gss: add some missing GM_USE_MG_CRED checks
authorLuke Howard <lukeh@padl.com>
Sat, 28 Dec 2019 05:35:04 +0000 (16:35 +1100)
committerLuke Howard <lukeh@padl.com>
Tue, 4 Feb 2020 06:28:35 +0000 (17:28 +1100)
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.

lib/gssapi/mech/gss_accept_sec_context.c
lib/gssapi/mech/gss_acquire_cred_from.c
lib/gssapi/mech/gss_add_cred_from.c
lib/gssapi/mech/gss_store_cred_into.c

index 2b6a1c5a16e82182c18571cada7a4bb0a93c7abf..85d6ef82683fd5d72ed12c9fb633023af9a940d8 100644 (file)
@@ -210,7 +210,9 @@ gss_accept_sec_context(OM_uint32 *minor_status,
                m = ctx->gc_mech;
        }
 
-       if (cred) {
+       if (m->gm_flags & GM_USE_MG_CRED) {
+               acceptor_mc = acceptor_cred_handle;
+       } else if (cred) {
                HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link)
                        if (mc->gmc_mech == m)
                                break;
@@ -270,9 +272,18 @@ gss_accept_sec_context(OM_uint32 *minor_status,
 
        if (mech_ret_flags & GSS_C_DELEG_FLAG) {
                if (!delegated_cred_handle) {
-                       m->gm_release_cred(minor_status, &delegated_mc);
+                       if (m->gm_flags  & GM_USE_MG_CRED)
+                               gss_release_cred(minor_status, &delegated_mc);
+                       else
+                               m->gm_release_cred(minor_status, &delegated_mc);
                        mech_ret_flags &=
                            ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+               } else if ((m->gm_flags & GM_USE_MG_CRED) != 0) {
+                       /* 
+                        * If credential is uses mechglue cred, assume it
+                        * returns one too.
+                        */
+                       *delegated_cred_handle = delegated_mc;
                } else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
                        /*
                         * If the returned mech_type is not the same
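Review bot: The comment added with the pass-through branch, `If credential is uses mechglue cred, assume it returns one too`, is ungrammatical and does not say what is being assumed; suggest `/* The mechanism consumes mechglue credentials directly, so assume the delegated credential it returns is already a mechglue handle and hand it back unwrapped. */`. Two style points in the same function: `if (m->gm_flags  & GM_USE_MG_CRED)` in the release branch carries a doubled space, and the flag is tested bare in the acceptor-credential hunk and the release branch but with `!= 0` in the pass-through branch — one form should be used throughout. gss_accept_sec_context begins and ends outside both hunks, so whether delegated_mc is initialised to GSS_C_NO_CREDENTIAL before the gss_release_cred call on the flagged path is not visible here.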
index f0ddd6b679fe9ad7d3ced12867f92c6f71227d66..d32ebf6cb1b1227db94bd1c48524c772d118b7d3 100644 (file)
@@ -200,7 +200,7 @@ gss_acquire_cred_from(OM_uint32 *minor_status,
        OM_uint32 cred_time;
 
        m = __gss_get_mechanism(&mechs->elements[i]);
-       if (m == NULL)
+       if (m == NULL || (m->gm_flags & GM_USE_MG_CRED) != 0)
            continue;
 
        if (desired_name != GSS_C_NO_NAME) {
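Review bot: Skipping a GM_USE_MG_CRED mechanism with `continue` here is silent, whereas the gss_add_cred_from hunk in this commit returns GSS_S_BAD_MECH for the same condition, and the gss_store_cred_into hunk silently skips it again; a caller whose desired mech set names only flagged mechanisms therefore gets whatever the loop's post-condition yields rather than an explicit mechanism error. If the asymmetry is intended, the `continue` should say so, e.g. `/* mechanisms that consume mechglue creds directly have no per-mech cred to acquire; skip rather than fail so other mechs in the set still succeed */`. The loop body and the code after it lie outside this hunk, so the fallback result is not visible here.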
index 785ea9d04b4b6a682b97c1f3758f69d05f60628e..d304061dbfda25946aa84bd77a3cab8edc5eb185 100644 (file)
@@ -130,7 +130,8 @@ gss_add_cred_from(OM_uint32 *minor_status,
         *acceptor_time_rec = 0;
     if (actual_mechs)
         *actual_mechs = GSS_C_NO_OID_SET;
-    if ((m = __gss_get_mechanism(desired_mech)) == NULL)
+    if ((m = __gss_get_mechanism(desired_mech)) == NULL ||
+       (m->gm_flags & GM_USE_MG_CRED))
         return GSS_S_BAD_MECH;
     if (input_cred_handle == GSS_C_NO_CREDENTIAL &&
         output_cred_handle == NULL) {
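Review bot: The continuation line `(m->gm_flags & GM_USE_MG_CRED))` is indented to a different width than the four-space body around it, and it omits the `!= 0` that the gss_acquire_cred_from and gss_store_cred_into hunks use for the same test; `        (m->gm_flags & GM_USE_MG_CRED) != 0)` brings it in line with the rest of this change. A short comment on why this case is reported as GSS_S_BAD_MECH (a mechanism that uses the mechglue credential directly has no per-mechanism element to add) would help, since the other two files treat the same condition as a silent skip. gss_add_cred_from's body continues past the hunk.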
index c327e08e0e60d210ae1766ac3e6219d93347ed20..3009fa4a23ca6788098ced6c19461bc9f7819338 100644 (file)
@@ -110,7 +110,7 @@ gss_store_cred_into(OM_uint32 *minor_status,
     HEIM_TAILQ_FOREACH(mc, &cred->gc_mc, gmc_link) {
        gssapi_mech_interface m = mc->gmc_mech;
 
-       if (m == NULL)
+       if (m == NULL || (m->gm_flags & GM_USE_MG_CRED) != 0)
            continue;
 
         if (desired_mech != GSS_C_NO_OID &&