Diffstat (limited to 'proxy')
-rw-r--r-- | proxy/BUILD.txt | 17 | ||||
-rw-r--r-- | proxy/src/gp_creds.c | 71 |
2 files changed, 38 insertions, 50 deletions
diff --git a/proxy/BUILD.txt b/proxy/BUILD.txt
index a833217..10a727b 100644
--- a/proxy/BUILD.txt
+++ b/proxy/BUILD.txt
@@ -12,7 +12,7 @@ In order to build gss-proxy the following development packages are needed:
     doxygen
     findutils
     gettext-devel
-    iniparser-devel
+    iniparser-devel or libini_config-devel (preferred)
     keyutils-libs-devel
     krb5-devel
     libselinux-devel
@@ -23,3 +23,18 @@ In order to build gss-proxy the following development packages are needed:
     m4
     pkgconfig
     popt-devel
+
+NOTE:
+The minimum supported Kerberos version is MIT Kerberos 1.11.2 as it includes
+[1] and [2]
+The keytab initiation feature where Gss-Proxy acquires crdentials on behalf
+of clients using a ketab will only be available in MIT in 1.12
+This patch [3] can be used to backport the feature in 1.11.2, this new feature
+simply allows combining two [4][5] features introduced in MIT 1.11
+
+[1] http://k5wiki.kerberos.org/wiki/Projects/Interposer_Mechanism
+[2] https://github.com/krb5/krb5/commit/36c76aa3c625afc9291b9e1df071db51ccf37dab
+[3] https://github.com/krb5/krb5/commit/38cc076579888695a5820ceb44fe43020f5b61e1
+[4] http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
+[5] http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
+
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 43ab169..162caf6 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -270,15 +270,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
     char *ccache_name = NULL;
     char *client_keytab = NULL;
     char *keytab_name = NULL;
-    krb5_context kctx;
-    krb5_principal principal = NULL;
-    krb5_keytab keytab = NULL;
-    krb5_ccache ccache = NULL;
-    krb5_error_code kerr;
     uint32_t ret_maj = 0;
     uint32_t ret_min = 0;
     uint32_t discard;
     gss_name_t req_name = GSS_C_NO_NAME;
+    gss_OID_set_desc desired_mechs = { 1, &gp_mech_krb5 };
+    gss_key_value_element_desc cred_elems[3];
+    gss_key_value_set_desc cred_store;
+    int c;
 
     if (!min || !output_cred_handle) {
         return GSS_S_CALL_INACCESSIBLE_WRITE;
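Review bot: The capacity of `cred_elems[3]` in the gp_creds.c declaration hunk is silently tied to the three keys ("ccache", "client_keytab", "keytab") that a later hunk fills in, and nothing at the declaration says so; a comment such as `/* room for ccache, client_keytab and keytab entries */`, or an enum constant used both as the array size and as a bound on the fill loop, would keep the two from drifting apart if another store key is added. `int c` is later copied into `cred_store.count`, which is an unsigned count in the GSS key/value API, so declaring it with that type avoids a sign-converting assignment and lets `-Wconversion` stay clean. The body of gp_add_krb5_creds starts before this hunk and continues past it.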
@@ -298,12 +297,6 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
         return GSS_S_CRED_UNAVAIL;
     }
 
-    kerr = krb5_init_context(&kctx);
-    if (kerr != 0) {
-        *min = kerr;
-        return GSS_S_FAILURE;
-    }
-
     if (cred_usage == GSS_C_ACCEPT && svc->krb5.keytab == NULL) {
         ret_maj = GSS_S_CRED_UNAVAIL;
         goto done;
@@ -317,45 +310,32 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
         goto done;
     }
 
-    if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_INITIATE) {
-        kerr = krb5_cc_resolve(kctx, ccache_name, &ccache);
-        if (kerr) {
-            ret_maj = GSS_S_FAILURE;
-            ret_min = kerr;
-            goto done;
-        }
-
-        /* FIXME: initiate ? */
+    cred_store.elements = cred_elems;
+    c = 0;
+    if (ccache_name) {
+        cred_elems[c].key = "ccache";
+        cred_elems[c].value = ccache_name;
+        c++;
+    }
+    if (client_keytab) {
+        cred_elems[c].key = "client_keytab";
+        cred_elems[c].value = client_keytab;
+        c++;
     }
-
     if (keytab_name) {
-        kerr = krb5_kt_resolve(kctx, keytab_name, &keytab);
-        if (kerr != 0) {
-            ret_maj = GSS_S_FAILURE;
-            ret_min = kerr;
-            goto done;
-        }
+        cred_elems[c].key = "keytab";
+        cred_elems[c].value = keytab_name;
+        c++;
     }
+    cred_store.count = c;
 
-    ret_maj = gss_krb5_import_cred(&ret_min,
-                                   ccache, principal, keytab,
-                                   output_cred_handle);
+    ret_maj = gss_acquire_cred_from(&ret_min, req_name, GSS_C_INDEFINITE,
+                                    &desired_mechs, cred_usage, &cred_store,
+                                    output_cred_handle, actual_mechs, NULL);
     if (ret_maj) {
         goto done;
     }
 
-    if (actual_mechs) {
-        ret_maj = gss_create_empty_oid_set(&ret_min, actual_mechs);
-        if (ret_maj) {
-            goto done;
-        }
-        ret_maj = gss_add_oid_set_member(&ret_min,
-                                         &gp_mech_krb5, actual_mechs);
-        if (ret_maj) {
-            goto done;
-        }
-    }
-
     if (initiator_time_rec || acceptor_time_rec) {
         ret_maj = gss_inquire_cred_by_mech(&ret_min,
                                            *output_cred_handle,
@@ -379,13 +359,6 @@ done:
         }
     }
     *min = ret_min;
-    if (ccache) {
-        krb5_cc_close(kctx, ccache);
-    }
-    if (keytab) {
-        krb5_kt_close(kctx, keytab);
-    }
-    krb5_free_context(kctx);
     return ret_maj;
 }
 
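Review bot: In the `@@ -317,45 +310,32 @@` hunk, when none of ccache_name, client_keytab and keytab_name is set, `cred_store.count` ends up 0 and `gss_acquire_cred_from` is invoked with an empty store, which lets the mechanism fall back to the process's default credential store instead of failing the way the removed `krb5_cc_resolve`/`krb5_kt_resolve` path did on an unresolvable name. The lines between this hunk and the previous one (outside the diff) may already guarantee at least one name per service entry; if they do not, a guard before the call, `if (c == 0) { ret_maj = GSS_S_CRED_UNAVAIL; goto done; }`, keeps a misconfigured service from being handed the proxy's own default credentials. Dropping the `GSS_C_BOTH || GSS_C_INITIATE` condition also means a ccache entry is now passed for accept-only usage whenever ccache_name is set; that looks harmless but deserves a one-line comment at `cred_store.elements = cred_elems;` saying the store is built from whatever names are configured and the usage flag decides what is used. gp_add_krb5_creds begins before the first hunk shown here.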