author | Luke Howard <lukeh@padl.com> | 2012-08-29 09:47:24 +1000 |
committer | Greg Hudson <ghudson@mit.edu> | 2012-08-31 12:03:49 -0400 |
commit | 8626fe9fb6cb14e92b84a68fca5209d0ee656f74 (patch) | |
tree | 3ee89b0c1713b7904366ba86b3e2aa6ff3765794 /src | |
parent | 79b78773ee4e9219185c71907256a92e06ec5b57 (diff) | |
Add support for GSS_C_NT_COMPOSITE_EXPORT
ticket: 7347 (new)
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/gssapi/generic/gssapi_ext.h | 1 | ||||
-rw-r--r-- | src/lib/gssapi/generic/gssapi_generic.c | 126 | ||||
-rw-r--r-- | src/lib/gssapi/generic/oid_ops.c | 1 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/import_name.c | 5 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/inq_names.c | 4 | ||||
-rw-r--r-- | src/lib/gssapi/libgssapi_krb5.exports | 1 | ||||
-rw-r--r-- | src/lib/gssapi/mechglue/g_imp_name.c | 2 |
7 files changed, 78 insertions, 62 deletions
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 05f1ed7fb4..dd12ffecbf 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -368,6 +368,7 @@ gss_add_cred_impersonate_name(
 * Naming extensions
 */
 GSS_DLLIMP extern gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
+GSS_DLLIMP extern gss_OID GSS_C_NT_COMPOSITE_EXPORT;
 OM_uint32 KRB5_CALLCONV gss_display_name_ext
 (
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
index 4718ac73a8..4759cdef83 100644
--- a/src/lib/gssapi/generic/gssapi_generic.c
+++ b/src/lib/gssapi/generic/gssapi_generic.c
@@ -119,7 +119,13 @@ static const gss_OID_desc const_oids[] = {
 * GSS_C_NT_EXPORT_NAME should be initialized to point
 * to that gss_OID_desc.
 */
-
+ {6, (void *)"\x2b\x06\x01\x05\x06\x06"},
+ /* corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 6(gss-composite-export)}. The constant
+ * GSS_C_NT_COMPOSITE_EXPORT should be initialized to point
+ * to that gss_OID_desc.
+ */
 /* GSS_C_INQ_SSPI_SESSION_KEY 1.2.840.113554.1.2.2.5.5 */
 {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"},
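Review bot: Inserting the new `{6, ...}` entry in the middle of `const_oids[]` shifts every later element, so each `oids+N` from 7 upward had to be renumbered by hand in the exported-pointer declarations and again in the `mech_attr_info[]` table, and the hard-coded `{ 27, oids+9 }` in `gss_ma_known_attrs_desc` must still agree with where the `GSS_C_MA_*` run begins and how long it is. Nothing in the file ties those three places together, so a future insertion can silently make a `GSS_C_MA_*` pointer name the wrong OID without any compiler diagnostic. Appending new OIDs after the last entry would avoid the churn; failing that, a comment on the set descriptor such as `/* Must match the count and first index of the GSS_C_MA_* entries in const_oids[]. */` records the invariant. The same renumbering appears in the next two hunks of this file. The `const_oids[]` initializer begins before and ends after this hunk.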
@@ -180,37 +186,39 @@ GSS_DLLIMP gss_OID GSS_C_NT_ANONYMOUS = oids+5;
 GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME = oids+6;
 gss_OID gss_nt_exported_name = oids+6;
-GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY = oids+7;
-
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_CONCRETE = oids+8;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_PSEUDO = oids+9;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_COMPOSITE = oids+10;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_NEGO = oids+11;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_GLUE = oids+12;
-GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_MECH = oids+13;
-GSS_DLLIMP gss_const_OID GSS_C_MA_DEPRECATED = oids+14;
-GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_DFLT_MECH = oids+15;
-GSS_DLLIMP gss_const_OID GSS_C_MA_ITOK_FRAMED = oids+16;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT = oids+17;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG = oids+18;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_INIT = oids+19;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_INIT = oids+20;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_ANON = oids+21;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_ANON = oids+22;
-GSS_DLLIMP gss_const_OID GSS_C_MA_DELEG_CRED = oids+23;
-GSS_DLLIMP gss_const_OID GSS_C_MA_INTEG_PROT = oids+24;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CONF_PROT = oids+25;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MIC = oids+26;
-GSS_DLLIMP gss_const_OID GSS_C_MA_WRAP = oids+27;
-GSS_DLLIMP gss_const_OID GSS_C_MA_PROT_READY = oids+28;
-GSS_DLLIMP gss_const_OID GSS_C_MA_REPLAY_DET = oids+29;
-GSS_DLLIMP gss_const_OID GSS_C_MA_OOS_DET = oids+30;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CBINDINGS = oids+31;
-GSS_DLLIMP gss_const_OID GSS_C_MA_PFS = oids+32;
-GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS = oids+33;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS = oids+34;
-
-static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+8 };
+GSS_DLLIMP gss_OID GSS_C_NT_COMPOSITE_EXPORT = oids+7;
+
+GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY = oids+8;
+
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_CONCRETE = oids+9;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_PSEUDO = oids+10;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_COMPOSITE = oids+11;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_NEGO = oids+12;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_GLUE = oids+13;
+GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_MECH = oids+14;
+GSS_DLLIMP gss_const_OID GSS_C_MA_DEPRECATED = oids+15;
+GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_DFLT_MECH = oids+16;
+GSS_DLLIMP gss_const_OID GSS_C_MA_ITOK_FRAMED = oids+17;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT = oids+18;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG = oids+19;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_INIT = oids+20;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_INIT = oids+21;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_ANON = oids+22;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_ANON = oids+23;
+GSS_DLLIMP gss_const_OID GSS_C_MA_DELEG_CRED = oids+24;
+GSS_DLLIMP gss_const_OID GSS_C_MA_INTEG_PROT = oids+25;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CONF_PROT = oids+26;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MIC = oids+27;
+GSS_DLLIMP gss_const_OID GSS_C_MA_WRAP = oids+28;
+GSS_DLLIMP gss_const_OID GSS_C_MA_PROT_READY = oids+29;
+GSS_DLLIMP gss_const_OID GSS_C_MA_REPLAY_DET = oids+30;
+GSS_DLLIMP gss_const_OID GSS_C_MA_OOS_DET = oids+31;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CBINDINGS = oids+32;
+GSS_DLLIMP gss_const_OID GSS_C_MA_PFS = oids+33;
+GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS = oids+34;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS = oids+35;
+
+static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+9 };
 gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc;
 #define STRING_BUFFER(x) { sizeof((x) - 1), (x) }
@@ -222,174 +230,174 @@ static struct mech_attr_info_desc { gss_buffer_desc long_desc; } mech_attr_info[] = { { - oids+8, + oids+9, STRING_BUFFER("GSS_C_MA_MECH_CONCRETE"), STRING_BUFFER("concrete-mech"), STRING_BUFFER("Mechanism is neither a pseudo-mechanism nor a " "composite mechanism."), }, { - oids+9, + oids+10, STRING_BUFFER("GSS_C_MA_MECH_PSEUDO"), STRING_BUFFER("pseudo-mech"), STRING_BUFFER("Mechanism is a pseudo-mechanism."), }, { - oids+10, + oids+11, STRING_BUFFER("GSS_C_MA_MECH_COMPOSITE"), STRING_BUFFER("composite-mech"), STRING_BUFFER("Mechanism is a composite of other mechanisms."), }, { - oids+11, + oids+12, STRING_BUFFER("GSS_C_MA_MECH_NEGO"), STRING_BUFFER("mech-negotiation-mech"), STRING_BUFFER("Mechanism negotiates other mechanisms."), }, { - oids+12, + oids+13, STRING_BUFFER("GSS_C_MA_MECH_GLUE"), STRING_BUFFER("mech-glue"), STRING_BUFFER("OID is not a mechanism but the GSS-API itself."), }, { - oids+13, + oids+14, STRING_BUFFER("GSS_C_MA_NOT_MECH"), STRING_BUFFER("not-mech"), STRING_BUFFER("Known OID but not a mechanism OID."), }, { - oids+14, + oids+15, STRING_BUFFER("GSS_C_MA_DEPRECATED"), STRING_BUFFER("mech-deprecated"), STRING_BUFFER("Mechanism is deprecated."), }, { - oids+15, + oids+16, STRING_BUFFER("GSS_C_MA_NOT_DFLT_MECH"), STRING_BUFFER("mech-not-default"), STRING_BUFFER("Mechanism must not be used as a default mechanism."), }, { - oids+16, + oids+17, STRING_BUFFER("GSS_C_MA_ITOK_FRAMED"), STRING_BUFFER("initial-is-framed"), STRING_BUFFER("Mechanism's initial contexts are properly framed."), }, { - oids+17, + oids+18, STRING_BUFFER("GSS_C_MA_AUTH_INIT"), STRING_BUFFER("auth-init-princ"), STRING_BUFFER("Mechanism supports authentication of initiator to " "acceptor."), }, { - oids+18, + oids+19, STRING_BUFFER("GSS_C_MA_AUTH_TARG"), STRING_BUFFER("auth-targ-princ"), STRING_BUFFER("Mechanism supports authentication of acceptor to " "initiator."), }, { - oids+19, + oids+20, STRING_BUFFER("GSS_C_MA_AUTH_INIT_INIT"), 
STRING_BUFFER("auth-init-princ-initial"), STRING_BUFFER("Mechanism supports authentication of initiator using " "initial credentials."), }, { - oids+20, + oids+21, STRING_BUFFER("GSS_C_MA_AUTH_TARG_INIT"), STRING_BUFFER("auth-target-princ-initial"), STRING_BUFFER("Mechanism supports authentication of acceptor using " "initial credentials."), }, { - oids+21, + oids+22, STRING_BUFFER("GSS_C_MA_AUTH_INIT_ANON"), STRING_BUFFER("auth-init-princ-anon"), STRING_BUFFER("Mechanism supports GSS_C_NT_ANONYMOUS as an initiator " "name."), }, { - oids+22, + oids+23, STRING_BUFFER("GSS_C_MA_AUTH_TARG_ANON"), STRING_BUFFER("auth-targ-princ-anon"), STRING_BUFFER("Mechanism supports GSS_C_NT_ANONYMOUS as an acceptor " "name."), }, { - oids+23, + oids+24, STRING_BUFFER("GSS_C_MA_DELEG_CRED"), STRING_BUFFER("deleg-cred"), STRING_BUFFER("Mechanism supports credential delegation."), }, { - oids+24, + oids+25, STRING_BUFFER("GSS_C_MA_INTEG_PROT"), STRING_BUFFER("integ-prot"), STRING_BUFFER("Mechanism supports per-message integrity protection."), }, { - oids+25, + oids+26, STRING_BUFFER("GSS_C_MA_CONF_PROT"), STRING_BUFFER("conf-prot"), STRING_BUFFER("Mechanism supports per-message confidentiality " "protection."), }, { - oids+26, + oids+27, STRING_BUFFER("GSS_C_MA_MIC"), STRING_BUFFER("mic"), STRING_BUFFER("Mechanism supports Message Integrity Code (MIC) " "tokens."), }, { - oids+27, + oids+28, STRING_BUFFER("GSS_C_MA_WRAP"), STRING_BUFFER("wrap"), STRING_BUFFER("Mechanism supports wrap tokens."), }, { - oids+28, + oids+29, STRING_BUFFER("GSS_C_MA_PROT_READY"), STRING_BUFFER("prot-ready"), STRING_BUFFER("Mechanism supports per-message proteciton prior to " "full context establishment."), }, { - oids+29, + oids+30, STRING_BUFFER("GSS_C_MA_REPLAY_DET"), STRING_BUFFER("replay-detection"), STRING_BUFFER("Mechanism supports replay detection."), }, { - oids+30, + oids+31, STRING_BUFFER("GSS_C_MA_OOS_DET"), STRING_BUFFER("oos-detection"), STRING_BUFFER("Mechanism supports out-of-sequence 
detection."),
 },
 {
- oids+31,
+ oids+32,
 STRING_BUFFER("GSS_C_MA_CBINDINGS"),
 STRING_BUFFER("channel-bindings"),
 STRING_BUFFER("Mechanism supports channel bindings."),
 },
 {
- oids+32,
+ oids+33,
 STRING_BUFFER("GSS_C_MA_PFS"),
 STRING_BUFFER("pfs"),
 STRING_BUFFER("Mechanism supports Perfect Forward Security."),
 },
 {
- oids+33,
+ oids+34,
 STRING_BUFFER("GSS_C_MA_COMPRESS"),
 STRING_BUFFER("compress"),
 STRING_BUFFER("Mechanism supports compression of data inputs to "
 "gss_wrap()."),
 },
 {
- oids+34,
+ oids+35,
 STRING_BUFFER("GSS_C_MA_CTX_TRANS"),
 STRING_BUFFER("context-transfer"),
 STRING_BUFFER("Mechanism supports security context export/import."),
diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c
index 665b5902f4..85584fc3bd 100644
--- a/src/lib/gssapi/generic/oid_ops.c
+++ b/src/lib/gssapi/generic/oid_ops.c
@@ -97,6 +97,7 @@ generic_gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
 (*oid != GSS_C_NT_HOSTBASED_SERVICE) &&
 (*oid != GSS_C_NT_ANONYMOUS) &&
 (*oid != GSS_C_NT_EXPORT_NAME) &&
+ (*oid != GSS_C_NT_COMPOSITE_EXPORT) &&
 (*oid != gss_nt_service_name)) {
 free((*oid)->elements);
 free(*oid);
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index 0e730f98e2..ebc2a7bbea 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -218,7 +218,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 uid = atoi(tmp);
 goto do_getpwuid;
 #endif
- } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
+ } else if (g_OID_equal(input_name_type, gss_nt_exported_name) ||
+ g_OID_equal(input_name_type, GSS_C_NT_COMPOSITE_EXPORT)) {
 #define BOUNDS_CHECK(cp, end, n) \
 do { if ((end) - (cp) < (n)) goto fail_name; } while (0)
 cp = (unsigned char *)tmp;
@@ -231,7 +232,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 case 0x01:
 break;
 case 0x02:
- has_ad++;
+ has_ad++; /* is composite name */
 break;
 default:
 goto fail_name;
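Review bot: The new `else if` branch in `krb5_gss_import_name` accepts `GSS_C_NT_COMPOSITE_EXPORT` on exactly the same path as `gss_nt_exported_name`, but the caller-supplied name type is never reconciled with the token's second byte: the `case 0x01:`/`case 0x02:` switch in the following hunk sets `has_ad` from the token alone, so an import requested under `GSS_C_NT_COMPOSITE_EXPORT` will accept a plain (0x01) exported-name token and an import under `gss_nt_exported_name` will accept a composite (0x02) one. If that leniency is deliberate — the mechglue check in `g_imp_name.c` is equally permissive — a comment on the branch such as `/* The name type is not checked against the token's 0x01/0x02 tag; either form is accepted under either OID. */` would make it explicit; otherwise a guard after the switch, `if (g_OID_equal(input_name_type, GSS_C_NT_COMPOSITE_EXPORT) && !has_ad) goto fail_name;`, pins the stricter reading. `krb5_gss_import_name` begins before this hunk and its body continues past the second hunk.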
diff --git a/src/lib/gssapi/krb5/inq_names.c b/src/lib/gssapi/krb5/inq_names.c
index 9cc43500f4..fcf7dbcd3a 100644
--- a/src/lib/gssapi/krb5/inq_names.c
+++ b/src/lib/gssapi/krb5/inq_names.c
@@ -77,6 +77,10 @@ krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types)
 ((major = generic_gss_add_oid_set_member(minor_status,
 gss_nt_krb5_name,
 name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ GSS_C_NT_COMPOSITE_EXPORT,
+ name_types)
 ) == GSS_S_COMPLETE)
 ) {
 major = generic_gss_add_oid_set_member(minor_status,
diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
index a8ee3f2447..3da3a237c4 100644
--- a/src/lib/gssapi/libgssapi_krb5.exports
+++ b/src/lib/gssapi/libgssapi_krb5.exports
@@ -1,6 +1,7 @@
 GSS_C_ATTR_LOCAL_LOGIN_USER
 GSS_C_INQ_SSPI_SESSION_KEY
 GSS_C_NT_ANONYMOUS
+GSS_C_NT_COMPOSITE_EXPORT
 GSS_C_NT_EXPORT_NAME
 GSS_C_NT_HOSTBASED_SERVICE
 GSS_C_NT_HOSTBASED_SERVICE_X
diff --git a/src/lib/gssapi/mechglue/g_imp_name.c b/src/lib/gssapi/mechglue/g_imp_name.c
index 7afa188e53..8fcc3d0f26 100644
--- a/src/lib/gssapi/mechglue/g_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_imp_name.c
@@ -209,7 +209,7 @@ importExportName(minor, unionName)
 buf = (unsigned char *)expName.value;
 if (buf[0] != 0x04)
 return (GSS_S_DEFECTIVE_TOKEN);
- if (buf[1] != 0x01 && buf[1] != 0x02)
+ if (buf[1] != 0x01 && buf[1] != 0x02) /* allow composite names */
 return (GSS_S_DEFECTIVE_TOKEN);
 buf += expNameTokIdLen; |