krb5 commit: Add support for GSS_C_NT_COMPOSITE_EXPORT

Greg Hudson ghudson at MIT.EDU
Fri Aug 31 12:04:06 EDT 2012


https://github.com/krb5/krb5/commit/8626fe9fb6cb14e92b84a68fca5209d0ee656f74
commit 8626fe9fb6cb14e92b84a68fca5209d0ee656f74
Author: Luke Howard <lukeh at padl.com>
Date:   Wed Aug 29 09:47:24 2012 +1000

    Add support for GSS_C_NT_COMPOSITE_EXPORT
    
    ticket: 7347 (new)

 src/lib/gssapi/generic/gssapi_ext.h     |    1 +
 src/lib/gssapi/generic/gssapi_generic.c |  122 ++++++++++++++++--------------
 src/lib/gssapi/generic/oid_ops.c        |    1 +
 src/lib/gssapi/krb5/import_name.c       |    5 +-
 src/lib/gssapi/krb5/inq_names.c         |    4 +
 src/lib/gssapi/libgssapi_krb5.exports   |    1 +
 src/lib/gssapi/mechglue/g_imp_name.c    |    2 +-
 7 files changed, 76 insertions(+), 60 deletions(-)

diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 05f1ed7..dd12ffe 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -368,6 +368,7 @@ gss_add_cred_impersonate_name(
  * Naming extensions
  */
 GSS_DLLIMP extern gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
+GSS_DLLIMP extern gss_OID GSS_C_NT_COMPOSITE_EXPORT;
 
 OM_uint32 KRB5_CALLCONV gss_display_name_ext
 (
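Review bot: The new `extern` for `GSS_C_NT_COMPOSITE_EXPORT` is undocumented in the public header, so a reader has no way to tell which name type it denotes without opening gssapi_generic.c. The OID is fixed by the table entry in that file, so a one-line comment can state it: `/* Composite exported name type, OID 1.3.6.1.5.6.6 (GSS-API naming extensions). */`. The neighbouring `GSS_C_ATTR_LOCAL_LOGIN_USER` has the same gap, but that is outside this change.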
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
index 4718ac7..4759cde 100644
--- a/src/lib/gssapi/generic/gssapi_generic.c
+++ b/src/lib/gssapi/generic/gssapi_generic.c
@@ -119,7 +119,13 @@ static const gss_OID_desc const_oids[] = {
      * GSS_C_NT_EXPORT_NAME should be initialized to point
      * to that gss_OID_desc.
      */
-
+    {6, (void *)"\x2b\x06\x01\x05\x06\x06"},
+    /* corresponding to an object-identifier value of
+     * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+     * 6(nametypes), 6(gss-composite-export)}.  The constant
+     * GSS_C_NT_COMPOSITE_EXPORT should be initialized to point
+     * to that gss_OID_desc.
+     */
     /* GSS_C_INQ_SSPI_SESSION_KEY 1.2.840.113554.1.2.2.5.5 */
     {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"},
 
@@ -180,37 +186,39 @@ GSS_DLLIMP gss_OID GSS_C_NT_ANONYMOUS           = oids+5;
 GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME         = oids+6;
 gss_OID gss_nt_exported_name                    = oids+6;
 
-GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY   = oids+7;
-
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_CONCRETE     = oids+8;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_PSEUDO       = oids+9;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_COMPOSITE    = oids+10;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_NEGO         = oids+11;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_GLUE         = oids+12;
-GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_MECH          = oids+13;
-GSS_DLLIMP gss_const_OID GSS_C_MA_DEPRECATED        = oids+14;
-GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_DFLT_MECH     = oids+15;
-GSS_DLLIMP gss_const_OID GSS_C_MA_ITOK_FRAMED       = oids+16;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT         = oids+17;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG         = oids+18;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_INIT    = oids+19;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_INIT    = oids+20;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_ANON    = oids+21;
-GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_ANON    = oids+22;
-GSS_DLLIMP gss_const_OID GSS_C_MA_DELEG_CRED        = oids+23;
-GSS_DLLIMP gss_const_OID GSS_C_MA_INTEG_PROT        = oids+24;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CONF_PROT         = oids+25;
-GSS_DLLIMP gss_const_OID GSS_C_MA_MIC               = oids+26;
-GSS_DLLIMP gss_const_OID GSS_C_MA_WRAP              = oids+27;
-GSS_DLLIMP gss_const_OID GSS_C_MA_PROT_READY        = oids+28;
-GSS_DLLIMP gss_const_OID GSS_C_MA_REPLAY_DET        = oids+29;
-GSS_DLLIMP gss_const_OID GSS_C_MA_OOS_DET           = oids+30;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CBINDINGS         = oids+31;
-GSS_DLLIMP gss_const_OID GSS_C_MA_PFS               = oids+32;
-GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS          = oids+33;
-GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS         = oids+34;
-
-static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+8 };
+GSS_DLLIMP gss_OID GSS_C_NT_COMPOSITE_EXPORT    = oids+7;
+
+GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY   = oids+8;
+
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_CONCRETE     = oids+9;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_PSEUDO       = oids+10;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_COMPOSITE    = oids+11;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_NEGO         = oids+12;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MECH_GLUE         = oids+13;
+GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_MECH          = oids+14;
+GSS_DLLIMP gss_const_OID GSS_C_MA_DEPRECATED        = oids+15;
+GSS_DLLIMP gss_const_OID GSS_C_MA_NOT_DFLT_MECH     = oids+16;
+GSS_DLLIMP gss_const_OID GSS_C_MA_ITOK_FRAMED       = oids+17;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT         = oids+18;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG         = oids+19;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_INIT    = oids+20;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_INIT    = oids+21;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_INIT_ANON    = oids+22;
+GSS_DLLIMP gss_const_OID GSS_C_MA_AUTH_TARG_ANON    = oids+23;
+GSS_DLLIMP gss_const_OID GSS_C_MA_DELEG_CRED        = oids+24;
+GSS_DLLIMP gss_const_OID GSS_C_MA_INTEG_PROT        = oids+25;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CONF_PROT         = oids+26;
+GSS_DLLIMP gss_const_OID GSS_C_MA_MIC               = oids+27;
+GSS_DLLIMP gss_const_OID GSS_C_MA_WRAP              = oids+28;
+GSS_DLLIMP gss_const_OID GSS_C_MA_PROT_READY        = oids+29;
+GSS_DLLIMP gss_const_OID GSS_C_MA_REPLAY_DET        = oids+30;
+GSS_DLLIMP gss_const_OID GSS_C_MA_OOS_DET           = oids+31;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CBINDINGS         = oids+32;
+GSS_DLLIMP gss_const_OID GSS_C_MA_PFS               = oids+33;
+GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS          = oids+34;
+GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS         = oids+35;
+
+static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+9 };
 gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc;
 
 #define STRING_BUFFER(x)    { sizeof((x) - 1), (x) }
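Review bot: The `STRING_BUFFER` macro on the last context line, `#define STRING_BUFFER(x)    { sizeof((x) - 1), (x) }`, takes `sizeof` of a `char *` because the literal decays to a pointer in the subtraction, so every `length` in `mech_attr_info` is the pointer size rather than the string length; for short literals such as `"mic"` a consumer honouring `length` reads past the literal. It should read `#define STRING_BUFFER(x)    { sizeof(x) - 1, (x) }`. This is pre-existing, but the commit rewrites every entry of that table in the hunk at `@@ -222,174 +230,174 @@`, so it is the natural place to fix it. Separately, `gss_ma_known_attrs_desc = { 27, oids+9 }` keeps a hand-counted 27 next to the shifted base; it does match the 27 `GSS_C_MA_*` declarations above it (oids+9 through oids+35), but a comment `/* count must equal the number of GSS_C_MA_* OIDs starting at oids+9 */` would at least make the coupling visible.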
@@ -222,174 +230,174 @@ static struct mech_attr_info_desc {
     gss_buffer_desc long_desc;
 } mech_attr_info[] = {
     {
-        oids+8,
+        oids+9,
         STRING_BUFFER("GSS_C_MA_MECH_CONCRETE"),
         STRING_BUFFER("concrete-mech"),
         STRING_BUFFER("Mechanism is neither a pseudo-mechanism nor a "
                       "composite mechanism."),
     },
     {
-        oids+9,
+        oids+10,
         STRING_BUFFER("GSS_C_MA_MECH_PSEUDO"),
         STRING_BUFFER("pseudo-mech"),
         STRING_BUFFER("Mechanism is a pseudo-mechanism."),
     },
     {
-        oids+10,
+        oids+11,
         STRING_BUFFER("GSS_C_MA_MECH_COMPOSITE"),
         STRING_BUFFER("composite-mech"),
         STRING_BUFFER("Mechanism is a composite of other mechanisms."),
     },
     {
-        oids+11,
+        oids+12,
         STRING_BUFFER("GSS_C_MA_MECH_NEGO"),
         STRING_BUFFER("mech-negotiation-mech"),
         STRING_BUFFER("Mechanism negotiates other mechanisms."),
     },
     {
-        oids+12,
+        oids+13,
         STRING_BUFFER("GSS_C_MA_MECH_GLUE"),
         STRING_BUFFER("mech-glue"),
         STRING_BUFFER("OID is not a mechanism but the GSS-API itself."),
     },
     {
-        oids+13,
+        oids+14,
         STRING_BUFFER("GSS_C_MA_NOT_MECH"),
         STRING_BUFFER("not-mech"),
         STRING_BUFFER("Known OID but not a mechanism OID."),
     },
     {
-        oids+14,
+        oids+15,
         STRING_BUFFER("GSS_C_MA_DEPRECATED"),
         STRING_BUFFER("mech-deprecated"),
         STRING_BUFFER("Mechanism is deprecated."),
     },
     {
-        oids+15,
+        oids+16,
         STRING_BUFFER("GSS_C_MA_NOT_DFLT_MECH"),
         STRING_BUFFER("mech-not-default"),
         STRING_BUFFER("Mechanism must not be used as a default mechanism."),
     },
     {
-        oids+16,
+        oids+17,
         STRING_BUFFER("GSS_C_MA_ITOK_FRAMED"),
         STRING_BUFFER("initial-is-framed"),
         STRING_BUFFER("Mechanism's initial contexts are properly framed."),
     },
     {
-        oids+17,
+        oids+18,
         STRING_BUFFER("GSS_C_MA_AUTH_INIT"),
         STRING_BUFFER("auth-init-princ"),
         STRING_BUFFER("Mechanism supports authentication of initiator to "
                       "acceptor."),
     },
     {
-        oids+18,
+        oids+19,
         STRING_BUFFER("GSS_C_MA_AUTH_TARG"),
         STRING_BUFFER("auth-targ-princ"),
         STRING_BUFFER("Mechanism supports authentication of acceptor to "
                       "initiator."),
     },
     {
-        oids+19,
+        oids+20,
         STRING_BUFFER("GSS_C_MA_AUTH_INIT_INIT"),
         STRING_BUFFER("auth-init-princ-initial"),
         STRING_BUFFER("Mechanism supports authentication of initiator using "
                       "initial credentials."),
     },
     {
-        oids+20,
+        oids+21,
         STRING_BUFFER("GSS_C_MA_AUTH_TARG_INIT"),
         STRING_BUFFER("auth-target-princ-initial"),
         STRING_BUFFER("Mechanism supports authentication of acceptor using "
                       "initial credentials."),
     },
     {
-        oids+21,
+        oids+22,
         STRING_BUFFER("GSS_C_MA_AUTH_INIT_ANON"),
         STRING_BUFFER("auth-init-princ-anon"),
         STRING_BUFFER("Mechanism supports GSS_C_NT_ANONYMOUS as an initiator "
                       "name."),
     },
     {
-        oids+22,
+        oids+23,
         STRING_BUFFER("GSS_C_MA_AUTH_TARG_ANON"),
         STRING_BUFFER("auth-targ-princ-anon"),
         STRING_BUFFER("Mechanism supports GSS_C_NT_ANONYMOUS as an acceptor "
                       "name."),
     },
     {
-        oids+23,
+        oids+24,
         STRING_BUFFER("GSS_C_MA_DELEG_CRED"),
         STRING_BUFFER("deleg-cred"),
         STRING_BUFFER("Mechanism supports credential delegation."),
     },
     {
-        oids+24,
+        oids+25,
         STRING_BUFFER("GSS_C_MA_INTEG_PROT"),
         STRING_BUFFER("integ-prot"),
         STRING_BUFFER("Mechanism supports per-message integrity protection."),
     },
     {
-        oids+25,
+        oids+26,
         STRING_BUFFER("GSS_C_MA_CONF_PROT"),
         STRING_BUFFER("conf-prot"),
         STRING_BUFFER("Mechanism supports per-message confidentiality "
                       "protection."),
     },
     {
-        oids+26,
+        oids+27,
         STRING_BUFFER("GSS_C_MA_MIC"),
         STRING_BUFFER("mic"),
         STRING_BUFFER("Mechanism supports Message Integrity Code (MIC) "
                       "tokens."),
     },
     {
-        oids+27,
+        oids+28,
         STRING_BUFFER("GSS_C_MA_WRAP"),
         STRING_BUFFER("wrap"),
         STRING_BUFFER("Mechanism supports wrap tokens."),
     },
     {
-        oids+28,
+        oids+29,
         STRING_BUFFER("GSS_C_MA_PROT_READY"),
         STRING_BUFFER("prot-ready"),
         STRING_BUFFER("Mechanism supports per-message proteciton prior to "
                       "full context establishment."),
     },
     {
-        oids+29,
+        oids+30,
         STRING_BUFFER("GSS_C_MA_REPLAY_DET"),
         STRING_BUFFER("replay-detection"),
         STRING_BUFFER("Mechanism supports replay detection."),
     },
     {
-        oids+30,
+        oids+31,
         STRING_BUFFER("GSS_C_MA_OOS_DET"),
         STRING_BUFFER("oos-detection"),
         STRING_BUFFER("Mechanism supports out-of-sequence detection."),
     },
     {
-        oids+31,
+        oids+32,
         STRING_BUFFER("GSS_C_MA_CBINDINGS"),
         STRING_BUFFER("channel-bindings"),
         STRING_BUFFER("Mechanism supports channel bindings."),
     },
     {
-        oids+32,
+        oids+33,
         STRING_BUFFER("GSS_C_MA_PFS"),
         STRING_BUFFER("pfs"),
         STRING_BUFFER("Mechanism supports Perfect Forward Security."),
     },
     {
-        oids+33,
+        oids+34,
         STRING_BUFFER("GSS_C_MA_COMPRESS"),
         STRING_BUFFER("compress"),
         STRING_BUFFER("Mechanism supports compression of data inputs to "
                       "gss_wrap()."),
     },
     {
-        oids+34,
+        oids+35,
         STRING_BUFFER("GSS_C_MA_CTX_TRANS"),
         STRING_BUFFER("context-transfer"),
         STRING_BUFFER("Mechanism supports security context export/import."),
diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c
index 665b590..85584fc 100644
--- a/src/lib/gssapi/generic/oid_ops.c
+++ b/src/lib/gssapi/generic/oid_ops.c
@@ -97,6 +97,7 @@ generic_gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
         (*oid != GSS_C_NT_HOSTBASED_SERVICE) &&
         (*oid != GSS_C_NT_ANONYMOUS) &&
         (*oid != GSS_C_NT_EXPORT_NAME) &&
+        (*oid != GSS_C_NT_COMPOSITE_EXPORT) &&
         (*oid != gss_nt_service_name)) {
         free((*oid)->elements);
         free(*oid);
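Review bot: The exclusion chain in `generic_gss_release_oid` is a hand-maintained mirror of the static name-type OIDs, and nothing in the code states that: an OID from the static table that is missing here is passed to `free()`, which is the failure mode this commit correctly avoids for `GSS_C_NT_COMPOSITE_EXPORT`. A comment above the chain would make the invariant explicit: `/* Never free OIDs that point into the static table in gssapi_generic.c; keep this list in sync with every gss_OID exported from there. */`. The function begins outside the hunk, so I cannot see whether the table itself is reachable from this file; if it is, a single address-range check against it would replace the list and remove the sync requirement.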
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index 0e730f9..ebc2a7b 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -218,7 +218,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
             uid = atoi(tmp);
             goto do_getpwuid;
 #endif
-        } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
+        } else if (g_OID_equal(input_name_type, gss_nt_exported_name) ||
+                   g_OID_equal(input_name_type, GSS_C_NT_COMPOSITE_EXPORT)) {
 #define BOUNDS_CHECK(cp, end, n)                                        \
             do { if ((end) - (cp) < (n)) goto fail_name; } while (0)
             cp = (unsigned char *)tmp;
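Review bot: Merging `GSS_C_NT_COMPOSITE_EXPORT` into the `gss_nt_exported_name` branch means the token ID byte parsed below (`0x01` plain, `0x02` composite, per the `case` labels in the next hunk) is never cross-checked against `input_name_type`: a `0x01` token imported as `GSS_C_NT_COMPOSITE_EXPORT`, or a `0x02` token imported as `gss_nt_exported_name`, both succeed. If that leniency is intended, say so on the `else if`: `/* Plain and composite export tokens are accepted under either name type. */`; otherwise remember which type was requested and fail the mismatch after the `switch` that sets `has_ad`. `krb5_gss_import_name` begins and ends outside the hunk, so the later use of `has_ad` is not visible here.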
@@ -231,7 +232,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
             case 0x01:
                 break;
             case 0x02:
-                has_ad++;
+                has_ad++; /* is composite name */
                 break;
             default:
                 goto fail_name;
diff --git a/src/lib/gssapi/krb5/inq_names.c b/src/lib/gssapi/krb5/inq_names.c
index 9cc4350..fcf7dbc 100644
--- a/src/lib/gssapi/krb5/inq_names.c
+++ b/src/lib/gssapi/krb5/inq_names.c
@@ -77,6 +77,10 @@ krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types)
             ((major = generic_gss_add_oid_set_member(minor_status,
                                                      gss_nt_krb5_name,
                                                      name_types)
+            ) == GSS_S_COMPLETE) &&
+            ((major = generic_gss_add_oid_set_member(minor_status,
+                                                     GSS_C_NT_COMPOSITE_EXPORT,
+                                                     name_types)
             ) == GSS_S_COMPLETE)
         ) {
             major = generic_gss_add_oid_set_member(minor_status,
diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
index a8ee3f2..3da3a23 100644
--- a/src/lib/gssapi/libgssapi_krb5.exports
+++ b/src/lib/gssapi/libgssapi_krb5.exports
@@ -1,6 +1,7 @@
 GSS_C_ATTR_LOCAL_LOGIN_USER
 GSS_C_INQ_SSPI_SESSION_KEY
 GSS_C_NT_ANONYMOUS
+GSS_C_NT_COMPOSITE_EXPORT
 GSS_C_NT_EXPORT_NAME
 GSS_C_NT_HOSTBASED_SERVICE
 GSS_C_NT_HOSTBASED_SERVICE_X
diff --git a/src/lib/gssapi/mechglue/g_imp_name.c b/src/lib/gssapi/mechglue/g_imp_name.c
index 7afa188..8fcc3d0 100644
--- a/src/lib/gssapi/mechglue/g_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_imp_name.c
@@ -209,7 +209,7 @@ importExportName(minor, unionName)
     buf = (unsigned char *)expName.value;
     if (buf[0] != 0x04)
 	return (GSS_S_DEFECTIVE_TOKEN);
-    if (buf[1] != 0x01 && buf[1] != 0x02)
+    if (buf[1] != 0x01 && buf[1] != 0x02) /* allow composite names */
 	return (GSS_S_DEFECTIVE_TOKEN);
 
     buf += expNameTokIdLen;
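Review bot: The added comment `/* allow composite names */` sits on a condition that rejects, and the `buf[1] != 0x02` alternative was already present on the old side, so the comment describes nothing this line newly does. A comment that names the bytes is more useful: `/* token ID byte: 0x01 exported name, 0x02 composite exported name */`. importExportName begins and ends outside the hunk, so whether the requested name type of unionName is reconciled with the token ID elsewhere cannot be seen here.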

