[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SPNEGO and credentials delegation
11 mar 2008 kl. 09.14 skrev Oleg Sharoiko:
> It looks like there exist two issues which affect credentials
> when SPNEGO is in use:
> 1. It looks like acceptor_start (lib/gssapi/spnego/
> always puts GSS_C_NO_CREDENTIAL into *delegated_cred_handle. Even if
> lower layer returns valid credentials and puts them into
> *delegated_cred_handle (lines 641-663) they are being overwritten
> with ctx->delegated_cred_id which seems to always be
> (lines 743-746) I guess that either lines 743-746 should be removed or
> delegated_cred_handle should be replaced with ctx->delegated_cred_id
> lines 641-663.
That was a misdirected try to make the delegated credential to be
returned in the last call, the gss api interface doesn't seem to have
such a limitation. Updated the code and will commit it when I get back
to network land.
> 2. There are two methods: _gss_spnego_inquire_sec_context_by_oid and
> _gss_spnego_inquire_cred_by_oid, which are implemented but not
> in lib/gssapi/spnego/external.c
> Are there any reasons for them to be disabled?
Not really, added them and the two other missing glue function in the