author | Simo Sorce <simo@redhat.com> | 2013-11-16 17:01:24 -0500 |
---|---|---|
committer | Günther Deschner <gdeschner@redhat.com> | 2013-11-20 15:25:12 +0100 |
commit | 6a096c0a0a37d2fa9e0b03edce05929a7d98f390 (patch) | |
tree | 2615b4d416103a50e5c64abad4d1179103a2a6ba /proxy/src | |
parent | 32b1d5aa0497c4e3677b4575cc7e299590df5618 (diff) | |
config: Add code to source flag filters
2 New configuration options are made available:
- filter_flags
- enforce_flags
Any GSS Flags listed in the filter_flags option is forcibly filtered
out before a gss_init_sec_context() call is invoked.
Any GSS Flags listed in the enforce_flags option are forcibly added
to the list of flags requested by a gss_init_sec_context() call before it is
invoked.
Flags can be either literals or numeric and must be preceded by the
sign + (to add to the list) or - (to remove from the list).
Resolves: https://fedorahosted.org/gss-proxy/ticket/109
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/src')
-rw-r--r-- | proxy/src/gp_config.c | 88 | ||||
-rw-r--r-- | proxy/src/gp_proxy.h | 2 |
2 files changed, 90 insertions, 0 deletions
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index 8da291b..e21e70d 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -32,6 +32,27 @@
 #include "gp_config.h"
 #include "gp_selinux.h"
 
+#include <gssapi/gssapi.h>
+
+struct gp_flag_def {
+ const char *name;
+ uint32_t value;
+};
+
+struct gp_flag_def flag_names[] = {
+ { "DELEGATE", GSS_C_DELEG_FLAG },
+ { "MUTUAL_AUTH", GSS_C_MUTUAL_FLAG },
+ { "REPLAY_DETECT", GSS_C_REPLAY_FLAG },
+ { "SEQUENCE", GSS_C_SEQUENCE_FLAG },
+ { "CONFIDENTIALITY", GSS_C_CONF_FLAG },
+ { "INTEGRITIY", GSS_C_INTEG_FLAG },
+ { "ANONYMOUS", GSS_C_ANON_FLAG },
+ { NULL, 0 }
+};
+
+#define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
+#define DEFAULT_ENFORCED_FLAGS 0
+
 static void free_str_array(const char ***a, int *count)
 {
 const char **array;
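Review bot: The `INTEGRITIY` entry in the new flag_names table is misspelled, so a configuration that lists the intended `INTEGRITY` never matches the name table, falls through to the numeric parser, is logged as unrecognized and skipped — the administrator's integrity setting is dropped rather than applied. Change the entry to `{ "INTEGRITY", GSS_C_INTEG_FLAG },`. The table is also a mutable, non-static file-scope object; `static const struct gp_flag_def flag_names[] = {` keeps it out of the global namespace and in read-only storage. A one-line comment above the table noting that names are matched case-insensitively and that a numeric value is accepted in their place would document the syntax the config options expect.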
@@ -117,6 +138,60 @@ static int get_krb5_mech_cfg(struct gp_service *svc,
 return ret;
 }
 
+static int parse_flags(const char *value, uint32_t *storage)
+{
+ char *handle;
+ char *token;
+ char *str;
+ bool add;
+ unsigned long int conv;
+ uint32_t flagval;
+ int i;
+
+ str = strdup(value);
+ if (!str) {
+ return ENOMEM;
+ }
+
+ token = strtok_r(str, ", ", &handle);
+ for (token = strtok_r(str, ", ", &handle);
+ token != NULL;
+ token = strtok_r(NULL, ", ", &handle)) {
+ switch (token[0]) {
+ case '+':
+ add = true;
+ break;
+ case '-':
+ add = false;
+ break;
+ default:
+ GPERROR("Ignoring flag [%s], missing +/- qualifier.\n", token);
+ continue;
+ }
+ token++;
+ for (i = 0; flag_names[i].name != NULL; i++) {
+ if (strcasecmp(token, flag_names[i].name) == 0) {
+ flagval = flag_names[i].value;
+ break;
+ }
+ }
+ if (flag_names[i].name == NULL) {
+ conv = strtoul(token, &handle, 0);
+ if (conv == 0 || conv == ULONG_MAX || *handle != '\0') {
+ GPERROR("Ignoring flag [%s], unrecognized value.\n", token);
+ continue;
+ }
+ flagval = conv;
+ }
+ GPDEBUG("%s Flag %s (%u).\n", add?"Add":"Remove", token, flagval);
+ if (add) *storage |= flagval;
+ else *storage &= ~flagval;
+ }
+ safefree(str);
+
+ return 0;
+}
+
 static int setup_service_creds_handle(struct gp_service *svc)
 {
 uint32_t ret_maj, ret_min;
@@ -297,6 +372,19 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
 goto done;
 }
 }
+
+ cfg->svcs[n]->filter_flags = DEFAULT_FILTERED_FLAGS;
+ ret = gp_config_get_string(ctx, secname, "filter_flags", &value);
+ if (ret == 0) {
+ parse_flags(value, &cfg->svcs[n]->filter_flags);
+ }
+
+ cfg->svcs[n]->enforce_flags = DEFAULT_ENFORCED_FLAGS;
+ ret = gp_config_get_string(ctx, secname, "enforce_flags", &value);
+ if (ret == 0) {
+ ret = parse_flags(value, &cfg->svcs[n]->enforce_flags);
+ if (ret) goto done;
+ }
 }
 safefree(secname);
 }
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index 8390f5d..b6c64ae 100644
--- a/proxy/src/gp_proxy.h
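Review bot: parse_flags reuses `handle`, the strtok_r save pointer, as the strtoul end pointer in the numeric branch, so after a numeric token strtok_r resumes from wherever strtoul stopped: for a fully parsed number that is the token's terminating NUL, the next strtok_r call returns NULL and every flag listed after the number is silently dropped; for a partially parsed number the rest of that token is re-tokenized and logged as a bogus flag. Using a separate end pointer fixes this, and the same spot should reject values that do not fit the uint32_t storage (strtoul returns unsigned long) and detect ERANGE via errno instead of comparing with ULONG_MAX; `<errno.h>` is already in scope since the function returns ENOMEM. The `token = strtok_r(str, ", ", &handle);` before the for loop duplicates the loop initializer and can be dropped. A header comment stating the accepted syntax — comma- or space-separated tokens of the form `+NAME`, `-NAME` or `+0x..`, names matched case-insensitively, malformed tokens logged and skipped, only ENOMEM reported as an error — would tell load_services what it can rely on.
```c
    char *end;
    /* … unchanged: other declarations, strdup, tokenizing loop, name lookup … */
        if (flag_names[i].name == NULL) {
            errno = 0;
            conv = strtoul(token, &end, 0);
            if (end == token || *end != '\0' || errno == ERANGE ||
                conv == 0 || conv > UINT32_MAX) {
                GPERROR("Ignoring flag [%s], unrecognized value.\n", token);
                continue;
            }
            flagval = (uint32_t)conv;
        }
    /* … unchanged: debug message, apply flag, safefree, return … */
```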
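Review bot: The filter_flags call at the top of the added block in load_services discards the return value of parse_flags while the enforce_flags call a few lines below propagates it, so an ENOMEM from the strdup inside parse_flags is silently ignored for the filter and the service is left with only the default filter; make the two consistent: `ret = parse_flags(value, &cfg->svcs[n]->filter_flags);` followed by `if (ret) goto done;`. Whether the string returned through `value` by gp_config_get_string is owned by the caller is not visible in this hunk; if it is, the two new lookups leak it — confirm against the other gp_config_get_string uses in load_services. load_services starts and ends outside this hunk.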
+++ b/proxy/src/gp_proxy.h
@@ -57,6 +57,8 @@ struct gp_service {
 char *socket;
 SELINUX_CTX selinux_ctx;
 gss_cred_usage_t cred_usage;
+ uint32_t filter_flags;
+ uint32_t enforce_flags;
 uint32_t mechs;
 struct gp_cred_krb5 krb5; |