authorSimo Sorce <simo@redhat.com>2012-03-22 01:23:40 -0400
committerSimo Sorce <simo@redhat.com>2012-03-22 02:33:52 -0400
commit402e927b928f5d51d36df72f69211fbc5a2136c8 (patch)
tree0714c7b4504ca2861973f748ab4ec4a69b34cbaa /proxy
parent1e99cc43f9f1983080b37bc5768a76dae0946183 (diff)
Add option to request (or not) delegated credentials back
Diffstat (limited to 'proxy')
-rw-r--r--proxy/rpcgen/gss_proxy.h1
-rw-r--r--proxy/rpcgen/gss_proxy_xdr.c2
-rw-r--r--proxy/src/gp_rpc_accept_sec_context.c9
3 files changed, 10 insertions, 2 deletions
diff --git a/proxy/rpcgen/gss_proxy.h b/proxy/rpcgen/gss_proxy.h
index 2b54858..6e98510 100644
--- a/proxy/rpcgen/gss_proxy.h
+++ b/proxy/rpcgen/gss_proxy.h
@@ -408,6 +408,7 @@ struct gssx_arg_accept_sec_context {
gssx_cred *cred_handle;
gssx_buffer input_token;
gssx_cb *input_cb;
+ bool_t ret_deleg_cred;
struct {
u_int options_len;
gssx_option *options_val;
diff --git a/proxy/rpcgen/gss_proxy_xdr.c b/proxy/rpcgen/gss_proxy_xdr.c
index 25d9168..576b9c9 100644
--- a/proxy/rpcgen/gss_proxy_xdr.c
+++ b/proxy/rpcgen/gss_proxy_xdr.c
@@ -596,6 +596,8 @@ xdr_gssx_arg_accept_sec_context (XDR *xdrs, gssx_arg_accept_sec_context *objp)
return FALSE;
if (!xdr_pointer (xdrs, (char **)&objp->input_cb, sizeof (gssx_cb), (xdrproc_t) xdr_gssx_cb))
return FALSE;
+ if (!xdr_bool (xdrs, &objp->ret_deleg_cred))
+ return FALSE;
if (!xdr_array (xdrs, (char **)&objp->options.options_val, (u_int *) &objp->options.options_len, ~0,
sizeof (gssx_option), (xdrproc_t) xdr_gssx_option))
return FALSE;
diff --git a/proxy/src/gp_rpc_accept_sec_context.c b/proxy/src/gp_rpc_accept_sec_context.c
index 5e85748..62d2387 100644
--- a/proxy/src/gp_rpc_accept_sec_context.c
+++ b/proxy/src/gp_rpc_accept_sec_context.c
@@ -43,6 +43,7 @@ int gp_accept_sec_context(struct gssproxy_ctx *gpctx,
gss_buffer_desc obuf = GSS_C_EMPTY_BUFFER;
uint32_t ret_flags;
gss_cred_id_t dch = GSS_C_NO_CREDENTIAL;
+ gss_cred_id_t *pdch = NULL;
int ret;
asca = &arg->accept_sec_context;
@@ -66,6 +67,10 @@ int gp_accept_sec_context(struct gssproxy_ctx *gpctx,
pcbs = GSS_C_NO_CHANNEL_BINDINGS;
}
+ if (asca->ret_deleg_cred) {
+ pdch = &dch;
+ }
+
ret_maj = gss_accept_sec_context(&ret_min,
&ctx,
ach,
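Review bot: `asca->ret_deleg_cred` is taken directly from the decoded RPC argument, so in this hunk the calling client alone decides whether the proxy asks the mechanism for the delegated credential; nothing visible here consults proxy-side policy for the calling service. A delegated credential lets its holder act as the initiating user, so it is worth confirming that such a policy check exists elsewhere, or adding one before `pdch = &dch;`. A short comment on the branch would also help the next reader, e.g. `/* a NULL handle tells gss_accept_sec_context() not to return delegated creds */`. gp_accept_sec_context starts and ends outside the hunk.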
@@ -76,7 +81,7 @@ int gp_accept_sec_context(struct gssproxy_ctx *gpctx,
&obuf,
&ret_flags,
NULL,
- &dch);
+ pdch);
if (ret_maj) {
goto done;
}
@@ -105,7 +110,7 @@ int gp_accept_sec_context(struct gssproxy_ctx *gpctx,
goto done;
}
- if (ret_flags & GSS_C_DELEG_FLAG) {
+ if ((ret_flags & GSS_C_DELEG_FLAG) && asca->ret_deleg_cred) {
ascr->delegated_cred_handle = calloc(1, sizeof(gssx_cred));
if (!ascr->delegated_cred_handle) {
ret_maj = GSS_S_FAILURE;
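Review bot: The new condition re-reads the client-supplied `asca->ret_deleg_cred` rather than checking what gss_accept_sec_context() actually handed back, so the export branch is entered whenever the flag and the request bit are set, even if `dch` is still `GSS_C_NO_CREDENTIAL`. Keying the test on local state ties it to the earlier decision and to the real result: `if ((ret_flags & GSS_C_DELEG_FLAG) && pdch != NULL && dch != GSS_C_NO_CREDENTIAL) {`. The code that consumes `dch` after the calloc lies outside the hunk, so whether an empty handle is already rejected there cannot be seen from here.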