From df41d53c674f9296641d88532ff3b22abb4216b9 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Wed, 18 Mar 2015 22:23:45 -0500 Subject: [PATCH] Fix gss_add_cred() (krb5) gss_add_cred() with GSS_C_NO_CREDENTIAL as the input_cred_handle should act like gss_acquire_cred() with desired_mechs containing just the desired_mech. --- lib/gssapi/krb5/add_cred.c | 178 ++++++++++++++++++++++++--------------------- 1 file changed, 97 insertions(+), 81 deletions(-) diff --git a/lib/gssapi/krb5/add_cred.c b/lib/gssapi/krb5/add_cred.c index 519596fc4..2980bf6de 100644 --- a/lib/gssapi/krb5/add_cred.c +++ b/lib/gssapi/krb5/add_cred.c @@ -47,7 +47,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( OM_uint32 *acceptor_time_rec) { krb5_context context; - OM_uint32 ret, lifetime; + OM_uint32 major, lifetime; gsskrb5_cred cred, handle; krb5_const_principal dname; @@ -55,50 +55,80 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( cred = (gsskrb5_cred)input_cred_handle; dname = (krb5_const_principal)desired_name; + if (cred == NULL && output_cred_handle == NULL) { + *minor_status = EINVAL; + return GSS_S_CALL_INACCESSIBLE_WRITE; + } + GSSAPI_KRB5_INIT (&context); - if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) { + if (desired_mech != GSS_C_NO_OID && + gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) { *minor_status = 0; return GSS_S_BAD_MECH; } - if (cred == NULL && output_cred_handle == NULL) { - *minor_status = 0; - return GSS_S_NO_CRED; - } + if (cred == NULL) { + /* + * Acquire a credential; output_cred_handle can't be NULL, see above. + */ + heim_assert(output_cred_handle != NULL, + "internal error in _gsskrb5_add_cred()"); + + major = _gsskrb5_acquire_cred(minor_status, desired_name, + min(initiator_time_req, + acceptor_time_req), + GSS_C_NO_OID_SET, + cred_usage, + output_cred_handle, + actual_mechs, &lifetime); + if (major != GSS_S_COMPLETE) + goto failure; + + } else if (cred != NULL) { + /* + * Check that we're done or copy input to output if + * output_cred_handle != NULL. + */ - if (cred == NULL) { /* XXX standard conformance failure */ - *minor_status = 0; - return GSS_S_NO_CRED; - } - - /* check if requested output usage is compatible with output usage */ - if (output_cred_handle != NULL) { HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); + + /* Check if requested output usage is compatible with output usage */ if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = GSS_KRB5_S_G_BAD_USAGE; return(GSS_S_FAILURE); } - } - - /* check that we have the same name */ - if (dname != NULL && - krb5_principal_compare(context, dname, - cred->principal) != FALSE) { - if (output_cred_handle) - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = 0; - return GSS_S_BAD_NAME; - } - /* make a copy */ - if (output_cred_handle) { - krb5_error_code kret; + /* Check that we have the same name */ + if (dname != NULL && + krb5_principal_compare(context, dname, + cred->principal) != FALSE) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = 0; + return GSS_S_BAD_NAME; + } + + if (output_cred_handle == NULL) { + /* + * This case is basically useless as we implement a single + * mechanism here, so we can't add elements to the + * input_cred_handle. + */ + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = 0; + return GSS_S_COMPLETE; + } + + /* + * Copy input to output -- this works as if we were a + * GSS_Duplicate_cred() for one mechanism element. + */ handle = calloc(1, sizeof(*handle)); if (handle == NULL) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + if (cred != NULL) + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ENOMEM; return (GSS_S_FAILURE); } @@ -111,42 +141,37 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( handle->mechanisms = NULL; HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - ret = GSS_S_FAILURE; + major = GSS_S_FAILURE; - kret = krb5_copy_principal(context, cred->principal, - &handle->principal); - if (kret) { + *minor_status = krb5_copy_principal(context, cred->principal, + &handle->principal); + if (*minor_status) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); free(handle); - *minor_status = kret; return GSS_S_FAILURE; } if (cred->keytab) { char *name = NULL; - ret = GSS_S_FAILURE; + major = GSS_S_FAILURE; - kret = krb5_kt_get_full_name(context, cred->keytab, &name); - if (kret) { - *minor_status = kret; + *minor_status = krb5_kt_get_full_name(context, cred->keytab, + &name); + if (*minor_status) goto failure; - } - kret = krb5_kt_resolve(context, name, - &handle->keytab); + *minor_status = krb5_kt_resolve(context, name, &handle->keytab); krb5_xfree(name); - if (kret){ - *minor_status = kret; + if (*minor_status) goto failure; - } } if (cred->ccache) { const char *type, *name; char *type_name = NULL; - ret = GSS_S_FAILURE; + major = GSS_S_FAILURE; type = krb5_cc_get_type(context, cred->ccache); if (type == NULL){ @@ -155,19 +180,15 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( } if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_new_unique(context, type, - NULL, &handle->ccache); - if (ret) { - *minor_status = ret; + *minor_status = krb5_cc_new_unique(context, type, + NULL, &handle->ccache); + if (*minor_status) goto failure; - } - ret = krb5_cc_copy_cache(context, cred->ccache, - handle->ccache); - if (ret) { - *minor_status = ret; + *minor_status = krb5_cc_copy_cache(context, cred->ccache, + handle->ccache); + if (*minor_status) goto failure; - } } else { name = krb5_cc_get_name(context, cred->ccache); @@ -176,52 +197,47 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( goto failure; } - kret = asprintf(&type_name, "%s:%s", type, name); - if (kret < 0 || type_name == NULL) { + if (asprintf(&type_name, "%s:%s", type, name) == -1 || + type_name == NULL) { *minor_status = ENOMEM; goto failure; } - kret = krb5_cc_resolve(context, type_name, - &handle->ccache); + *minor_status = krb5_cc_resolve(context, type_name, + &handle->ccache); free(type_name); - if (kret) { - *minor_status = kret; + if (*minor_status) goto failure; - } } } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret) + major = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + if (major != GSS_S_COMPLETE) goto failure; - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret) + major = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); + if (major != GSS_S_COMPLETE) goto failure; - } - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred, - NULL, &lifetime, NULL, actual_mechs); - if (ret) - goto failure; + major = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred, + NULL, &lifetime, NULL, actual_mechs); + if (major != GSS_S_COMPLETE) + goto failure; + + *output_cred_handle = (gss_cred_id_t)handle; + } if (initiator_time_rec) *initiator_time_rec = lifetime; if (acceptor_time_rec) *acceptor_time_rec = lifetime; - if (output_cred_handle) { - *output_cred_handle = (gss_cred_id_t)handle; - } - *minor_status = 0; - return ret; - - failure: + return major; +failure: if (handle) { if (handle->principal) krb5_free_principal(context, handle->principal); @@ -233,7 +249,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( gss_release_oid_set(NULL, &handle->mechanisms); free(handle); } - if (output_cred_handle) + if (cred && output_cred_handle) HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - return ret; + return major; } -- 2.11.4.GIT