author | Simo Sorce <simo@redhat.com> | 2013-11-15 10:33:52 -0500 |
---|---|---|
committer | Günther Deschner <gdeschner@redhat.com> | 2013-11-19 14:34:47 +0100 |
commit | 556ea844a5783f9876ee748e1c686bb268f54e8a (patch) | |
tree | e21df0795873b1f5a77b6e82bc4d8d69dee99ee2 /proxy/src/gp_export.c | |
parent | b8901d1d20a5d0ef1a3118bfe5816e04c09e6cf5 (diff) | |
Fix continuations in context establishment calls
Properly support continuations, including returning the right error code
and exporting partial contexts.
Fixes multistep authentications in particular for the initialization case
which always uses continuations.
Resolves: https://fedorahosted.org/gss-proxy/ticket/108
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/src/gp_export.c')
-rw-r--r-- | proxy/src/gp_export.c | 33 |
1 files changed, 29 insertions, 4 deletions
diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c index 51dd686..3cd5148 100644 --- a/proxy/src/gp_export.c +++ b/proxy/src/gp_export.c @@ -390,6 +390,7 @@ done: #define LINUX_LUCID_V1 "linux_lucid_v1" enum exp_ctx_types { + EXP_CTX_PARTIAL = -1, /* cannot be specified by client */ EXP_CTX_DEFAULT = 0, EXP_CTX_LINUX_LUCID_V1 = 1, }; @@ -418,6 +419,11 @@ int gp_get_exported_context_type(struct gssx_call_ctx *ctx) return EXP_CTX_DEFAULT; } +int gp_get_continue_needed_type(void) +{ + return EXP_CTX_PARTIAL; +} + #define KRB5_CTX_FLAG_INITIATOR 0x00000001 #define KRB5_CTX_FLAG_CFX 0x00000002 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 @@ -513,7 +519,7 @@ done: } -uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, +uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech, gss_ctx_id_t *in, gssx_ctx *out) { uint32_t ret_maj; @@ -529,9 +535,6 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, int is_open; int ret; -/* TODO: For mechs that need multiple roundtrips to complete */ - /* out->state; */ - /* we do not need the client to release anything until we handle state */ out->needs_release = false; @@ -539,6 +542,11 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, &lifetime_rec, &mech_type, &ctx_flags, &is_locally_initiated, &is_open); if (ret_maj) { + if (type == EXP_CTX_PARTIAL) { + /* This may happen on partially established context, + * so just go on and put in what we can */ + goto export; + } goto done; } 
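Review bot: gp_get_continue_needed_type() is added without any comment saying when a caller is meant to use it, and the EXP_CTX_PARTIAL comment "cannot be specified by client" is an invariant the hunk does not itself enforce. I would put above the function: `/* Export type for a context whose establishment call returned GSS_S_CONTINUE_NEEDED. Never derive this from client input: EXP_CTX_PARTIAL (-1) is reserved for the proxy side. */`. Whether that invariant actually holds depends on gp_get_exported_context_type() never passing a client-chosen integer through; only its `return EXP_CTX_DEFAULT;` tail is visible in this hunk, so it is worth confirming that unknown values are rejected rather than returned as-is.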
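Review bot: In the `if (ret_maj)` branch after gss_inquire_context, the new `if (type == EXP_CTX_PARTIAL) goto export;` swallows every inquire failure, not only the one a mechanism returns for a not-yet-established context, and ret_maj/ret_min are then overwritten by the later export call, so the original cause is lost. Unless the inquire status for an incomplete context is known and can be matched specifically (it is not visible here), I would at least record it before jumping, e.g. `GPDEBUG("gss_inquire_context failed on partial context: %u/%u\n", ret_maj, ret_min);` or whatever logging helper the file uses. gp_export_ctx_id_to_gssx continues outside this hunk.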
@@ -571,9 +579,26 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, out->open = true; } +export: /* note: once converted the original context token is not usable anymore, * so this must be the last call to use it */ switch (type) { + case EXP_CTX_PARTIAL: + /* this happens only when a init_sec_context call returns a partially + * initialized context so we return only what we have, not much */ + ret = gp_conv_oid_to_gssx(mech, &out->mech); + if (ret) { + ret_maj = GSS_S_FAILURE; + ret_min = ret; + goto done; + } + + out->locally_initiated = true; + out->open = false; + + /* out->state; */ + + /* fall through */ case EXP_CTX_DEFAULT: ret_maj = gss_export_sec_context(&ret_min, in, &export_buffer); if (ret_maj) { |
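Review bot: The EXP_CTX_PARTIAL case hard-codes `out->locally_initiated = true;` while its own comment restricts the case to init_sec_context; if gp_get_continue_needed_type() is ever used from the accept_sec_context continuation path (the commit message says multistep authentication is fixed "in particular" for init, which suggests accept may follow), the client is told the wrong role for the context. Either pass the role in from the caller or document the initiator-only restriction where the type is handed out, and keep `/* out->state; */` tagged as a TODO rather than a bare commented-out statement, since the earlier hunk removed the only TODO text explaining it. Note also that `mech` is passed straight to gp_conv_oid_to_gssx with no GSS_C_NO_OID check; whether that helper tolerates a NULL OID is not visible here, and on the partial path mech is the only source of out->mech. Finally, RFC 2744 defines gss_export_sec_context for established contexts, so whether the fall-through export succeeds on a partial context is mechanism-specific; a failure there is at least reported through ret_maj, but that expectation deserves a comment above the `/* fall through */`. gp_export_ctx_id_to_gssx continues past the end of this hunk.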