From 7dad0bee30fbbde8cfc0eacd2d1487c198a004a1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 26 Dec 2013 19:05:34 -0500
Subject: Add rcache feature to gss_acquire_cred_from

The "rcache" cred store entry can specify a replay cache type and name
to be used with the credentials being acquired.

[ghudson@mit.edu: split up, simplified, and altered to fit preparatory
commits]

ticket: 7819 (new)
---
 src/lib/gssapi/krb5/acquire_cred.c | 48 +++++++++++++++++++++++++++-----------
 src/lib/gssapi/krb5/gssapiP_krb5.h |  1 +
 2 files changed, 36 insertions(+), 13 deletions(-)

(limited to 'src')

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index f625c0c136..5d680f9012 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -180,7 +180,8 @@ cleanup:
 
 static OM_uint32
 acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
-                    krb5_keytab req_keytab, krb5_gss_cred_id_rec *cred)
+                    krb5_keytab req_keytab, const char *rcname,
+                    krb5_gss_cred_id_rec *cred)
 {
     OM_uint32 major;
     krb5_error_code code;
@@ -189,6 +190,20 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
 
     assert(cred->keytab == NULL);
 
+    /* If we have an explicit rcache name, open it. */
+    if (rcname != NULL) {
+        code = krb5_rc_resolve_full(context, &rc, rcname);
+        if (code) {
+            major = GSS_S_FAILURE;
+            goto cleanup;
+        }
+        code = krb5_rc_recover_or_initialize(context, rc, context->clockskew);
+        if (code) {
+            major = GSS_S_FAILURE;
+            goto cleanup;
+        }
+    }
+
     if (req_keytab != NULL) {
         code = krb5_kt_dup(context, req_keytab, &kt);
     } else {
@@ -221,12 +236,14 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
             goto cleanup;
         }
 
-        /* Open the replay cache for this principal. */
-        code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
-                                      &rc);
-        if (code) {
-            major = GSS_S_FAILURE;
-            goto cleanup;
+        if (rc == NULL) {
+            /* Open the replay cache for this principal. */
+            code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+                                          &rc);
+            if (code) {
+                major = GSS_S_FAILURE;
+                goto cleanup;
+            }
         }
     } else {
         /* Make sure we have a keytab with keys in it. */
@@ -718,8 +735,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
                      gss_name_t desired_name, gss_buffer_t password,
                      OM_uint32 time_req, gss_cred_usage_t cred_usage,
                      krb5_ccache ccache, krb5_keytab client_keytab,
-                     krb5_keytab keytab, krb5_boolean iakerb,
-                     gss_cred_id_t *output_cred_handle,
+                     krb5_keytab keytab, const char *rcname,
+                     krb5_boolean iakerb, gss_cred_id_t *output_cred_handle,
                      OM_uint32 *time_rec)
 {
     krb5_gss_cred_id_t cred = NULL;
@@ -775,7 +792,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
      * in cred->name if desired_princ is specified.
      */
     if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
-        ret = acquire_accept_cred(context, minor_status, keytab, cred);
+        ret = acquire_accept_cred(context, minor_status, keytab, rcname, cred);
         if (ret != GSS_S_COMPLETE)
             goto error_out;
     }
@@ -867,7 +884,7 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name,
 
     ret = acquire_cred_context(context, minor_status, desired_name, password,
                                time_req, cred_usage, ccache, NULL, keytab,
-                               iakerb, output_cred_handle, time_rec);
+                               NULL, iakerb, output_cred_handle, time_rec);
 
 out:
     krb5_free_context(context);
@@ -1135,7 +1152,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
     krb5_keytab client_keytab = NULL;
     krb5_keytab keytab = NULL;
     krb5_ccache ccache = NULL;
-    const char *value;
+    const char *rcname, *value;
     OM_uint32 ret;
 
     code = gss_krb5int_initialize_library();
@@ -1191,9 +1208,14 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
         }
     }
 
+    ret = kg_value_from_cred_store(cred_store, KRB5_CS_RCACHE_URN, &rcname);
+    if (GSS_ERROR(ret))
+        goto out;
+
     ret = acquire_cred_context(context, minor_status, desired_name, NULL,
                                time_req, cred_usage, ccache, client_keytab,
-                               keytab, 0, output_cred_handle, time_rec);
+                               keytab, rcname, 0, output_cred_handle,
+                               time_rec);
 
 out:
     if (ccache != NULL)
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 01678168f0..8e4f6d9478 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1260,6 +1260,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)
 #define KRB5_CS_CLI_KEYTAB_URN "client_keytab"
 #define KRB5_CS_KEYTAB_URN "keytab"
 #define KRB5_CS_CCACHE_URN "ccache"
+#define KRB5_CS_RCACHE_URN "rcache"
 
 OM_uint32
 kg_value_from_cred_store(gss_const_key_value_set_t cred_store,
-- 
cgit