| author | Simo Sorce <simo@redhat.com> | 2016-11-28 12:27:30 -0500 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2017-01-09 12:08:13 -0500 |
| commit | ab676cdc5d023858f45fec2b7a180d5a5a8f05cd (patch) | |
| tree | 641ee2a143fc19040ff8fc12359242b49174a972 /proxy/src | |
| parent | 4e968b12bd7b632b481fbaee30f5a022f28d8a9d (diff) | |
Add cred_store support for local calls.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Diffstat (limited to 'proxy/src')
| -rw-r--r-- | proxy/src/mechglue/gpp_acquire_cred.c | 73 | ||||
| -rw-r--r-- | proxy/src/mechglue/gpp_creds.c | 45 | ||||
| -rw-r--r-- | proxy/src/mechglue/gss_plugin.h | 33 |
3 files changed, 122 insertions, 29 deletions
diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
index faf5914..dade19c 100644
--- a/proxy/src/mechglue/gpp_acquire_cred.c
+++ b/proxy/src/mechglue/gpp_acquire_cred.c
@@ -8,6 +8,7 @@ static OM_uint32 acquire_local(OM_uint32 *minor_status,
 OM_uint32 time_req,
 const gss_OID_set desired_mechs,
 gss_cred_usage_t cred_usage,
+ gss_const_key_value_set_t cred_store,
 struct gpp_cred_handle *out_cred_handle,
 gss_OID_set *actual_mechs,
 OM_uint32 *time_rec)
@@ -43,14 +44,15 @@ static OM_uint32 acquire_local(OM_uint32 *minor_status,
 goto done;
 }
 
- maj = gss_acquire_cred(&min,
- name ? name->local : NULL,
- time_req,
- special_mechs,
- cred_usage,
- &out_cred_handle->local,
- actual_mechs,
- time_rec);
+ maj = gss_acquire_cred_from(&min,
+ name ? name->local : NULL,
+ time_req,
+ special_mechs,
+ cred_usage,
+ cred_store,
+ &out_cred_handle->local,
+ actual_mechs,
+ time_rec);
 
 done:
 *minor_status = min;
@@ -67,6 +69,21 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status,
 gss_OID_set *actual_mechs,
 OM_uint32 *time_rec)
 {
+ return gssi_acquire_cred_from(minor_status, desired_name, time_req,
+ desired_mechs, cred_usage, NULL,
+ output_cred_handle, actual_mechs, time_rec);
+}
+
+OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
+ const gss_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_const_key_value_set_t cred_store,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec)
+{
 enum gpp_behavior behavior;
 struct gpp_name_handle *name;
 struct gpp_cred_handle *out_cred_handle = NULL;
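Review bot: The new wrapper gssi_acquire_cred passes a bare `NULL` for the cred_store argument of gssi_acquire_cred_from, while the same file already spells GSS sentinels by name (`GSS_C_NO_OID_SET` appears in the gssi_add_cred_from hunk); the GSS-API name for an absent store is `GSS_C_NO_CRED_STORE`, and using it here makes the intent visible at the call site. The same bare `NULL` appears in the gssi_add_cred and gssi_store_cred wrappers and in both acquire_local calls inside gssi_acquire_cred_impersonate_name in the later hunks of this commit. The new public entry point gssi_acquire_cred_from also carries no comment; one line above it such as `/* Like gssi_acquire_cred, but forwards cred_store to the local mechanism; NULL means no store. */` would tell callers what the extra parameter does. The body of gssi_acquire_cred_from continues beyond this hunk.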
@@ -97,7 +114,7 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status,
 if (behavior == GPP_LOCAL_ONLY || behavior == GPP_LOCAL_FIRST) {
 
 maj = acquire_local(&min, NULL, name,
- time_req, desired_mechs, cred_usage,
+ time_req, desired_mechs, cred_usage, cred_store,
 out_cred_handle, actual_mechs, time_rec);
 
 if (maj == GSS_S_COMPLETE || behavior == GPP_LOCAL_ONLY) {
@@ -132,7 +149,7 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status,
 if (behavior == GPP_REMOTE_FIRST) {
 /* So remote failed, but we can fallback to local, try that */
 maj = acquire_local(&min, NULL, name,
- time_req, desired_mechs, cred_usage,
+ time_req, desired_mechs, cred_usage, cred_store,
 out_cred_handle, actual_mechs, time_rec);
 }
 
@@ -164,6 +181,26 @@ OM_uint32 gssi_add_cred(OM_uint32 *minor_status,
 OM_uint32 *initiator_time_rec,
 OM_uint32 *acceptor_time_rec)
 {
+ return gssi_add_cred_from(minor_status, input_cred_handle, desired_name,
+ desired_mech, cred_usage, initiator_time_req,
+ acceptor_time_req, NULL, output_cred_handle,
+ actual_mechs, initiator_time_rec,
+ acceptor_time_rec);
+}
+
+OM_uint32 gssi_add_cred_from(OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ const gss_name_t desired_name,
+ const gss_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ OM_uint32 initiator_time_req,
+ OM_uint32 acceptor_time_req,
+ gss_const_key_value_set_t cred_store,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *initiator_time_rec,
+ OM_uint32 *acceptor_time_rec)
+{
 gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
 OM_uint32 time_req, time_rec;
 OM_uint32 maj, min;
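Review bot: In the two gssi_acquire_cred_from hunks here cred_store is threaded only into the acquire_local calls; the remote branch that sits between them is outside the hunks, and the commit title suggests it still ignores the store, so a caller who passes a keytab or ccache and gets a remote credential back will silently have it disregarded. That asymmetry is worth stating next to the first local call, e.g. `/* cred_store is honored only when the credential is acquired locally; the remote path ignores it. */`. If the remote path was in fact changed as well (not visible here), the comment should say that instead. Both enclosing functions start and end outside these hunks.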
@@ -206,14 +243,9 @@ OM_uint32 gssi_add_cred(OM_uint32 *minor_status,
 time_req = 0;
 }
 
- maj = gssi_acquire_cred(minor_status,
- desired_name,
- time_req,
- desired_mechs,
- cred_usage,
- output_cred_handle,
- actual_mechs,
- &time_rec);
+ maj = gssi_acquire_cred_from(minor_status, desired_name, time_req,
+ desired_mechs, cred_usage, NULL,
+ output_cred_handle, actual_mechs, &time_rec);
 if (maj == GSS_S_COMPLETE) {
 if (acceptor_time_rec &&
 (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH)) {
@@ -375,7 +407,7 @@ OM_uint32 gssi_acquire_cred_impersonate_name(OM_uint32 *minor_status,
 if (behavior == GPP_LOCAL_ONLY || behavior == GPP_LOCAL_FIRST) {
 
 maj = acquire_local(&min, impersonator_cred_handle, name,
- time_req, desired_mechs, cred_usage,
+ time_req, desired_mechs, cred_usage, NULL,
 out_cred_handle, actual_mechs, time_rec);
 
 if (maj == GSS_S_COMPLETE || behavior == GPP_LOCAL_ONLY) {
@@ -412,7 +444,7 @@ OM_uint32 gssi_acquire_cred_impersonate_name(OM_uint32 *minor_status,
 if (behavior == GPP_REMOTE_FIRST) {
 /* So remote failed, but we can fallback to local, try that */
 maj = acquire_local(&min, impersonator_cred_handle, name,
- time_req, desired_mechs, cred_usage,
+ time_req, desired_mechs, cred_usage, NULL,
 out_cred_handle, actual_mechs, time_rec);
 }
 
@@ -431,4 +463,3 @@ done:
 *minor_status = gpp_map_error(min);
 return maj;
 }
-
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 31ad9d4..a0f28c2 100644
--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -6,7 +6,9 @@
 #define GPKRB_SRV_NAME "Encrypted/Credentials/v1@X-GSSPROXY:"
 #define GPKRB_MAX_CRED_SIZE 1024 * 512
 
-uint32_t gpp_store_remote_creds(uint32_t *min, gssx_cred *creds)
+uint32_t gpp_store_remote_creds(uint32_t *min,
+ gss_const_key_value_set_t cred_store,
+ gssx_cred *creds)
 {
 krb5_context ctx = NULL;
 krb5_ccache ccache = NULL;
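Review bot: gssi_add_cred_from never uses the cred_store it was given: the rewritten call in the first hunk here passes `NULL` to gssi_acquire_cred_from, so gssi_add_cred_from(..., cred_store, ...) behaves exactly like the old gssi_add_cred and a caller's keytab or ccache selection is dropped on this path. The middle argument line should read `desired_mechs, cred_usage, cred_store,`. gssi_add_cred_from's signature and the start of its body are in the previous hunk of this file, so the parameter is in scope at this call. The `NULL` arguments in the two gssi_acquire_cred_impersonate_name hunks are different: that function has no cred_store parameter, so those are correct as written.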
@@ -24,8 +26,20 @@ uint32_t gpp_store_remote_creds(uint32_t *min, gssx_cred *creds)
 ret = krb5_init_context(&ctx);
 if (ret) return ret;
 
- ret = krb5_cc_default(ctx, &ccache);
- if (ret) goto done;
+ if (cred_store) {
+ for (unsigned i = 0; i < cred_store->count; i++) {
+ if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
+ ret = krb5_cc_resolve(ctx, cred_store->elements[i].value,
+ &ccache);
+ if (ret) goto done;
+ break;
+ }
+ }
+ }
+ if (!ccache) {
+ ret = krb5_cc_default(ctx, &ccache);
+ if (ret) goto done;
+ }
 
 ret = krb5_parse_name(ctx,
 creds->desired_name.display_name.octet_string_val,
@@ -497,6 +511,21 @@ OM_uint32 gssi_store_cred(OM_uint32 *minor_status,
 gss_OID_set *elements_stored,
 gss_cred_usage_t *cred_usage_stored)
 {
+ return gssi_store_cred_into(minor_status, input_cred_handle, input_usage,
+ desired_mech, overwrite_cred, default_cred,
+ NULL, elements_stored, cred_usage_stored);
+}
+
+OM_uint32 gssi_store_cred_into(OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ gss_cred_usage_t input_usage,
+ const gss_OID desired_mech,
+ OM_uint32 overwrite_cred,
+ OM_uint32 default_cred,
+ gss_const_key_value_set_t cred_store,
+ gss_OID_set *elements_stored,
+ gss_cred_usage_t *cred_usage_stored)
+{
 struct gpp_cred_handle *cred = NULL;
 OM_uint32 maj, min;
 
@@ -509,14 +538,14 @@ OM_uint32 gssi_store_cred(OM_uint32 *minor_status,
 cred = (struct gpp_cred_handle *)input_cred_handle;
 
 if (cred->remote) {
- maj = gpp_store_remote_creds(&min, cred->remote);
+ maj = gpp_store_remote_creds(&min, cred_store, cred->remote);
 goto done;
 }
 
- maj = gss_store_cred(&min, cred->local, input_usage,
- gpp_special_mech(desired_mech),
- overwrite_cred, default_cred,
- elements_stored, cred_usage_stored);
+ maj = gss_store_cred_into(&min, cred->local, input_usage,
+ gpp_special_mech(desired_mech),
+ overwrite_cred, default_cred, cred_store,
+ elements_stored, cred_usage_stored);
 
 done:
 *minor_status = gpp_map_error(min);
 return maj;
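Review bot: The cred_store loop in gpp_store_remote_creds hands `cred_store->elements[i].value` to krb5_cc_resolve without checking it, and `strcmp` is applied to `.key` the same way; the key/value set arrives from the application through gss_store_cred_into, and if either field can be NULL in this mechglue (not shown here), both calls dereference it. A guard such as `if (cred_store->elements[i].key && cred_store->elements[i].value && strcmp(...) == 0)` keeps the lookup safe, with a `goto done` and a non-zero `ret` if a "ccache" entry has no value. Only the "ccache" key is honored on the remote path while gss_store_cred_into below receives the whole set, so every other key is silently ignored for proxied credentials; a comment on the loop, e.g. `/* Remote creds are always Kerberos; only "ccache" is meaningful here, other keys are ignored. */`, would make that explicit. The function's body starts and ends outside this hunk.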
diff --git a/proxy/src/mechglue/gss_plugin.h b/proxy/src/mechglue/gss_plugin.h
index d7ab0b4..ac491e6 100644
--- a/proxy/src/mechglue/gss_plugin.h
+++ b/proxy/src/mechglue/gss_plugin.h
@@ -81,6 +81,16 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status,
 gss_OID_set *actual_mechs,
 OM_uint32 *time_rec);
 
+OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
+ const gss_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_const_key_value_set_t cred_store,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec);
+
 OM_uint32 gssi_add_cred(OM_uint32 *minor_status,
 const gss_cred_id_t input_cred_handle,
 const gss_name_t desired_name,
@@ -93,6 +103,19 @@ OM_uint32 gssi_add_cred(OM_uint32 *minor_status,
 OM_uint32 *initiator_time_rec,
 OM_uint32 *acceptor_time_rec);
 
+OM_uint32 gssi_add_cred_from(OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ const gss_name_t desired_name,
+ const gss_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ OM_uint32 initiator_time_req,
+ OM_uint32 acceptor_time_req,
+ gss_const_key_value_set_t cred_store,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *initiator_time_rec,
+ OM_uint32 *acceptor_time_rec);
+
 OM_uint32 gssi_acquire_cred_with_password(OM_uint32 *minor_status,
 const gss_name_t desired_name,
 const gss_buffer_t password,
@@ -153,6 +176,16 @@ OM_uint32 gssi_store_cred(OM_uint32 *minor_status,
 gss_OID_set *elements_stored,
 gss_cred_usage_t *cred_usage_stored);
 
+OM_uint32 gssi_store_cred_into(OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ gss_cred_usage_t input_usage,
+ const gss_OID desired_mech,
+ OM_uint32 overwrite_cred,
+ OM_uint32 default_cred,
+ gss_const_key_value_set_t cred_store,
+ gss_OID_set *elements_stored,
+ gss_cred_usage_t *cred_usage_stored);
+
 OM_uint32 gssi_release_cred(OM_uint32 *minor_status,
 gss_cred_id_t *cred_handle);
|
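Review bot: The three new prototypes are declared with no comment, and the header is the place where a mechglue consumer would look for the contract of the cred_store parameter: whether it may be absent, and that the non-_from/_into names are now thin wrappers that pass no store. A one-line comment above gssi_acquire_cred_from, repeated for gssi_add_cred_from and gssi_store_cred_into, such as `/* cred_store may be GSS_C_NO_CRED_STORE; gssi_acquire_cred is this call with no store. */`, covers that without restating the signature. Which keys the proxy honors for remotely held credentials is decided in gpp_creds.c rather than here, so the header comment should point there instead of listing keys.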
