-rw-r--r--lib/libtdekrb/src/tdekrbclientsocket.cpp59
-rw-r--r--lib/libtdekrb/src/tdekrbclientsocket.h8
-rw-r--r--lib/libtdekrb/src/tdekrbserversocket.cpp2
3 files changed, 65 insertions, 4 deletions
diff --git a/lib/libtdekrb/src/tdekrbclientsocket.cpp b/lib/libtdekrb/src/tdekrbclientsocket.cpp
index 3663e7a..167fdda 100644
--- a/lib/libtdekrb/src/tdekrbclientsocket.cpp
+++ b/lib/libtdekrb/src/tdekrbclientsocket.cpp
@@ -546,6 +546,18 @@ void TDEKerberosClientSocket::writeLine(TQString str) {
}
}
+void TDEKerberosClientSocket::setAllowedMechanisms(TQStringList mechanisms) {
+ m_allowedMechanisms = mechanisms;
+}
+
+void TDEKerberosClientSocket::setDisallowedMechanisms(TQStringList mechanisms) {
+ m_disallowedMechanisms = mechanisms;
+}
+
+void TDEKerberosClientSocket::setMechanismOverrideList(TQStringList mechanisms) {
+ m_overrideMechanisms = mechanisms;
+}
+
void TDEKerberosClientSocket::freeKerberosConnection(void) {
if (saslData->m_krbConnection) {
sasl_dispose(&saslData->m_krbConnection);
@@ -666,7 +678,7 @@ int TDEKerberosClientSocket::transmitEncryptedData(const char* readbuf, int cc)
remnant_position = 0;
while ((data_remaining > 0) && (dataTimeoutTimer.isActive() || (m_dataTimeout < 0))) {
int data_to_write_len;
- if (data_remaining > (m_negotiatedMaxBufferSize/2)) {
+ if ((unsigned long)data_remaining > (m_negotiatedMaxBufferSize/2)) {
data_to_write_len = m_negotiatedMaxBufferSize/2;
}
else {
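Review bot: The new `(unsigned long)data_remaining` is a C-style cast where a `static_cast<unsigned long>(data_remaining)` would say the same thing and be greppable; the same line appears in the tdekrbserversocket.cpp hunk, so both should be changed together. The cast is safe only because the enclosing `while` already requires `data_remaining > 0`, which is worth a one-line comment such as `// data_remaining > 0 is guaranteed by the loop condition, so the widening cast cannot produce a huge value` so the next edit to the loop condition does not silently break it. The other half of the comparison, `data_to_write_len = m_negotiatedMaxBufferSize/2;` on the following line, still narrows what is evidently an unsigned value into an `int` without a check; presumably fine for SASL buffer sizes, but it is the same signed/unsigned mismatch the cast is papering over. transmitEncryptedData starts and ends outside this hunk.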
@@ -815,9 +827,50 @@ void TDEKerberosClientSocket::continueKerberosInitialization() {
}
len = slen;
- printf("Choosing best mechanism from: %s\n", buf);
+ printf("[DEBUG] Server and client support mechanisms: %s\n", buf);
+
+ TQStringList krbMechList = TQStringList::split(" ", buf, false);
+
+ // If mechanism override is set then use it1
+ if (m_overrideMechanisms.count() > 0) {
+ printf("[DEBUG] Overriding mechanisms list: %s\n", m_overrideMechanisms.join(" ").ascii());
+
+ TQStringList supportedMechanisms = krbMechList;
+ krbMechList = m_overrideMechanisms;
+ // Remove all mechanisms not supported by the client and server
+ for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ++it ) {
+ if (supportedMechanisms.find(*it) == supportedMechanisms.end()) {
+ krbMechList.remove(*it);
+ it = krbMechList.begin();
+ }
+ }
+ }
+ else {
+ // Remove all mechanisms not listed in the allowed list
+ if (m_allowedMechanisms.count() > 0) {
+ for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ++it ) {
+ if (m_allowedMechanisms.find(*it) == m_allowedMechanisms.end()) {
+ printf("[DEBUG] Removing implicitly disallowed mechanism %s from list\n", (*it).ascii());
+ krbMechList.remove(*it);
+ it = krbMechList.begin();
+ }
+ }
+ }
+
+ // Remove all mechanisms listed in the disallowed list
+ if (m_disallowedMechanisms.count() > 0) {
+ for (TQStringList::Iterator it = m_disallowedMechanisms.begin(); it != m_disallowedMechanisms.end(); ++it ) {
+ printf("[DEBUG] Removing explicitly disallowed mechanism %s from list\n", (*it).ascii());
+ krbMechList.remove(*it);
+ }
+ }
+ }
+
+ TQString krbMechListString = krbMechList.join(" ");
+
+ printf("Choosing best mechanism from: %s\n", krbMechListString.ascii());
- m_krbInitResult = sasl_client_start(saslData->m_krbConnection, buf, NULL, &data, &len, &chosenmech);
+ m_krbInitResult = sasl_client_start(saslData->m_krbConnection, krbMechListString.ascii(), NULL, &data, &len, &chosenmech);
if (m_krbInitResult != SASL_OK && m_krbInitResult != SASL_CONTINUE) {
printf("[ERROR] Starting SASL negotiation returned %s (%d)\n\r", sasl_errstring(m_krbInitResult, NULL, NULL), m_krbInitResult);
freeKerberosConnection();
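Review bot: The remove-while-iterating loops in the override branch and the allowed-list branch skip the element that moves to the front after a removal: `krbMechList.remove(*it); it = krbMechList.begin();` is immediately followed by the loop's `++it`, so with an advertised list of three mechanisms and an allowed list containing only the third, the first is removed but the second is never checked and survives into `krbMechListString`, i.e. a mechanism the policy excludes is still offered to `sasl_client_start`. Passing `*it` into `remove()` while `it` points at the node being erased is also fragile. Building a fresh filtered list avoids both problems and keeps the override/allow/deny precedence unchanged; if the result is empty the existing error branch after `sasl_client_start` already reports the failure, but a `[DEBUG]` line saying the policy left no mechanism would make that diagnosable. continueKerberosInitialization starts and ends outside this hunk.
```cpp
	TQStringList krbMechList = TQStringList::split(" ", buf, false);
	TQStringList filteredMechList;

	// If mechanism override is set then use it (allow/deny lists are ignored)
	if (m_overrideMechanisms.count() > 0) {
		printf("[DEBUG] Overriding mechanisms list: %s\n", m_overrideMechanisms.join(" ").ascii());
		// Keep only override entries that both client and server support
		for (TQStringList::ConstIterator it = m_overrideMechanisms.begin(); it != m_overrideMechanisms.end(); ++it) {
			if (krbMechList.find(*it) != krbMechList.end()) {
				filteredMechList.append(*it);
			}
		}
	}
	else {
		for (TQStringList::ConstIterator it = krbMechList.begin(); it != krbMechList.end(); ++it) {
			// Drop mechanisms not listed in the allowed list (when one is set)
			if ((m_allowedMechanisms.count() > 0) && (m_allowedMechanisms.find(*it) == m_allowedMechanisms.end())) {
				printf("[DEBUG] Removing implicitly disallowed mechanism %s from list\n", (*it).ascii());
				continue;
			}
			// Drop mechanisms listed in the disallowed list
			if (m_disallowedMechanisms.find(*it) != m_disallowedMechanisms.end()) {
				printf("[DEBUG] Removing explicitly disallowed mechanism %s from list\n", (*it).ascii());
				continue;
			}
			filteredMechList.append(*it);
		}
	}
	krbMechList = filteredMechList;
	if (krbMechList.isEmpty()) {
		printf("[DEBUG] Mechanism policy left no usable mechanism\n");
	}

	// … unchanged: join, debug print, sasl_client_start call …
```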
diff --git a/lib/libtdekrb/src/tdekrbclientsocket.h b/lib/libtdekrb/src/tdekrbclientsocket.h
index 93e0dc3..b941eb0 100644
--- a/lib/libtdekrb/src/tdekrbclientsocket.h
+++ b/lib/libtdekrb/src/tdekrbclientsocket.h
@@ -22,6 +22,7 @@
#define TDEKRBCLIENTSOCKET_H
#include <tqsocket.h>
+#include <tqstringlist.h>
#define N_CALLBACKS 3
@@ -78,6 +79,10 @@ class TDEKerberosClientSocket : public TQSocket
void clearFrameTail();
void writeBufferedData();
+ void setAllowedMechanisms(TQStringList mechanisms);
+ void setDisallowedMechanisms(TQStringList mechanisms);
+ void setMechanismOverrideList(TQStringList mechanisms);
+
public slots:
int processPendingData();
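Review bot: The three new setters are declared without any documentation, and their semantics are not obvious from the names: an empty list means "no restriction", the override list takes precedence over both the allowed and disallowed lists, and entries are matched against the server-advertised list by exact, case-sensitive string comparison, so callers must pass mechanism names in the upper-case form SASL advertises them. I would put a short comment block above the three declarations saying exactly that, plus a note that the lists only constrain the client's choice and do not by themselves make the server refuse a mechanism. Mentioning that the setters replace rather than merge the previous list would save a caller a surprise as well. The class declaration starts and ends outside this hunk.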
@@ -112,6 +117,9 @@ class TDEKerberosClientSocket : public TQSocket
TQString m_prevStatusMessage;
int m_dataTimeout;
TQTimer* kerberosInitLoopTimer;
+ TQStringList m_allowedMechanisms;
+ TQStringList m_disallowedMechanisms;
+ TQStringList m_overrideMechanisms;
bool* m_canary;
private:
diff --git a/lib/libtdekrb/src/tdekrbserversocket.cpp b/lib/libtdekrb/src/tdekrbserversocket.cpp
index 5a9f9ff..a924236 100644
--- a/lib/libtdekrb/src/tdekrbserversocket.cpp
+++ b/lib/libtdekrb/src/tdekrbserversocket.cpp
@@ -675,7 +675,7 @@ int TDEKerberosServerSocket::transmitEncryptedData(const char* readbuf, int cc)
remnant_position = 0;
while ((data_remaining > 0) && (dataTimeoutTimer.isActive() || (m_dataTimeout < 0))) {
int data_to_write_len;
- if (data_remaining > (m_negotiatedMaxBufferSize/2)) {
+ if ((unsigned long)data_remaining > (m_negotiatedMaxBufferSize/2)) {
data_to_write_len = m_negotiatedMaxBufferSize/2;
}
else {