authorSimo Sorce <simo@redhat.com>2013-04-01 14:13:56 -0400
committerSimo Sorce <simo@redhat.com>2013-04-10 10:15:53 -0400
commit56a4c90094d23c89d35b61142a414f64f591da83 (patch)
tree80df9074bd7b84fe30e5511be866727e34951ded /proxy/src
parent2fa0fdc2c184d70bb45dad89f42e427d7813ca09 (diff)
Use new GSSAPI Credential Store API
This is the only thread-safe way to pass in arbitrary values for all the bits of environment we want to use when doing impersonation within gss-proxy. Requires MIT version 1.12 for the client_keytab part to be operational. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/src')
-rw-r--r--proxy/src/gp_creds.c71
1 files changed, 22 insertions, 49 deletions
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 43ab169..162caf6 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -270,15 +270,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
char *ccache_name = NULL;
char *client_keytab = NULL;
char *keytab_name = NULL;
- krb5_context kctx;
- krb5_principal principal = NULL;
- krb5_keytab keytab = NULL;
- krb5_ccache ccache = NULL;
- krb5_error_code kerr;
uint32_t ret_maj = 0;
uint32_t ret_min = 0;
uint32_t discard;
gss_name_t req_name = GSS_C_NO_NAME;
+ gss_OID_set_desc desired_mechs = { 1, &gp_mech_krb5 };
+ gss_key_value_element_desc cred_elems[3];
+ gss_key_value_set_desc cred_store;
+ int c;
if (!min || !output_cred_handle) {
return GSS_S_CALL_INACCESSIBLE_WRITE;
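Review bot: `gss_key_value_element_desc cred_elems[3];` is sized by a bare literal that has to stay in step with the number of `cred_elems[c]` assignments made further down in the function, and nothing at the declaration says which three entries are meant. A comment such as `/* at most: ccache, client_keytab, keytab */` beside the declaration, or a named constant used both here and as a bound on `c`, would make that coupling visible to whoever adds a fourth key later. The enclosing function gp_add_krb5_creds starts before this hunk.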
@@ -298,12 +297,6 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
return GSS_S_CRED_UNAVAIL;
}
- kerr = krb5_init_context(&kctx);
- if (kerr != 0) {
- *min = kerr;
- return GSS_S_FAILURE;
- }
-
if (cred_usage == GSS_C_ACCEPT && svc->krb5.keytab == NULL) {
ret_maj = GSS_S_CRED_UNAVAIL;
goto done;
@@ -317,45 +310,32 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
goto done;
}
- if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_INITIATE) {
- kerr = krb5_cc_resolve(kctx, ccache_name, &ccache);
- if (kerr) {
- ret_maj = GSS_S_FAILURE;
- ret_min = kerr;
- goto done;
- }
-
- /* FIXME: initiate ? */
+ cred_store.elements = cred_elems;
+ c = 0;
+ if (ccache_name) {
+ cred_elems[c].key = "ccache";
+ cred_elems[c].value = ccache_name;
+ c++;
+ }
+ if (client_keytab) {
+ cred_elems[c].key = "client_keytab";
+ cred_elems[c].value = client_keytab;
+ c++;
}
-
if (keytab_name) {
- kerr = krb5_kt_resolve(kctx, keytab_name, &keytab);
- if (kerr != 0) {
- ret_maj = GSS_S_FAILURE;
- ret_min = kerr;
- goto done;
- }
+ cred_elems[c].key = "keytab";
+ cred_elems[c].value = keytab_name;
+ c++;
}
+ cred_store.count = c;
- ret_maj = gss_krb5_import_cred(&ret_min,
- ccache, principal, keytab,
- output_cred_handle);
+ ret_maj = gss_acquire_cred_from(&ret_min, req_name, GSS_C_INDEFINITE,
+ &desired_mechs, cred_usage, &cred_store,
+ output_cred_handle, actual_mechs, NULL);
if (ret_maj) {
goto done;
}
- if (actual_mechs) {
- ret_maj = gss_create_empty_oid_set(&ret_min, actual_mechs);
- if (ret_maj) {
- goto done;
- }
- ret_maj = gss_add_oid_set_member(&ret_min,
- &gp_mech_krb5, actual_mechs);
- if (ret_maj) {
- goto done;
- }
- }
-
if (initiator_time_rec || acceptor_time_rec) {
ret_maj = gss_inquire_cred_by_mech(&ret_min,
*output_cred_handle,
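Review bot: The `client_keytab` element is handed to `gss_acquire_cred_from` with no indication of whether the runtime library understands it; the commit message notes it only works with MIT 1.12, and if an older library ignores unrecognised store keys rather than rejecting them, the keytab chosen for impersonation would silently fall back to the library default rather than failing closed. At minimum the push on the `client_keytab` branch deserves a why-comment, e.g. `/* honoured only by MIT krb5 >= 1.12; older libraries may silently use the default client keytab */`, and a build-time or startup check that the installed library accepts the key would turn that silent downgrade into an error. Note also that when none of ccache_name, client_keytab or keytab_name is set, `cred_store.count` is 0 and `elements` points at the uninitialised stack array, which is harmless for a zero count but worth a one-line comment since the array is never zero-initialised. The removed `/* FIXME: initiate ? */` is replaced by passing `req_name` straight into the acquire call; where req_name is set lies outside this hunk, so the initiate path's behaviour cannot be confirmed from here.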
@@ -379,13 +359,6 @@ done:
}
}
*min = ret_min;
- if (ccache) {
- krb5_cc_close(kctx, ccache);
- }
- if (keytab) {
- krb5_kt_close(kctx, keytab);
- }
- krb5_free_context(kctx);
return ret_maj;
}