author | Filip Navara <navara@emclient.com> | 2022-07-29 02:42:22 +0300 |
committer | GitHub <noreply@github.com> | 2022-07-29 02:42:22 +0300 |
commit | bda555725dabc46893bffb33e7f756528cbdc52c (patch) | |
tree | 5b8db384bd26fd409cb1cf2447a91b02592de1ea /src/native | |
parent | d7c8bc10ac00fe330daa633f8a2b16ba208e6e56 (diff) |
Add support for specifying Kerberos package on Linux/macOS (in addition to NTLM and Negotiate) (#72024)
Diffstat (limited to 'src/native')
-rw-r--r-- | src/native/libs/System.Net.Security.Native/pal_gssapi.c | 59 | ||||
-rw-r--r-- | src/native/libs/System.Net.Security.Native/pal_gssapi.h | 13 |
2 files changed, 45 insertions, 27 deletions
diff --git a/src/native/libs/System.Net.Security.Native/pal_gssapi.c b/src/native/libs/System.Net.Security.Native/pal_gssapi.c
index 2430e540a5d..a325b1ac5ae 100644
--- a/src/native/libs/System.Net.Security.Native/pal_gssapi.c
+++ b/src/native/libs/System.Net.Security.Native/pal_gssapi.c
@@ -276,7 +276,7 @@ uint32_t NetSecurityNative_ImportPrincipalName(uint32_t* minorStatus,
 uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 GssCredId* claimantCredHandle,
 GssCtxId** contextHandle,
- uint32_t isNtlm,
+ uint32_t packageType,
 GssName* targetName,
 uint32_t reqFlags,
 uint8_t* inputBytes,
@@ -288,7 +288,7 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 return NetSecurityNative_InitSecContextEx(minorStatus,
 claimantCredHandle,
 contextHandle,
- isNtlm,
+ packageType,
 NULL,
 0,
 targetName,
@@ -303,7 +303,7 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 GssCredId* claimantCredHandle,
 GssCtxId** contextHandle,
- uint32_t isNtlm,
+ uint32_t packageType,
 void* cbt,
 int32_t cbtSize,
 GssName* targetName,
@@ -316,7 +316,7 @@ uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 {
 assert(minorStatus != NULL);
 assert(contextHandle != NULL);
- assert(isNtlm == 0 || isNtlm == 1);
+ assert(packageType == PAL_GSS_NEGOTIATE || packageType == PAL_GSS_NTLM || packageType == PAL_GSS_KERBEROS);
 assert(targetName != NULL);
 assert(inputBytes != NULL || inputLength == 0);
 assert(outBuffer != NULL);
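Review bot: The new `assert(packageType == PAL_GSS_NEGOTIATE || packageType == PAL_GSS_NTLM || packageType == PAL_GSS_KERBEROS)` is the only range check on packageType, and asserts compile out in release builds, so a value outside the enum reaches the mechanism selection further down this function, where the trailing `else` maps it to SPNEGO instead of rejecting it. Because that path can negotiate down to NTLM, a caller passing an unknown package silently gets the least specific mechanism; a fail-closed guard that survives release builds would be safer, e.g. `if (packageType > PAL_GSS_KERBEROS) { *minorStatus = 0; return GSS_S_BAD_MECH; }` placed after the asserts (whether the managed side handles GSS_S_BAD_MECH on this call I cannot tell from the hunk). The body of NetSecurityNative_InitSecContextEx continues outside the hunk.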
@@ -330,27 +330,33 @@ uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 #if HAVE_GSS_SPNEGO_MECHANISM
 gss_OID krbMech = GSS_KRB5_MECHANISM;
 gss_OID desiredMech;
- if (isNtlm)
+ if (packageType == PAL_GSS_NTLM)
 {
 desiredMech = GSS_NTLM_MECHANISM;
 }
+ else if (packageType == PAL_GSS_KERBEROS)
+ {
+ desiredMech = GSS_KRB5_MECHANISM;
+ }
 else
 {
 desiredMech = GSS_SPNEGO_MECHANISM;
 }
 #else
 gss_OID krbMech = (gss_OID)(unsigned long)gss_mech_krb5;
- gss_OID_desc gss_mech_OID_desc;
- if (isNtlm)
+ gss_OID desiredMech;
+ if (packageType == PAL_GSS_NTLM)
+ {
+ desiredMech = &gss_mech_ntlm_OID_desc;
+ }
+ else if (packageType == PAL_GSS_KERBEROS)
 {
- gss_mech_OID_desc = gss_mech_ntlm_OID_desc;
+ desiredMech = gss_mech_krb5;
 }
 else
 {
- gss_mech_OID_desc = gss_mech_spnego_OID_desc;
+ desiredMech = &gss_mech_spnego_OID_desc;
 }
-
- gss_OID desiredMech = &gss_mech_OID_desc;
 #endif
 GssBuffer inputToken = {.length = inputLength, .value = inputBytes};
@@ -379,7 +385,7 @@ uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 retFlags,
 NULL);
- *isNtlmUsed = (isNtlm || majorStatus != GSS_S_COMPLETE || gss_oid_equal(outmech, krbMech) == 0) ? 1 : 0;
+ *isNtlmUsed = (packageType == PAL_GSS_NTLM || majorStatus != GSS_S_COMPLETE || gss_oid_equal(outmech, krbMech) == 0) ? 1 : 0;
 NetSecurityNative_MoveBuffer(&gssBuffer, outBuffer);
 return majorStatus;
@@ -598,7 +604,7 @@ uint32_t NetSecurityNative_VerifyMic(uint32_t* minorStatus,
 }
 static uint32_t AcquireCredWithPassword(uint32_t* minorStatus,
- int32_t isNtlm,
+ int32_t packageType,
 GssName* desiredName,
 char* password,
 uint32_t passwdLen,
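Review bot: In the `#else` branch, `desiredMech = gss_mech_krb5;` assigns the library's exported OID pointer straight to a non-const `gss_OID`, while the line just above it, `gss_OID krbMech = (gss_OID)(unsigned long)gss_mech_krb5;`, goes through a cast — which suggests the exported declaration is const-qualified on that build (MIT declares it `const gss_OID_desc * const`), so the new assignment presumably trips a discarded-qualifiers warning. The cast value is already in scope, so `desiredMech = krbMech;` avoids both the warning and a second spelling of the same OID. A short comment on the two `krbMech` definitions, `// krb5 OID, compared against the negotiated mechanism after gss_init_sec_context`, would also help, since the variable is only consumed near the end of the function.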
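Review bot: With the Kerberos package, `*isNtlmUsed` still becomes 1 whenever `majorStatus != GSS_S_COMPLETE`, so during a multi-leg Kerberos exchange the flag reports NTLM even though the selection above pinned the krb5 OID and NTLM cannot be chosen; that was already the Negotiate behaviour, but the name now reads as a firm verdict. A comment on the assignment, `// 1 means "NTLM, or mechanism not yet confirmed"; only a completed krb5 context clears it`, would keep callers from treating it as a Kerberos-vs-NTLM answer before completion. The body of NetSecurityNative_InitSecContextEx starts outside this hunk.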
@@ -606,34 +612,39 @@ static uint32_t AcquireCredWithPassword(uint32_t* minorStatus,
 GssCredId** outputCredHandle)
 {
 assert(minorStatus != NULL);
- assert(isNtlm == 1 || isNtlm == 0);
+ assert(packageType == PAL_GSS_NEGOTIATE || packageType == PAL_GSS_NTLM || packageType == PAL_GSS_KERBEROS);
 assert(desiredName != NULL);
 assert(password != NULL);
 assert(outputCredHandle != NULL);
 assert(*outputCredHandle == NULL);
 #if HAVE_GSS_SPNEGO_MECHANISM
- (void)isNtlm; // unused
+ (void)packageType; // unused
 // Specifying GSS_SPNEGO_MECHANISM as a desiredMech on OSX fails.
- gss_OID_set desiredMech = GSS_C_NO_OID_SET;
+ gss_OID_set desiredMechSet = GSS_C_NO_OID_SET;
 #else
 gss_OID_desc gss_mech_OID_desc;
- if (isNtlm)
+ gss_OID desiredMech;
+ if (packageType == PAL_GSS_NTLM)
+ {
+ desiredMech = &gss_mech_ntlm_OID_desc;
+ }
+ else if (packageType == PAL_GSS_KERBEROS)
 {
- gss_mech_OID_desc = gss_mech_ntlm_OID_desc;
+ desiredMech = gss_mech_krb5;
 }
 else
 {
- gss_mech_OID_desc = gss_mech_spnego_OID_desc;
+ desiredMech = &gss_mech_spnego_OID_desc;
 }
- gss_OID_set_desc gss_mech_OID_set_desc = {.count = 1, .elements = &gss_mech_OID_desc};
- gss_OID_set desiredMech = &gss_mech_OID_set_desc;
+ gss_OID_set_desc gss_mech_OID_set_desc = {.count = 1, .elements = desiredMech};
+ gss_OID_set desiredMechSet = &gss_mech_OID_set_desc;
 #endif
 GssBuffer passwordBuffer = {.length = passwdLen, .value = password};
 uint32_t majorStatus = gss_acquire_cred_with_password(
- minorStatus, desiredName, &passwordBuffer, 0, desiredMech, credUsage, outputCredHandle, NULL, NULL);
+ minorStatus, desiredName, &passwordBuffer, 0, desiredMechSet, credUsage, outputCredHandle, NULL, NULL);
 return majorStatus;
 }
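Review bot: In the `#else` branch the context line `gss_OID_desc gss_mech_OID_desc;` is now dead: both assignments into it were removed and `gss_mech_OID_set_desc` is initialised from `desiredMech` instead, so the declaration should be deleted as it was in the same branch of NetSecurityNative_InitSecContextEx; as it stands it is an unused-variable warning on non-SPNEGO builds. Separately, on the `HAVE_GSS_SPNEGO_MECHANISM` side `(void)packageType; // unused` together with `GSS_C_NO_OID_SET` means a Kerberos-only request is not restricted at credential acquisition on that platform; if that is deliberate because the mechanism is pinned later in NetSecurityNative_InitSecContextEx, the comment should say so, e.g. `// packageType is intentionally ignored here: the mechanism is restricted in NetSecurityNative_InitSecContextEx, not at credential acquisition.` The existing OSX remark explains only why SPNEGO is not requested, not why krb5 is not.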
@@ -652,14 +663,14 @@ uint32_t NetSecurityNative_AcquireAcceptorCred(uint32_t* minorStatus,
 }
 uint32_t NetSecurityNative_InitiateCredWithPassword(uint32_t* minorStatus,
- int32_t isNtlm,
+ int32_t packageType,
 GssName* desiredName,
 char* password,
 uint32_t passwdLen,
 GssCredId** outputCredHandle)
 {
 return AcquireCredWithPassword(
- minorStatus, isNtlm, desiredName, password, passwdLen, GSS_C_INITIATE, outputCredHandle);
+ minorStatus, packageType, desiredName, password, passwdLen, GSS_C_INITIATE, outputCredHandle);
 }
 uint32_t NetSecurityNative_IsNtlmInstalled()
diff --git a/src/native/libs/System.Net.Security.Native/pal_gssapi.h b/src/native/libs/System.Net.Security.Native/pal_gssapi.h
index 3bd8a590983..10be636c778 100644
--- a/src/native/libs/System.Net.Security.Native/pal_gssapi.h
+++ b/src/native/libs/System.Net.Security.Native/pal_gssapi.h
@@ -40,6 +40,13 @@ typedef enum
 PAL_GSS_C_DELEG_POLICY_FLAG = 0x8000
 } PAL_GssFlags;
+typedef enum
+{
+ PAL_GSS_NEGOTIATE = 0,
+ PAL_GSS_NTLM = 1,
+ PAL_GSS_KERBEROS = 2,
+} PAL_GssPackageType;
+
 /*
 Issue: #7342
 Disable padded warning which occurs in case of 32-bit builds
@@ -111,7 +118,7 @@ Shims the gss_init_sec_context method with SPNEGO oids.
 PALEXPORT uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 GssCredId* claimantCredHandle,
 GssCtxId** contextHandle,
- uint32_t isNtlm,
+ uint32_t packageType,
 GssName* targetName,
 uint32_t reqFlags,
 uint8_t* inputBytes,
@@ -123,7 +130,7 @@ PALEXPORT uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 PALEXPORT uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 GssCredId* claimantCredHandle,
 GssCtxId** contextHandle,
- uint32_t isNtlm,
+ uint32_t packageType,
 void* cbt,
 int32_t cbtSize,
 GssName* targetName,
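Review bot: `PAL_GssPackageType` is introduced without a comment saying that its numeric values cross the managed/native boundary as raw integers — the shims keep `uint32_t`/`int32_t packageType` rather than the enum type — so nothing in the header warns a maintainer that renumbering or reordering the members silently breaks the interop contract (and `0`/`1` must keep meaning what the old `isNtlm` 0/1 meant). Add above the typedef: `// Values are passed from managed code as plain integers; keep in sync with the managed enum and never renumber.` Also, the same value is `uint32_t packageType` in the InitSecContext prototypes below but `int32_t packageType` in NetSecurityNative_InitiateCredWithPassword; the asymmetry is inherited from isNtlm, but with a shared enum now defined, one width across the shims would be cleaner.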
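Review bot: The doc comment whose last line shows in the hunk header, `Shims the gss_init_sec_context method with SPNEGO oids.`, is now stale: `packageType` can select the NTLM or Kerberos OID instead of SPNEGO. Suggest `Shims the gss_init_sec_context method; packageType (PAL_GssPackageType) selects the SPNEGO, NTLM or Kerberos mechanism OID.` The comment block itself starts outside the hunk.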
@@ -195,7 +202,7 @@ PALEXPORT uint32_t NetSecurityNative_VerifyMic(uint32_t* minorStatus,
 Shims the gss_acquire_cred_with_password method with GSS_C_INITIATE.
 */
 PALEXPORT uint32_t NetSecurityNative_InitiateCredWithPassword(uint32_t* minorStatus,
- int32_t isNtlm,
+ int32_t packageType,
 GssName* desiredName,
 char* password,
 uint32_t passwdLen, |