author | Simo Sorce <simo@redhat.com> | 2013-09-10 01:58:31 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2013-09-12 18:06:35 -0400 |
commit | 6b8a9724458f578d8103a94ccbb05ee49fe5c716 (patch) | |
tree | 8602176fa986716c5b53ff9dda9b23752036b78f | |
parent | 8c92de1e09d76b0cf667bc77e2c673cf20ba3d41 (diff) | |
download | gss-proxy-6b8a9724458f578d8103a94ccbb05ee49fe5c716.tar.gz gss-proxy-6b8a9724458f578d8103a94ccbb05ee49fe5c716.tar.xz gss-proxy-6b8a9724458f578d8103a94ccbb05ee49fe5c716.zip |
Work around MIT 1.11 issues with delegated creds
For some reason directly exporting credentials will result in a non-functional
state when reimported later before the init_sec_context call.
However storing them and then reacquiring before the export seems to
work.
Wrap around defines so that eventually we may be able to avoid these
operations.
-rw-r--r-- | proxy/src/gp_creds.c | 46 |
1 files changed, 45 insertions, 1 deletions
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index df379c8..b1a4938 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -397,6 +397,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
 gss_name_t target_name = GSS_C_NO_NAME;
 gss_buffer_desc init_token = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc accept_token = GSS_C_EMPTY_BUFFER;
+ uint32_t lifetime = 0;
 if (!min || !output_cred_handle) {
 return GSS_S_CALL_INACCESSIBLE_WRITE;
@@ -441,11 +442,31 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
 goto done;
 }
 ret_maj = gss_inquire_cred(&ret_min, impersonator_cred,
- &target_name, NULL, NULL, NULL);
+ &target_name, &lifetime, NULL, NULL);
 if (ret_maj) {
 goto done;
 }
+#define NEEDS_CREDS_WORKAROUND 1
+#ifdef NEEDS_CREDS_WORKAROUND
+ {
+ int eq = 0;
+ /* check if we already have the requested credentials (due
+ * to saving credentials in a file cache as per WORKAROUND) */
+ ret_maj = gss_compare_name(&ret_min, req_name, target_name, &eq);
+ if (ret_maj) {
+ goto done;
+ }
+ /* skip impersonation if we already have credentials *and* they
+ * have at least 5 minutes of lifetime left */
+ if (eq && lifetime > 300) {
+ *output_cred_handle = impersonator_cred;
+ impersonator_cred = GSS_C_NO_CREDENTIAL;
+ goto workaround_done;
+ }
+ }
+#endif /* NEEDS_CREDS_WORKAROUND */
+
 ret_maj = gss_acquire_cred_impersonate_name(&ret_min, impersonator_cred,
 req_name,
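Review bot: `#define NEEDS_CREDS_WORKAROUND 1` is written unconditionally inside the body of gp_add_krb5_creds immediately before the `#ifdef` that tests it, so the guard can never be false and the workaround cannot be disabled from the build, which contradicts the stated intent of eventually dropping these operations; the define belongs at file scope or, better, in the configure-time build flags, with a comment such as `/* MIT krb5 1.11.3: exported delegated creds are unusable after re-import */` at its definition. The `lifetime > 300` threshold is a magic number and should be a named constant, e.g. `#define GP_CRED_MIN_LIFETIME 300 /* seconds */`, noting that gss_inquire_cred may also report GSS_C_INDEFINITE, which this comparison accepts by design. Reuse here is decided by name equality alone, which is fine only if the cache the impersonator credential was acquired from can hold nothing but credentials this proxy itself stored; that acquisition is outside the hunk, so worth confirming. gp_add_krb5_creds starts before this hunk and continues after it.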
@@ -477,8 +498,31 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
 if (ret_maj) {
 goto done;
 }
+
+#ifdef NEEDS_CREDS_WORKAROUND
+ /* <WORKAROUND> Bug with exporting credentials in 1.11.3 */
+ ret_maj = gss_store_cred_into(&ret_min, delegated_cred,
+ GSS_C_INITIATE, &gp_mech_krb5, 1, 1,
+ &cred_store, NULL, NULL);
+ if (ret_maj) {
+ goto done;
+ }
+ ret_maj = gss_acquire_cred_from(&ret_min, GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &desired_mechs, GSS_C_INITIATE,
+ &cred_store, output_cred_handle,
+ NULL, NULL);
+ if (ret_maj) {
+ goto done;
+ }
+ /* </WORKAROUND> */
+#endif /* NEEDS_CREDS_WORKAROUND */
 }
+#ifdef NEEDS_CREDS_WORKAROUND
+workaround_done:
+#endif /* NEEDS_CREDS_WORKAROUND */
+
 if (initiator_time_rec || acceptor_time_rec) {
 ret_maj = gss_inquire_cred_by_mech(&ret_min, *output_cred_handle, |
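Review bot: The re-acquire after gss_store_cred_into passes GSS_C_NO_NAME, so the credential that ends up in `*output_cred_handle` is whatever the store's default principal is, and correctness rests entirely on the `default_cred = 1` argument of the preceding store call rather than on the principal actually requested; passing the requested name, `ret_maj = gss_acquire_cred_from(&ret_min, req_name, GSS_C_INDEFINITE, ...`, would pin the principal explicitly (the name type of req_name versus the stored credential's name would need confirming). Because this also makes the delegated user's credential the default of cred_store, if impersonator_cred is acquired from that same store earlier in the function (outside this hunk) a later call for a different req_name may pick up the previous user's credential as the impersonator instead of the service's; worth verifying with two different principals in sequence. The delegated credential now persists in cred_store for its remaining lifetime rather than only in memory, so the store's location and permissions carry a user credential and deserve a comment stating that, e.g. `/* WORKAROUND side effect: delegated creds are persisted in cred_store */`. The enclosing function continues past the end of this hunk.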