Apply (adapted) patch from Apple to check for SPNEGO mechanism in
authorTom Yu <tlyu@mit.edu>
Mon, 20 Oct 2008 19:39:52 +0000 (19:39 +0000)
committerTom Yu <tlyu@mit.edu>
Mon, 20 Oct 2008 19:39:52 +0000 (19:39 +0000)
export_lucid_sec_ctx.

ticket: 6015

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20899 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/krb5_gss_glue.c
src/lib/gssapi/spnego/gssapiP_spnego.h
src/lib/gssapi/spnego/spnego_mech.c

index 62905e421c5c46aecba24bccdf27ed9edb2e2140..265818bf68660fd433f4683472abc15325a92944 100644 (file)
@@ -27,6 +27,7 @@
 
 #include "gssapiP_krb5.h"
 #include "mglueP.h"
+#include "../spnego/gssapiP_spnego.h"
 
 
 /** mechglue wrappers **/
@@ -1141,7 +1142,6 @@ gss_krb5_copy_ccache(
     return GSS_S_DEFECTIVE_CREDENTIAL;
 }
 
-/* XXX need to delete mechglue ctx too */
 OM_uint32 KRB5_CALLCONV
 gss_krb5_export_lucid_sec_context(
     OM_uint32 *minor_status,
@@ -1149,15 +1149,40 @@ gss_krb5_export_lucid_sec_context(
     OM_uint32 version,
     void **kctx)
 {
-    gss_union_ctx_id_t uctx;
+    gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)*context_handle;
+    gss_union_ctx_id_t kerb_ctx;
+    OM_uint32 major = GSS_S_COMPLETE, minor = 0;
+    int is_spnego = 0;
+
+    if (minor_status != NULL)
+        *minor_status = 0;
+    if (minor_status == NULL || context_handle == NULL || kctx == NULL)
+        return (GSS_S_CALL_INACCESSIBLE_WRITE);
+    *kctx = GSS_C_NO_CONTEXT;
+
+    if (uctx == GSS_C_NO_CONTEXT)
+        return (GSS_S_CALL_INACCESSIBLE_READ);
+
+    if (g_OID_equal(uctx->mech_type, gss_mech_spnego)) {
+        kerb_ctx = uctx->internal_ctx_id;
+        is_spnego = 1;
+    }
+    else
+        kerb_ctx = uctx;
+
+    major =  gss_krb5int_export_lucid_sec_context(minor_status,
+                                                  &kerb_ctx->internal_ctx_id,
+                                                  version, kctx);
+
+    if (major == GSS_S_COMPLETE) {
+        if (is_spnego) {
+            uctx->internal_ctx_id = GSS_C_NO_CONTEXT;
+            (void) gss_delete_sec_context(&minor, (gss_ctx_id_t *)&kerb_ctx, NULL);
+        }
+        (void) gss_delete_sec_context(&minor, context_handle, NULL);
+    }
 
-    uctx = (gss_union_ctx_id_t)*context_handle;
-    if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
-        !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
-        return GSS_S_BAD_MECH;
-    return gss_krb5int_export_lucid_sec_context(minor_status,
-                                                &uctx->internal_ctx_id,
-                                                version, kctx);
+    return (major);
 }
 
 OM_uint32 KRB5_CALLCONV
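Review bot: The rewritten body no longer verifies that the context being exported is a krb5 context. With the old `GSS_S_BAD_MECH` test removed, any non-SPNEGO mechanism's `internal_ctx_id` is passed to `gss_krb5int_export_lucid_sec_context` as if it were krb5 state, and in the SPNEGO branch `uctx->internal_ctx_id` is cast to a union context without checking what was negotiated. Separately, the initializer `uctx = (gss_union_ctx_id_t)*context_handle` dereferences `context_handle` before the `context_handle == NULL` test a few lines later, so that test cannot protect the call. I would move the assignment below the argument checks and restore the mechanism test against `kerb_ctx->mech_type`, as sketched below; the function's signature begins above this hunk. It is also worth confirming whether the internal export already releases the krb5 context, because the success path then calls `gss_delete_sec_context` on `kerb_ctx` and on `context_handle` again.

```c
    gss_union_ctx_id_t uctx;
    /* … unchanged: other declarations, minor_status reset, NULL-argument check … */
    *kctx = GSS_C_NO_CONTEXT;

    /* Read the handle only after context_handle has been checked for NULL. */
    uctx = (gss_union_ctx_id_t)*context_handle;
    if (uctx == GSS_C_NO_CONTEXT)
        return (GSS_S_CALL_INACCESSIBLE_READ);

    /* … unchanged: SPNEGO branch selecting kerb_ctx … */

    /* Only a krb5 context may be handed to the krb5 lucid exporter. */
    if (kerb_ctx == GSS_C_NO_CONTEXT ||
        (!g_OID_equal(kerb_ctx->mech_type, &krb5_mechanism.mech_type) &&
         !g_OID_equal(kerb_ctx->mech_type, &krb5_mechanism_old.mech_type)))
        return (GSS_S_BAD_MECH);
```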
index 6d7d4c40c92ed43a5bf20260b8ba5b873c44803e..310fd18210bb00f69b2a4ee184ca0a9ca88ad33b 100644 (file)
@@ -106,16 +106,9 @@ typedef struct {
  */
 #define        SPNEGO_MAGIC_ID  0x00000fed
 
-/* SPNEGO oid structure */
-static const gss_OID_desc spnego_oids[] = {
-       {SPNEGO_OID_LENGTH, SPNEGO_OID},
-};
-
-const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
-static const gss_OID_set_desc spnego_oidsets[] = {
-       {1, (gss_OID) spnego_oids+0},
-};
-const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+/* SPNEGO oid declarations */
+const gss_OID_desc * const gss_mech_spnego;
+const gss_OID_set_desc * const gss_mech_set_spnego;
 
 #ifdef DEBUG
 #define        dsyslog(a) syslog(LOG_DEBUG, a)
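Review bot: The two declarations that replace the definitions have no `extern`, so each is a tentative definition in every file that includes this header, which now includes krb5_gss_glue.c. Depending on how the toolchain treats common symbols, that is either a duplicate-symbol link failure or a separate zero-initialized pointer in the glue object. In the second case the new `g_OID_equal(uctx->mech_type, gss_mech_spnego)` call would compare against a null OID instead of the one defined in spnego_mech.c. Declare them as `extern const gss_OID_desc * const gss_mech_spnego;` and `extern const gss_OID_set_desc * const gss_mech_set_spnego;`, and change the comment to say that the definitions live in spnego_mech.c.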
index 54b9af5d1c47919189e9b67ae2999125f39ba7a5..f3cb5919b42384e8fa82f506832a3c056957f0f0 100644 (file)
@@ -154,6 +154,17 @@ get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int,
 static int
 is_kerb_mech(gss_OID oid);
 
+/* SPNEGO oid structure */
+static const gss_OID_desc spnego_oids[] = {
+       {SPNEGO_OID_LENGTH, SPNEGO_OID},
+};
+
+const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
+static const gss_OID_set_desc spnego_oidsets[] = {
+       {1, (gss_OID) spnego_oids+0},
+};
+const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+
 /*
  * The Mech OID for SPNEGO:
  * { iso(1) org(3) dod(6) internet(1) security(5)