krb5 commit [krb5-1.14]: Use public OID for interposing several functions
Tom Yu
tlyu at mit.edu
Tue Apr 5 23:02:53 EDT 2016
https://github.com/krb5/krb5/commit/d6fa09597eee34e15a70f3d0ef937f7122be0e56
commit d6fa09597eee34e15a70f3d0ef937f7122be0e56
Author: Robbie Harwood <rharwood at redhat.com>
Date: Tue Jan 12 15:59:49 2016 -0500
Use public OID for interposing several functions
This resolves an issue where an interposer would receive the private
OID, and be unable to call back into krb5 in the expected manner in
gss_inquire_names_for_mech(), gss_inquire_cred_by_mech(),
gss_localname(), gss_store_cred(), and gss_store_cred_into().
Also change the return code of gss_localname() to GSS_S_BAD_MECH
instead of GSS_S_UNAVAILABLE on mech lookup failure, for consistency
with other functions.
(cherry picked from commit fe73f1130695880bd83cf811c37131b12711be23)
ticket: 8360
version_fixed: 1.14.2
status: resolved
tags: -pullup
src/lib/gssapi/mechglue/g_inq_cred.c | 5 ++-
src/lib/gssapi/mechglue/g_inq_names.c | 28 ++++++++++----------------
src/lib/gssapi/mechglue/g_store_cred.c | 6 +++-
src/lib/gssapi/mechglue/gssd_pname_to_uid.c | 7 +++--
4 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c
index c8e45fe..c5577d4 100644
--- a/src/lib/gssapi/mechglue/g_inq_cred.c
+++ b/src/lib/gssapi/mechglue/g_inq_cred.c
@@ -169,7 +169,7 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name,
gss_mechanism mech;
OM_uint32 status, temp_minor_status;
gss_name_t internal_name;
- gss_OID selected_mech;
+ gss_OID selected_mech, public_mech;
if (minor_status != NULL)
*minor_status = 0;
@@ -198,8 +198,9 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name,
return (GSS_S_DEFECTIVE_CREDENTIAL);
#endif
+ public_mech = gssint_get_public_oid(selected_mech);
status = mech->gss_inquire_cred_by_mech(minor_status,
- mech_cred, selected_mech,
+ mech_cred, public_mech,
name ? &internal_name : NULL,
initiator_lifetime,
acceptor_lifetime, cred_usage);
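Review bot: The result of `gssint_get_public_oid(selected_mech)` is handed to `mech->gss_inquire_cred_by_mech` without being checked. Its definition is not part of this diff, so if the lookup can return `GSS_C_NO_OID` for a non-null input, the mechanism or interposer would receive a null OID instead of the one that was selected. Either guard it with `if (public_mech == GSS_C_NO_OID) return GSS_S_BAD_MECH;`, or add a comment such as `/* cannot fail: mech was resolved from selected_mech above */` if that invariant holds. The same unchecked call appears in the hunks for gss_inquire_names_for_mech, store_cred_fallback and gss_localname. The function body starts and ends outside this hunk.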
diff --git a/src/lib/gssapi/mechglue/g_inq_names.c b/src/lib/gssapi/mechglue/g_inq_names.c
index b44fd6c..d22af8b 100644
--- a/src/lib/gssapi/mechglue/g_inq_names.c
+++ b/src/lib/gssapi/mechglue/g_inq_names.c
@@ -40,7 +40,7 @@ gss_OID_set * name_types;
{
OM_uint32 status;
- gss_OID selected_mech = GSS_C_NO_OID;
+ gss_OID selected_mech = GSS_C_NO_OID, public_mech;
gss_mechanism mech;
/* Initialize outputs. */
@@ -70,23 +70,17 @@ gss_OID_set * name_types;
return (status);
mech = gssint_get_mechanism(selected_mech);
+ if (mech == NULL)
+ return GSS_S_BAD_MECH;
+ else if (mech->gss_inquire_names_for_mech == NULL)
+ return GSS_S_UNAVAILABLE;
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gss_inquire_names_for_mech(minor_status, public_mech,
+ name_types);
+ if (status != GSS_S_COMPLETE)
+ map_error(minor_status, mech);
- if (mech) {
-
- if (mech->gss_inquire_names_for_mech) {
- status = mech->gss_inquire_names_for_mech(
- minor_status,
- selected_mech,
- name_types);
- if (status != GSS_S_COMPLETE)
- map_error(minor_status, mech);
- } else
- status = GSS_S_UNAVAILABLE;
-
- return(status);
- }
-
- return (GSS_S_BAD_MECH);
+ return status;
}
static OM_uint32
diff --git a/src/lib/gssapi/mechglue/g_store_cred.c b/src/lib/gssapi/mechglue/g_store_cred.c
index 030c73f..c2b6ddf 100644
--- a/src/lib/gssapi/mechglue/g_store_cred.c
+++ b/src/lib/gssapi/mechglue/g_store_cred.c
@@ -24,15 +24,17 @@ store_cred_fallback(
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
+ gss_OID public_mech = gssint_get_public_oid(desired_mech);
+
if (mech->gss_store_cred_into != NULL) {
return mech->gss_store_cred_into(minor_status, mech_cred,
- cred_usage, desired_mech,
+ cred_usage, public_mech,
overwrite_cred, default_cred,
cred_store, elements_stored,
cred_usage_stored);
} else if (cred_store == GSS_C_NO_CRED_STORE) {
return mech->gss_store_cred(minor_status, mech_cred,
- cred_usage, desired_mech,
+ cred_usage, public_mech,
overwrite_cred, default_cred,
elements_stored,
cred_usage_stored);
diff --git a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
index 4e7b644..4caa751 100644
--- a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
+++ b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c
@@ -123,7 +123,7 @@ gss_localname(OM_uint32 *minor,
gss_mechanism mech;
gss_union_name_t unionName;
gss_name_t mechName = GSS_C_NO_NAME, mechNameP;
- gss_OID selected_mech = GSS_C_NO_OID;
+ gss_OID selected_mech = GSS_C_NO_OID, public_mech;
if (localname != GSS_C_NO_BUFFER) {
localname->length = 0;
@@ -152,7 +152,7 @@ gss_localname(OM_uint32 *minor,
mech = gssint_get_mechanism(unionName->mech_type);
if (mech == NULL)
- return GSS_S_UNAVAILABLE;
+ return GSS_S_BAD_MECH;
/* may need to create a mechanism specific name */
if (unionName->mech_type == GSS_C_NO_OID ||
@@ -170,7 +170,8 @@ gss_localname(OM_uint32 *minor,
major = GSS_S_UNAVAILABLE;
if (mech->gss_localname != NULL) {
- major = mech->gss_localname(minor, mechNameP, mech_type, localname);
+ public_mech = gssint_get_public_oid(selected_mech);
+ major = mech->gss_localname(minor, mechNameP, public_mech, localname);
if (GSS_ERROR(major))
map_error(minor, mech);
}
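Review bot: The OID passed to `mech->gss_localname` changes source as well as form: the old call passed the caller's `mech_type`, while the new one passes `gssint_get_public_oid(selected_mech)`. `selected_mech` is initialised to `GSS_C_NO_OID`, and the context of the previous hunk shows `mech` being looked up from `unionName->mech_type`, so there appears to be a path where `mech` is resolved while `selected_mech` is still null. The code that assigns `selected_mech` lies outside these hunks, so this is inferred. Once confirmed, a comment above the call would document the intent, for example `/* selected_mech stays GSS_C_NO_OID when the caller passed no mech_type; the mechanism is then given no OID */`.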