| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Fix a 4 coverity issues, ranging from memory leaks, to uninitialized
variables, to potential NULL derefernce.
Also a TOCTOU report that is in one of the accessory test scripts.
The bug itself is not reallya TOCTOU, but the check done in the script is
unecessary, so I just removed it.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
We first need to fix our tests and implementation.
Temporary workaround for:
https://fedorahosted.org/gss-proxy/ticket/81
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
We do not want to generate an exported name buffer.
Let's the mechglue code in MIT generate it for use from the display name.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Only LOCAL_ONLY,LOCAL_FIRST and REMOTE_FIRST allowed.
REMOTE_ONLY is recognized but configure aborts as long as it is not supported.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Always use remote name by default, otherwise canonicalization will loose
information about the original name, for example it will convert names of
the special type GSS_C_NT_STRING_UID_NAME or GSS_NT_MACHINE_UID_NAME in a
non reversible way and the proxy will not be a le to use them as intended
(for impersonation by trusted services).
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
| |
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
Still a couple resource leaks after the last Coverity scan
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
When using remote credentials, intercept set_cred_option calls and
register an option into the existing set of crdentials with the
request to set allowed entypes at the first use of said crdentials.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The krb5 mechanism supports multiple oids for historical reasons.
Add a function to generically check if a mech oid is any of the krb5
mechanism known oids for functions that do not care which exact oid is
being used of the krb5 family.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
| |
|
|
|
| |
We need to do the wrapping in order to get back an actual local context.
Otherwise we get back an interposed context from gssapi.
|
| |
|
|
| |
Wrap the token in a helper function so that the code can be reused elsewhere.
|
| |
|
|
|
|
| |
lifetime is alredy returned as remaining seconds of lifetime.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
Use spmech->length as we are replacing the original oid with spmech.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
This is enabled via --with-gssidebug.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The variable _GSSPROXY_LOOPS has been changed in favor of GSS_USE_PROXY. From
now on, applications needs to explicitly enable the usage of the gssproxy
interposer inception.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Use the new spi call in order to be able to properly implement
a context locally.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The mechglue stores a map of errors/mech oids, this means that we should never
return the same error we got from a mechanism after re-entering the mechglue as
we then may get the mechglue confused and prevent us from asking an interposed
mech for the error. Also we want to try to aqvoid collisions from errors
returned from the proxy, as they could end up fetching errors from the wrong
mechanism.
For now just make a very simple mapping by always adding a special error base.
|
| |
|
|
|
|
|
|
| |
When the interposer wants to call the mechglue and have it call a real
mechanism it does so by providing a speecial mechanism oid.
This is an oid composed of the procy plugin oid and the real mechanism oid
that the mechglue transforms back into a real OID before selecting the
appropriate mechanism.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
For now return fixed list of mechanisms.
Later on we can try to fetch this list from the proxy.
Also split RPC client code from actual plugin
|
| |
|
|
|
|
|
| |
Make space for the actual mechglue plugin interface. The mechglue interface
will use the client library to communicate with the gss-proxy but will
reimplement all GSSAPI SPI as wrappers in order to properly handle fallbacks to
local mechanism and other input/output transformations.
|
| | |
|
| |
|
|
|
|
|
| |
This is to allow gss_display_status to return a meaningful error if
there is an internal client error as opposed to a returned proxy server
error. If we do not do this a call to gpm_display_status() after a failure
would return a NULL string and give no clue about the error.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Fix some assumptions in gpm_display_status and make it clearly state
no error is available, when we do not have one. This is so that the plugin
code later on will know when to properly fall back to ask to the local
provider.
|
