authorSimo Sorce <simo@redhat.com>2012-06-14 12:59:01 -0400
committerGünther Deschner <gdeschner@redhat.com>2012-06-26 14:44:44 +0200
commita9c0609b686a369e16ed313a27b8acf968a47f07 (patch)
tree2b5a77e98355d47b9e73a950cde3e2ddaaf46f28
parent32d669038a627392c0b5cca57ef0942993b04ec3 (diff)
WIP: add cred handle wrappers
-rw-r--r--proxy/src/mechglue/gpm_init_sec_context.c6
-rw-r--r--proxy/src/mechglue/gpp_acquire_cred.c16
-rw-r--r--proxy/src/mechglue/gpp_init_sec_context.c63
-rw-r--r--proxy/src/mechglue/gss_plugin.h5
-rw-r--r--proxy/src/mechglue/gssapi_gpm.h2
5 files changed, 73 insertions, 19 deletions
diff --git a/proxy/src/mechglue/gpm_init_sec_context.c b/proxy/src/mechglue/gpm_init_sec_context.c
index 0769363..581dbc5 100644
--- a/proxy/src/mechglue/gpm_init_sec_context.c
+++ b/proxy/src/mechglue/gpm_init_sec_context.c
@@ -27,7 +27,7 @@
#include "src/gp_conv.h"
OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
- gss_cred_id_t claimant_cred_handle,
+ gssx_cred *cred_handle,
gss_ctx_id_t *context_handle,
gss_name_t target_name,
gss_OID mech_type,
@@ -55,8 +55,8 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
memset(&ures, 0, sizeof(union gp_rpc_res));
/* prepare proxy request */
- if (claimant_cred_handle != GSS_C_NO_CREDENTIAL) {
- arg->cred_handle = (gssx_cred *)claimant_cred_handle;
+ if (cred_handle != NULL) {
+ arg->cred_handle = cred_handle;
}
if (*context_handle) {
diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
index 6106fb5..acd9fc2 100644
--- a/proxy/src/mechglue/gpp_acquire_cred.c
+++ b/proxy/src/mechglue/gpp_acquire_cred.c
@@ -90,10 +90,13 @@ OM_uint32 gssi_acquire_cred_with_password(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
+ struct gpm_cred_handle *cred_handle;
+ gss_cred_id_t local_cred_handle;
gss_name_t mech_name = GSS_C_NO_NAME;
gss_OID_set special_mechs;
gss_OID_set ret_mechs;
OM_uint32 maj, min;
+
/* FIXME: -- Implement later.
* There are some fringe cases for which we may want to proxy auth even
* if the caller has access to credentials (in this case a password). */
@@ -124,13 +127,22 @@ OM_uint32 gssi_acquire_cred_with_password(OM_uint32 *minor_status,
time_req,
special_mechs,
cred_usage,
- output_cred_handle,
+ &local_cred_handle,
&ret_mechs,
time_rec);
*minor_status = gpm_map_error(min);
- /* TODO: wrap output_cred_handle in gssproxy cred handle */
+ if (maj == GSS_S_COMPLETE) {
+ cred_handle = calloc(1, sizeof(struct gpm_cred_handle));
+ if (!cred_handle) {
+ *minor_status = gpm_map_error(ENOMEM);
+ maj = GSS_S_FAILURE;
+ }
+
+ cred_handle->local_cred_handle = local_cred_handle;
+ *output_cred_handle = cred_handle;
+ }
if (actual_mechs) {
*actual_mechs = ret_mechs;
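Review bot: The calloc failure branch at the `if (!cred_handle)` line does not leave the function, so the very next statement `cred_handle->local_cred_handle = local_cred_handle;` dereferences NULL, and `*output_cred_handle` is then set to NULL while maj is already GSS_S_FAILURE. The credential that gss_acquire_cred_with_password just returned in local_cred_handle is also dropped on that path. Moving the two assignments into an `} else {` branch removes the dereference; the failure branch should additionally release the local credential, e.g. `gss_release_cred(&min, &local_cred_handle);`, before continuing into the rest of the function, which runs past the hunk. Separately, `*output_cred_handle = cred_handle;` stores a `struct gpm_cred_handle *` into a gss_cred_id_t without a cast, which is likely to draw an incompatible-pointer diagnostic; gssi_init_sec_context in this same commit casts the other direction explicitly, so `*output_cred_handle = (gss_cred_id_t)cred_handle;` would be consistent.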
diff --git a/proxy/src/mechglue/gpp_init_sec_context.c b/proxy/src/mechglue/gpp_init_sec_context.c
index 7085de6..fcc37f0 100644
--- a/proxy/src/mechglue/gpp_init_sec_context.c
+++ b/proxy/src/mechglue/gpp_init_sec_context.c
@@ -39,8 +39,17 @@ OM_uint32 gssi_init_sec_context(OM_uint32 *minor_status,
OM_uint32 *ret_flags,
OM_uint32 *time_rec)
{
+ struct gpm_cred_handle *cred_handle = NULL;
+ gss_cred_id_t local_cred_handle = GSS_C_NO_CREDENTIAL;
+ gssx_cred *remote_cred_handle = NULL;
OM_uint32 maj, min;
+ if (claimant_cred_handle != GSS_C_NO_CREDENTIAL) {
+ cred_handle = (struct gpm_cred_handle *)claimant_cred_handle;
+ local_cred_handle = cred_handle->local_cred_handle;
+ remote_cred_handle = cred_handle->remote_cred_handle;
+ }
+
/* if we get our own mechanism it means the original
* caller did not specify any mechanism, and the default
* (interposed) mechanism was choosen */
@@ -48,19 +57,47 @@ OM_uint32 gssi_init_sec_context(OM_uint32 *minor_status,
mech_type = GSS_C_NO_OID;
}
- maj = gpm_init_sec_context(&min,
- claimant_cred_handle,
- context_handle,
- target_name,
- mech_type,
- req_flags,
- time_req,
- input_cb,
- input_token,
- actual_mech_type,
- output_token,
- ret_flags,
- time_rec);
+ if (local_cred_handle != GSS_C_NO_CREDENTIAL) {
+ /* ok this means a previous acquire_cred call decided to
+ * short circuit to the local mechglue, so let's just re-enter
+ * the mechglue here, as we have no way to export creds yet. */
+
+ if (mech_type == GSS_C_NO_OID) {
+ /* shouldn't happen, but if it does we need to return an error
+ * or we might just loop */
+ *minor_status = 0;
+ return GSS_S_BAD_MECH;
+ }
+
+ maj = gss_init_sec_context(&min,
+ local_cred_handle,
+ context_handle,
+ target_name,
+ gpm_special_mech(mech_type),
+ req_flags,
+ time_req,
+ input_cb,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+ } else {
+
+ maj = gpm_init_sec_context(&min,
+ remote_cred_handle,
+ context_handle,
+ target_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_cb,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+ }
*minor_status = gpm_map_error(min);
return maj;
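Review bot: The GSS_S_BAD_MECH guard in the local-credential branch is reachable by ordinary callers, not only in a "shouldn't happen" case: the block just above it (in the first hunk's context) sets mech_type to GSS_C_NO_OID whenever the caller passed the interposer's own mechanism, which is the default-mechanism case. A caller holding a locally acquired credential and relying on the default mechanism therefore gets GSS_S_BAD_MECH instead of a context. If that is the intended limitation of this WIP, the comment should say so, e.g. `/* mech_type was cleared above for the default mechanism; the local path cannot choose a special mech without an explicit OID yet, so refuse rather than loop */`; otherwise the original OID would need to be kept before it is cleared. gssi_init_sec_context's signature and closing brace lie outside the hunk.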
diff --git a/proxy/src/mechglue/gss_plugin.h b/proxy/src/mechglue/gss_plugin.h
index d831eed..3ab5c98 100644
--- a/proxy/src/mechglue/gss_plugin.h
+++ b/proxy/src/mechglue/gss_plugin.h
@@ -28,6 +28,11 @@
#include "gssapi_gpm.h"
+struct gpm_cred_handle {
+ gssx_cred *remote_cred_handle;
+ gss_cred_id_t local_cred_handle;
+};
+
extern const gss_OID_desc gssproxy_mech_interposer;
gss_OID_set gss_mech_interposer(gss_OID mech_type);
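Review bot: struct gpm_cred_handle is the new handle type handed back to callers but carries no comment on how its two members relate, and the code in this commit treats them as alternatives: gssi_acquire_cred_with_password fills only local_cred_handle, and gssi_init_sec_context takes the local path whenever local_cred_handle is set and only then consults remote_cred_handle. A short header comment would keep the next caller from populating both, e.g. `/* Wraps either a credential proxied through gssproxy (remote_cred_handle) or one acquired from the local mechglue (local_cred_handle); consumers check local_cred_handle first. */`.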
diff --git a/proxy/src/mechglue/gssapi_gpm.h b/proxy/src/mechglue/gssapi_gpm.h
index c4a6856..06853c1 100644
--- a/proxy/src/mechglue/gssapi_gpm.h
+++ b/proxy/src/mechglue/gssapi_gpm.h
@@ -147,7 +147,7 @@ OM_uint32 gpm_inquire_name(OM_uint32 *minor_status,
gss_buffer_set_t *attrs);
OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
- gss_cred_id_t claimant_cred_handle,
+ gssx_cred *cred_handle,
gss_ctx_id_t *context_handle,
gss_name_t target_name,
gss_OID mech_type,