| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Avoid duplicating the same helper functions everywhere.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
|
|
|
|
|
|
|
|
|
| |
In this case we want to prefer sourcing the "acceptor" credentials from
a keytab if available, as that's what applications expect if they have
no credentials.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
|
|
|
|
|
|
|
|
| |
This will allow to (ab)use the krb5 ccache to store encrypted
credentials in the user's ccache for later reuse.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
|
|
|
|
|
|
|
|
| |
This is used by a client that wants to peform a s4u2self operation
using its server credentials.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
|
|
|
|
|
|
|
| |
Use it in gp_export.c where the code is duplicate already.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwoood <rharwood@redhat.com>
|
|
|
|
|
|
|
| |
Print everything, except octet string buffers which are truncated.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
|
|
|
|
|
| |
Print only messages that are at that level or lower.
Also add timestamps to debug messages.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc5 changed the default standard; in order to support older platforms,
specify our target explicitly. Setting the C stanndard to c99 doesn't
work (it really does need to be a gnu standard), and there is not yet an
autoconf macro for C11 support.
See also: https://gcc.gnu.org/gcc-5/changes.html
See also: https://www.gnu.org/software/autoconf/manual/autoconf-2.64/html_node/C-Compiler.html
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
Remove dead code, and set length only if allocation was successful.
Also resolve valgrind complaints about uninitialized memory.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
|
|
|
|
| |
This could lead to a free() being called on a constant, and that wuld be bad.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
|
|
|
|
| |
Clean the generated file not the source file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This resolves a segfault appearing on ARM.
Ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1235902
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Also, cause all failures on accessing this interface to exit GSS-Proxy similar
to config file errors.
Ticket: https://fedorahosted.org/gss-proxy/ticket/126
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/gss-proxy/ticket/152
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
The common send/recv functions where zeroing the ret variable only
once causing a loop if EINTR as actually ever set.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
For sockets, we will only reinitialize those that have changed. Additionally,
the old text about SIGHUP behavior was incorrect.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Ticket: https://fedorahosted.org/gss-proxy/ticket/125
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Not being able to do this is a relic of a previous design.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
As per gssproxy.conf(5), setting allow_any_uid without also setting socket or
selinux_context is known to cause problems.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Option '-C|--configdir' has been added, and defaults to /etc/gssproxy. File
"gssproxy.conf" and all files of the form "##-foo.conf" will be read from that
directory.
Ticket: https://fedorahosted.org/gss-proxy/ticket/122
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
A handful of parameter name differences (`key` vs. `keyname`) have been
tweaked but the function bodies are otherwise unchanged.
Signed-off-by: Robbie Harwood (frozencemetery) <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Fixes: https://fedorahosted.org/gss-proxy/ticket/151
Signed-off-by: Robbie Harwood (frozencemetery) <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Moving out of /var/tmp allows for improved separation with selinux and fixes
an AVC denial.
Signed-off-by: Robbie Harwood (frozencemetery) <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/gss-proxy/ticket/145
Ticket: https://fedorahosted.org/gss-proxy/ticket/130
Closes #1
|
|
|
|
|
|
|
|
|
| |
Update BUILD.txt, including package requirements for tests
Fixes: https://fedorahosted.org/gss-proxy/ticket/148
Signed-off-by: Roland Mainz <rmainz@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This library already does not support some features we need and
we want to drop its usage as the code quality is bad.
Fixes: https://fedorahosted.org/gss-proxy/ticket/139
Signed-off-by: Roland Mainz <rmainz@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Remove -fno-strict-aliasing (this is not required because gssproxy is
mostly a good ISO C99/C11 citizen) and replace it with
-Werror=strict-aliasing to ensure that if *anything* creeps up the
build will just fail (this requires in gcc4.x's case the use of
-fstrict-aliasing, too).
Signed-off-by: Roland Mainz <rmainz@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Fixes: https://fedorahosted.org/gss-proxy/ticket/138
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a previous call has decided to use only local (to the process)
credentials, then we need to override all the way to the end.
A previous patch also swapped the order in which credential handler
and context handler are initialized, make sure also to swap the
fallback checks.
Set the behavior to the process default only if it wasn't forced to
local.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gssx_ctx is released in case of error. After the latest changes,
the old ctx is always replaced to new one and output argument is set.
Although it would not be used because return code would not be success
it's safer to set NULL to the pointer and avoid warnings from static analyzers.
src/client/gpm_init_sec_context.c:108:
alias: Assigning: "ctx" = "res->context_handle".
Now both point to the same storage.
src/client/gpm_init_sec_context.c:156: freed_arg: "free" frees "ctx".
src/client/gpm_init_sec_context.c:173: use_after_free: Using freed pointer "ctx".
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Functions implemented in gp_util.c have prototypes in header file
gp_common.h, but it was not included. This patch prevent potential
conflicts between ptototype and definition of function.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Error: UNUSED_VALUE
src/gp_rpc_import_and_canon_name.c:87:
value_overwrite: Overwriting previous write to "ret" with value
from "gp_conv_status_to_gssx(&icna->call_ctx, ret_maj, ret_min, mech,
&icnr->status)".
src/gp_rpc_import_and_canon_name.c:52:
assigned_value: Assigning value "22" to "ret" here, but that stored
value is overwritten before it can be used.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The kernel makes no use of this data, and ita causes allocation issues
in some cases with waste of space on the kernel side.
Fixes: https://fedorahosted.org/gss-proxy/ticket/129
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On error we need to make sure we do not return a pointer to a
security context that may have been already freed.
So make sure to always unconditionally return the context that we've
been returned by our callees.
Also reorganize the code so we do not accidently wipe the context
and leak memoy on error.
This fixed a double-free bug found by NFS folks @ Red Hat
Fixes: https://fedorahosted.org/gss-proxy/ticket/137
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
|