From: Simo Sorce Date: Sat, 3 Mar 2012 04:21:04 +0000 (-0500) Subject: Implement credential store support in spnego X-Git-Tag: krb5-1.11-alpha1~391 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29f4249a49cf28192fa2caae1536e9a617c4562e;p=thirdparty%2Fkrb5.git Implement credential store support in spnego
---
diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
index f50ab2df23..772ce50be2 100644
--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
@@ -601,6 +601,20 @@ spnego_gss_inquire_attrs_for_mech
 gss_OID_set *known_mech_attrs
 );
+OM_uint32 KRB5_CALLCONV
+spnego_gss_acquire_cred_from
+(
+ OM_uint32 *minor_status,
+ const gss_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_const_key_value_set_t cred_store,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec
+);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 0c4e7279d4..91cf5713d4 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -97,8 +97,9 @@ static gss_OID get_mech_oid(OM_uint32 *, unsigned char **, size_t);
 static gss_buffer_t get_input_token(unsigned char **, unsigned int);
 static gss_OID_set get_mech_set(OM_uint32 *, unsigned char **, unsigned int);
 static OM_uint32 get_req_flags(unsigned char **, OM_uint32, OM_uint32 *);
-static OM_uint32 get_available_mechs(OM_uint32 *, gss_name_t,
- gss_cred_usage_t, gss_cred_id_t *, gss_OID_set *);
+static OM_uint32 get_available_mechs(OM_uint32 *, gss_name_t, gss_cred_usage_t,
+ gss_const_key_value_set_t,
+ gss_cred_id_t *, gss_OID_set *);
 static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
 gss_cred_usage_t, gss_OID_set *);
 static void release_spnego_ctx(spnego_gss_ctx_id_t *);
@@ -273,6 +274,8 @@ static struct gss_config spnego_mechanism =
 spnego_gss_inquire_saslname_for_mech,
 spnego_gss_inquire_mech_for_saslname,
 spnego_gss_inquire_attrs_for_mech,
+ spnego_gss_acquire_cred_from,
+ NULL, /* gss_store_cred_into */
 };
 static struct gss_config_ext spnego_mechanism_ext =
@@ -330,6 +333,24 @@ spnego_gss_acquire_cred(OM_uint32 *minor_status,
 gss_cred_id_t *output_cred_handle,
 gss_OID_set *actual_mechs,
 OM_uint32 *time_rec)
+{
+ return spnego_gss_acquire_cred_from(minor_status, desired_name, time_req,
+ desired_mechs, cred_usage, NULL,
+ output_cred_handle, actual_mechs,
+ time_rec);
+}
+
+/*ARGSUSED*/
+OM_uint32 KRB5_CALLCONV
+spnego_gss_acquire_cred_from(OM_uint32 *minor_status,
+ const gss_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_const_key_value_set_t cred_store,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec)
 {
 OM_uint32 status, tmpmin;
 gss_OID_set amechs;
@@ -358,9 +379,9 @@ spnego_gss_acquire_cred(OM_uint32 *minor_status,
 * mechs for which creds are available.
 */
 if (desired_mechs == GSS_C_NULL_OID_SET) {
- status = get_available_mechs(minor_status,
- desired_name, cred_usage,
- &mcred, &amechs);
+ status = get_available_mechs(minor_status, desired_name,
+ cred_usage, cred_store, &mcred,
+ &amechs);
 } else {
 /*
 * The caller gave a specific list of mechanisms,
@@ -368,10 +389,10 @@ spnego_gss_acquire_cred(OM_uint32 *minor_status,
 * gss_acquire_creds will return the subset of mechs for
 * which the given 'output_cred_handle' is valid.
 */
- status = gss_acquire_cred(minor_status,
- desired_name, time_req,
- desired_mechs, cred_usage,
- &mcred, &amechs, time_rec);
+ status = gss_acquire_cred_from(minor_status, desired_name,
+ time_req, desired_mechs,
+ cred_usage, cred_store, &mcred,
+ &amechs, time_rec);
 }
 if (actual_mechs && amechs != GSS_C_NULL_OID_SET) {
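Review bot: The new `NULL, /* gss_store_cred_into */` slot in the spnego_mechanism table leaves SPNEGO able to acquire a credential from a specific store but not to store one into it; if the mechglue treats a NULL entry as unsupported, gss_store_cred_into() on a SPNEGO credential will presumably fail while gss_acquire_cred_from() succeeds. A comment recording that this asymmetry is deliberate would help the next reader, e.g. `NULL, /* gss_store_cred_into: not implemented for SPNEGO yet */`. The two new entries are positional, so they must match the field order of struct gss_config, which is declared outside this diff.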
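Review bot: In the @@ -330 hunk spnego_gss_acquire_cred passes a bare `NULL` as the cred_store argument, while every other call site this commit adds (spnego_gss_inquire_cred, spnego_gss_acquire_cred_with_password, get_negotiable_mechs) spells it `GSS_C_NO_CRED_STORE`; writing `desired_mechs, cred_usage, GSS_C_NO_CRED_STORE,` here keeps the intent visible and the file consistent. The new spnego_gss_acquire_cred_from also has no header comment; a short one stating that cred_store is forwarded unchanged to the underlying mechanisms through gss_acquire_cred_from() and get_available_mechs(), and what passing GSS_C_NO_CRED_STORE means for it, would be worth adding. The body of spnego_gss_acquire_cred_from continues past the end of this hunk.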
@@ -1916,6 +1937,7 @@ spnego_gss_inquire_cred(
 status = get_available_mechs(minor_status,
 GSS_C_NO_NAME,
 GSS_C_BOTH,
+ GSS_C_NO_CRED_STORE,
 &creds, mechanisms);
 if (status != GSS_S_COMPLETE) {
@@ -2538,7 +2560,8 @@ spnego_gss_acquire_cred_with_password(OM_uint32 *minor_status,
 dmechs = desired_mechs;
 if (desired_mechs == GSS_C_NULL_OID_SET) {
 status = get_available_mechs(minor_status, desired_name,
- cred_usage, NULL, &amechs);
+ cred_usage, GSS_C_NO_CRED_STORE,
+ NULL, &amechs);
 dmechs = amechs;
 }
@@ -2849,6 +2872,7 @@ release_spnego_ctx(spnego_gss_ctx_id_t *ctx)
 static OM_uint32
 get_available_mechs(OM_uint32 *minor_status,
 gss_name_t name, gss_cred_usage_t usage,
+ gss_const_key_value_set_t cred_store,
 gss_cred_id_t *creds, gss_OID_set *rmechs)
 {
 unsigned int i;
@@ -2890,10 +2914,11 @@ get_available_mechs(OM_uint32 *minor_status,
 * for which the creds are valid.
 */
 if (found > 0 && major_status == GSS_S_COMPLETE && creds != NULL) {
- major_status = gss_acquire_cred(minor_status,
- name, GSS_C_INDEFINITE,
- *rmechs, usage, creds,
- &goodmechs, NULL);
+ major_status = gss_acquire_cred_from(minor_status, name,
+ GSS_C_INDEFINITE,
+ *rmechs, usage,
+ cred_store, creds,
+ &goodmechs, NULL);
 /*
 * Drop the old list in favor of the new
@@ -2942,7 +2967,8 @@ get_negotiable_mechs(OM_uint32 *minor_status, spnego_gss_cred_id_t spcred,
 */
 credptr = (usage == GSS_C_INITIATE) ? &creds : NULL;
 ret = get_available_mechs(minor_status, GSS_C_NO_NAME, usage,
- credptr, rmechs);
+ GSS_C_NO_CRED_STORE, credptr,
+ rmechs);
 gss_release_cred(&tmpmin, &creds);
 return (ret);
 }
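Review bot: get_available_mechs gains a `cred_store` parameter in the @@ -2849 hunk but nothing documents it, and the @@ -2890 hunk shows it is only consulted inside the `creds != NULL` branch, where it is forwarded to gss_acquire_cred_from(); a caller that passes NULL creds, as spnego_gss_acquire_cred_with_password does in the @@ -2538 hunk, therefore gets a mechanism list built without consulting any store. Suggest a comment above the definition: `/* cred_store is forwarded to gss_acquire_cred_from() only when creds is non-NULL; with creds == NULL no store is consulted. */`. The definition's body continues beyond both hunks.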