svn rev #24356: trunk/src/ lib/gssapi/ lib/gssapi/generic/ lib/gssapi/krb5/ lib/gssapi/mechglue/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Sun Sep 26 23:39:22 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24356
Commit By: ghudson
Log Message:
ticket: 6785
subject: Add gss_krb5_import_cred
Add gss_krb5_import_cred from Heimdal; allows krb5 creds to be
acquired from a keytab or ccache into a GSSAPI credential without
using global process or thread variables.
Merged from the users/lhoward/import-cred branch.
Changed Files:
U trunk/src/lib/gssapi/generic/gssapi_ext.h
U trunk/src/lib/gssapi/krb5/acquire_cred.c
U trunk/src/lib/gssapi/krb5/copy_ccache.c
U trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
U trunk/src/lib/gssapi/krb5/gssapi_krb5.c
U trunk/src/lib/gssapi/krb5/gssapi_krb5.hin
U trunk/src/lib/gssapi/krb5/krb5_gss_glue.c
U trunk/src/lib/gssapi/krb5/set_allowable_enctypes.c
U trunk/src/lib/gssapi/libgssapi_krb5.exports
U trunk/src/lib/gssapi/mechglue/g_set_cred_option.c
U trunk/src/lib/gssapi/mechglue/mglueP.h
U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U trunk/src/lib/gssapi/spnego/spnego_mech.c
U trunk/src/lib/krb5/libkrb5.exports
U trunk/src/tests/gssapi/t_gssexts.c
Modified: trunk/src/lib/gssapi/generic/gssapi_ext.h
===================================================================
--- trunk/src/lib/gssapi/generic/gssapi_ext.h 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/generic/gssapi_ext.h 2010-09-27 03:39:22 UTC (rev 24356)
@@ -115,10 +115,9 @@
const gss_OID /*desired_object*/,
const gss_buffer_t /*value*/);
-/* XXX do these really belong in this header? */
-OM_uint32 KRB5_CALLCONV gssspi_set_cred_option
+OM_uint32 KRB5_CALLCONV gss_set_cred_option
(OM_uint32 * /*minor_status*/,
- gss_cred_id_t /*cred*/,
+ gss_cred_id_t * /*cred*/,
const gss_OID /*desired_object*/,
const gss_buffer_t /*value*/);
Modified: trunk/src/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/acquire_cred.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/krb5/acquire_cred.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -1,6 +1,6 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
- * Copyright 2000, 2007, 2008 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2007-2010 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -129,56 +129,55 @@
}
/* get credentials corresponding to a key in the krb5 keytab.
- If the default name is requested, return the name in output_name.
- If output_name is non-NULL, the caller will use or free it, regardless
- of the return value.
If successful, set the keytab-specific fields in cred
*/
static OM_uint32
acquire_accept_cred(krb5_context context,
OM_uint32 *minor_status,
- krb5_gss_name_t desired_name,
- krb5_gss_name_t *output_name,
+ krb5_principal desired_princ,
+ krb5_keytab req_keytab,
krb5_gss_cred_id_rec *cred)
{
krb5_error_code code;
- krb5_principal princ;
krb5_keytab kt;
krb5_keytab_entry entry;
- *output_name = NULL;
- cred->keytab = NULL;
+ assert(cred->keytab == NULL);
- /* open the default keytab */
+ if (req_keytab != NULL) {
+ char ktname[BUFSIZ];
- code = gss_krb5int_initialize_library();
- if (code != 0) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- code = k5_mutex_lock(&gssint_krb5_keytab_lock);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- if (krb5_gss_keytab != NULL) {
- code = krb5_kt_resolve(context, krb5_gss_keytab, &kt);
- k5_mutex_unlock(&gssint_krb5_keytab_lock);
+ /* Duplicate keytab handle */
+ code = krb5_kt_get_name(context, req_keytab, ktname, sizeof(ktname));
+ if (code) {
+ *minor_status = code;
+ return GSS_S_CRED_UNAVAIL;
+ }
+ code = krb5_kt_resolve(context, ktname, &kt);
} else {
- k5_mutex_unlock(&gssint_krb5_keytab_lock);
- code = krb5_kt_default(context, &kt);
+ code = k5_mutex_lock(&gssint_krb5_keytab_lock);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ if (krb5_gss_keytab != NULL) {
+ code = krb5_kt_resolve(context, krb5_gss_keytab, &kt);
+ k5_mutex_unlock(&gssint_krb5_keytab_lock);
+ } else {
+ k5_mutex_unlock(&gssint_krb5_keytab_lock);
+ code = krb5_kt_default(context, &kt);
+ }
}
-
if (code) {
*minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
- if (desired_name != NULL) {
- princ = desired_name->princ;
- if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
- (void) krb5_kt_close(context, kt);
+ if (desired_princ != NULL) {
+ code = krb5_kt_get_entry(context, kt, desired_princ, 0, 0, &entry);
+ if (code) {
+ krb5_kt_close(context, kt);
if (code == KRB5_KT_NOTFOUND) {
char *errstr = (char *)krb5_get_error_message(context, code);
krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr);
@@ -186,46 +185,50 @@
*minor_status = KG_KEYTAB_NOMATCH;
} else
*minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
krb5_kt_free_entry(context, &entry);
+ assert(cred->name == NULL);
+ code = kg_init_name(context, desired_princ, NULL,
+ KG_INIT_NAME_INTERN, &cred->name);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
/* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, princ, 0),
- &cred->rcache))) {
+ code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, desired_princ, 0),
+ &cred->rcache);
+ if (code) {
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
-
}
-/* hooray. we made it */
-
cred->keytab = kt;
- return(GSS_S_COMPLETE);
+ return GSS_S_COMPLETE;
}
#endif /* LEAN_CLIENT */
/* get credentials corresponding to the default credential cache.
- If the default name is requested, return the name in output_name.
- If output_name is non-NULL, the caller will use or free it, regardless
- of the return value.
If successful, set the ccache-specific fields in cred.
*/
static OM_uint32
acquire_init_cred(krb5_context context,
OM_uint32 *minor_status,
- krb5_gss_name_t desired_name,
- krb5_gss_name_t *output_name,
+ krb5_ccache req_ccache,
+ krb5_principal desired_princ,
gss_buffer_t password,
krb5_gss_cred_id_rec *cred)
{
krb5_error_code code;
krb5_ccache ccache;
- krb5_principal princ = NULL, tmp_princ;
+ krb5_principal ccache_princ = NULL, tmp_princ;
+ krb5_const_principal cred_princ = NULL;
krb5_cc_cursor cur;
krb5_creds creds;
int got_endtime;
@@ -237,16 +240,16 @@
/* load the GSS ccache name into the kg_context */
if (GSS_ERROR(kg_sync_ccache_name(context, minor_status)))
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
/* check to see if the caller provided a ccache name if so
* we will just use that and not search the cache collection */
if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) {
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
#if defined(USE_KIM) || defined(USE_LEASH)
- if (desired_name && !caller_provided_ccache_name) {
+ if (desired_princ && !caller_provided_ccache_name && !req_ccache) {
#if defined(USE_KIM)
kim_error err = KIM_NO_ERROR;
kim_ccache kimccache = NULL;
@@ -255,7 +258,7 @@
err = kim_identity_create_from_krb5_principal (&identity,
context,
- desired_name->princ);
+ desired_princ);
if (!err) {
err = kim_ccache_create_from_client_identity (&kimccache, identity);
@@ -289,7 +292,7 @@
if (err) {
*minor_status = err;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
#elif defined(USE_LEASH)
@@ -303,80 +306,99 @@
if ( pLeash_AcquireInitialTicketsIfNeeded ) {
char ccname[256]="";
- pLeash_AcquireInitialTicketsIfNeeded(context, desired_name->princ, ccname, sizeof(ccname));
+ pLeash_AcquireInitialTicketsIfNeeded(context, desired_princ, ccname, sizeof(ccname));
if (!ccname[0]) {
*minor_status = KRB5_CC_NOTFOUND;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
if ((code = krb5_cc_resolve (context, ccname, &ccache))) {
*minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
} else {
/* leash dll not available, open the default credential cache */
if ((code = krb5int_cc_default(context, &ccache))) {
*minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
}
#endif /* USE_LEASH */
} else
#endif /* USE_KIM || USE_LEASH */
{
- /* open the default credential cache */
-
- if ((code = krb5int_cc_default(context, &ccache))) {
+ if (req_ccache != NULL) {
+ /* Duplicate ccache handle */
+ code = krb5_cc_dup(context, req_ccache, &ccache);
+ } else {
+ /* Open the default credential cache */
+ code = krb5int_cc_default(context, &ccache);
+ }
+ if (code != 0) {
*minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
}
/* turn off OPENCLOSE mode while extensive frobbing is going on */
code = krb5_cc_set_flags(context, ccache, 0);
if (code == KRB5_FCC_NOFILE &&
- password != GSS_C_NO_BUFFER && desired_name != NULL) {
+ password != GSS_C_NO_BUFFER && desired_princ != NULL) {
/* We will get initial creds later. */
- code = krb5_cc_initialize(context, ccache, desired_name->princ);
+ code = krb5_cc_initialize(context, ccache, desired_princ);
if (code == 0)
code = krb5_cc_set_flags(context, ccache, 0);
}
if (code != 0) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
- /* get out the principal name and see if it matches */
- code = krb5_cc_get_principal(context, ccache, &princ);
+ /*
+ * Credentials cache principal must match either the acceptor principal
+ * name or the desired_princ argument (they may be the same).
+ */
+ if (cred->name != NULL && desired_princ == NULL)
+ desired_princ = cred->name->princ;
+
+ code = krb5_cc_get_principal(context, ccache, &ccache_princ);
if (code != 0) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
- if (desired_name != NULL) {
- if (!krb5_principal_compare(context, princ, desired_name->princ)) {
- (void)krb5_free_principal(context, princ);
- (void)krb5_cc_close(context, ccache);
+ if (desired_princ != NULL) {
+ if (!krb5_principal_compare(context, ccache_princ, desired_princ)) {
+ krb5_free_principal(context, ccache_princ);
+ krb5_cc_close(context, ccache);
*minor_status = KG_CCACHE_NOMATCH;
- return(GSS_S_CRED_UNAVAIL);
+ return GSS_S_CRED_UNAVAIL;
}
- (void)krb5_free_principal(context, princ);
- princ = desired_name->princ;
- } else {
- if ((code = kg_init_name(context, princ, NULL,
+ }
+
+ /*
+ * If we are acquiring initiator-only default credentials, then set
+ * cred->name to the credentials cache principal name.
+ */
+ if (cred->name == NULL) {
+ if ((code = kg_init_name(context, ccache_princ, NULL,
KG_INIT_NAME_NO_COPY | KG_INIT_NAME_INTERN,
- output_name))) {
- (void)krb5_free_principal(context, princ);
- (void)krb5_cc_close(context, ccache);
+ &cred->name))) {
+ krb5_free_principal(context, ccache_princ);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
- /* princ is now owned by output_name, it need not be freed here */
+ } else {
+ krb5_free_principal(context, ccache_princ);
}
+ assert(cred->name->princ != NULL);
+ cred_princ = cred->name->princ;
+
if (password != GSS_C_NO_BUFFER) {
/* stash the password for later */
password_data.length = password->length;
@@ -385,7 +407,7 @@
code = krb5int_copy_data_contents_add0(context, &password_data,
&cred->password);
if (code != 0) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
return GSS_S_FAILURE;
}
@@ -393,7 +415,7 @@
/* restore the OPENCLOSE flag */
code = krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
if (code != 0) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
return GSS_S_FAILURE;
}
@@ -405,9 +427,9 @@
/* iterate over the ccache, find the tgt */
if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
/* this is hairy. If there's a tgt for the principal's local realm
@@ -417,16 +439,16 @@
got_endtime = 0;
code = krb5_build_principal_ext(context, &tmp_princ,
- krb5_princ_realm(context, princ)->length,
- krb5_princ_realm(context, princ)->data,
+ krb5_princ_realm(context, cred_princ)->length,
+ krb5_princ_realm(context, cred_princ)->data,
KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- krb5_princ_realm(context, princ)->length,
- krb5_princ_realm(context, princ)->data,
+ krb5_princ_realm(context, cred_princ)->length,
+ krb5_princ_realm(context, cred_princ)->data,
0);
if (code) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) {
if (krb5_principal_compare(context, tmp_princ, creds.server)) {
@@ -447,27 +469,27 @@
if (code && code != KRB5_CC_END) {
/* this means some error occurred reading the ccache */
- (void)krb5_cc_end_seq_get(context, ccache, &cur);
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_end_seq_get(context, ccache, &cur);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
} else if (! got_endtime) {
/* this means the ccache was entirely empty */
- (void)krb5_cc_end_seq_get(context, ccache, &cur);
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_end_seq_get(context, ccache, &cur);
+ krb5_cc_close(context, ccache);
*minor_status = KG_EMPTY_CCACHE;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
} else {
/* this means that we found an endtime to use. */
if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
if ((code = krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE))) {
- (void)krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
*minor_status = code;
- return(GSS_S_FAILURE);
+ return GSS_S_FAILURE;
}
}
@@ -475,27 +497,38 @@
cred->ccache = ccache;
/* minor_status is set while we are iterating over the ccache */
- return(GSS_S_COMPLETE);
+ return GSS_S_COMPLETE;
}
+struct acquire_cred_args {
+ gss_name_t desired_name;
+ gss_buffer_t password;
+ OM_uint32 time_req;
+ gss_OID_set desired_mechs;
+ gss_cred_usage_t cred_usage;
+ krb5_keytab keytab;
+ krb5_ccache ccache;
+ int iakerb;
+};
+
/*ARGSUSED*/
static OM_uint32
-acquire_cred(minor_status, desired_name, password, time_req,
- cred_usage, output_cred_handle, time_rec, req_iakerb)
- OM_uint32 *minor_status;
- const gss_name_t desired_name;
- const gss_buffer_t password;
- OM_uint32 time_req;
- gss_cred_usage_t cred_usage;
- gss_cred_id_t *output_cred_handle;
- OM_uint32 *time_rec;
- int req_iakerb;
+acquire_cred(OM_uint32 *minor_status,
+ const struct acquire_cred_args *args,
+ gss_cred_id_t *output_cred_handle,
+ OM_uint32 *time_rec)
{
krb5_context context = NULL;
krb5_gss_cred_id_t cred = NULL;
OM_uint32 ret;
krb5_error_code code = 0;
+ krb5_principal desired_princ = NULL;
+ /* make sure all outputs are valid */
+ *output_cred_handle = GSS_C_NO_CREDENTIAL;
+ if (time_rec)
+ *time_rec = 0;
+
code = gss_krb5int_initialize_library();
if (code)
goto krb_error_out;
@@ -504,31 +537,15 @@
if (code)
goto krb_error_out;
- /* make sure all outputs are valid */
-
- *output_cred_handle = NULL;
- if (time_rec)
- *time_rec = 0;
-
- /* validate the name */
-
- /*SUPPRESS 29*/
- if ((desired_name != GSS_C_NO_NAME) &&
- (! kg_validate_name(desired_name))) {
- code = G_VALIDATE_FAILED;
- goto krb_error_out;
- }
-
/* create the gss cred structure */
cred = k5alloc(sizeof(krb5_gss_cred_id_rec), &code);
- if (code != 0)
+ if (cred == NULL)
goto krb_error_out;
- cred->usage = cred_usage;
+ cred->usage = args->cred_usage;
cred->name = NULL;
- cred->iakerb_mech = req_iakerb;
- cred->default_identity = (desired_name == GSS_C_NO_NAME);
-
+ cred->iakerb_mech = args->iakerb;
+ cred->default_identity = (args->desired_name == GSS_C_NO_NAME);
#ifndef LEAN_CLIENT
cred->keytab = NULL;
#endif /* LEAN_CLIENT */
@@ -538,59 +555,50 @@
if (code)
goto krb_error_out;
- /* Note that we don't need to lock this GSSAPI credential record
- here, because no other thread can gain access to it until we
- return it. */
-
- if ((cred_usage != GSS_C_INITIATE) &&
- (cred_usage != GSS_C_ACCEPT) &&
- (cred_usage != GSS_C_BOTH)) {
+ switch (args->cred_usage) {
+ case GSS_C_INITIATE:
+ case GSS_C_ACCEPT:
+ case GSS_C_BOTH:
+ break;
+ default:
ret = GSS_S_FAILURE;
*minor_status = (OM_uint32) G_BAD_USAGE;
goto error_out;
}
- /* if requested, acquire credentials for accepting */
- /* this will fill in cred->name if the desired_name is not specified */
+ if (args->desired_name != GSS_C_NO_NAME)
+ desired_princ = ((krb5_gss_name_t)args->desired_name)->princ;
+
#ifndef LEAN_CLIENT
- if ((cred_usage == GSS_C_ACCEPT) ||
- (cred_usage == GSS_C_BOTH))
- if ((ret = acquire_accept_cred(context, minor_status,
- (krb5_gss_name_t)desired_name,
- &cred->name, cred))
- != GSS_S_COMPLETE) {
+ /*
+ * If requested, acquire credentials for accepting. This will fill
+ * in cred->name if desired_princ is specified.
+ */
+ if (args->cred_usage == GSS_C_ACCEPT || args->cred_usage == GSS_C_BOTH) {
+ ret = acquire_accept_cred(context, minor_status,
+ desired_princ,
+ args->keytab, cred);
+ if (ret != GSS_S_COMPLETE)
goto error_out;
- }
+ }
#endif /* LEAN_CLIENT */
- /* if requested, acquire credentials for initiation */
- /* this will fill in cred->name if it wasn't set above, and
- the desired_name is not specified */
-
- if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
- ret = acquire_init_cred(context, minor_status,
- cred->name ?
- cred->name : (krb5_gss_name_t)desired_name,
- &cred->name, password, cred);
+ /*
+ * If requested, acquire credentials for initiation. This will fill
+ * in cred->name if it wasn't set above.
+ */
+ if (args->cred_usage == GSS_C_INITIATE || args->cred_usage == GSS_C_BOTH) {
+ ret = acquire_init_cred(context, minor_status, args->ccache,
+ desired_princ, args->password, cred);
if (ret != GSS_S_COMPLETE)
goto error_out;
}
- /* if the princ wasn't filled in already, fill it in now */
+ assert(cred->default_identity || cred->name != NULL);
- if (!cred->name && (desired_name != GSS_C_NO_NAME)) {
- code = kg_duplicate_name(context,
- (krb5_gss_name_t)desired_name,
- 0, &cred->name);
- if (code != 0)
- goto krb_error_out;
- }
-
/*** at this point, the cred structure has been completely created */
- /* compute time_rec */
-
- if (cred_usage == GSS_C_ACCEPT) {
+ if (args->cred_usage == GSS_C_ACCEPT) {
if (time_rec)
*time_rec = GSS_C_INDEFINITE;
} else {
@@ -604,20 +612,16 @@
*time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0;
}
- /* intern the credential handle */
-
- if (! kg_save_cred_id((gss_cred_id_t) cred)) {
+ if (!kg_save_cred_id((gss_cred_id_t)cred)) {
ret = GSS_S_FAILURE;
goto error_out;
}
- /* return success */
-
*minor_status = 0;
*output_cred_handle = (gss_cred_id_t) cred;
krb5_free_context(context);
- return(GSS_S_COMPLETE);
+ return GSS_S_COMPLETE;
krb_error_out:
*minor_status = code;
@@ -626,10 +630,10 @@
error_out:
if (cred != NULL) {
if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
if (cred->name)
kg_release_name(context, 0, &cred->name);
@@ -643,7 +647,7 @@
OM_uint32
gss_krb5int_set_cred_rcache(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
+ gss_cred_id_t *cred_handle,
const gss_OID desired_oid,
const gss_buffer_t value)
{
@@ -659,11 +663,8 @@
rcache = (krb5_rcache)value->value;
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- return GSS_S_NO_CRED;
+ cred = (krb5_gss_cred_id_t)*cred_handle;
- cred = (krb5_gss_cred_id_t)cred_handle;
-
code = krb5_gss_init_context(&context);
if (code) {
*minor_status = code;
@@ -704,8 +705,21 @@
gss_OID_set *actual_mechs;
OM_uint32 *time_rec;
{
- return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
- time_req, cred_usage, output_cred_handle, time_rec, 0);
+ struct acquire_cred_args args;
+
+ if (desired_name && !kg_validate_name(desired_name)) {
+ *minor_status = G_VALIDATE_FAILED;
+ return GSS_S_FAILURE;
+ }
+
+ memset(&args, 0, sizeof(args));
+ args.desired_name = desired_name;
+ args.time_req = time_req;
+ args.desired_mechs = desired_mechs;
+ args.cred_usage = cred_usage;
+ args.iakerb = 0;
+
+ return acquire_cred(minor_status, &args, output_cred_handle, time_rec);
}
OM_uint32
@@ -721,8 +735,21 @@
gss_OID_set *actual_mechs;
OM_uint32 *time_rec;
{
- return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
- time_req, cred_usage, output_cred_handle, time_rec, 1);
+ struct acquire_cred_args args;
+
+ if (desired_name && !kg_validate_name(desired_name)) {
+ *minor_status = G_VALIDATE_FAILED;
+ return GSS_S_FAILURE;
+ }
+
+ memset(&args, 0, sizeof(args));
+ args.desired_name = desired_name;
+ args.time_req = time_req;
+ args.desired_mechs = desired_mechs;
+ args.cred_usage = cred_usage;
+ args.iakerb = 1;
+
+ return acquire_cred(minor_status, &args, output_cred_handle, time_rec);
}
OM_uint32
@@ -736,8 +763,22 @@
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- return acquire_cred(minor_status, desired_name, password,
- time_req, cred_usage, output_cred_handle, time_rec, 0);
+ struct acquire_cred_args args;
+
+ if (desired_name && !kg_validate_name(desired_name)) {
+ *minor_status = G_VALIDATE_FAILED;
+ return GSS_S_FAILURE;
+ }
+
+ memset(&args, 0, sizeof(args));
+ args.desired_name = desired_name;
+ args.password = password;
+ args.time_req = time_req;
+ args.desired_mechs = desired_mechs;
+ args.cred_usage = cred_usage;
+ args.iakerb = 0;
+
+ return acquire_cred(minor_status, &args, output_cred_handle, time_rec);
}
OM_uint32
@@ -751,6 +792,64 @@
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- return acquire_cred(minor_status, desired_name, password,
- time_req, cred_usage, output_cred_handle, time_rec, 1);
+ struct acquire_cred_args args;
+
+ if (desired_name && !kg_validate_name(desired_name)) {
+ *minor_status = G_VALIDATE_FAILED;
+ return GSS_S_FAILURE;
+ }
+
+ memset(&args, 0, sizeof(args));
+ args.desired_name = desired_name;
+ args.password = password;
+ args.time_req = time_req;
+ args.desired_mechs = desired_mechs;
+ args.cred_usage = cred_usage;
+ args.iakerb = 1;
+
+ return acquire_cred(minor_status, &args, output_cred_handle, time_rec);
}
+
+OM_uint32
+gss_krb5int_import_cred(OM_uint32 *minor_status,
+ gss_cred_id_t *cred_handle,
+ const gss_OID desired_oid,
+ const gss_buffer_t value)
+{
+ struct krb5_gss_import_cred_req *req;
+ struct acquire_cred_args args;
+ krb5_gss_name_rec name;
+ OM_uint32 time_rec;
+
+ assert(value->length == sizeof(*req));
+
+ if (value->length != sizeof(*req))
+ return GSS_S_FAILURE;
+
+ req = (struct krb5_gss_import_cred_req *)value->value;
+
+ memset(&args, 0, sizeof(args));
+
+ if (req->keytab_principal) {
+ memset(&name, 0, sizeof(name));
+ name.princ = req->keytab_principal;
+ args.desired_name = (gss_name_t)&name;
+ }
+
+ args.ccache = req->id;
+ args.keytab = req->keytab;
+
+ if (req->id && req->keytab)
+ args.cred_usage = GSS_C_BOTH;
+ else if (req->id)
+ args.cred_usage = GSS_C_INITIATE;
+ else if (req->keytab)
+ args.cred_usage = GSS_C_ACCEPT;
+ else {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ return acquire_cred(minor_status, &args, cred_handle, &time_rec);
+}
+
Modified: trunk/src/lib/gssapi/krb5/copy_ccache.c
===================================================================
--- trunk/src/lib/gssapi/krb5/copy_ccache.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/krb5/copy_ccache.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -3,7 +3,7 @@
OM_uint32 KRB5_CALLCONV
gss_krb5int_copy_ccache(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
+ gss_cred_id_t *cred_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
@@ -22,8 +22,7 @@
out_ccache = (krb5_ccache)value->value;
/* cred handle will have been validated by gssspi_set_cred_option() */
-
- k5creds = (krb5_gss_cred_id_t) cred_handle;
+ k5creds = (krb5_gss_cred_id_t) *cred_handle;
code = k5_mutex_lock(&k5creds->lock);
if (code) {
*minor_status = code;
Modified: trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2010-09-27 03:39:22 UTC (rev 24356)
@@ -1007,7 +1007,7 @@
OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache
(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
+ gss_cred_id_t *cred_handle,
const gss_OID desired_oid,
const gss_buffer_t value);
@@ -1025,6 +1025,12 @@
const gss_OID,
const gss_buffer_t);
+#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
+#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
+
+OM_uint32
+gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
+
#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"
@@ -1033,15 +1039,9 @@
krb5_enctype *ktypes;
};
-#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
-#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
-
-OM_uint32
-gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
-
OM_uint32 KRB5_CALLCONV
gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred,
+ gss_cred_id_t *cred,
const gss_OID desired_oid,
const gss_buffer_t value);
@@ -1091,7 +1091,7 @@
#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b"
OM_uint32
-gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t);
+gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t *, const gss_OID, const gss_buffer_t);
#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
@@ -1102,6 +1102,21 @@
const gss_OID,
gss_buffer_set_t *);
+#define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11
+#define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d"
+
+struct krb5_gss_import_cred_req {
+ krb5_ccache id;
+ krb5_principal keytab_principal;
+ krb5_keytab keytab;
+};
+
+OM_uint32 KRB5_CALLCONV
+gss_krb5int_import_cred(OM_uint32 *minor_status,
+ gss_cred_id_t *cred,
+ const gss_OID desired_oid,
+ const gss_buffer_t value);
+
#ifdef _GSS_STATIC_LINK
int gss_krb5int_lib_init(void);
void gss_krb5int_lib_fini(void);
Modified: trunk/src/lib/gssapi/krb5/gssapi_krb5.c
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -510,7 +510,7 @@
*/
static struct {
gss_OID_desc oid;
- OM_uint32 (*func)(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t);
+ OM_uint32 (*func)(OM_uint32 *, gss_cred_id_t *, const gss_OID, const gss_buffer_t);
} krb5_gssspi_set_cred_option_ops[] = {
{
{GSS_KRB5_COPY_CCACHE_OID_LENGTH, GSS_KRB5_COPY_CCACHE_OID},
@@ -524,11 +524,15 @@
{GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH, GSS_KRB5_SET_CRED_RCACHE_OID},
gss_krb5int_set_cred_rcache
},
+ {
+ {GSS_KRB5_IMPORT_CRED_OID_LENGTH, GSS_KRB5_IMPORT_CRED_OID},
+ gss_krb5int_import_cred
+ },
};
static OM_uint32
krb5_gssspi_set_cred_option(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
+ gss_cred_id_t *cred_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
@@ -538,19 +542,19 @@
if (minor_status == NULL)
return GSS_S_CALL_INACCESSIBLE_WRITE;
+ if (cred_handle == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
*minor_status = 0;
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED;
- return GSS_S_NO_CRED;
- }
-
if (desired_object == GSS_C_NO_OID)
return GSS_S_CALL_INACCESSIBLE_READ;
- major_status = krb5_gss_validate_cred(minor_status, cred_handle);
- if (GSS_ERROR(major_status))
- return major_status;
+ if (*cred_handle != GSS_C_NO_CREDENTIAL) {
+ major_status = krb5_gss_validate_cred(minor_status, *cred_handle);
+ if (GSS_ERROR(major_status))
+ return major_status;
+ }
for (i = 0; i < sizeof(krb5_gssspi_set_cred_option_ops)/
sizeof(krb5_gssspi_set_cred_option_ops[0]); i++) {
Modified: trunk/src/lib/gssapi/krb5/gssapi_krb5.hin
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapi_krb5.hin 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/krb5/gssapi_krb5.hin 2010-09-27 03:39:22 UTC (rev 24356)
@@ -282,6 +282,13 @@
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);
+OM_uint32 KRB5_CALLCONV
+gss_krb5_import_cred(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal keytab_principal,
+ krb5_keytab keytab,
+ gss_cred_id_t *cred);
+
#ifdef __cplusplus
}
#endif /* __cplusplus */
Modified: trunk/src/lib/gssapi/krb5/krb5_gss_glue.c
===================================================================
--- trunk/src/lib/gssapi/krb5/krb5_gss_glue.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/krb5/krb5_gss_glue.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -108,15 +108,49 @@
req_buffer.value = out_ccache;
req_buffer.length = sizeof(out_ccache);
- major_status = gssspi_set_cred_option(minor_status,
- cred_handle,
- (gss_OID)&req_oid,
- &req_buffer);
+ major_status = gss_set_cred_option(minor_status,
+ &cred_handle,
+ (gss_OID)&req_oid,
+ &req_buffer);
return major_status;
}
OM_uint32 KRB5_CALLCONV
+gss_krb5_import_cred(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal keytab_principal,
+ krb5_keytab keytab,
+ gss_cred_id_t *cred)
+{
+ static const gss_OID_desc req_oid = {
+ GSS_KRB5_IMPORT_CRED_OID_LENGTH,
+ GSS_KRB5_IMPORT_CRED_OID };
+ OM_uint32 major_status;
+ struct krb5_gss_import_cred_req req;
+ gss_buffer_desc req_buffer;
+
+ if (cred == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+ *cred = GSS_C_NO_CREDENTIAL;
+
+ req.id = id;
+ req.keytab_principal = keytab_principal;
+ req.keytab = keytab;
+
+ req_buffer.value = &req;
+ req_buffer.length = sizeof(req);
+
+ major_status = gss_set_cred_option(minor_status,
+ cred,
+ (gss_OID)&req_oid,
+ &req_buffer);
+
+ return major_status;
+}
+
+OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
OM_uint32 version,
@@ -189,10 +223,10 @@
req_buffer.length = sizeof(req);
req_buffer.value = &req;
- major_status = gssspi_set_cred_option(minor_status,
- cred,
- (gss_OID)&req_oid,
- &req_buffer);
+ major_status = gss_set_cred_option(minor_status,
+ &cred,
+ (gss_OID)&req_oid,
+ &req_buffer);
return major_status;
}
@@ -363,10 +397,10 @@
req_buffer.length = sizeof(rcache);
req_buffer.value = rcache;
- major_status = gssspi_set_cred_option(minor_status,
- cred,
- (gss_OID)&req_oid,
- &req_buffer);
+ major_status = gss_set_cred_option(minor_status,
+ &cred,
+ (gss_OID)&req_oid,
+ &req_buffer);
return major_status;
}
Modified: trunk/src/lib/gssapi/krb5/set_allowable_enctypes.c
===================================================================
--- trunk/src/lib/gssapi/krb5/set_allowable_enctypes.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/krb5/set_allowable_enctypes.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -61,7 +61,7 @@
OM_uint32 KRB5_CALLCONV
gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
+ gss_cred_id_t *cred_handle,
const gss_OID desired_oid,
const gss_buffer_t value)
{
@@ -81,16 +81,7 @@
req = (struct krb5_gss_set_allowable_enctypes_req *)value->value;
/* verify and valildate cred handle */
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- kerr = KRB5_NOCREDS_SUPPLIED;
- goto error_out;
- }
- major_status = krb5_gss_validate_cred(&temp_status, cred_handle);
- if (GSS_ERROR(major_status)) {
- kerr = temp_status;
- goto error_out;
- }
- cred = (krb5_gss_cred_id_t) cred_handle;
+ cred = (krb5_gss_cred_id_t) *cred_handle;
if (req->ktypes) {
for (i = 0; i < req->num_ktypes && req->ktypes[i]; i++) {
Modified: trunk/src/lib/gssapi/libgssapi_krb5.exports
===================================================================
--- trunk/src/lib/gssapi/libgssapi_krb5.exports 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/libgssapi_krb5.exports 2010-09-27 03:39:22 UTC (rev 24356)
@@ -46,8 +46,9 @@
gss_krb5_ccache_name
gss_krb5_copy_ccache
gss_krb5_export_lucid_sec_context
+gss_krb5_free_lucid_sec_context
gss_krb5_get_tkt_flags
-gss_krb5_free_lucid_sec_context
+gss_krb5_import_cred
gss_krb5_set_allowable_enctypes
gss_krb5_set_cred_rcache
gss_krb5int_make_seal_token_v3
@@ -99,6 +100,7 @@
gss_wrap_iov
gss_wrap_iov_length
gss_wrap_size_limit
+gss_set_cred_option
gssspi_set_cred_option
gssspi_mech_invoke
krb5_gss_dbg_client_expcreds
Modified: trunk/src/lib/gssapi/mechglue/g_set_cred_option.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_set_cred_option.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/mechglue/g_set_cred_option.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -1,5 +1,5 @@
/*
- * Copyright 2008 by the Massachusetts Institute of Technology.
+ * Copyright 2008-2010 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -35,11 +35,92 @@
#include <string.h>
#include <time.h>
+static OM_uint32
+alloc_union_cred(OM_uint32 *minor_status,
+ gss_mechanism mech,
+ gss_cred_id_t mech_cred,
+ gss_union_cred_t *pcred)
+{
+ OM_uint32 status;
+ OM_uint32 temp_minor_status;
+ gss_union_cred_t cred = NULL;
+ gss_name_t mech_name = GSS_C_NO_NAME;
+
+ *pcred = NULL;
+
+ if (mech->gss_inquire_cred == NULL) {
+ status = GSS_S_BAD_MECH;
+ goto cleanup;
+ }
+
+ status = GSS_S_FAILURE;
+
+ cred = calloc(1, sizeof(*cred));
+ if (cred == NULL) {
+ *minor_status = ENOMEM;
+ goto cleanup;
+ }
+
+ cred->loopback = cred;
+ cred->count = 1;
+
+ cred->cred_array = calloc(cred->count, sizeof(gss_cred_id_t));
+ if (cred->cred_array == NULL) {
+ *minor_status = ENOMEM;
+ goto cleanup;
+ }
+ cred->cred_array[0] = mech_cred;
+
+ status = generic_gss_copy_oid(minor_status,
+ &mech->mech_type,
+ &cred->mechs_array);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+
+ cred->auxinfo.creation_time = (OM_uint32)time(NULL);
+
+ status = mech->gss_inquire_cred(minor_status,
+ mech_cred,
+ &mech_name,
+ &cred->auxinfo.time_rec,
+ &cred->auxinfo.cred_usage,
+ NULL);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+
+ status = mech->gss_display_name(minor_status,
+ mech_name,
+ &cred->auxinfo.name,
+ &cred->auxinfo.name_type);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+
+ status = GSS_S_COMPLETE;
+ *pcred = cred;
+
+cleanup:
+ if (status != GSS_S_COMPLETE)
+ gss_release_cred(&temp_minor_status, (gss_cred_id_t *)&cred);
+ mech->gss_release_name(&temp_minor_status, &mech_name);
+
+ return status;
+}
+
+/*
+ * This differs from gssspi_set_cred_option() as shipped in 1.7, in that
+ * it can return a cred handle. To denote this change we have changed the
+ * name of the function from gssspi_set_cred_option() to gss_set_cred_option().
+ * However, the dlsym() entry point is still gssspi_set_cred_option(). This
+ * fixes a separate issue, namely that a dynamically loaded mechanism could
+ * not itself call set_cred_option() without calling its own implementation
+ * instead of the mechanism glue's. (This is useful where a mechanism wishes
+ * to export a mechanism-specific API that is a wrapper around this function.)
+ */
OM_uint32 KRB5_CALLCONV
-gssspi_set_cred_option(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- const gss_OID desired_object,
- const gss_buffer_t value)
+gss_set_cred_option(OM_uint32 *minor_status,
+ gss_cred_id_t *cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
{
gss_union_cred_t union_cred;
gss_mechanism mech;
@@ -51,42 +132,95 @@
if (minor_status == NULL)
return GSS_S_CALL_INACCESSIBLE_WRITE;
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CRED;
+ if (cred_handle == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
*minor_status = 0;
- union_cred = (gss_union_cred_t) cred_handle;
-
status = GSS_S_UNAVAILABLE;
- for (i = 0; i < union_cred->count; i++) {
- mech = gssint_get_mechanism(&union_cred->mechs_array[i]);
- if (mech == NULL) {
- status = GSS_S_BAD_MECH;
- break;
- }
+ if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ gss_cred_id_t mech_cred = GSS_C_NO_CREDENTIAL;
- if (mech->gssspi_set_cred_option == NULL) {
- continue;
- }
+ /*
+ * We need to give a mechanism the opportunity to allocate a
+ * credentials handle. Unfortunately this does mean that only
+ * the default mechanism can allocate a credentials handle.
+ */
+ mech = gssint_get_mechanism(NULL);
+ if (mech == NULL)
+ return GSS_S_BAD_MECH;
- mech_status = (mech->gssspi_set_cred_option)(&mech_minor_status,
- union_cred->cred_array[i],
- desired_object,
- value);
- if (mech_status == GSS_S_UNAVAILABLE) {
- continue;
- }
- else {
- status = mech_status;
- *minor_status = mech_minor_status;
- }
+ if (mech->gssspi_set_cred_option == NULL)
+ return GSS_S_UNAVAILABLE;
+
+ status = mech->gssspi_set_cred_option(minor_status,
+ &mech_cred,
+ desired_object,
+ value);
if (status != GSS_S_COMPLETE) {
map_error(minor_status, mech);
- break;
+ return status;
}
+
+ if (mech_cred != GSS_C_NO_CREDENTIAL) {
+ status = alloc_union_cred(minor_status,
+ mech,
+ mech_cred,
+ &union_cred);
+ if (status != GSS_S_COMPLETE)
+ return status;
+ *cred_handle = (gss_cred_id_t)union_cred;
+ }
+ } else {
+ union_cred = (gss_union_cred_t)*cred_handle;
+
+ for (i = 0; i < union_cred->count; i++) {
+ mech = gssint_get_mechanism(&union_cred->mechs_array[i]);
+ if (mech == NULL) {
+ status = GSS_S_BAD_MECH;
+ break;
+ }
+
+ if (mech->gssspi_set_cred_option == NULL)
+ continue;
+
+ mech_status = mech->gssspi_set_cred_option(&mech_minor_status,
+ &union_cred->cred_array[i],
+ desired_object,
+ value);
+ if (mech_status == GSS_S_UNAVAILABLE)
+ continue;
+ else {
+ status = mech_status;
+ *minor_status = mech_minor_status;
+ }
+ if (status != GSS_S_COMPLETE) {
+ map_error(minor_status, mech);
+ break;
+ }
+ }
}
return status;
}
+
+/*
+ * Provide this for backward ABI compatibility, but remove it from the
+ * header.
+ */
+OM_uint32 KRB5_CALLCONV
+gssspi_set_cred_option(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ const gss_OID desired_object,
+ const gss_buffer_t value);
+
+OM_uint32 KRB5_CALLCONV
+gssspi_set_cred_option(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ return gss_set_cred_option(minor_status, &cred,
+ desired_object, value);
+}
Modified: trunk/src/lib/gssapi/mechglue/mglueP.h
===================================================================
--- trunk/src/lib/gssapi/mechglue/mglueP.h 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/mechglue/mglueP.h 2010-09-27 03:39:22 UTC (rev 24356)
@@ -396,7 +396,7 @@
OM_uint32 (*gssspi_set_cred_option)
(
OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
+ gss_cred_id_t *, /* cred_handle */
const gss_OID, /* OID */
const gss_buffer_t /* value */
);
Modified: trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- trunk/src/lib/gssapi/spnego/gssapiP_spnego.h 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/spnego/gssapiP_spnego.h 2010-09-27 03:39:22 UTC (rev 24356)
@@ -361,7 +361,7 @@
spnego_gss_set_cred_option
(
OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
+ gss_cred_id_t *cred_handle,
const gss_OID desired_object,
const gss_buffer_t value
);
Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- trunk/src/lib/gssapi/spnego/spnego_mech.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -2247,18 +2247,38 @@
OM_uint32
spnego_gss_set_cred_option(
OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
+ gss_cred_id_t *cred_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
OM_uint32 ret;
+ OM_uint32 tmp_minor_status;
spnego_gss_cred_id_t spcred = (spnego_gss_cred_id_t)cred_handle;
gss_cred_id_t mcred;
+
mcred = (spcred == NULL) ? GSS_C_NO_CREDENTIAL : spcred->mcred;
+
ret = gssspi_set_cred_option(minor_status,
- mcred,
+ &mcred,
desired_object,
value);
+ if (ret == GSS_S_COMPLETE && spcred == NULL) {
+ /*
+ * If the mechanism allocated a new credential handle, then
+ * we need to wrap it up in an SPNEGO credential handle.
+ */
+
+ spcred = malloc(sizeof(spnego_gss_cred_id_rec));
+ if (spcred == NULL) {
+ gss_release_cred(&tmp_minor_status, &mcred);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ spcred->mcred = mcred;
+ spcred->neg_mechs = GSS_C_NULL_OID_SET;
+ *cred_handle = (gss_cred_id_t)spcred;
+ }
+
return (ret);
}
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/lib/krb5/libkrb5.exports 2010-09-27 03:39:22 UTC (rev 24356)
@@ -180,6 +180,7 @@
krb5_cc_default_name
krb5_cc_destroy
krb5_cc_dfl_ops
+krb5_cc_dup
krb5_cc_end_seq_get
krb5_cc_file_ops
krb5_cc_gen_new
Modified: trunk/src/tests/gssapi/t_gssexts.c
===================================================================
--- trunk/src/tests/gssapi/t_gssexts.c 2010-09-26 23:35:05 UTC (rev 24355)
+++ trunk/src/tests/gssapi/t_gssexts.c 2010-09-27 03:39:22 UTC (rev 24356)
@@ -288,6 +288,82 @@
return major;
}
+static OM_uint32
+getDefaultCred(OM_uint32 *minor,
+ const char *keytab_name,
+ gss_OID_set mechs,
+ gss_cred_id_t *impersonator_cred_handle)
+{
+ OM_uint32 major = GSS_S_FAILURE, tmp_minor;
+
+ if (keytab_name) {
+ krb5_error_code code;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_principal keytab_principal = NULL;
+ krb5_ccache ccache = NULL;
+
+ code = krb5_init_context(&context);
+ if (code) {
+ displayStatus("krb5_init_context", major, code);
+ return major;
+ }
+
+ code = krb5_kt_resolve(context, keytab_name, &keytab);
+ if (code) {
+ displayStatus("krb5_kt_resolve", major, code);
+ goto out;
+ }
+
+ code = krb5_cc_default(context, &ccache);
+ if (code) {
+ displayStatus("krb5_cc_default", major, code);
+ goto out;
+ }
+
+ code = krb5_cc_get_principal(context, ccache, &keytab_principal);
+ if (code) {
+ displayStatus("krb5_cc_get_principal", major, code);
+ goto out;
+ }
+
+ major = gss_krb5_import_cred(minor,
+ ccache,
+ keytab_principal,
+ keytab,
+ impersonator_cred_handle);
+ if (GSS_ERROR(major)) {
+ displayStatus("gss_krb5_import_cred", major, minor);
+ goto out;
+ }
+
+ out:
+ if (code)
+ *minor = code;
+ krb5_free_principal(context, keytab_principal);
+ krb5_cc_close(context, ccache);
+ krb5_kt_close(context, keytab);
+ krb5_free_context(context);
+ } else {
+ gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
+
+ major = gss_acquire_cred(minor,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ mechs,
+ GSS_C_BOTH,
+ impersonator_cred_handle,
+ &actual_mechs,
+ NULL);
+ if (GSS_ERROR(major)) {
+ displayStatus("gss_acquire_cred", major, minor);
+ }
+ (void) gss_release_oid_set(&tmp_minor, &actual_mechs);
+ }
+
+ return major;
+}
+
int main(int argc, char *argv[])
{
OM_uint32 minor, major;
@@ -338,35 +414,17 @@
target = GSS_C_NO_NAME;
}
- if (argc > 3) {
- major = krb5_gss_register_acceptor_identity(argv[3]);
- if (GSS_ERROR(major)) {
- displayStatus("krb5_gss_register_acceptor_identity",
- major, minor);
- goto out;
- }
- }
-
mechs.elements = use_spnego ? (gss_OID)&spnego_mech :
(gss_OID)gss_mech_krb5;
mechs.count = 1;
- /* get default cred */
- major = gss_acquire_cred(&minor,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mechs,
- GSS_C_BOTH,
- &impersonator_cred_handle,
- &actual_mechs,
- NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred", major, minor);
+ major = getDefaultCred(&minor,
+ argc > 3 ? argv[3] : NULL,
+ &mechs,
+ &impersonator_cred_handle);
+ if (GSS_ERROR(major))
goto out;
- }
- (void) gss_release_oid_set(&minor, &actual_mechs);
-
printf("Protocol transition tests follow\n");
printf("-----------------------------------\n\n");
More information about the cvs-krb5
mailing list