Package: libkrb53
Version: 1.6.dfsg.3~beta1-4
Severity: normal
Tags: patch

When trying to delegate credentials using mod_auth_kerb, delegation
succeeds (mod_auth_kerb receives a delegated gss_cred_id_t), but when it
tries to copy that credential into a ccache so it can write it out for
CGI scripts to use later, the copy fails.

The copy fails because gss_krb5_copy_ccache (the function being used) is
trying to find a credential from the passed-in gss_union_cred_t whose
mechanism OID is either krb5_mechanism or krb5_mechanism_old.  But the
gss_union_cred_t returned to mod_auth_kerb uses the SPNEGO mechanism OID
(since the browser used SPNEGO), which doesn't match either of those.

The gss_krb5_copy_ccache function only needs to set "mcred" to one or
the other of the Kerberos mechanism credential handles; if the top level
gss_union_cred_t uses SPNEGO, then it should contain a sub-credential
that uses one of the Kerberos mechanisms.  So one fix would be to make
gssint_get_mechanism_cred recurse when it receives an SPNEGO-mechanism
union_cred, and SPNEGO is not what was asked for.

It needs to get a reference to the SPNEGO mechanism OID, of course, but
the spnego_gss_get_mech_configs() function provides this.

So if the current mechs_array element doesn't match the passed-in
mech_type, but does match spnego_mech, then call back into
gssint_get_mechanism_cred with the current cred_array element (cast to a
gss_union_cred_t), and see if any of its sub-credentials match.  If not,
keep running through the loop.  If so, return the one that does match.
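To show the lookup described above on constructed data, here is an added example; it is not part of this bug report or of the krb5 sources.  The type definitions, the `max_depth` argument (0 reproduces the unpatched behaviour) and the marker handle are stand-ins, not mechglue's own.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins mirroring only the fields the lookup touches (not krb5's headers). */
typedef struct { size_t length; const void *elements; } gss_OID_desc, *gss_OID;
typedef void *gss_cred_id_t;
typedef struct {
    int            count;
    gss_OID_desc  *mechs_array;  /* one mechanism OID per sub-credential */
    gss_cred_id_t *cred_array;   /* mechanism handle matching each OID */
} gss_union_cred_desc, *gss_union_cred_t;
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t)0)

static int oid_equal(gss_OID a, gss_OID b) {
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Direct match first; otherwise descend into a SPNEGO entry, whose handle is
 * itself a union credential. max_depth 0 reproduces the unpatched behaviour. */
gss_cred_id_t get_mechanism_cred(gss_union_cred_t uc, gss_OID want, gss_OID spnego,
                                 int depth, int max_depth) {
    int i;
    if (uc == NULL) return GSS_C_NO_CREDENTIAL;
    for (i = 0; i < uc->count; i++) {
        if (oid_equal(want, &uc->mechs_array[i])) return uc->cred_array[i];
        if (depth < max_depth && oid_equal(spnego, &uc->mechs_array[i])) {
            gss_cred_id_t sub = get_mechanism_cred((gss_union_cred_t)uc->cred_array[i],
                                                   want, spnego, depth + 1, max_depth);
            if (sub != GSS_C_NO_CREDENTIAL) return sub;
        }
    }
    return GSS_C_NO_CREDENTIAL;
}

static char krb5_handle; /* marker standing in for a real krb5 credential handle */
/* Build a SPNEGO union credential wrapping one krb5 sub-credential (the shape
 * mod_auth_kerb receives) and ask for krb5. Returns 1 if the krb5 handle is found. */
int find_krb5_in_spnego_cred(int max_depth) {
    /* Standard OID encodings: krb5 1.2.840.113554.1.2.2, SPNEGO 1.3.6.1.5.5.2 */
    static const unsigned char krb5_bytes[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
    static const unsigned char spnego_bytes[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
    gss_OID_desc krb5_oid   = { sizeof krb5_bytes,   krb5_bytes };
    gss_OID_desc spnego_oid = { sizeof spnego_bytes, spnego_bytes };
    gss_cred_id_t inner_creds[1] = { (gss_cred_id_t)&krb5_handle };
    gss_union_cred_desc inner    = { 1, &krb5_oid, inner_creds };
    gss_cred_id_t outer_creds[1] = { (gss_cred_id_t)&inner };
    gss_union_cred_desc outer    = { 1, &spnego_oid, outer_creds };
    return get_mechanism_cred(&outer, &krb5_oid, &spnego_oid, 0, max_depth)
           == (gss_cred_id_t)&krb5_handle;
}
```

With `max_depth` 0 the krb5 sub-credential is invisible behind the SPNEGO entry, which is the failure mod_auth_kerb hits; with 1 it is found.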

Attached is a proposed patch to do exactly that (generated from a
libkrb53 tree that already has all the other Debian patches applied).

*** krb5-get_mechanism_cred-recurse-on-spnego.patch
Make gssint_get_mechanism_cred recurse if it finds a mechs_array item that
matches the SPNEGO OID, but not the OID that it's looking for.  (SPNEGO
credentials might contain the needed OID.)  If a sub-cred is found that
matches, return it; otherwise keep looping.

diff -ur a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c
--- a/src/lib/gssapi/mechglue/g_glue.c  2007-10-01 22:43:12.000000000 -0400
+++ b/src/lib/gssapi/mechglue/g_glue.c  2008-05-09 13:54:29.000000000 -0400
@@ -519,6 +519,8 @@
     return (major_status);
 }
 
+extern gss_mechanism *spnego_gss_get_mech_configs(void);
+
 /*
  * Glue routine for returning the mechanism-specific credential from a
  * external union credential.
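Review bot: the ad hoc `extern gss_mechanism *spnego_gss_get_mech_configs(void);` prototype in g_glue.c gives the generic mechglue a direct link-time dependency on a SPNEGO mechanism internal, and a prototype typed locally can silently drift from the real definition; put the prototype in a shared header included by both sides, or resolve the SPNEGO OID through the mechglue's own mechanism table so the dependency is explicit.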
@@ -529,6 +531,7 @@
     gss_OID            mech_type;
 {
     int                i;
+    gss_OID    spnego_mech = &(spnego_gss_get_mech_configs()[0]->mech_type);
     
     if (union_cred == GSS_C_NO_CREDENTIAL)
        return GSS_C_NO_CREDENTIAL;
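Review bot: `spnego_mech` is computed by calling `spnego_gss_get_mech_configs()` and indexing `[0]->mech_type` before the `union_cred == GSS_C_NO_CREDENTIAL` check, so every call pays for the lookup and a NULL return from that function would be dereferenced; fetch the OID lazily inside the loop only when an entry fails the direct match, and check the returned pointer before taking `->mech_type`.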
@@ -536,6 +539,18 @@
     for (i=0; i < union_cred->count; i++) {
        if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
            return union_cred->cred_array[i];
+
+       /* for SPNEGO, check the next-lower set of creds */
+       if (g_OID_equal(spnego_mech, &union_cred->mechs_array[i])) {
+           gss_union_cred_t candidate_cred;
+           gss_cred_id_t    sub_cred;
+
+           candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];
+           sub_cred = gssint_get_mechanism_cred(candidate_cred, mech_type);
+
+           if(sub_cred != GSS_C_NO_CREDENTIAL)
+               return sub_cred;
+       }
     }
     return GSS_C_NO_CREDENTIAL;
 }
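Review bot: the cast `(gss_union_cred_t)union_cred->cred_array[i]` assumes the SPNEGO mechanism hands out its credential handle as a mechglue union credential; that layout dependency is not stated anywhere and the recursion would read an unrelated structure if it ever changes, so document it next to the cast (or expose the sub-credential through a SPNEGO-provided accessor instead of a cast). Minor: `if(sub_cred` should be `if (sub_cred` to match the file's style.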


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libkrb53 depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libcomerr2                    1.40.8-2   common error description library
ii  libkeyutils1                  1.2-7      Linux Key Management Utilities (li

libkrb53 recommends no packages.

-- no debconf information
