krb5 commit: Add support for GSS_C_NT_COMPOSITE_EXPORT
Greg Hudson
ghudson at MIT.EDU
Fri Aug 31 12:04:06 EDT 2012
https://github.com/krb5/krb5/commit/8626fe9fb6cb14e92b84a68fca5209d0ee656f74
commit 8626fe9fb6cb14e92b84a68fca5209d0ee656f74
Author: Luke Howard <lukeh at padl.com>
Date: Wed Aug 29 09:47:24 2012 +1000
Add support for GSS_C_NT_COMPOSITE_EXPORT
ticket: 7347 (new)
src/lib/gssapi/generic/gssapi_ext.h | 1 +
src/lib/gssapi/generic/gssapi_generic.c | 122 ++++++++++++++++--------------
src/lib/gssapi/generic/oid_ops.c | 1 +
src/lib/gssapi/krb5/import_name.c | 5 +-
src/lib/gssapi/krb5/inq_names.c | 4 +
src/lib/gssapi/libgssapi_krb5.exports | 1 +
src/lib/gssapi/mechglue/g_imp_name.c | 2 +-
7 files changed, 76 insertions(+), 60 deletions(-)
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 05f1ed7..dd12ffe 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -368,6 +368,7 @@ gss_add_cred_impersonate_name(
* Naming extensions
*/
GSS_DLLIMP extern gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
+GSS_DLLIMP extern gss_OID GSS_C_NT_COMPOSITE_EXPORT;
OM_uint32 KRB5_CALLCONV gss_display_name_ext
(
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
index 4718ac7..4759cde 100644
--- a/src/lib/gssapi/generic/gssapi_generic.c
+++ b/src/lib/gssapi/generic/gssapi_generic.c
@@ -119,7 +119,13 @@ static const gss_OID_desc const_oids[] = {
* GSS_C_NT_EXPORT_NAME should be initialized to point
* to that gss_OID_desc.
*/
-
+ {6, (void *)"\x2b\x06\x01\x05\x06\x06"},
+ /* corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 6(gss-composite-export)}. The constant
+ * GSS_C_NT_COMPOSITE_EXPORT should be initialized to point
+ * to that gss_OID_desc.
+ */
/* GSS_C_INQ_SSPI_SESSION_KEY 1.2.840.113554.1.2.2.5.5 */
{11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"},
@@ -180,37 +186,39 @@ GSS_DLLIMP gss_OID GSS_C_NT_ANONYMOUS = oids+5;
GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME = oids+6;
gss_OID gss_nt_exported_name = oids+6;
-GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY = oids+7;
-
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_CONCRETE = oids+8;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_PSEUDO = oids+9;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_COMPOSITE = oids+10;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_NEGO = oids+11;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_GLUE = oids+12;
-GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_MECH = oids+13;
-GSS_DLLIMP gss_const_OID GSS_C_MA_DEPRECATED = oids+14;
-GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_DFLT_MECH = oids+15;
-GSS_DLLIMP gss_const_OID GSS_C_MA_ITOK_FRAMED = oids+16;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT = oids+17;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG = oids+18;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_INIT = oids+19;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_INIT = oids+20;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_ANON = oids+21;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_ANON = oids+22;
-GSS_DLLIMP gss_const_OID GSS_C_MA_DELEG_CRED = oids+23;
-GSS_DLLIMP gss_const_OID GSS_C_MA_INTEG_PROT = oids+24;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CONF_PROT = oids+25;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MIC = oids+26;
-GSS_DLLIMP gss_const_OID GSS_C_MA_WRAP = oids+27;
-GSS_DLLIMP gss_const_OID GSS_C_MA_PROT_READY = oids+28;
-GSS_DLLIMP gss_const_OID GSS_C_MA_REPLAY_DET = oids+29;
-GSS_DLLIMP gss_const_OID GSS_C_MA_OOS_DET = oids+30;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CBINDINGS = oids+31;
-GSS_DLLIMP gss_const_OID GSS_C_MA_PFS = oids+32;
-GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS = oids+33;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS = oids+34;
-
-static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+8 };
+GSS_DLLIMP gss_OID GSS_C_NT_COMPOSITE_EXPORT = oids+7;
+
+GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY = oids+8;
+
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_CONCRETE = oids+9;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_PSEUDO = oids+10;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_COMPOSITE = oids+11;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_NEGO = oids+12;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_GLUE = oids+13;
+GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_MECH = oids+14;
+GSS_DLLIMP gss_const_OID GSS_C_MA_DEPRECATED = oids+15;
+GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_DFLT_MECH = oids+16;
+GSS_DLLIMP gss_const_OID GSS_C_MA_ITOK_FRAMED = oids+17;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT = oids+18;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG = oids+19;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_INIT = oids+20;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_INIT = oids+21;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_ANON = oids+22;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_ANON = oids+23;
+GSS_DLLIMP gss_const_OID GSS_C_MA_DELEG_CRED = oids+24;
+GSS_DLLIMP gss_const_OID GSS_C_MA_INTEG_PROT = oids+25;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CONF_PROT = oids+26;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MIC = oids+27;
+GSS_DLLIMP gss_const_OID GSS_C_MA_WRAP = oids+28;
+GSS_DLLIMP gss_const_OID GSS_C_MA_PROT_READY = oids+29;
+GSS_DLLIMP gss_const_OID GSS_C_MA_REPLAY_DET = oids+30;
+GSS_DLLIMP gss_const_OID GSS_C_MA_OOS_DET = oids+31;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CBINDINGS = oids+32;
+GSS_DLLIMP gss_const_OID GSS_C_MA_PFS = oids+33;
+GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS = oids+34;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS = oids+35;
+
+static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+9 };
gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc;
#define STRING_BUFFER(x) { sizeof((x) - 1), (x) }
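Review bot: The `STRING_BUFFER` macro on the last context line, `{ sizeof((x) - 1), (x) }`, applies `sizeof` to the pointer expression `(x) - 1`, so every `length` field in the `mech_attr_info` table this commit renumbers is `sizeof(const char *)` rather than the literal's length; short descriptions such as `"mic"`, `"pfs"` and `"wrap"` are then over-read past their terminator, and longer ones are truncated, whenever a caller copies `length` bytes out of these buffers. The intended form is `#define STRING_BUFFER(x) { sizeof(x) - 1, (x) }`. The macro predates this commit, but the renumbered table below depends on it, so this is the place to fix it.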
@@ -222,174 +230,174 @@ static struct mech_attr_info_desc {
gss_buffer_desc long_desc;
} mech_attr_info[] = {
{
- oids+8,
+ oids+9,
STRING_BUFFER("GSS_C_MA_MECH_CONCRETE"),
STRING_BUFFER("concrete-mech"),
STRING_BUFFER("Mechanism is neither a pseudo-mechanism nor a "
"composite mechanism."),
},
{
- oids+9,
+ oids+10,
STRING_BUFFER("GSS_C_MA_MECH_PSEUDO"),
STRING_BUFFER("pseudo-mech"),
STRING_BUFFER("Mechanism is a pseudo-mechanism."),
},
{
- oids+10,
+ oids+11,
STRING_BUFFER("GSS_C_MA_MECH_COMPOSITE"),
STRING_BUFFER("composite-mech"),
STRING_BUFFER("Mechanism is a composite of other mechanisms."),
},
{
- oids+11,
+ oids+12,
STRING_BUFFER("GSS_C_MA_MECH_NEGO"),
STRING_BUFFER("mech-negotiation-mech"),
STRING_BUFFER("Mechanism negotiates other mechanisms."),
},
{
- oids+12,
+ oids+13,
STRING_BUFFER("GSS_C_MA_MECH_GLUE"),
STRING_BUFFER("mech-glue"),
STRING_BUFFER("OID is not a mechanism but the GSS-API itself."),
},
{
- oids+13,
+ oids+14,
STRING_BUFFER("GSS_C_MA_NOT_MECH"),
STRING_BUFFER("not-mech"),
STRING_BUFFER("Known OID but not a mechanism OID."),
},
{
- oids+14,
+ oids+15,
STRING_BUFFER("GSS_C_MA_DEPRECATED"),
STRING_BUFFER("mech-deprecated"),
STRING_BUFFER("Mechanism is deprecated."),
},
{
- oids+15,
+ oids+16,
STRING_BUFFER("GSS_C_MA_NOT_DFLT_MECH"),
STRING_BUFFER("mech-not-default"),
STRING_BUFFER("Mechanism must not be used as a default mechanism."),
},
{
- oids+16,
+ oids+17,
STRING_BUFFER("GSS_C_MA_ITOK_FRAMED"),
STRING_BUFFER("initial-is-framed"),
STRING_BUFFER("Mechanism's initial contexts are properly framed."),
},
{
- oids+17,
+ oids+18,
STRING_BUFFER("GSS_C_MA_AUTH_INIT"),
STRING_BUFFER("auth-init-princ"),
STRING_BUFFER("Mechanism supports authentication of initiator to "
"acceptor."),
},
{
- oids+18,
+ oids+19,
STRING_BUFFER("GSS_C_MA_AUTH_TARG"),
STRING_BUFFER("auth-targ-princ"),
STRING_BUFFER("Mechanism supports authentication of acceptor to "
"initiator."),
},
{
- oids+19,
+ oids+20,
STRING_BUFFER("GSS_C_MA_AUTH_INIT_INIT"),
STRING_BUFFER("auth-init-princ-initial"),
STRING_BUFFER("Mechanism supports authentication of initiator using "
"initial credentials."),
},
{
- oids+20,
+ oids+21,
STRING_BUFFER("GSS_C_MA_AUTH_TARG_INIT"),
STRING_BUFFER("auth-target-princ-initial"),
STRING_BUFFER("Mechanism supports authentication of acceptor using "
"initial credentials."),
},
{
- oids+21,
+ oids+22,
STRING_BUFFER("GSS_C_MA_AUTH_INIT_ANON"),
STRING_BUFFER("auth-init-princ-anon"),
STRING_BUFFER("Mechanism supports GSS_C_NT_ANONYMOUS as an initiator "
"name."),
},
{
- oids+22,
+ oids+23,
STRING_BUFFER("GSS_C_MA_AUTH_TARG_ANON"),
STRING_BUFFER("auth-targ-princ-anon"),
STRING_BUFFER("Mechanism supports GSS_C_NT_ANONYMOUS as an acceptor "
"name."),
},
{
- oids+23,
+ oids+24,
STRING_BUFFER("GSS_C_MA_DELEG_CRED"),
STRING_BUFFER("deleg-cred"),
STRING_BUFFER("Mechanism supports credential delegation."),
},
{
- oids+24,
+ oids+25,
STRING_BUFFER("GSS_C_MA_INTEG_PROT"),
STRING_BUFFER("integ-prot"),
STRING_BUFFER("Mechanism supports per-message integrity protection."),
},
{
- oids+25,
+ oids+26,
STRING_BUFFER("GSS_C_MA_CONF_PROT"),
STRING_BUFFER("conf-prot"),
STRING_BUFFER("Mechanism supports per-message confidentiality "
"protection."),
},
{
- oids+26,
+ oids+27,
STRING_BUFFER("GSS_C_MA_MIC"),
STRING_BUFFER("mic"),
STRING_BUFFER("Mechanism supports Message Integrity Code (MIC) "
"tokens."),
},
{
- oids+27,
+ oids+28,
STRING_BUFFER("GSS_C_MA_WRAP"),
STRING_BUFFER("wrap"),
STRING_BUFFER("Mechanism supports wrap tokens."),
},
{
- oids+28,
+ oids+29,
STRING_BUFFER("GSS_C_MA_PROT_READY"),
STRING_BUFFER("prot-ready"),
STRING_BUFFER("Mechanism supports per-message proteciton prior to "
"full context establishment."),
},
{
- oids+29,
+ oids+30,
STRING_BUFFER("GSS_C_MA_REPLAY_DET"),
STRING_BUFFER("replay-detection"),
STRING_BUFFER("Mechanism supports replay detection."),
},
{
- oids+30,
+ oids+31,
STRING_BUFFER("GSS_C_MA_OOS_DET"),
STRING_BUFFER("oos-detection"),
STRING_BUFFER("Mechanism supports out-of-sequence detection."),
},
{
- oids+31,
+ oids+32,
STRING_BUFFER("GSS_C_MA_CBINDINGS"),
STRING_BUFFER("channel-bindings"),
STRING_BUFFER("Mechanism supports channel bindings."),
},
{
- oids+32,
+ oids+33,
STRING_BUFFER("GSS_C_MA_PFS"),
STRING_BUFFER("pfs"),
STRING_BUFFER("Mechanism supports Perfect Forward Security."),
},
{
- oids+33,
+ oids+34,
STRING_BUFFER("GSS_C_MA_COMPRESS"),
STRING_BUFFER("compress"),
STRING_BUFFER("Mechanism supports compression of data inputs to "
"gss_wrap()."),
},
{
- oids+34,
+ oids+35,
STRING_BUFFER("GSS_C_MA_CTX_TRANS"),
STRING_BUFFER("context-transfer"),
STRING_BUFFER("Mechanism supports security context export/import."),
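Review bot: Every entry in `mech_attr_info` is keyed by a hand-written `oids+N` that had to be bumped by one, and the previous hunk repeats the same base and count in `gss_ma_known_attrs_desc = { 27, oids+9 }` and in the `GSS_C_MA_*` definitions; nothing ties the three places together, so the next insertion into `const_oids` can silently pair an attribute description with the wrong OID. Defining the base index once, e.g. `enum { MA_OIDS_BASE = 9 };` (constructed name) and writing `oids + MA_OIDS_BASE + k` in both the constants block and this table, would make a future shift a one-line edit, and a compile-time size check relating the table's element count to the `27` would catch the remaining drift. The table's closing brace is outside the hunk.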
diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c
index 665b590..85584fc 100644
--- a/src/lib/gssapi/generic/oid_ops.c
+++ b/src/lib/gssapi/generic/oid_ops.c
@@ -97,6 +97,7 @@ generic_gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
(*oid != GSS_C_NT_HOSTBASED_SERVICE) &&
(*oid != GSS_C_NT_ANONYMOUS) &&
(*oid != GSS_C_NT_EXPORT_NAME) &&
+ (*oid != GSS_C_NT_COMPOSITE_EXPORT) &&
(*oid != gss_nt_service_name)) {
free((*oid)->elements);
free(*oid);
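Review bot: The exclusion list in `generic_gss_release_oid` is extended by hand for each static OID, and a missed entry means `free()` on static storage in `gssapi_generic.c`; the head of the condition is outside the hunk, so it cannot be confirmed from here whether `GSS_C_INQ_SSPI_SESSION_KEY` and the `GSS_C_MA_*` constants, which this commit also defines as `oids+N` pointers, are covered. A single range test against the static table, `if (*oid >= oids && *oid < oids + (sizeof(oids) / sizeof(oids[0]))) return GSS_S_COMPLETE;` placed ahead of the free, would cover every current and future static OID without per-constant maintenance, provided `oids` can be made visible to this file. The enclosing function starts and ends outside the hunk.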
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index 0e730f9..ebc2a7b 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -218,7 +218,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
uid = atoi(tmp);
goto do_getpwuid;
#endif
- } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
+ } else if (g_OID_equal(input_name_type, gss_nt_exported_name) ||
+ g_OID_equal(input_name_type, GSS_C_NT_COMPOSITE_EXPORT)) {
#define BOUNDS_CHECK(cp, end, n) \
do { if ((end) - (cp) < (n)) goto fail_name; } while (0)
cp = (unsigned char *)tmp;
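Review bot: Admitting `GSS_C_NT_COMPOSITE_EXPORT` into the same branch as `gss_nt_exported_name` means the token-id switch in the next hunk accepts both 0x01 and 0x02 regardless of which name type the caller passed; if a plain export-name import is meant to reject composite tokens (or the reverse), the name type has to be consulted in the `case 0x02:` arm, e.g. `if (!g_OID_equal(input_name_type, GSS_C_NT_COMPOSITE_EXPORT)) goto fail_name;` — if the mechglue deliberately presents 0x02 tokens under the plain type, a comment saying so here would prevent a later "fix". The 0x02 path goes on to parse attribute data after the principal name; that code is outside the hunk and should use `BOUNDS_CHECK` for every read now that the path is reachable through a public name type. `krb5_gss_import_name` starts and ends outside the hunk.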
@@ -231,7 +232,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
case 0x01:
break;
case 0x02:
- has_ad++;
+ has_ad++; /* is composite name */
break;
default:
goto fail_name;
diff --git a/src/lib/gssapi/krb5/inq_names.c b/src/lib/gssapi/krb5/inq_names.c
index 9cc4350..fcf7dbc 100644
--- a/src/lib/gssapi/krb5/inq_names.c
+++ b/src/lib/gssapi/krb5/inq_names.c
@@ -77,6 +77,10 @@ krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types)
((major = generic_gss_add_oid_set_member(minor_status,
gss_nt_krb5_name,
name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ GSS_C_NT_COMPOSITE_EXPORT,
+ name_types)
) == GSS_S_COMPLETE)
) {
major = generic_gss_add_oid_set_member(minor_status,
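Review bot: The new name type is added by cloning the `((major = generic_gss_add_oid_set_member(...)) == GSS_S_COMPLETE) &&` clause, so the condition now carries one more nested assignment to read past and the next name type will be added the same way. Iterating over a small array of pointers to the supported name-type OIDs and stopping at the first result other than `GSS_S_COMPLETE` would keep the error handling in one place and make each addition a one-element change; I am not proposing exact code because the rest of the condition is outside the hunk. `krb5_gss_inquire_names_for_mech` starts and ends outside the hunk.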
diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
index a8ee3f2..3da3a23 100644
--- a/src/lib/gssapi/libgssapi_krb5.exports
+++ b/src/lib/gssapi/libgssapi_krb5.exports
@@ -1,6 +1,7 @@
GSS_C_ATTR_LOCAL_LOGIN_USER
GSS_C_INQ_SSPI_SESSION_KEY
GSS_C_NT_ANONYMOUS
+GSS_C_NT_COMPOSITE_EXPORT
GSS_C_NT_EXPORT_NAME
GSS_C_NT_HOSTBASED_SERVICE
GSS_C_NT_HOSTBASED_SERVICE_X
diff --git a/src/lib/gssapi/mechglue/g_imp_name.c b/src/lib/gssapi/mechglue/g_imp_name.c
index 7afa188..8fcc3d0 100644
--- a/src/lib/gssapi/mechglue/g_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_imp_name.c
@@ -209,7 +209,7 @@ importExportName(minor, unionName)
buf = (unsigned char *)expName.value;
if (buf[0] != 0x04)
return (GSS_S_DEFECTIVE_TOKEN);
- if (buf[1] != 0x01 && buf[1] != 0x02)
+ if (buf[1] != 0x01 && buf[1] != 0x02) /* allow composite names */
return (GSS_S_DEFECTIVE_TOKEN);
buf += expNameTokIdLen;
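Review bot: `buf[0]` and `buf[1]` are read from the caller-supplied `expName.value`, but the check that `expName.length` is at least `expNameTokIdLen` is not in the hunk; `importExportName` starts outside it, so if the length is validated earlier this is fine, otherwise a one-byte token is an out-of-bounds read before any `GSS_S_DEFECTIVE_TOKEN` is returned. The added comment would say more as `/* 0x01: exported name token; 0x02: composite export name token */`, and naming the three literals (e.g. a constructed `EXPORT_NAME_TOK_ID`) would make the 0x02 acceptance self-describing.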