author | Simo Sorce <simo@redhat.com> | 2012-01-23 18:25:45 -0500 |
committer | Simo Sorce <simo@redhat.com> | 2012-01-25 00:15:46 -0500 |
commit | 0ef7969ebba0c24e3b20c225db2448652e640d41 (patch) | |
tree | 2f9521104909c18b7a55d5618a95ddba66fd00f5 /proxy | |
parent | 3da72377d3b34a46389769808eb2458467254618 (diff) | |
Add functions to export/import credentials
This is a temporary, quick and simple implementation to proceed with
prototyping; it will later be replaced with a correct implementation.
Diffstat (limited to 'proxy')
-rw-r--r-- | proxy/Makefile.am | 1 | ||||
-rw-r--r-- | proxy/src/gp_export.c | 149 | ||||
-rw-r--r-- | proxy/src/gp_export.h | 35 |
3 files changed, 185 insertions, 0 deletions
diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index d8f2562..88f17ad 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -93,6 +93,7 @@ gssproxy_SOURCES = \
 $(GP_RPCGEN_OBJ) \
 src/gp_rpc_process.c \
 src/gp_conv.c \
+ src/gp_export.c \
 src/gssproxy.c
 
 gssproxy_LDADD = \
diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
new file mode 100644
index 0000000..89e14eb
--- /dev/null
+++ b/proxy/src/gp_export.c
@@ -0,0 +1,149 @@
+/*
+ GSS-PROXY
+
+ Copyright (C) 2011 Red Hat, Inc.
+ Copyright (C) 2011 Simo Sorce <simo.sorce@redhat.com>
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ DEALINGS IN THE SOFTWARE.
+*/
+
+#include "config.h"
+#include <stdio.h>
+#include <stdbool.h>
+#include <errno.h>
+#include "gp_conv.h"
+#include "gp_export.h"
+
+/* FIXME: F I X M E
+ *
+ * FFFFF I X X M M EEEEE
+ * F I X X MM MM E
+ * FFF I XX M MM M EEE
+ * F I X X M M E
+ * F I X X M M EEEEE
+ *
+ * Credential functions should either be implemented with gss_export_cred()
+ * or, lacking those calls in the gssapi implementation, by keeping state
+ * in a table/list and returning a token.
+ * In both cases the content should be encrypted.
+ *
+ * Temporarily we simply return straight out the gss_cred_id_t pointer as
+ * a handle.
+ *
+ * THIS IS ONLY FOR THE PROTOTYPE
+ *
+ * *MUST* BE FIXED BEFORE ANY OFFICIAL RELEASE.
+ */
+
+int gp_export_gssx_cred(gss_cred_id_t *in, gssx_cred *out)
+{
+ uint32_t ret_maj;
+ uint32_t ret_min;
+ gss_name_t name = NULL;
+ uint32_t lifetime;
+ gss_cred_usage_t cred_usage;
+ gss_OID_set mechanisms = NULL;
+ uint32_t initiator_lifetime;
+ uint32_t acceptor_lifetime;
+ struct gssx_cred_element *el;
+ int ret;
+ int i;
+
+ ret_maj = gss_inquire_cred(&ret_min, *in,
+ &name, &lifetime, &cred_usage, &mechanisms);
+ if (ret_maj) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = gp_conv_name_to_gssx(name, &out->desired_name);
+ if (ret) {
+ goto done;
+ }
+ gss_release_name(&ret_min, &name);
+ name = NULL;
+
+ out->elements.elements_len = mechanisms->count;
+ out->elements.elements_val = calloc(out->elements.elements_len,
+ sizeof(gssx_cred_element));
+ if (!out->elements.elements_val) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < mechanisms->count; i++) {
+
+ el = &out->elements.elements_val[i];
+
+ ret_maj = gss_inquire_cred_by_mech(&ret_min, *in,
+ &mechanisms->elements[i],
+ &name,
+ &initiator_lifetime,
+ &acceptor_lifetime,
+ &cred_usage);
+ if (ret_maj) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = gp_conv_name_to_gssx(name, &el->MN);
+ if (ret) {
+ goto done;
+ }
+ gss_release_name(&ret_min, &name);
+ name = NULL;
+
+ ret = gp_conv_oid_to_gssx(&mechanisms->elements[i], &el->mech);
+ if (ret) {
+ goto done;
+ }
+ el->cred_usage = gp_conv_gssx_to_cred_usage(cred_usage);
+
+ el->initiator_time_rec = initiator_lifetime;
+ el->acceptor_time_rec = acceptor_lifetime;
+ }
+
+ ret = gp_conv_octet_string(sizeof(gss_cred_id_t), *in,
+ &out->cred_handle_reference);
+ if (ret) {
+ goto done;
+ }
+ out->needs_release = true;
+
+ /* we take over control of the credentials from here on */
+ /* when we will have gss_export_cred() we will actually free
+ * them immediately instead */
+ *in = NULL;
+
+done:
+ gss_release_name(&ret_min, &name);
+ gss_release_oid_set(&ret_min, &mechanisms);
+ return ret;
+}
+
+int gp_import_gssx_cred(octet_string *in, gss_cred_id_t *out)
+{
+ if (in) {
+ *out = (gss_cred_id_t)(in->octet_string_val);
+ } else {
+ *out = NULL;
+ }
+ return 0;
+}
+
diff --git a/proxy/src/gp_export.h b/proxy/src/gp_export.h
new file mode 100644
index 0000000..bc6a226
--- /dev/null
+++ b/proxy/src/gp_export.h
@@ -0,0 +1,35 @@
+/*
+ GSS-PROXY
+
+ Copyright (C) 2011 Red Hat, Inc.
+ Copyright (C) 2011 Simo Sorce <simo.sorce@redhat.com>
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ DEALINGS IN THE SOFTWARE.
+*/
+
+#ifndef _GSS_EXPORT_H_
+#define _GSS_EXPORT_H_
+
+#include <gssapi/gssapi.h>
+#include "rpcgen/gss_proxy.h"
+
+int gp_export_gssx_cred(gss_cred_id_t *in, gssx_cred *out);
+int gp_import_gssx_cred(octet_string *in, gss_cred_id_t *out);
+
+#endif /* _GSS_EXPORT_H_ */
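Review bot: gp_import_gssx_cred turns the client-supplied octet string into a credential handle without checking `in->octet_string_len`, and it casts the address of the buffer (`in->octet_string_val`) instead of decoding the handle value stored inside it, so a handle produced by gp_export_gssx_cred cannot round-trip back to the original gss_cred_id_t. Even for the prototype, the import side should reject anything that is not exactly one handle in size and copy the bytes out (with `<string.h>`): `if (in->octet_string_len != sizeof(*out)) { *out = NULL; return EINVAL; }` followed by `memcpy(out, in->octet_string_val, sizeof(*out));`, keeping the existing `*out = NULL; return 0;` for a NULL `in`. On the export side, `gp_conv_octet_string(sizeof(gss_cred_id_t), *in, &out->cred_handle_reference)` looks like it serializes the first bytes of the credential structure rather than the handle value; if that helper copies its length argument from its second pointer argument, `in` rather than `*in` is the intended source — worth confirming against gp_conv.c. The FIXME already records that a raw pointer is not an acceptable handle since whatever a client sends is later used as a credential, but until that is fixed the error paths in gp_export_gssx_cred also leave `out->elements.elements_val` allocated; if the caller does not release a partially filled gssx_cred, free it under `done:` when `ret != 0`.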
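Review bot: The include guard `_GSS_EXPORT_H_` is an identifier reserved for the implementation in C (leading underscore followed by an uppercase letter), and its name does not match the file; a project-prefixed guard such as `GP_EXPORT_H` avoids both issues. The two prototypes would also benefit from an ownership comment, since the .c file sets `*in = NULL` on success, e.g. above gp_export_gssx_cred: `/* On success takes ownership of *in and sets it to NULL; the caller releases out. */`.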