verifier_cred_handle,
&krb_creds,
GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET,
out_cred,
NULL,
- NULL,
context);
krb5_free_data(context, data);
cred->usage = GSS_C_INITIATE; /* we can't accept with this */
/* cred->name already set */
- cred->prerfc_mech = 1; /* this cred will work with all three mechs */
- cred->rfc_mech = 1;
cred->keytab = NULL; /* no keytab associated with this... */
cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
cred->ccache = ccache; /* the ccache containing the credential */
/*ARGSUSED*/
static OM_uint32
acquire_cred(minor_status, desired_name, password, time_req,
- desired_mechs, cred_usage, output_cred_handle,
- actual_mechs, time_rec, req_iakerb)
+ cred_usage, output_cred_handle, time_rec, req_iakerb)
OM_uint32 *minor_status;
const gss_name_t desired_name;
const gss_buffer_t password;
OM_uint32 time_req;
- const gss_OID_set desired_mechs;
gss_cred_usage_t cred_usage;
gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
OM_uint32 *time_rec;
int req_iakerb;
{
krb5_context context = NULL;
- size_t i;
krb5_gss_cred_id_t cred = NULL;
- gss_OID_set ret_mechs = GSS_C_NO_OID_SET;
- int req_old, req_new;
OM_uint32 ret;
krb5_error_code code = 0;
/* make sure all outputs are valid */
*output_cred_handle = NULL;
- if (actual_mechs)
- *actual_mechs = NULL;
if (time_rec)
*time_rec = 0;
goto krb_error_out;
}
- /* verify that the requested mechanism set is the default, or
- contains krb5 */
-
- if (desired_mechs == GSS_C_NULL_OID_SET) {
- req_old = 1;
- req_new = 1;
- } else {
- req_old = 0;
- req_new = 0;
-
- for (i=0; i<desired_mechs->count; i++) {
- if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i])))
- req_old++;
- if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i])))
- req_new++;
- }
-
- if (!req_old && !req_new) {
- ret = GSS_S_BAD_MECH;
- goto error_out;
- }
- }
-
/* create the gss cred structure */
cred = k5alloc(sizeof(krb5_gss_cred_id_rec), &code);
if (code != 0)
cred->usage = cred_usage;
cred->name = NULL;
- cred->prerfc_mech = (req_old != 0) && (req_iakerb == 0);
- cred->rfc_mech = (req_new != 0) && (req_iakerb == 0);
cred->iakerb_mech = req_iakerb;
cred->default_identity = (desired_name == GSS_C_NO_NAME);
*time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0;
}
- /* create mechs */
-
- if (actual_mechs) {
- if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
- &ret_mechs)) ||
- (cred->prerfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
- &ret_mechs))) ||
- (cred->rfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &ret_mechs))) ||
- (cred->iakerb_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_iakerb,
- &ret_mechs)))) {
- goto error_out;
- }
- }
-
/* intern the credential handle */
if (! kg_save_cred_id((gss_cred_id_t) cred)) {
*minor_status = 0;
*output_cred_handle = (gss_cred_id_t) cred;
- if (actual_mechs)
- *actual_mechs = ret_mechs;
krb5_free_context(context);
return(GSS_S_COMPLETE);
ret = GSS_S_FAILURE;
error_out:
- if (ret_mechs != GSS_C_NO_OID_SET) {
- free(ret_mechs->elements);
- free(ret_mechs);
- }
if (cred != NULL) {
if (cred->ccache)
(void)krb5_cc_close(context, cred->ccache);
return GSS_S_COMPLETE;
}
+/*
+ * krb5 and IAKERB mech API functions follow. The mechglue always passes null
+ * desired_mechs and actual_mechs, so we ignore those parameters.
+ */
+
OM_uint32
krb5_gss_acquire_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, output_cred_handle,
OM_uint32 *time_rec;
{
return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
- time_req, desired_mechs,
- cred_usage, output_cred_handle, actual_mechs,
- time_rec, 0);
+ time_req, cred_usage, output_cred_handle, time_rec, 0);
}
OM_uint32
OM_uint32 *time_rec;
{
return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
- time_req, desired_mechs,
- cred_usage, output_cred_handle, actual_mechs,
- time_rec, 1);
+ time_req, cred_usage, output_cred_handle, time_rec, 1);
}
OM_uint32
OM_uint32 *time_rec)
{
return acquire_cred(minor_status, desired_name, password,
- time_req, desired_mechs,
- cred_usage, output_cred_handle, actual_mechs,
- time_rec, 0);
+ time_req, cred_usage, output_cred_handle, time_rec, 0);
}
OM_uint32
OM_uint32 *time_rec)
{
return acquire_cred(minor_status, desired_name, password,
- time_req, desired_mechs,
- cred_usage, output_cred_handle, actual_mechs,
- time_rec, 1);
+ time_req, cred_usage, output_cred_handle, time_rec, 1);
}
-
/* name/type of credential */
gss_cred_usage_t usage;
krb5_gss_name_t name;
- unsigned int prerfc_mech : 1;
- unsigned int rfc_mech : 1;
unsigned int proxy_cred : 1;
unsigned int default_identity : 1;
unsigned int iakerb_mech : 1;
krb5_creds *creds,
krb5_gss_cred_id_t *out_cred);
-OM_uint32
-kg_new_connection(
- OM_uint32 *minor_status,
- krb5_gss_cred_id_t cred,
- gss_ctx_id_t *context_handle,
- gss_name_t target_name,
- gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- gss_channel_bindings_t input_chan_bindings,
- gss_buffer_t input_token,
- gss_OID *actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 *ret_flags,
- OM_uint32 *time_rec,
- krb5_context context,
- int default_mech,
- krb5_gss_ctx_ext_t exts);
-
/** declarations of internal name mechanism functions **/
OM_uint32 krb5_gss_acquire_cred
krb5_gss_cred_id_t impersonator_cred,
krb5_creds *subject_creds,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
krb5_gss_cred_id_t *output_cred,
- gss_OID_set *actual_mechs,
OM_uint32 *time_rec,
krb5_context context);
gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
krb5_gss_cred_id_t kcred;
krb5_gss_name_t kname;
- int credLocked = 0;
+ krb5_boolean cred_locked = FALSE;
int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
if (initialContextToken) {
if (GSS_ERROR(major_status))
goto cleanup;
- credLocked = 1;
+ cred_locked = TRUE;
kcred = (krb5_gss_cred_id_t)claimant_cred_handle;
} else {
- major_status = iakerb_gss_acquire_cred(minor_status, NULL,
- GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET,
- GSS_C_INITIATE,
- &defcred, NULL, NULL);
+ major_status = krb5_gss_acquire_cred(minor_status, NULL,
+ GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET,
+ GSS_C_INITIATE,
+ &defcred, NULL, NULL);
if (GSS_ERROR(major_status))
goto cleanup;
kcred = (krb5_gss_cred_id_t)defcred;
if (ctx->state == IAKERB_AP_REQ) {
krb5_gss_ctx_ext_rec exts;
- /* Ensure cred is marked as usable for Kerberos mechanism */
- if (kcred != NULL) {
- if (kcred->iakerb_mech)
- kcred->rfc_mech = 1;
-
+ if (cred_locked) {
k5_mutex_unlock(&kcred->lock);
- credLocked = 0;
+ cred_locked = FALSE;
}
iakerb_make_exts(ctx, &exts);
}
cleanup:
- if (credLocked)
+ if (cred_locked)
k5_mutex_unlock(&kcred->lock);
if (initialContextToken && GSS_ERROR(major_status)) {
iakerb_release_context(ctx);
*
* Do the grunt work of setting up a new context.
*/
-OM_uint32
+static OM_uint32
kg_new_connection(
OM_uint32 *minor_status,
krb5_gss_cred_id_t cred,
OM_uint32 *ret_flags,
OM_uint32 *time_rec,
krb5_context context,
- int default_mech,
krb5_gss_ctx_ext_t exts)
{
OM_uint32 major_status;
&& (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
- if (default_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- }
-
if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
!= GSS_S_COMPLETE) {
code = *minor_status;
{
krb5_context context;
krb5_gss_cred_id_t cred;
- int err;
krb5_error_code kerr;
- int default_mech = 0;
OM_uint32 major_status;
OM_uint32 tmp_min_stat;
/* verify the mech_type */
- err = 0;
- if (mech_type == GSS_C_NULL_OID) {
- default_mech = 1;
- if (cred->rfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- } else if (cred->prerfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5_old;
- } else {
- err = 1;
- }
- } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+ if (mech_type == GSS_C_NULL_OID || g_OID_equal(mech_type, gss_mech_krb5)) {
mech_type = (gss_OID) gss_mech_krb5;
- if (!cred->rfc_mech)
- err = 1;
} else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
mech_type = (gss_OID) gss_mech_krb5_old;
- if (!cred->prerfc_mech)
- err = 1;
} else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
mech_type = (gss_OID) gss_mech_krb5_wrong;
- if (!cred->rfc_mech)
- err = 1;
} else {
- err = 1;
- }
-
- if (err) {
k5_mutex_unlock(&cred->lock);
if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
time_req, input_chan_bindings,
input_token, actual_mech_type,
output_token, ret_flags, time_rec,
- context, default_mech, exts);
+ context, exts);
k5_mutex_unlock(&cred->lock);
if (*context_handle == GSS_C_NO_CONTEXT) {
save_error_info (*minor_status, context);
if (mechanisms) {
if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
&mechs)) ||
- (cred->prerfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
- &mechs))) ||
- (cred->rfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &mechs))) ||
- (cred->iakerb_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_iakerb,
- &mechs)))) {
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5_old,
+ &mechs)) ||
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5,
+ &mechs))) {
k5_mutex_unlock(&cred->lock);
if (ret_name)
kg_release_name(context, KG_INIT_NAME_INTERN, &ret_name);
#endif
#include <assert.h>
-static OM_uint32
-kg_set_desired_mechs(OM_uint32 *minor_status,
- const gss_OID_set desired_mechs,
- krb5_gss_cred_id_t cred)
-{
- unsigned int i;
-
- if (desired_mechs == GSS_C_NULL_OID_SET) {
- cred->prerfc_mech = 1;
- cred->rfc_mech = 1;
- } else {
- cred->prerfc_mech = 0;
- cred->rfc_mech = 0;
-
- for (i = 0; i < desired_mechs->count; i++) {
- if (g_OID_equal(gss_mech_krb5_old, &desired_mechs->elements[i]))
- cred->prerfc_mech = 1;
- else if (g_OID_equal(gss_mech_krb5, &desired_mechs->elements[i]))
- cred->rfc_mech = 1;
- }
-
- if (!cred->prerfc_mech && !cred->rfc_mech) {
- *minor_status = 0;
- return GSS_S_BAD_MECH;
- }
- }
-
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-kg_return_mechs(OM_uint32 *minor_status,
- krb5_gss_cred_id_t cred,
- gss_OID_set *actual_mechs)
-{
- OM_uint32 major_status, minor;
- gss_OID_set mechs;
-
- if (actual_mechs == NULL)
- return GSS_S_COMPLETE;
-
- major_status = generic_gss_create_empty_oid_set(minor_status, &mechs);
- if (GSS_ERROR(major_status))
- return major_status;
-
- if (cred->prerfc_mech) {
- major_status = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
- &mechs);
- if (GSS_ERROR(major_status)) {
- generic_gss_release_oid_set(&minor, &mechs);
- return major_status;
- }
- }
- if (cred->rfc_mech) {
- major_status = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &mechs);
- if (GSS_ERROR(major_status)) {
- generic_gss_release_oid_set(&minor, &mechs);
- return major_status;
- }
- }
-
- *actual_mechs = mechs;
-
- return GSS_S_COMPLETE;
-}
-
static int
kg_is_initiator_cred(krb5_gss_cred_id_t cred)
{
const krb5_gss_cred_id_t impersonator_cred,
const krb5_gss_name_t user,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
krb5_gss_cred_id_t *output_cred,
- gss_OID_set *actual_mechs,
OM_uint32 *time_rec,
krb5_context context)
{
impersonator_cred,
out_creds,
time_req,
- desired_mechs,
output_cred,
- actual_mechs,
time_rec,
context);
return major_status;
}
+/* The mechglue always passes null desired_mechs and actual_mechs. */
OM_uint32
krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
const gss_cred_id_t impersonator_cred_handle,
}
*output_cred_handle = GSS_C_NO_CREDENTIAL;
- if (actual_mechs != NULL)
- *actual_mechs = GSS_C_NO_OID_SET;
if (time_rec != NULL)
*time_rec = 0;
(krb5_gss_cred_id_t)impersonator_cred_handle,
(krb5_gss_name_t)desired_name,
time_req,
- desired_mechs,
&cred,
- actual_mechs,
time_rec,
context);
krb5_gss_cred_id_t impersonator_cred,
krb5_creds *subject_creds,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
krb5_gss_cred_id_t *output_cred,
- gss_OID_set *actual_mechs,
OM_uint32 *time_rec,
krb5_context context)
{
cred->usage = GSS_C_INITIATE;
cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
- major_status = kg_set_desired_mechs(minor_status, desired_mechs, cred);
- if (GSS_ERROR(major_status))
- goto cleanup;
-
cred->tgt_expire = impersonator_cred->tgt_expire;
code = kg_init_name(context, subject_creds->client, NULL, 0, &cred->name);
*time_rec = cred->tgt_expire - now;
}
- major_status = kg_return_mechs(minor_status, cred, actual_mechs);
- if (GSS_ERROR(major_status))
- goto cleanup;
-
if (!kg_save_cred_id((gss_cred_id_t)cred)) {
code = G_VALIDATE_FAILED;
goto cleanup;