author | Simo Sorce <simo@redhat.com> | 2012-09-13 17:46:18 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2012-09-14 16:53:34 -0400 |
commit | d273dcc03df00cb048a4fa2debd61d66e4e8b366 (patch) | |
tree | 677ea2697ab757fc6a80c6b1a8e323d4b82494d9 /proxy/src | |
parent | ed45d1fad6c566f96b6a874e6f228bfcb54354a1 (diff) | |
Use new gss_import/export_cred functions
This allows us to remove the ring_buffer hack and become completely
stateless as well as remove a possible DoS avenue.
R.I.P. Ring Buffer :-)
Diffstat (limited to 'proxy/src')
-rw-r--r-- | proxy/src/gp_config.c | 87 | ||||
-rw-r--r-- | proxy/src/gp_export.c | 326 | ||||
-rw-r--r-- | proxy/src/gp_export.h | 8 | ||||
-rw-r--r-- | proxy/src/gp_proxy.h | 15 | ||||
-rw-r--r-- | proxy/src/gp_ring_buffer.h | 37 | ||||
-rw-r--r-- | proxy/src/gp_rpc_accept_sec_context.c | 6 | ||||
-rw-r--r-- | proxy/src/gp_rpc_acquire_cred.c | 7 | ||||
-rw-r--r-- | proxy/src/gp_rpc_init_sec_context.c | 7 | ||||
-rw-r--r-- | proxy/src/gp_rpc_release_handle.c | 8 |
9 files changed, 98 insertions, 403 deletions
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c index 6776ed5..e6ad49c 100644 --- a/proxy/src/gp_config.c +++ b/proxy/src/gp_config.c @@ -30,10 +30,8 @@ #include <errno.h> #include "gp_proxy.h" #include "iniparser.h" -#include "gp_ring_buffer.h" #define GP_SOCKET_NAME "gssproxy.socket" -#define GP_RING_BUFFER_SIZE 4096 static void gp_service_free(struct gp_service *svc) { @@ -43,6 +41,7 @@ static void gp_service_free(struct gp_service *svc) free(svc->krb5.keytab); free(svc->krb5.ccache); } + gp_free_creds_handle(&svc->creds_handle); memset(svc, 0, sizeof(struct gp_service)); } @@ -126,39 +125,15 @@ static int get_krb5_mech_cfg(struct gp_service *svc, return 0; } -static int setup_service_ring_buffer(struct gp_config *cfg, - struct gp_service *svc, - int buffer_size) +static int setup_service_creds_handle(struct gp_service *svc) { uint32_t ret_maj, ret_min; - struct gp_ring_buffer **newrb; - uint32_t num; - if (buffer_size == -1) { - /* a reasonable default ? */ - buffer_size = GP_RING_BUFFER_SIZE; - } - - num = cfg->num_ring_buffers; - newrb = realloc(cfg->ring_buffers, - sizeof(struct gp_ring_buffer *) * (num + 1)); - if (!newrb) { - return ENOMEM; - } - cfg->ring_buffers = newrb; - - ret_maj = gp_init_ring_buffer(&ret_min, - svc->name, - buffer_size, - &cfg->ring_buffers[num]); + ret_maj = gp_init_creds_handle(&ret_min, &svc->creds_handle); if (ret_maj) { return ret_min; } - cfg->num_ring_buffers++; - - svc->ring_buffer = cfg->ring_buffers[num]; - return 0; } 
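Review bot: setup_service_creds_handle hands back `ret_min` from gp_init_creds_handle as its int result, and in the gp_export.c hunk that minor status is either ENOMEM from calloc or a krb5_error_code from krb5_init_context/krb5_c_make_random_key, so the value load_services stores in `ret` on this path mixes errno and krb5 error spaces. A short header comment would make the contract explicit, e.g. `/* Creates the per-service random key used to seal exported credential handles; returns 0 or the minor code (errno or krb5_error_code) from gp_init_creds_handle. The handle is released by gp_service_free. */`. Callers should not pass this value to errno-only reporting without knowing that.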
@@ -219,21 +194,9 @@ static int load_services(struct gp_config *cfg, dictionary *dict) } } - if (cfg->svcs[n]->trusted) { - /* buffer 0 is trusted */ - cfg->svcs[n]->ring_buffer = cfg->ring_buffers[0]; - } else { - /* buffer 1 is untrusted */ - cfg->svcs[n]->ring_buffer = cfg->ring_buffers[1]; - } - - value = get_char_value(dict, secname, "dedicated_ring_buffer"); - if (value && option_is_set(value)) { - valnum = get_int_value(dict, secname, "ring_buffer_size"); - ret = setup_service_ring_buffer(cfg, cfg->svcs[n], valnum); - if (ret) { - goto done; - } + ret = setup_service_creds_handle(cfg->svcs[n]); + if (ret) { + goto done; } value = get_char_value(dict, secname, "mechs"); @@ -322,34 +285,6 @@ int load_config(struct gp_config *cfg) cfg->num_workers = iniparser_getint(d, "gssproxy:worker threads", 0); - /* The two main ring_buffers need to be initialized before any dedicated - * ring_buffers (from services) are appended - gd */ - - cfg->num_ring_buffers = 2; - cfg->ring_buffers = calloc(cfg->num_ring_buffers, sizeof(struct gp_ring_buffer *)); - if (!cfg->ring_buffers) { - ret = ENOMEM; - goto done; - } - - ret_maj = gp_init_ring_buffer(&ret_min, - "default_trusted", - GP_RING_BUFFER_SIZE, - &cfg->ring_buffers[0]); - if (ret_maj) { - ret = ret_min; - goto done; - } - - ret_maj = gp_init_ring_buffer(&ret_min, - "default_untrusted", - GP_RING_BUFFER_SIZE, - &cfg->ring_buffers[1]); - if (ret_maj) { - ret = ret_min; - goto done; - } - ret = load_services(cfg, d); done: @@ -400,9 +335,9 @@ struct gp_config *read_config(char *config_file, int opt_daemonize) return cfg; } -struct gp_ring_buffer *gp_service_get_ring_buffer(struct gp_service *svc) +struct gp_creds_handle *gp_service_get_creds_handle(struct gp_service *svc) { - return svc->ring_buffer; + return svc->creds_handle; } void free_config(struct gp_config *config) 
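Review bot: With the ring-buffer initialisation removed from load_config, `ret_maj` and `ret_min` are no longer assigned anywhere in that hunk, and the same applies to `i` in the free_config hunk below it, whose only loop is deleted; the declarations sit outside the hunks, so if nothing else in those functions uses them they now produce unused-variable warnings under -Wall and should be dropped. The rename to gp_service_get_creds_handle is fine; a one-line comment such as `/* Per-service key handle used to seal and unseal exported credential references */` would help readers coming from gp_export.c.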
@@ -421,10 +356,4 @@ void free_config(struct gp_config *config) } free(config->svcs); - - for (i=0; i < config->num_ring_buffers; i++) { - gp_free_ring_buffer(config->ring_buffers[i]); - } - - free(config->ring_buffers); } diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c index 8a0efb7..ed0a8ab 100644 --- a/proxy/src/gp_export.c +++ b/proxy/src/gp_export.c 
@@ -37,122 +37,56 @@ #include <grp.h> #include <pthread.h> -#define GP_RING_BUFFER_KEY_ENCTYPE ENCTYPE_AES256_CTS_HMAC_SHA1_96 +#define GP_CREDS_HANDLE_KEY_ENCTYPE ENCTYPE_AES256_CTS_HMAC_SHA1_96 -struct gp_ring_buffer_cred { - uint64_t count; - gss_cred_id_t cred; -}; - -struct gp_ring_buffer { - char *name; - uint32_t end; - uint64_t count; - pthread_mutex_t lock; - struct gp_ring_buffer_cred **creds; - uint32_t num_creds; +struct gp_creds_handle { krb5_keyblock key; krb5_context context; }; -struct gp_credential_handle { - uint32_t index; - uint64_t count; -}; - -static void gp_free_ring_buffer_cred(struct gp_ring_buffer_cred *cred) +void gp_free_creds_handle(struct gp_creds_handle **in) { - uint32_t ret_min; + struct gp_creds_handle *handle = *in; - if (!cred) { + if (!handle) { return; } - gss_release_cred(&ret_min, &cred->cred); - - free(cred); -} - -void gp_free_ring_buffer(struct gp_ring_buffer *buffer) -{ - uint32_t i; - - if (!buffer) { - return; - } - - free(buffer->name); - - for (i=0; i < buffer->num_creds; i++) { - gp_free_ring_buffer_cred(buffer->creds[i]); - } - - free(buffer->creds); - - if (buffer->context) { - krb5_free_keyblock_contents(buffer->context, &buffer->key); - krb5_free_context(buffer->context); + if (handle->context) { + krb5_free_keyblock_contents(handle->context, &handle->key); + krb5_free_context(handle->context); } - pthread_mutex_destroy(&buffer->lock); - - free(buffer); + free(handle); + *in = NULL; + return; } -uint32_t gp_init_ring_buffer(uint32_t *min, - const char *name, - uint32_t ring_size, - struct gp_ring_buffer **buffer_out) +uint32_t gp_init_creds_handle(uint32_t *min, struct gp_creds_handle **out) { - struct gp_ring_buffer *buffer; + struct gp_creds_handle *handle; uint32_t ret_maj = 0; uint32_t ret_min = 0; int ret; - GPDEBUG("gp_init_ring_buffer %s (size: %d)\n", name, ring_size); - - buffer = calloc(1, sizeof(struct gp_ring_buffer)); - if (!buffer) { + handle = calloc(1, sizeof(struct gp_creds_handle)); + if 
(!handle) { ret_min = ENOMEM; ret_maj = GSS_S_FAILURE; goto done; } - buffer->name = strdup(name); - if (!buffer->name) { - ret_min = ENOMEM; - ret_maj = GSS_S_FAILURE; - goto done; - } - - buffer->num_creds = ring_size; - - buffer->creds = calloc(sizeof(struct gp_ring_buffer_cred *), buffer->num_creds); - if (!buffer->creds) { - ret_min = ENOMEM; - ret_maj = GSS_S_FAILURE; - goto done; - } - - ret = pthread_mutex_init(&buffer->lock, NULL); - if (ret) { - ret_min = ret; - ret_maj = GSS_S_FAILURE; - goto done; - } - /* initialize key */ - - ret = krb5_init_context(&buffer->context); + ret = krb5_init_context(&handle->context); if (ret) { ret_min = ret; ret_maj = GSS_S_FAILURE; goto done; } - ret = krb5_c_make_random_key(buffer->context, - GP_RING_BUFFER_KEY_ENCTYPE, - &buffer->key); + ret = krb5_c_make_random_key(handle->context, + GP_CREDS_HANDLE_KEY_ENCTYPE, + &handle->key); if (ret) { ret_min = ret; ret_maj = GSS_S_FAILURE; 
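Review bot: gp_free_creds_handle ends with a bare `return;` after `*in = NULL;`, which is redundant in a void function and reads as a leftover from the rewrite; drop it. The pointer-to-pointer contract, where the caller's pointer is cleared on return, is what lets the done: path of gp_init_creds_handle hand back NULL on failure, but neither function says so; a header comment like `/* Allocates a krb5 context and a random GP_CREDS_HANDLE_KEY_ENCTYPE key used to seal exported credential tokens; on failure *out is NULL and *min holds ENOMEM or the krb5 error */` would record it. Since the secrecy of this key is what makes cred_handle_reference values unforgeable, also note on the struct that a handle must never be shared between services.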
@@ -165,102 +99,13 @@ uint32_t gp_init_ring_buffer(uint32_t *min, done: *min = ret_min; if (ret_maj) { - gp_free_ring_buffer(buffer); + gp_free_creds_handle(&handle); } - *buffer_out = buffer; + *out = handle; return ret_maj; } -static uint32_t gp_write_gss_cred_to_ring_buffer(uint32_t *min, - struct gp_ring_buffer *buffer, - gss_cred_id_t *cred, - struct gp_credential_handle *handle) -{ - struct gp_ring_buffer_cred *bcred = NULL; - - if (!buffer || !cred) { - *min = EINVAL; - return GSS_S_FAILURE; - } - - bcred = calloc(1, sizeof(struct gp_ring_buffer_cred)); - if (!bcred) { - *min = ENOMEM; - return GSS_S_FAILURE; - } - - /* ======> LOCK */ - pthread_mutex_lock(&buffer->lock); - - /* setup ring buffer credential */ - bcred->count = buffer->count; - bcred->cred = *cred; - - /* setup credential handle */ - handle->count = buffer->count; - handle->index = buffer->end; - - /* store ring buffer credential */ - gp_free_ring_buffer_cred(buffer->creds[buffer->end]); - - buffer->creds[buffer->end] = bcred; - buffer->end = (buffer->end + 1) % buffer->num_creds; - - buffer->count++; - - /* <====== LOCK */ - pthread_mutex_unlock(&buffer->lock); - - *min = 0; - - return GSS_S_COMPLETE; -} - -static uint32_t gp_read_gss_creds_from_ring_buffer(uint32_t *min, - struct gp_ring_buffer *buffer, - struct gp_credential_handle *handle, - gss_cred_id_t *cred) -{ - struct gp_ring_buffer_cred *bcred; - - if (!buffer || !cred || !handle) { - *min = EINVAL; - return GSS_S_FAILURE; - } - - /* some basic sanity checks */ - if (handle->index > buffer->num_creds) { - *min = EINVAL; - return GSS_S_FAILURE; - } - - /* ======> LOCK */ - pthread_mutex_lock(&buffer->lock); - - /* pick ring buffer credential */ - bcred = buffer->creds[handle->index]; - if (bcred && - (bcred->count == handle->count)) { - *cred = bcred->cred; - } else { - *cred = NULL; - } - - /* <====== LOCK */ - pthread_mutex_unlock(&buffer->lock); - - if (*cred == NULL) { - *min = GSS_S_CRED_UNAVAIL; - return GSS_S_FAILURE; - } - - 
*min = 0; - - return GSS_S_COMPLETE; -} - - static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key, size_t len, void *buf, octet_string *out) { @@ -274,7 +119,7 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key, memset(&enc_handle, '\0', sizeof(krb5_enc_data)); ret = krb5_c_encrypt_length(context, - GP_RING_BUFFER_KEY_ENCTYPE, + GP_CREDS_HANDLE_KEY_ENCTYPE, data_in.length, (size_t *)&enc_handle.ciphertext.length); if (ret) { @@ -311,7 +156,7 @@ done: } static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key, - octet_string *in, size_t len, void *buf) + octet_string *in, size_t *len, void *buf) { int ret; krb5_data data_out; @@ -319,11 +164,11 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key, memset(&enc_handle, '\0', sizeof(krb5_enc_data)); - enc_handle.enctype = GP_RING_BUFFER_KEY_ENCTYPE; + enc_handle.enctype = GP_CREDS_HANDLE_KEY_ENCTYPE; enc_handle.ciphertext.data = in->octet_string_val; enc_handle.ciphertext.length = in->octet_string_len; - data_out.length = len; + data_out.length = *len; data_out.data = buf; ret = krb5_c_decrypt(context, @@ -336,11 +181,12 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key, return EINVAL; } + *len = data_out.length; + return 0; } -uint32_t gp_export_gssx_cred(uint32_t *min, - struct gp_service *svc, +uint32_t gp_export_gssx_cred(uint32_t *min, struct gp_service *svc, gss_cred_id_t *in, gssx_cred *out) { uint32_t ret_maj; @@ -354,8 +200,8 @@ uint32_t gp_export_gssx_cred(uint32_t *min, struct gssx_cred_element *el; int ret; int i, j; - struct gp_ring_buffer *ring_buffer = NULL; - struct gp_credential_handle handle; + struct gp_creds_handle *handle = NULL; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; ret_maj = gss_inquire_cred(&ret_min, *in, &name, &lifetime, &cred_usage, &mechanisms); 
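Review bot: gp_decrypt_buffer's `len` parameter became in/out without the declaration saying so: `data_out.length = *len;` uses it as the capacity of `buf`, and `*len = data_out.length;` afterwards returns the plaintext length produced by krb5_c_decrypt. Document this on the signature, e.g. `/* len: on entry the size of buf, on return the decrypted length */`. Note also that `data_out.length` is krb5_data's unsigned int while `*len` is a size_t, so the assignment silently narrows; the current caller passes an octet_string_len so it is harmless today, but a guard such as `if (*len > UINT_MAX) return EINVAL;` would keep it safe for future callers.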
@@ -421,37 +267,32 @@ uint32_t gp_export_gssx_cred(uint32_t *min, el->acceptor_time_rec = acceptor_lifetime; } - ring_buffer = gp_service_get_ring_buffer(svc); - if (!ring_buffer) { + handle = gp_service_get_creds_handle(svc); + if (!handle) { ret_maj = GSS_S_FAILURE; ret_min = EINVAL; goto done; } - ret = gp_write_gss_cred_to_ring_buffer(&ret_min, - ring_buffer, - in, - &handle); - if (ret) { - ret_maj = GSS_S_FAILURE; - ret_min = ret; + ret_maj = gss_export_cred(&ret_min, *in, &token); + if (ret_maj) { goto done; } - ret = gp_encrypt_buffer(ring_buffer->context, &ring_buffer->key, - sizeof(handle), &handle, + ret = gp_encrypt_buffer(handle->context, &handle->key, + token.length, token.value, &out->cred_handle_reference); if (ret) { ret_maj = GSS_S_FAILURE; ret_min = ret; goto done; } - out->needs_release = true; + out->needs_release = false; + /* now we have serialized creds in the hands of the client. + * we can safey free them here so that we can remain sateless and + * not leak memory */ + gss_release_cred(&ret_min, in); - /* we take over control of the credentials from here on */ - /* when we will have gss_export_cred() we will actually free - * them immediately instead */ - *in = NULL; ret_maj = GSS_S_COMPLETE; ret_min = 0; 
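Review bot: The `token` filled by gss_export_cred is encrypted into cred_handle_reference but is not released anywhere in this hunk; the cleanup at done: lies outside the hunk, so please confirm it calls `gss_release_buffer(&ret_min, &token);` on both the success and the failure paths, otherwise every export leaks a buffer holding serialized credentials. Because that buffer contains the plaintext credential material, wiping it before release (a `memset(token.value, 0, token.length);` ahead of the release call) limits how long it lingers in heap memory. The comment added above gss_release_cred has two typos ("safey", "sateless"), and the removed `*in = NULL` is expected to be performed by gss_release_cred itself, which is worth stating in that comment.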
@@ -462,74 +303,45 @@ done: return ret_maj; } -static int gp_import_gssx_cred(struct gp_ring_buffer *ring_buffer, - struct gp_credential_handle *in, - gss_cred_id_t *out) -{ - uint32_t ret = 0; - uint32_t ret_min = 0; - - ret = gp_read_gss_creds_from_ring_buffer(&ret_min, - ring_buffer, - in, - out); - if (ret) { - return ret_min; - } - - return 0; -} - - - -int gp_find_cred_int(struct gp_ring_buffer *ring_buffer, gssx_cred *cred, - gss_cred_id_t *out, struct gp_credential_handle *handle) +uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_service *svc, + gssx_cred *cred, gss_cred_id_t *out) { + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + struct gp_creds_handle *handle = NULL; + uint32_t ret_maj; + uint32_t ret_min; int ret; - ret = gp_decrypt_buffer(ring_buffer->context, &ring_buffer->key, - &cred->cred_handle_reference, - sizeof(*handle), handle); - if (ret) { - return ENOENT; - } - - return gp_import_gssx_cred(ring_buffer, handle, out); -} - -int gp_find_cred(struct gp_service *svc, gssx_cred *cred, gss_cred_id_t *out) -{ - struct gp_ring_buffer *ring_buffer; - struct gp_credential_handle handle; - - ring_buffer = gp_service_get_ring_buffer(svc); - if (!ring_buffer) { - return EINVAL; + handle = gp_service_get_creds_handle(svc); + if (!handle) { + ret_maj = GSS_S_FAILURE; + ret_min = EINVAL; + goto done; } - return gp_find_cred_int(ring_buffer, cred, out, &handle); -} - -int gp_find_and_free_cred(struct gp_service *svc, gssx_cred *cred) -{ - struct gp_ring_buffer *ring_buffer; - struct gp_credential_handle handle; - gss_cred_id_t gss_cred; - int ret; - - ring_buffer = gp_service_get_ring_buffer(svc); - if (!ring_buffer) { - return EINVAL; + token.length = cred->cred_handle_reference.octet_string_len; + token.value = malloc(token.length); + if (!token.value) { + ret_maj = GSS_S_FAILURE; + ret_min = ENOMEM; + goto done; } - ret = gp_find_cred_int(ring_buffer, cred, &gss_cred, &handle); + ret = gp_decrypt_buffer(handle->context, &handle->key, + 
&cred->cred_handle_reference, + &token.length, token.value); if (ret) { - return ret; + ret_maj = GSS_S_FAILURE; + ret_min = ENOENT; + goto done; } - gp_free_ring_buffer_cred(ring_buffer->creds[handle.index]); + ret_maj = gss_import_cred(&ret_min, &token, out); - return 0; +done: + *min = ret_min; + free(token.value); + return ret_maj; } /* Exported Contexts */ diff --git a/proxy/src/gp_export.h b/proxy/src/gp_export.h index 5606c65..28d2229 100644 --- a/proxy/src/gp_export.h +++ b/proxy/src/gp_export.h @@ -31,12 +31,10 @@ struct gp_service; -uint32_t gp_export_gssx_cred(uint32_t *min, - struct gp_service *svc, +uint32_t gp_export_gssx_cred(uint32_t *min, struct gp_service *svc, gss_cred_id_t *in, gssx_cred *out); -int gp_find_cred(struct gp_service *svc, gssx_cred *cred, gss_cred_id_t *out); -int gp_find_and_free_cred(struct gp_service *svc, - gssx_cred *cred); +uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_service *svc, + gssx_cred *cred, gss_cred_id_t *out); int gp_get_exported_context_type(struct gssx_call_ctx *ctx); uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h index 3d52cfe..c599eee 100644 --- a/proxy/src/gp_proxy.h +++ b/proxy/src/gp_proxy.h @@ -42,7 +42,7 @@ struct gp_cred_krb5 { char *ccache; }; -struct gp_ring_buffer; +struct gp_creds_handle; struct gp_service { char *name; @@ -52,11 +52,9 @@ struct gp_service { uint32_t mechs; struct gp_cred_krb5 krb5; - struct gp_ring_buffer *ring_buffer; + struct gp_creds_handle *creds_handle; }; -struct gp_ring_buffer; - struct gp_config { char *config_file; /* gssproxy configuration file */ bool daemonize; /* let gssproxy daemonize */ @@ -65,9 +63,6 @@ struct gp_config { struct gp_service **svcs; int num_svcs; - - struct gp_ring_buffer **ring_buffers; - int num_ring_buffers; }; struct gp_workers; 
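Review bot: A cred_handle_reference that fails to decrypt is reported as `GSS_S_FAILURE` with minor `ENOENT`, whereas the call sites this replaces in the gp_rpc_*.c hunks returned `GSS_S_NO_CRED`; since those callers now propagate ret_maj unchanged, a client sees a generic failure for a handle that is stale, tampered with, or sealed under another service's key. Using `ret_maj = GSS_S_NO_CRED;` on that path keeps the previous client-visible status and separates bad handles from internal errors. The decrypted `token.value` holds credential material and is freed at done: without being wiped; a `memset(token.value, 0, token.length);` before `free` is cheap. Also, `malloc(token.length)` for a zero-length reference may return NULL and would then be reported as ENOMEM rather than as an invalid handle.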
@@ -82,7 +77,7 @@ struct gp_conn; /* from gp_config.c */ struct gp_config *read_config(char *config_file, int opt_daemonize); -struct gp_ring_buffer *gp_service_get_ring_buffer(struct gp_service *svc); +struct gp_creds_handle *gp_service_get_creds_handle(struct gp_service *svc); void free_config(struct gp_config *config); /* from gp_init.c */ @@ -114,4 +109,8 @@ int gp_rpc_process_call(struct gssproxy_ctx *gpctx, struct gp_service *gp_creds_match_conn(struct gssproxy_ctx *gpctx, struct gp_conn *conn); +/* from gp_export.c */ +uint32_t gp_init_creds_handle(uint32_t *min, struct gp_creds_handle **out); +void gp_free_creds_handle(struct gp_creds_handle **in); + #endif /* _GP_PROXY_H_ */ diff --git a/proxy/src/gp_ring_buffer.h b/proxy/src/gp_ring_buffer.h deleted file mode 100644 index ea95f59..0000000 --- a/proxy/src/gp_ring_buffer.h +++ /dev/null 
@@ -1,37 +0,0 @@ -/* - GSS-PROXY - - Copyright (C) 2012 Red Hat, Inc. - Copyright (C) 2012 Guenther Deschner <guenther.deschner@redhat.com> - - Permission is hereby granted, free of charge, to any person obtaining a - copy of this software and associated documentation files (the "Software"), - to deal in the Software without restriction, including without limitation - the rights to use, copy, modify, merge, publish, distribute, sublicense, - and/or sell copies of the Software, and to permit persons to whom the - Software is furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in - all copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL - THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - DEALINGS IN THE SOFTWARE. -*/ - -#ifndef _GP_RING_BUFFER_H_ -#define _GP_RING_BUFFER_H_ - -#include <gssapi/gssapi.h> - -uint32_t gp_init_ring_buffer(uint32_t *min, - const char *name, - uint32_t ring_size, - struct gp_ring_buffer **buffer_out); -void gp_free_ring_buffer(struct gp_ring_buffer *buffer); - -#endif /* _GP_RING_BUFFER_H_ */ diff --git a/proxy/src/gp_rpc_accept_sec_context.c b/proxy/src/gp_rpc_accept_sec_context.c index eb93471..e43b72a 100644 --- a/proxy/src/gp_rpc_accept_sec_context.c +++ b/proxy/src/gp_rpc_accept_sec_context.c 
@@ -67,10 +67,8 @@ int gp_accept_sec_context(struct gssproxy_ctx *gpctx, } if (asca->cred_handle) { - ret = gp_find_cred(gpsvc, asca->cred_handle, &ach); - if (ret) { - ret_maj = GSS_S_NO_CRED; - ret_min = ret; + ret_maj = gp_import_gssx_cred(&ret_min, gpsvc, asca->cred_handle, &ach); + if (ret_maj) { goto done; } } diff --git a/proxy/src/gp_rpc_acquire_cred.c b/proxy/src/gp_rpc_acquire_cred.c index 31e6346..5c34732 100644 --- a/proxy/src/gp_rpc_acquire_cred.c +++ b/proxy/src/gp_rpc_acquire_cred.c @@ -50,10 +50,9 @@ int gp_acquire_cred(struct gssproxy_ctx *gpctx, acr = &res->acquire_cred; if (aca->input_cred_handle) { - ret = gp_find_cred(gpsvc, aca->input_cred_handle, &in_cred); - if (ret) { - ret_maj = GSS_S_NO_CRED; - ret_min = ret; + ret_maj = gp_import_gssx_cred(&ret_min, gpsvc, + aca->input_cred_handle, &in_cred); + if (ret_maj) { goto done; } } diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c index 480c4b7..fa87b15 100644 --- a/proxy/src/gp_rpc_init_sec_context.c +++ b/proxy/src/gp_rpc_init_sec_context.c @@ -68,10 +68,9 @@ int gp_init_sec_context(struct gssproxy_ctx *gpctx, } if (isca->cred_handle) { - ret = gp_find_cred(gpsvc, isca->cred_handle, &ich); - if (ret) { - ret_maj = GSS_S_NO_CRED; - ret_min = ret; + ret_maj = gp_import_gssx_cred(&ret_min, gpsvc, + isca->cred_handle, &ich); + if (ret_maj) { goto done; } } diff --git a/proxy/src/gp_rpc_release_handle.c b/proxy/src/gp_rpc_release_handle.c index 72aa7b8..a9f5ee2 100644 --- a/proxy/src/gp_rpc_release_handle.c +++ b/proxy/src/gp_rpc_release_handle.c @@ -47,11 +47,9 @@ int gp_release_handle(struct gssproxy_ctx *gpctx, ret_min = 0; break; case GSSX_C_HANDLE_CRED: - ret = gp_find_and_free_cred(gpsvc, &rha->cred_handle.gssx_handle_u.cred_info); - if (ret) { - ret_maj = GSS_S_UNAVAILABLE; - ret_min = 0; - } + /* We do not need release for any creds now */ + ret_maj = GSS_S_UNAVAILABLE; + ret_min = 0; break; default: ret_maj = GSS_S_CALL_BAD_STRUCTURE; |
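Review bot: The comment `/* We do not need release for any creds now */` in gp_release_handle states the decision but not the reason, and answering every GSSX_C_HANDLE_CRED with GSS_S_UNAVAILABLE looks like an error to a reader who does not know the design. Suggest `/* Cred handles are self-contained encrypted tokens (see gp_export_gssx_cred); there is no server-side state to release, they simply stop importing once the service key is discarded. */`. In this hunk and in the three import call sites the `ret` variable that used to receive gp_find_cred's result is no longer assigned within the hunk; its declaration is outside the hunk, so check whether it is still used in each function and remove it if not.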