899 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r--src/lib/gssapi/krb5/krb5_gss_glue.c43
-rw-r--r--src/lib/gssapi/spnego/gssapiP_spnego.h13
-rw-r--r--src/lib/gssapi/spnego/spnego_mech.c11
3 files changed, 48 insertions, 19 deletions
diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c
index 62905e421c..265818bf68 100644
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -27,6 +27,7 @@
#include "gssapiP_krb5.h"
#include "mglueP.h"
+#include "../spnego/gssapiP_spnego.h"
/** mechglue wrappers **/
@@ -1141,7 +1142,6 @@ gss_krb5_copy_ccache(
return GSS_S_DEFECTIVE_CREDENTIAL;
}
-/* XXX need to delete mechglue ctx too */
OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(
OM_uint32 *minor_status,
@@ -1149,15 +1149,40 @@ gss_krb5_export_lucid_sec_context(
OM_uint32 version,
void **kctx)
{
- gss_union_ctx_id_t uctx;
+ gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)*context_handle;
+ gss_union_ctx_id_t kerb_ctx;
+ OM_uint32 major = GSS_S_COMPLETE, minor = 0;
+ int is_spnego = 0;
+
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (minor_status == NULL || context_handle == NULL || kctx == NULL)
+ return (GSS_S_CALL_INACCESSIBLE_WRITE);
+ *kctx = GSS_C_NO_CONTEXT;
+
+ if (uctx == GSS_C_NO_CONTEXT)
+ return (GSS_S_CALL_INACCESSIBLE_READ);
+
+ if (g_OID_equal(uctx->mech_type, gss_mech_spnego)) {
+ kerb_ctx = uctx->internal_ctx_id;
+ is_spnego = 1;
+ }
+ else
+ kerb_ctx = uctx;
+
+ major = gss_krb5int_export_lucid_sec_context(minor_status,
+ &kerb_ctx->internal_ctx_id,
+ version, kctx);
+
+ if (major == GSS_S_COMPLETE) {
+ if (is_spnego) {
+ uctx->internal_ctx_id = GSS_C_NO_CONTEXT;
+ (void) gss_delete_sec_context(&minor, (gss_ctx_id_t *)&kerb_ctx, NULL);
+ }
+ (void) gss_delete_sec_context(&minor, context_handle, NULL);
+ }
- uctx = (gss_union_ctx_id_t)*context_handle;
- if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
- !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
- return GSS_S_BAD_MECH;
- return gss_krb5int_export_lucid_sec_context(minor_status,
- &uctx->internal_ctx_id,
- version, kctx);
+ return (major);
}
OM_uint32 KRB5_CALLCONV
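Review bot: `context_handle` is dereferenced in the initializer `gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)*context_handle;` before the `context_handle == NULL` test two statements later, so the NULL check cannot protect that read. Declare `gss_union_ctx_id_t uctx;` without an initializer and assign `uctx = (gss_union_ctx_id_t)*context_handle;` after the `GSS_S_CALL_INACCESSIBLE_WRITE` return. The commit also drops the old `GSS_S_BAD_MECH` test, so in the non-SPNEGO branch a context of any mechanism has its `internal_ctx_id` handed to `gss_krb5int_export_lucid_sec_context`, and in the SPNEGO branch `uctx->internal_ctx_id` is used as a union context without checking that it is non-null or that its `mech_type` is krb5. Unless the callee validates the handle itself (not visible here), the `g_OID_equal` comparison against `krb5_mechanism` and `krb5_mechanism_old` should be kept, applied to `kerb_ctx->mech_type`. The function's signature starts above this hunk.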
diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
index 6d7d4c40c9..310fd18210 100644
--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
@@ -106,16 +106,9 @@ typedef struct {
*/
#define SPNEGO_MAGIC_ID 0x00000fed
-/* SPNEGO oid structure */
-static const gss_OID_desc spnego_oids[] = {
- {SPNEGO_OID_LENGTH, SPNEGO_OID},
-};
-
-const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
-static const gss_OID_set_desc spnego_oidsets[] = {
- {1, (gss_OID) spnego_oids+0},
-};
-const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+/* SPNEGO oid declarations */
+const gss_OID_desc * const gss_mech_spnego;
+const gss_OID_set_desc * const gss_mech_set_spnego;
#ifdef DEBUG
#define dsyslog(a) syslog(LOG_DEBUG, a)
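Review bot: The two replacement declarations have no `extern`, so each `.c` file that includes this header gets a tentative definition of a `const` object rather than a reference to the initialized one now in spnego_mech.c. That links only where the toolchain merges common symbols and fails with duplicate definitions otherwise; krb5_gss_glue.c now includes this header, so there are at least two such translation units. Write `extern const gss_OID_desc * const gss_mech_spnego;` and `extern const gss_OID_set_desc * const gss_mech_set_spnego;`.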
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 54b9af5d1c..f3cb5919b4 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -154,6 +154,17 @@ get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int,
static int
is_kerb_mech(gss_OID oid);
+/* SPNEGO oid structure */
+static const gss_OID_desc spnego_oids[] = {
+ {SPNEGO_OID_LENGTH, SPNEGO_OID},
+};
+
+const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
+static const gss_OID_set_desc spnego_oidsets[] = {
+ {1, (gss_OID) spnego_oids+0},
+};
+const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+
/*
* The Mech OID for SPNEGO:
* { iso(1) org(3) dod(6) internet(1) security(5)