Implement support for GSSAPI extension RFC 4178
RFC 4178 provides two support API calls that enable the caller to manipulate the set of acceptable security mechanisms used in the SPNEGO protocol; for the given credentials, the gss_get_neg_mechs call is used to indicate the current set of security mechanisms available for negotiation, and the gss_set_neg_mechs call is used to specify the set of security mechanisms available for negotiation. Since gss_get_neg_mechs is not implemented by MIT krb5, we are only implementing the raw interface for the latter call. Note that although RFC 4178 did not specify that the mech_set argument cannot be an empty set, we are forcing it to be non-empty in the low-level API here since passing an empty set will always trigger an error in the MIT krb5 implementation.
1 parent
b6efe72
commit 8f77bf7
Showing
4 changed files
with
116 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
GSSAPI="BASE" # This ensures that a full module is generated by Cython | ||
|
||
from gssapi.raw.cython_types cimport * | ||
from gssapi.raw.cython_converters cimport c_get_mech_oid_set | ||
from gssapi.raw.creds cimport Creds | ||
|
||
from gssapi.raw.misc import GSSError | ||
|
||
cdef extern from "python_gssapi_ext.h": | ||
OM_uint32 gss_set_neg_mechs( | ||
OM_uint32 *minor_status, | ||
gss_cred_id_t cred_handle, | ||
const gss_OID_set mech_set) nogil | ||
|
||
|
||
def set_neg_mechs(Creds cred_handle not None, mech_set not None): | ||
""" | ||
set_neg_mechs(cred_handle not None, mech_set not None) | ||
Specify the set of security mechanisms that may be negotiated with | ||
the credential identified by cred_handle. | ||
If more than one mechanism is specified in mech_set, the order in | ||
which those mechanisms are specified implies a relative preference. | ||
Args: | ||
cred_handle (Creds): credentials to set negotiable mechanisms for | ||
mech_set ([MechType]): negotiable mechanisms to be set | ||
Returns: | ||
None | ||
Raises: | ||
GSSError | ||
""" | ||
|
||
cdef gss_OID_set negotiable_mechs = c_get_mech_oid_set(mech_set) | ||
|
||
cdef OM_uint32 maj_stat, min_stat | ||
|
||
with nogil: | ||
maj_stat = gss_set_neg_mechs(&min_stat, cred_handle.raw_creds, | ||
negotiable_mechs) | ||
|
||
cdef OM_uint32 tmp_min_stat | ||
gss_release_oid_set(&tmp_min_stat, &negotiable_mechs) | ||
|
||
if maj_stat == GSS_S_COMPLETE: | ||
return None | ||
else: | ||
raise GSSError(maj_stat, min_stat) |
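Review bot: The `mech_set not None` clause in the `set_neg_mechs` signature rejects only `None`, so the non-empty requirement described in the commit message is not enforced or documented in the visible code; an empty list still reaches `c_get_mech_oid_set` and `gss_set_neg_mechs`. Callers may use this call to narrow which mechanisms SPNEGO is allowed to negotiate, so the contract should be explicit in the docstring, for example `mech_set ([MechType]): non-empty list of negotiable mechanisms, in order of preference`. The `Raises` entry could likewise read `GSSError: if the mechanism set could not be applied to the credential`, so callers know the credential must not be used as if it were restricted when the call fails. If an early, clearer failure is preferred over the library's error, a guard such as `if not mech_set: raise ValueError("mech_set must not be empty")` before the conversion would do it, though that changes the exception type callers see.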