
Re: SPNEGO and credentials delegation



On 11 Mar 2008 at 09:14, Oleg Sharoiko wrote:

> It looks like there exist two issues which affect credentials
> delegation when SPNEGO is in use:
>
> 1. It looks like acceptor_start
> (lib/gssapi/spnego/accept_sec_context.c) always puts
> GSS_C_NO_CREDENTIAL into *delegated_cred_handle. Even if the lower
> layer returns valid credentials and puts them into
> *delegated_cred_handle (lines 641-663) they are being overwritten
> later with ctx->delegated_cred_id which seems to always be
> GSS_C_NO_CREDENTIAL (lines 743-746) I guess that either lines 743-746
> should be removed or delegated_cred_handle should be replaced with
> ctx->delegated_cred_id in lines 641-663.

That was a misdirected try to make the delegated credential be
returned in the last call; the gss api interface doesn't seem to have
such a limitation. Updated the code and will commit it when I get back
to network land.

> 2. There are two methods: _gss_spnego_inquire_sec_context_by_oid and
> _gss_spnego_inquire_cred_by_oid, which are implemented but not
> declared in lib/gssapi/spnego/external.c
> Are there any reasons for them to be disabled?

Not really, added them and the two other missing glue functions in the
SPNEGO layer.

Thanks!
Love
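
The overwrite reported in point 1, and the two fixes the report suggests, as an added simplified C model; it is not Heimdal's code and not part of the original message. All types and function names below are hypothetical stand-ins, and the line-number comments only map to the lines the report cites.

```c
#include <stdio.h>

/* Simplified stand-ins for illustration; not the Heimdal types or source. */
typedef struct cred { const char *name; } *cred_t;
#define NO_CREDENTIAL ((cred_t)0)   /* models GSS_C_NO_CREDENTIAL */

struct spnego_ctx { cred_t delegated_cred_id; };  /* per-context slot */

static struct cred forwarded = { "forwarded credential (constructed)" };

/* Stand-in for the lower-layer mechanism: hands back a delegated credential. */
static void mech_accept(cred_t *delegated_out) {
    if (delegated_out) *delegated_out = &forwarded;
}

/* Reported pattern: the lower layer's result is overwritten from the
 * context slot, which was never filled in. */
cred_t accept_reported(struct spnego_ctx *ctx) {
    cred_t handle = NO_CREDENTIAL;
    mech_accept(&handle);               /* cf. lines 641-663 in the report */
    handle = ctx->delegated_cred_id;    /* cf. lines 743-746 in the report */
    return handle;
}

/* Suggested fix A: drop the overwrite. */
cred_t accept_without_overwrite(struct spnego_ctx *ctx) {
    cred_t handle = NO_CREDENTIAL;
    (void)ctx;
    mech_accept(&handle);
    return handle;
}

/* Suggested fix B: let the lower layer fill the context slot, then return it. */
cred_t accept_via_ctx(struct spnego_ctx *ctx) {
    mech_accept(&ctx->delegated_cred_id);
    cred_t handle = ctx->delegated_cred_id;
    ctx->delegated_cred_id = NO_CREDENTIAL;  /* model choice: caller now owns it */
    return handle;
}

int main(void) {
    struct spnego_ctx ctx = { NO_CREDENTIAL };
    cred_t r = accept_reported(&ctx);
    printf("reported: %s\n", r ? r->name : "no credential");
    r = accept_without_overwrite(&ctx);
    printf("fix A:    %s\n", r ? r->name : "no credential");
    r = accept_via_ctx(&ctx);
    printf("fix B:    %s\n", r ? r->name : "no credential");
    return 0;
}
```

In the reported pattern the acceptor still completes successfully, so a service that needs the delegated credential only notices when it tests the returned handle against GSS_C_NO_CREDENTIAL.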