
From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: gss_krb5_export_lucid_sec_ctx fails in the spnego case
Date: Thu, 05 Oct 2006 16:01:56 -0400


If spnego negotiates a krb5 context then we expect the krb5 extensions
to work on that context.

--Sam
From: austinj@mit.edu
Subject: SVN Commit
Applying Apple patches:
SC-spnego-export.patch
BR-5023012-was-4858064_lucid_support_for_SPNEGO.patch


Commit By: austinj



Revision: 19767
Changed Files:
U users/austinj/Lucid_support_for_SPNEGO/src/lib/gssapi/krb5/krb5_gss_glue.c
U users/austinj/Lucid_support_for_SPNEGO/src/lib/gssapi/spnego/gssapiP_spnego.h
Subject: gss_export_lucid_sec_context support for SPNEGO
diff -r -u Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c 2007-03-01 13:31:55.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c 2007-03-01 13:34:48.000000000 -0800
@@ -24,8 +24,10 @@
* $Id: krb5_gss_glue.c 18262 2006-06-29 04:38:48Z tlyu $
*/

+#include <syslog.h>
#include "gssapiP_krb5.h"
#include "mglueP.h"
+#include "../spnego/gssapiP_spnego.h"

/** mechglue wrappers **/

@@ -1061,7 +1063,6 @@
return GSS_S_DEFECTIVE_CREDENTIAL;
}

-/* XXX need to delete mechglue ctx too */
OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(
OM_uint32 *minor_status,
@@ -1069,17 +1070,39 @@
OM_uint32 version,
void **kctx)
{
- gss_union_ctx_id_t uctx;
+ gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)*context_handle;
+ gss_union_ctx_id_t kerb_ctx;
+ OM_uint32 major = GSS_S_COMPLETE, minor = 0;
+ int is_spnego = 0;
+
+ if (minor_status != NULL)
+ *minor_status = 0;
+ if (minor_status == NULL || context_handle == NULL || kctx == NULL)
+ return (GSS_S_CALL_INACCESSIBLE_WRITE);
+ *kctx = GSS_C_NO_CONTEXT;
+
+ if (uctx == GSS_C_NO_CONTEXT)
+ return (GSS_S_CALL_INACCESSIBLE_READ);
+
+ if (g_OID_equal(uctx->mech_type, &spnego_oids[0])) {
+ kerb_ctx = uctx->internal_ctx_id;
+ is_spnego = 1;
+ }
+ else
+ kerb_ctx = uctx;

- uctx = (gss_union_ctx_id_t)*context_handle;
- /*
- if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
- !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
- return GSS_S_BAD_MECH;
- */
- return gss_krb5int_export_lucid_sec_context(minor_status,
- &uctx->internal_ctx_id,
- version, kctx);
+ major = gss_krb5int_export_lucid_sec_context(minor_status,
+ &kerb_ctx->internal_ctx_id, version, kctx);
+
+ if (major == GSS_S_COMPLETE) {
+ if (is_spnego) {
+ uctx->internal_ctx_id = GSS_C_NO_CONTEXT;
+ (void) gss_delete_sec_context(&minor, (gss_ctx_id_t *)&kerb_ctx, NULL);
+ }
+ (void) gss_delete_sec_context(&minor, context_handle, NULL);
+ }
+
+ return (major);
}

OM_uint32 KRB5_CALLCONV
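Review bot: The initializer `gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)*context_handle;` dereferences `context_handle` before the `context_handle == NULL` test a few lines below, so that test cannot protect against a NULL argument. Declare `uctx` without an initializer and assign it only after the argument checks, immediately before the `uctx == GSS_C_NO_CONTEXT` test: `uctx = (gss_union_ctx_id_t)*context_handle;`. In the SPNEGO branch, `kerb_ctx = uctx->internal_ctx_id` is later used as `&kerb_ctx->internal_ctx_id` with no NULL check. If an SPNEGO context can reach this call before an inner mechanism context exists, that is a NULL dereference, so a guard such as `if (kerb_ctx == GSS_C_NO_CONTEXT) return (GSS_S_NO_CONTEXT);` looks warranted after the assignment.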
diff -r -u Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/gssapiP_spnego.h Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/gssapiP_spnego.h
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/gssapiP_spnego.h 2007-02-07 12:40:20.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/gssapiP_spnego.h 2007-03-01 13:32:22.000000000 -0800
@@ -111,11 +111,11 @@
{SPNEGO_OID_LENGTH, SPNEGO_OID},
};

-const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
+static const gss_OID_desc * const gss_mech_spnego = spnego_oids+0;
static const gss_OID_set_desc spnego_oidsets[] = {
{1, (gss_OID) spnego_oids+0},
};
-const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+static const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;

#ifdef DEBUG
#define dsyslog(a) syslog(LOG_DEBUG, a)
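Review bot: Marking `gss_mech_spnego` and `gss_mech_set_spnego` as `static` in a header gives every file that includes gssapiP_spnego.h its own private copy, and this commit now includes that header from krb5_gss_glue.c as well. This avoids duplicate-symbol errors, but code that compares these pointers across files would see different addresses, and files that never use them carry unused definitions. Declaring them in the header as `extern const gss_OID_desc * const gss_mech_spnego;` and `extern const gss_OID_set_desc * const gss_mech_set_spnego;`, with a single definition in one .c file, would keep one object per symbol. The `spnego_oids` array they point into is declared outside this hunk and would presumably need the same treatment.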
From: tlyu@mit.edu
Subject: SVN Commit

Apply (adapted) patch from Apple to check for SPNEGO mechanism in
export_lucid_sec_ctx.


Commit By: tlyu



Revision: 20899
Changed Files:
_U trunk/
U trunk/src/lib/gssapi/krb5/krb5_gss_glue.c
U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U trunk/src/lib/gssapi/spnego/spnego_mech.c
From: tlyu@mit.edu
Subject: SVN Commit

Fix previous commit by adding "extern" to header declarations for
SPNEGO mechanism OID stuff. It was causing tentative definition
issues on the Mac (where there are constraints about common-block
symbols).


Commit By: tlyu



Revision: 20910
Changed Files:
_U trunk/
U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h