From 74d8f852cbd4f763c1a9563b498ac90130f9ed84 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Wed, 24 Dec 2014 01:50:34 +0000
Subject: [PATCH] Add ability to set client socket SASL mechanism Fix a couple of build warnings

---
 lib/libtdekrb/src/tdekrbclientsocket.cpp | 59 ++++++++++++++++++++++--
 lib/libtdekrb/src/tdekrbclientsocket.h   |  8 ++++
 lib/libtdekrb/src/tdekrbserversocket.cpp |  2 +-
 3 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/lib/libtdekrb/src/tdekrbclientsocket.cpp b/lib/libtdekrb/src/tdekrbclientsocket.cpp
index 3663e7a..167fdda 100644
--- a/lib/libtdekrb/src/tdekrbclientsocket.cpp
+++ b/lib/libtdekrb/src/tdekrbclientsocket.cpp
@@ -546,6 +546,18 @@ void TDEKerberosClientSocket::writeLine(TQString str) {
 	}
 }
 
+void TDEKerberosClientSocket::setAllowedMechanisms(TQStringList mechanisms) {
+	m_allowedMechanisms = mechanisms;
+}
+
+void TDEKerberosClientSocket::setDisallowedMechanisms(TQStringList mechanisms) {
+	m_disallowedMechanisms = mechanisms;
+}
+
+void TDEKerberosClientSocket::setMechanismOverrideList(TQStringList mechanisms) {
+	m_overrideMechanisms = mechanisms;
+}
+
 void TDEKerberosClientSocket::freeKerberosConnection(void) {
 	if (saslData->m_krbConnection) {
 		sasl_dispose(&saslData->m_krbConnection);
@@ -666,7 +678,7 @@ int TDEKerberosClientSocket::transmitEncryptedData(const char* readbuf, int cc)
 	remnant_position = 0;
 	while ((data_remaining > 0) && (dataTimeoutTimer.isActive() || (m_dataTimeout < 0))) {
 		int data_to_write_len;
-		if (data_remaining > (m_negotiatedMaxBufferSize/2)) {
+		if ((unsigned long)data_remaining > (m_negotiatedMaxBufferSize/2)) {
 			data_to_write_len = m_negotiatedMaxBufferSize/2;
 		}
 		else {
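Review bot: The three new setters take `TQStringList` by value only to assign it to a member; `void TDEKerberosClientSocket::setAllowedMechanisms(const TQStringList& mechanisms)` (and the same for the other two, together with their declarations in the tdekrbclientsocket.h hunk) is the conventional form, though TQStringList is implicitly shared so this is a style point rather than a cost. The larger gap is that nothing tells a caller how the three lists interact: in continueKerberosInitialization a non-empty override list replaces the negotiated list (trimmed to what both sides support) and the allowed and disallowed lists are then ignored, and all matching is exact, case-sensitive string comparison. A comment on the declarations along the lines of `// Mechanism policy (exact-match names as reported by libsasl): a non-empty override list replaces the negotiated list and bypasses the other two; otherwise allowed (if non-empty) restricts the list, then disallowed removes from it.` would make the policy auditable without reading the negotiation code.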
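Review bot: The cast `(unsigned long)data_remaining` silences the signed/unsigned comparison warning (presumably m_negotiatedMaxBufferSize is unsigned) but is only correct because the enclosing `while` already requires `data_remaining > 0`; if that guard is ever relaxed, a negative remainder would compare as a huge value and take the half-buffer branch. A named cast with the invariant spelled out, `if (static_cast<unsigned long>(data_remaining) > (m_negotiatedMaxBufferSize/2)) { // data_remaining > 0 is guaranteed by the loop condition`, keeps the dependency visible to the next reader. The identical change in the tdekrbserversocket.cpp hunk should get the same treatment. transmitEncryptedData starts and ends outside the hunk.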
@@ -815,9 +827,50 @@ void TDEKerberosClientSocket::continueKerberosInitialization() {
 			}
 			len = slen;
 
-			printf("Choosing best mechanism from: %s\n", buf);
+			printf("[DEBUG] Server and client support mechanisms: %s\n", buf);
+
+			TQStringList krbMechList = TQStringList::split(" ", buf, false);
+
+			// If mechanism override is set then use it1
+			if (m_overrideMechanisms.count() > 0) {
+				printf("[DEBUG] Overriding mechanisms list: %s\n", m_overrideMechanisms.join(" ").ascii());
+
+				TQStringList supportedMechanisms = krbMechList;
+				krbMechList = m_overrideMechanisms;
+				// Remove all mechanisms not supported by the client and server
+				for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ++it ) {
+					if (supportedMechanisms.find(*it) == supportedMechanisms.end()) {
+						krbMechList.remove(*it);
+						it = krbMechList.begin();
+					}
+				}
+			}
+			else {
+				// Remove all mechanisms not listed in the allowed list
+				if (m_allowedMechanisms.count() > 0) {
+					for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ++it ) {
+						if (m_allowedMechanisms.find(*it) == m_allowedMechanisms.end()) {
+							printf("[DEBUG] Removing implicitly disallowed mechanism %s from list\n", (*it).ascii());
+							krbMechList.remove(*it);
+							it = krbMechList.begin();
+						}
+					}
+				}
+
+				// Remove all mechanisms listed in the disallowed list
+				if (m_disallowedMechanisms.count() > 0) {
+					for (TQStringList::Iterator it = m_disallowedMechanisms.begin(); it != m_disallowedMechanisms.end(); ++it ) {
+						printf("[DEBUG] Removing explicitly disallowed mechanism %s from list\n", (*it).ascii());
+						krbMechList.remove(*it);
+					}
+				}
+			}
+
+			TQString krbMechListString = krbMechList.join(" ");
+
+			printf("Choosing best mechanism from: %s\n", krbMechListString.ascii());
 
-			m_krbInitResult = sasl_client_start(saslData->m_krbConnection, buf, NULL, &data, &len, &chosenmech);
+			m_krbInitResult = sasl_client_start(saslData->m_krbConnection, krbMechListString.ascii(), NULL, &data, &len, &chosenmech);
 			if (m_krbInitResult != SASL_OK && m_krbInitResult != SASL_CONTINUE) {
 				printf("[ERROR] Starting SASL negotiation returned %s (%d)\n\r", sasl_errstring(m_krbInitResult, NULL, NULL), m_krbInitResult);
 				freeKerberosConnection();
diff --git a/lib/libtdekrb/src/tdekrbclientsocket.h b/lib/libtdekrb/src/tdekrbclientsocket.h
index 93e0dc3..b941eb0 100644
--- a/lib/libtdekrb/src/tdekrbclientsocket.h
+++ b/lib/libtdekrb/src/tdekrbclientsocket.h
@@ -22,6 +22,7 @@
 #define TDEKRBCLIENTSOCKET_H
 
 #include
+#include
 
 #define N_CALLBACKS 3
 
@@ -78,6 +79,10 @@ class TDEKerberosClientSocket : public TQSocket
 		void clearFrameTail();
 		void writeBufferedData();
 
+		void setAllowedMechanisms(TQStringList mechanisms);
+		void setDisallowedMechanisms(TQStringList mechanisms);
+		void setMechanismOverrideList(TQStringList mechanisms);
+
 	public slots:
 		int processPendingData();
 
@@ -112,6 +117,9 @@ class TDEKerberosClientSocket : public TQSocket
 		TQString m_prevStatusMessage;
 		int m_dataTimeout;
 		TQTimer* kerberosInitLoopTimer;
+		TQStringList m_allowedMechanisms;
+		TQStringList m_disallowedMechanisms;
+		TQStringList m_overrideMechanisms;
 		bool* m_canary;
 
 	private:
diff --git a/lib/libtdekrb/src/tdekrbserversocket.cpp b/lib/libtdekrb/src/tdekrbserversocket.cpp
index 5a9f9ff..a924236 100644
--- a/lib/libtdekrb/src/tdekrbserversocket.cpp
+++ b/lib/libtdekrb/src/tdekrbserversocket.cpp
@@ -675,7 +675,7 @@ int TDEKerberosServerSocket::transmitEncryptedData(const char* readbuf, int cc)
 	remnant_position = 0;
 	while ((data_remaining > 0) && (dataTimeoutTimer.isActive() || (m_dataTimeout < 0))) {
 		int data_to_write_len;
-		if (data_remaining > (m_negotiatedMaxBufferSize/2)) {
+		if ((unsigned long)data_remaining > (m_negotiatedMaxBufferSize/2)) {
 			data_to_write_len = m_negotiatedMaxBufferSize/2;
 		}
 		else {
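Review bot: The allowed-list and override filters can leave a mechanism in `krbMechList` that the caller meant to exclude: after `krbMechList.remove(*it)` the loop sets `it = krbMechList.begin()` and the `for` header then executes `++it`, so the element that has moved into the first position is never examined (with three negotiated mechanisms of which only the third is allowed, the first is removed and the equally disallowed second survives). Because sasl_client_start then chooses from whatever remains, a mechanism the policy excluded can still be negotiated, so the allow-list is silently not enforced. Rewriting both affected loops (override and allowed; the disallowed loop iterates m_disallowedMechanisms and is fine) with the iterator-returning `it = krbMechList.remove(it)` and the increment moved into the else branch fixes this, as shown below. Two smaller points: matching via `TQStringList::find` is exact, so callers must supply names exactly as libsasl reports them, and a policy that filters out every mechanism hands sasl_client_start an empty mechlist — the existing error branch catches it, but an explicit `[ERROR]` message naming the empty policy result before the call would make misconfiguration easier to diagnose. continueKerberosInitialization starts and ends outside the hunk.
```cpp
			if (m_overrideMechanisms.count() > 0) {
				// … unchanged: debug print, supportedMechanisms copy, krbMechList = m_overrideMechanisms …
				// Remove all mechanisms not supported by the client and server
				for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ) {
					if (supportedMechanisms.find(*it) == supportedMechanisms.end()) {
						it = krbMechList.remove(it);	// remove() yields the following element; do not advance again
					}
					else {
						++it;
					}
				}
			}
			else {
				// Remove all mechanisms not listed in the allowed list
				if (m_allowedMechanisms.count() > 0) {
					for (TQStringList::Iterator it = krbMechList.begin(); it != krbMechList.end(); ) {
						if (m_allowedMechanisms.find(*it) == m_allowedMechanisms.end()) {
							printf("[DEBUG] Removing implicitly disallowed mechanism %s from list\n", (*it).ascii());
							it = krbMechList.remove(it);
						}
						else {
							++it;
						}
					}
				}
				// … unchanged: disallowed-list loop …
			}
```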