authorSimo Sorce <simo@redhat.com>2013-04-01 14:13:56 -0400
committerSimo Sorce <simo@redhat.com>2013-04-10 10:15:53 -0400
commit56a4c90094d23c89d35b61142a414f64f591da83 (patch)
tree80df9074bd7b84fe30e5511be866727e34951ded
parent2fa0fdc2c184d70bb45dad89f42e427d7813ca09 (diff)
Use new GSSAPI Credential Store API
This is the only thread-safe way to pass in arbitrary values for all the bits of environment we want to use when doing impersonation within gss-proxy. Requires MIT version 1.12 for the client_keytab part to be operational. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
-rw-r--r--proxy/BUILD.txt17
-rw-r--r--proxy/src/gp_creds.c71
2 files changed, 38 insertions, 50 deletions
diff --git a/proxy/BUILD.txt b/proxy/BUILD.txt
index a833217..10a727b 100644
--- a/proxy/BUILD.txt
+++ b/proxy/BUILD.txt
@@ -12,7 +12,7 @@ In order to build gss-proxy the following development packages are needed:
doxygen
findutils
gettext-devel
- iniparser-devel
+ iniparser-devel or libini_config-devel (preferred)
keyutils-libs-devel
krb5-devel
libselinux-devel
@@ -23,3 +23,18 @@ In order to build gss-proxy the following development packages are needed:
m4
pkgconfig
popt-devel
+
+NOTE:
+The minimum supported Kerberos version is MIT Kerberos 1.11.2 as it includes
+[1] and [2]
+The keytab initiation feature where Gss-Proxy acquires crdentials on behalf
+of clients using a ketab will only be available in MIT in 1.12
+This patch [3] can be used to backport the feature in 1.11.2, this new feature
+simply allows combining two [4][5] features introduced in MIT 1.11
+
+[1] http://k5wiki.kerberos.org/wiki/Projects/Interposer_Mechanism
+[2] https://github.com/krb5/krb5/commit/36c76aa3c625afc9291b9e1df071db51ccf37dab
+[3] https://github.com/krb5/krb5/commit/38cc076579888695a5820ceb44fe43020f5b61e1
+[4] http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
+[5] http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
+
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 43ab169..162caf6 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -270,15 +270,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
char *ccache_name = NULL;
char *client_keytab = NULL;
char *keytab_name = NULL;
- krb5_context kctx;
- krb5_principal principal = NULL;
- krb5_keytab keytab = NULL;
- krb5_ccache ccache = NULL;
- krb5_error_code kerr;
uint32_t ret_maj = 0;
uint32_t ret_min = 0;
uint32_t discard;
gss_name_t req_name = GSS_C_NO_NAME;
+ gss_OID_set_desc desired_mechs = { 1, &gp_mech_krb5 };
+ gss_key_value_element_desc cred_elems[3];
+ gss_key_value_set_desc cred_store;
+ int c;
if (!min || !output_cred_handle) {
return GSS_S_CALL_INACCESSIBLE_WRITE;
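Review bot: `cred_elems[3]` is a fixed-size stack array whose capacity is only implicitly tied to the three optional `if (...) { cred_elems[c++] ... }` blocks that fill it later in this function; a fourth store key added by a future change would write past the end of the array with no diagnostic. I would name the capacity and check it before the `gss_acquire_cred_from` call, e.g. `#define GP_CRED_STORE_MAX 3` at file scope, `gss_key_value_element_desc cred_elems[GP_CRED_STORE_MAX];` here, and `if (c > GP_CRED_STORE_MAX) { ret_maj = GSS_S_FAILURE; goto done; }` after the last element is appended. A comment on the declaration such as `/* one slot per optional cred-store key: ccache, client_keytab, keytab */` would also make the coupling visible. The body of gp_add_krb5_creds starts before and continues after this hunk.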
@@ -298,12 +297,6 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
return GSS_S_CRED_UNAVAIL;
}
- kerr = krb5_init_context(&kctx);
- if (kerr != 0) {
- *min = kerr;
- return GSS_S_FAILURE;
- }
-
if (cred_usage == GSS_C_ACCEPT && svc->krb5.keytab == NULL) {
ret_maj = GSS_S_CRED_UNAVAIL;
goto done;
@@ -317,45 +310,32 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
goto done;
}
- if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_INITIATE) {
- kerr = krb5_cc_resolve(kctx, ccache_name, &ccache);
- if (kerr) {
- ret_maj = GSS_S_FAILURE;
- ret_min = kerr;
- goto done;
- }
-
- /* FIXME: initiate ? */
+ cred_store.elements = cred_elems;
+ c = 0;
+ if (ccache_name) {
+ cred_elems[c].key = "ccache";
+ cred_elems[c].value = ccache_name;
+ c++;
+ }
+ if (client_keytab) {
+ cred_elems[c].key = "client_keytab";
+ cred_elems[c].value = client_keytab;
+ c++;
}
-
if (keytab_name) {
- kerr = krb5_kt_resolve(kctx, keytab_name, &keytab);
- if (kerr != 0) {
- ret_maj = GSS_S_FAILURE;
- ret_min = kerr;
- goto done;
- }
+ cred_elems[c].key = "keytab";
+ cred_elems[c].value = keytab_name;
+ c++;
}
+ cred_store.count = c;
- ret_maj = gss_krb5_import_cred(&ret_min,
- ccache, principal, keytab,
- output_cred_handle);
+ ret_maj = gss_acquire_cred_from(&ret_min, req_name, GSS_C_INDEFINITE,
+ &desired_mechs, cred_usage, &cred_store,
+ output_cred_handle, actual_mechs, NULL);
if (ret_maj) {
goto done;
}
- if (actual_mechs) {
- ret_maj = gss_create_empty_oid_set(&ret_min, actual_mechs);
- if (ret_maj) {
- goto done;
- }
- ret_maj = gss_add_oid_set_member(&ret_min,
- &gp_mech_krb5, actual_mechs);
- if (ret_maj) {
- goto done;
- }
- }
-
if (initiator_time_rec || acceptor_time_rec) {
ret_maj = gss_inquire_cred_by_mech(&ret_min,
*output_cred_handle,
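Review bot: The new cred-store construction adds the `"ccache"` element whenever `ccache_name` is non-NULL, whereas the removed code only resolved the ccache for `GSS_C_BOTH`/`GSS_C_INITIATE`; for a pure `GSS_C_ACCEPT` acquisition the store now names a ccache the mechanism presumably ignores, but if it does not, an acceptor-only service could end up touching (or creating) a cache it was never meant to, so I would either gate it, `if (ccache_name && cred_usage != GSS_C_ACCEPT) {`, or add a comment stating that the mechanism is expected to ignore it for acceptors. Per the commit description the `"client_keytab"` key is only honoured by MIT 1.12, and older mechanisms appear to drop unknown keys silently rather than failing, so on 1.11 the acquisition would succeed here and initiation would only fail later with a less obvious error; a comment such as `/* "client_keytab" is ignored by MIT < 1.12; initiation then falls back to the default client keytab — see BUILD.txt */` on that element would save the next reader a debugging session. Since these three strings end up as file paths opened by the mechanism inside a privileged daemon, it is worth confirming (I cannot see their origin from this hunk) that `ccache_name`, `client_keytab` and `keytab_name` derive only from the service configuration and never from client-supplied data. The enclosing gp_add_krb5_creds continues beyond both ends of this hunk.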
@@ -379,13 +359,6 @@ done:
}
}
*min = ret_min;
- if (ccache) {
- krb5_cc_close(kctx, ccache);
- }
- if (keytab) {
- krb5_kt_close(kctx, keytab);
- }
- krb5_free_context(kctx);
return ret_maj;
}