diff options
-rw-r--r-- | lib/libtdekrb/src/tdekrbclientsocket.cpp | 59 | ||||
-rw-r--r-- | lib/libtdekrb/src/tdekrbclientsocket.h | 8 | ||||
-rw-r--r-- | lib/libtdekrb/src/tdekrbserversocket.cpp | 2 |
3 files changed, 65 insertions, 4 deletions
diff --git a/lib/libtdekrb/src/tdekrbclientsocket.cpp b/lib/libtdekrb/src/tdekrbclientsocket.cpp index 3663e7a..167fdda 100644 --- a/lib/libtdekrb/src/tdekrbclientsocket.cpp +++ b/lib/libtdekrb/src/tdekrbclientsocket.cpp @@ -546,6 +546,18 @@ void TDEKerberosClientSocket::writeLine(TQString str) { } } +void TDEKerberosClientSocket::setAllowedMechanisms(TQStringList mechanisms) { + m_allowedMechanisms = mechanisms; +} + +void TDEKerberosClientSocket::setDisallowedMechanisms(TQStringList mechanisms) { + m_disallowedMechanisms = mechanisms; +} + +void TDEKerberosClientSocket::setMechanismOverrideList(TQStringList mechanisms) { + m_overrideMechanisms = mechanisms; +} + void TDEKerberosClientSocket::freeKerberosConnection(void) { if (saslData->m_krbConnection) { sasl_dispose(&saslData->m_krbConnection); @@ -666,7 +678,7 @@ int TDEKerberosClientSocket::transmitEncryptedData(const char* readbuf, int cc) remnant_position = 0; while ((data_remaining > 0) && (dataTimeoutTimer.isActive() || (m_dataTimeout < 0))) { int data_to_write_len; - if (data_remaining > (m_negotiatedMaxBufferSize/2)) { + if ((unsigned long)data_remaining > (m_negotiatedMaxBufferSize/2)) { data_to_write_len = m_negotiatedMaxBufferSize/2; } else { @@ -815,9 +827,50 @@ void TDEKerberosClientSocket::continueKerberosInitialization() { } len = slen; - printf("Choosing best mechanism from: %s\n", buf); + printf("[DEBUG] Server and client support mechanisms: %s\n", buf); + + TQStringList krbMechList = TQStringList::split(" ", buf, false); + + // If mechanism override is set then use it1 + if (m_overrideMechanisms.count() > 0) { + printf("[DEBUG] Overriding mechanisms list: %s\n", m_overrideMechanisms.join(" ").ascii()); + + TQStringList supportedMechanisms = krbMechList; + krbMechList = m_overrideMechanisms; + // Remove all mechanisms not supported by the client and server + for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ++it ) { + if (supportedMechanisms.find(*it) == supportedMechanisms.end()) { + krbMechList.remove(*it); + it = krbMechList.begin(); + } + } + } + else { + // Remove all mechanisms not listed in the allowed list + if (m_allowedMechanisms.count() > 0) { + for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ++it ) { + if (m_allowedMechanisms.find(*it) == m_allowedMechanisms.end()) { + printf("[DEBUG] Removing implicitly disallowed mechanism %s from list\n", (*it).ascii()); + krbMechList.remove(*it); + it = krbMechList.begin(); + } + } + } + + // Remove all mechanisms listed in the disallowed list + if (m_disallowedMechanisms.count() > 0) { + for (TQStringList::Iterator it = m_disallowedMechanisms.begin(); it != m_disallowedMechanisms.end(); ++it ) { + printf("[DEBUG] Removing explicitly disallowed mechanism %s from list\n", (*it).ascii()); + krbMechList.remove(*it); + } + } + } + + TQString krbMechListString = krbMechList.join(" "); + + printf("Choosing best mechanism from: %s\n", krbMechListString.ascii()); - m_krbInitResult = sasl_client_start(saslData->m_krbConnection, buf, NULL, &data, &len, &chosenmech); + m_krbInitResult = sasl_client_start(saslData->m_krbConnection, krbMechListString.ascii(), NULL, &data, &len, &chosenmech); if (m_krbInitResult != SASL_OK && m_krbInitResult != SASL_CONTINUE) { printf("[ERROR] Starting SASL negotiation returned %s (%d)\n\r", sasl_errstring(m_krbInitResult, NULL, NULL), m_krbInitResult); freeKerberosConnection(); diff --git a/lib/libtdekrb/src/tdekrbclientsocket.h b/lib/libtdekrb/src/tdekrbclientsocket.h index 93e0dc3..b941eb0 100644 --- a/lib/libtdekrb/src/tdekrbclientsocket.h +++ b/lib/libtdekrb/src/tdekrbclientsocket.h @@ -22,6 +22,7 @@ #define TDEKRBCLIENTSOCKET_H #include <tqsocket.h> +#include <tqstringlist.h> #define N_CALLBACKS 3 @@ -78,6 +79,10 @@ class TDEKerberosClientSocket : public TQSocket void clearFrameTail(); void writeBufferedData(); + void setAllowedMechanisms(TQStringList mechanisms); + void setDisallowedMechanisms(TQStringList mechanisms); + void setMechanismOverrideList(TQStringList mechanisms); + public slots: int processPendingData(); @@ -112,6 +117,9 @@ class TDEKerberosClientSocket : public TQSocket TQString m_prevStatusMessage; int m_dataTimeout; TQTimer* kerberosInitLoopTimer; + TQStringList m_allowedMechanisms; + TQStringList m_disallowedMechanisms; + TQStringList m_overrideMechanisms; bool* m_canary; private: diff --git a/lib/libtdekrb/src/tdekrbserversocket.cpp b/lib/libtdekrb/src/tdekrbserversocket.cpp index 5a9f9ff..a924236 100644 --- a/lib/libtdekrb/src/tdekrbserversocket.cpp +++ b/lib/libtdekrb/src/tdekrbserversocket.cpp @@ -675,7 +675,7 @@ int TDEKerberosServerSocket::transmitEncryptedData(const char* readbuf, int cc) remnant_position = 0; while ((data_remaining > 0) && (dataTimeoutTimer.isActive() || (m_dataTimeout < 0))) { int data_to_write_len; - if (data_remaining > (m_negotiatedMaxBufferSize/2)) { + if ((unsigned long)data_remaining > (m_negotiatedMaxBufferSize/2)) { data_to_write_len = m_negotiatedMaxBufferSize/2; } else { |