From 591fad86aba3520a76eaf75aa0fd5e585fac94a5 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 13 Nov 2013 19:54:27 -0500
Subject: Autoinitialize creds on init_sec_context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the remote client tries to initialize the context without first acquiring credentials, try to acquire appropriate credentials if the service allows it.

Reviewed-by: Günther Deschner
---
 proxy/src/gp_rpc_init_sec_context.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c
index 2781238..76ffaab 100644
--- a/proxy/src/gp_rpc_init_sec_context.c
+++ b/proxy/src/gp_rpc_init_sec_context.c
@@ -24,6 +24,7 @@
 */
 #include "gp_rpc_process.h"
+#include
 int gp_init_sec_context(struct gp_call_ctx *gpcall,
 union gp_rpc_arg *arg,
@@ -74,13 +75,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
 if (ret_maj) {
 goto done;
 }
- } else {
- /* FIXME: get ccache from gpsvc ? */
- ret_maj = GSS_S_CRED_UNAVAIL;
- ret_min = 0;
- goto done;
 }
-
 ret_maj = gp_conv_gssx_to_name(&ret_min, isca->target_name, &target_name);
 if (ret_maj) {
 goto done;
@@ -107,6 +102,23 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
 gp_conv_gssx_to_buffer(isca->input_token, &ibuf);
 }
+ if (!isca->cred_handle) {
+ if (gss_oid_equal(mech_type, gss_mech_krb5)) {
+ ret_maj = gp_add_krb5_creds(&ret_min, gpcall,
+ NULL, NULL,
+ GSS_C_INITIATE,
+ time_req, 0, &ich,
+ NULL, NULL, NULL);
+ } else {
+ ret_maj = GSS_S_NO_CRED;
+ ret_min = 0;
+ }
+
+ if (ret_maj) {
+ goto done;
+ }
+ }
+
 ret_maj = gss_init_sec_context(&ret_min,
 ich,
 &ctx,
@@ -170,5 +182,6 @@ done:
 &iscr->status);
 gss_release_name(&ret_min, &target_name);
 gss_release_oid(&ret_min, &mech_type);
+ gss_release_cred(&ret_min, &ich);
 return ret;
 }
-- cgit
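Review bot: The new `if (!isca->cred_handle)` block acquires initiator credentials for a caller that presented none, and nothing in this hunk shows where the "if the service allows it" condition from the commit message is enforced. Presumably `gp_add_krb5_creds()` decides from `gpcall` which identity may be used (the two arguments after `gpcall` are both NULL), so a comment at the call would make that dependency explicit, e.g. `/* no client handle: acquire default initiator creds; gp_add_krb5_creds() must enforce the per-service policy for this gpcall */`. It is also worth confirming that an unspecified `mech_type` is meant to fail the `gss_oid_equal()` test, since that case now ends in `GSS_S_NO_CRED` where the removed branch returned `GSS_S_CRED_UNAVAIL`. The enclosing function starts and ends outside the hunk.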
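Review bot: `gss_release_cred(&ret_min, &ich)` now runs on every path through `done:`, including the early `goto done` exits that may precede any assignment to `ich`, so it relies on `ich` being initialised at its declaration, which is outside this hunk. If that initialiser is not already there, the declaration should read `gss_cred_id_t ich = GSS_C_NO_CREDENTIAL;`. The call also releases a handle obtained from a client-supplied `cred_handle`, which looks intended but should be checked against how that handle is produced earlier in the function.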