authorSimo Sorce <simo@redhat.com>2013-03-26 20:39:28 -0400
committerSimo Sorce <simo@redhat.com>2013-03-27 10:30:35 -0400
commitf71e3dc31704e2b23f9c013da7169da97fab019d (patch)
tree4e554d6ca4737c461711bd72cdba41c9b9827330 /proxy
parent1d6400f2ac9d0268b87d0910853e328b7ca840e6 (diff)
Add extension to set allowable enctypes
The krb5 mechanism has a non-standard extension that allows setting a list of allowed enctypes to use with a particular set of credentials. This patch adds an extension, registered by a client as a gssx_cred option, so that at the first use of these credentials the proxy can try to set the requested options. For now, failure to set the option is only logged in debug mode, and the operation to import credentials does not fail if the allowed enctypes cannot be set. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy')
-rw-r--r--proxy/src/gp_export.c39
1 files changed, 39 insertions, 0 deletions
diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
index 5cee23c..2cb7ab7 100644
--- a/proxy/src/gp_export.c
+++ b/proxy/src/gp_export.c
@@ -304,6 +304,42 @@ done:
return ret_maj;
}
+#define KRB5_SET_ALLOWED_ENCTYPE "krb5_set_allowed_enctype_values"
+
+static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t gss_cred)
+{
+ struct gssx_cred_element *ce;
+ struct gssx_option *op;
+ uint32_t num_ktypes = 0;
+ krb5_enctype *ktypes;
+ uint32_t maj, min;
+ int i, j;
+
+ for (i = 0; i < cred->elements.elements_len; i++) {
+ ce = &cred->elements.elements_val[i];
+ for (j = 0; j < ce->options.options_len; j++) {
+ op = &ce->options.options_val[j];
+ if ((op->option.octet_string_len ==
+ sizeof(KRB5_SET_ALLOWED_ENCTYPE)) &&
+ (strncmp(KRB5_SET_ALLOWED_ENCTYPE,
+ op->option.octet_string_val,
+ op->option.octet_string_len) == 0)) {
+ num_ktypes = op->value.octet_string_len / sizeof(krb5_enctype);
+ ktypes = (krb5_enctype *)op->value.octet_string_val;
+ break;
+ }
+ }
+ }
+
+ if (num_ktypes) {
+ maj = gss_krb5_set_allowable_enctypes(&min, gss_cred,
+ num_ktypes, ktypes);
+ if (maj != GSS_S_COMPLETE) {
+ GPDEBUG("Failed to set allowable enctypes\n");
+ }
+ }
+}
+
uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_service *svc,
gssx_cred *cred, gss_cred_id_t *out)
{
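Review bot: `ktypes = (krb5_enctype *)op->value.octet_string_val;` reinterprets a client-supplied, XDR-decoded `char` buffer as an array of `krb5_enctype`; that buffer carries no alignment guarantee, so the later read through `ktypes` is a misaligned access on strict-alignment targets and an aliasing violation everywhere, and `ktypes` is also left uninitialised when no option matches (only dereferenced under `if (num_ktypes)`, so not a bug today, but `krb5_enctype *ktypes = NULL;` keeps that obviously safe). Copying the bytes into a heap array with `memcpy` removes the cast, as sketched below; the function is complete within this hunk. The name check uses `sizeof(KRB5_SET_ALLOWED_ENCTYPE)`, which counts the terminating NUL, so a client must send the option name NUL-terminated for it to match, which deserves a comment next to the `#define`, e.g. `/* option name is matched including its trailing NUL */`. The enctype values are consumed in host byte order and not range-checked here; presumably `gss_krb5_set_allowable_enctypes` rejects unknown enctypes, but that is worth confirming against the mech. In the second hunk, `gp_set_cred_options(cred, *out)` runs even when `gss_import_cred` has just failed, so the new function can be handed an unusable handle; guarding it with `if (ret_maj == GSS_S_COMPLETE)` avoids that.
```c
static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t gss_cred)
{
    struct gssx_cred_element *ce;
    struct gssx_option *op;
    uint32_t num_ktypes = 0;
    krb5_enctype *ktypes = NULL;
    uint32_t maj, min;
    int i, j;

    /* … unchanged: element/option loops and option-name comparison … */
                /* the option value is an opaque XDR octet string: copy it
                 * out rather than aliasing the char buffer as krb5_enctype */
                free(ktypes);
                ktypes = NULL;
                num_ktypes = op->value.octet_string_len / sizeof(krb5_enctype);
                if (num_ktypes) {
                    ktypes = calloc(num_ktypes, sizeof(*ktypes));
                    if (ktypes == NULL) {
                        num_ktypes = 0;
                    } else {
                        memcpy(ktypes, op->value.octet_string_val,
                               num_ktypes * sizeof(*ktypes));
                    }
                }
                break;
    /* … unchanged: loop close and gss_krb5_set_allowable_enctypes call … */
    free(ktypes);
}
```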
@@ -339,6 +375,9 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_service *svc,
ret_maj = gss_import_cred(&ret_min, &token, out);
+ /* check if there is any client option we need to set on credentials */
+ gp_set_cred_options(cred, *out);
+
done:
*min = ret_min;
free(token.value);