authorNalin Dahyabhai <nalin@redhat.com>2013-03-28 16:13:41 -0400
committerNalin Dahyabhai <nalin@redhat.com>2013-03-28 16:13:41 -0400
commit7b92138ee85cc0a47a8e138cc14fb10cd9bf541c (patch)
treeb5e682ddd97d5ae6d75309810e5d3f7cd4abe76b
parent30e39857ae7e692cc6c2113a4ca704217dd77d0d (diff)
teach gss_acquire_cred_from() about "client_keytab"krb5-1.11.1-6.fc20krb5-1.11.1-6.fc19
- pull in Simo's patch to recognize "client_keytab" as a key type which can be passed in to gss_acquire_cred_from()
-rw-r--r--krb5-1.11-gss-client-keytab.patch131
-rw-r--r--krb5.spec4
2 files changed, 135 insertions, 0 deletions
diff --git a/krb5-1.11-gss-client-keytab.patch b/krb5-1.11-gss-client-keytab.patch
new file mode 100644
index 0000000..3c1e964
--- /dev/null
+++ b/krb5-1.11-gss-client-keytab.patch
@@ -0,0 +1,131 @@
+Originally http://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?h=gss_cs&id=a3b9bf20df1d976775ed929d8cb5f4844e03b1bf
+
+commit a3b9bf20df1d976775ed929d8cb5f4844e03b1bf
+Author: Simo Sorce <simo@redhat.com>
+Date: Thu Mar 28 12:53:01 2013 -0400
+
+ Add support for client keytab from cred store
+
+ The new credential store extensions added support for specifying a
+ specific ccache name and also a specific keytab to be used for accepting
+ security contexts, but did not add a way to specify a client keytab
+ to be used in conjunction with the Keytab initiation support added also
+ in 1.11
+
+ This patch introduces a new URN named client_keytab through which a
+ specific client_keytab can be set when calling gss_acquire_cred_from()
+ and Keytab Initiation will use that keytab to initialize credentials.
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index 4d499e4..8540bf3 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -636,6 +636,7 @@ acquire_init_cred(krb5_context context,
+ OM_uint32 *minor_status,
+ krb5_ccache req_ccache,
+ gss_buffer_t password,
++ krb5_keytab client_keytab,
+ krb5_gss_cred_id_rec *cred)
+ {
+ krb5_error_code code;
+@@ -659,9 +660,13 @@ acquire_init_cred(krb5_context context,
+ goto error;
+ }
+
+- code = krb5_kt_client_default(context, &cred->client_keytab);
+- if (code)
+- goto error;
++ if (client_keytab != NULL)
++ cred->client_keytab = client_keytab;
++ else {
++ code = krb5_kt_client_default(context, &cred->client_keytab);
++ if (code)
++ goto error;
++ }
+
+ if (password != GSS_C_NO_BUFFER) {
+ pwdata = make_data(password->value, password->length);
+@@ -719,8 +724,9 @@ static OM_uint32
+ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
+ gss_name_t desired_name, gss_buffer_t password,
+ OM_uint32 time_req, gss_cred_usage_t cred_usage,
+- krb5_ccache ccache, krb5_keytab keytab,
+- krb5_boolean iakerb, gss_cred_id_t *output_cred_handle,
++ krb5_ccache ccache, krb5_keytab client_keytab,
++ krb5_keytab keytab, krb5_boolean iakerb,
++ gss_cred_id_t *output_cred_handle,
+ OM_uint32 *time_rec)
+ {
+ krb5_gss_cred_id_t cred = NULL;
+@@ -787,7 +793,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
+ * in cred->name if it wasn't set above.
+ */
+ if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
+- ret = acquire_init_cred(context, minor_status, ccache, password, cred);
++ ret = acquire_init_cred(context, minor_status, ccache, password,
++ client_keytab, cred);
+ if (ret != GSS_S_COMPLETE)
+ goto error_out;
+ }
+@@ -864,8 +871,8 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name,
+ }
+
+ ret = acquire_cred_context(context, minor_status, desired_name, password,
+- time_req, cred_usage, ccache, keytab, iakerb,
+- output_cred_handle, time_rec);
++ time_req, cred_usage, ccache, NULL, keytab,
++ iakerb, output_cred_handle, time_rec);
+
+ out:
+ krb5_free_context(context);
+@@ -1130,6 +1137,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
+ {
+ krb5_context context = NULL;
+ krb5_error_code code = 0;
++ krb5_keytab client_keytab = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_ccache ccache = NULL;
+ const char *value;
+@@ -1162,6 +1170,19 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
+ }
+ }
+
++ ret = kg_value_from_cred_store(cred_store, KRB5_CS_CLI_KEYTAB_URN, &value);
++ if (GSS_ERROR(ret))
++ goto out;
++
++ if (value) {
++ code = krb5_kt_resolve(context, value, &client_keytab);
++ if (code != 0) {
++ *minor_status = code;
++ ret = GSS_S_CRED_UNAVAIL;
++ goto out;
++ }
++ }
++
+ ret = kg_value_from_cred_store(cred_store, KRB5_CS_KEYTAB_URN, &value);
+ if (GSS_ERROR(ret))
+ goto out;
+@@ -1176,8 +1197,8 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
+ }
+
+ ret = acquire_cred_context(context, minor_status, desired_name, NULL,
+- time_req, cred_usage, ccache, keytab, 0,
+- output_cred_handle, time_rec);
++ time_req, cred_usage, ccache, client_keytab,
++ keytab, 0, output_cred_handle, time_rec);
+
+ out:
+ if (ccache != NULL)
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 8215b10..310ff58 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -1227,6 +1227,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)
+
+ /* Credential store extensions */
+
++#define KRB5_CS_CLI_KEYTAB_URN "client_keytab"
+ #define KRB5_CS_KEYTAB_URN "keytab"
+ #define KRB5_CS_CCACHE_URN "ccache"
+
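Review bot: The new `if (client_keytab != NULL)` branch in acquire_init_cred stores the caller's keytab handle straight into `cred->client_keytab`, while that handle is resolved by krb5_gss_acquire_cred_from with krb5_kt_resolve and so is owned there; the hunk leaves ownership ambiguous, because if the `out:` block closes `client_keytab` the way it closes `ccache`, the credential ends up holding a dangling keytab handle, and if it does not, the handle leaks on every path where acquire_init_cred is never reached (accept-only usage, or the `goto out` taken when the KRB5_CS_KEYTAB_URN lookup fails right after the resolve). Giving the cred its own reference with krb5_kt_dup, and having krb5_gss_acquire_cred_from always release its local in `out:` with `if (client_keytab != NULL) krb5_kt_close(context, client_keytab);`, makes the lifetime the same on success and on every error path. Both acquire_init_cred and krb5_gss_acquire_cred_from start and end outside the hunk, so the remainder of the `out:` cleanup is not visible here and this is inferred from the lines shown.

```c
    if (client_keytab != NULL)
        code = krb5_kt_dup(context, client_keytab, &cred->client_keytab);
    else
        code = krb5_kt_client_default(context, &cred->client_keytab);
    if (code)
        goto error;
    /* … unchanged: password handling and the rest of acquire_init_cred … */
```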
diff --git a/krb5.spec b/krb5.spec
index b3a5dac..928d119 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -76,6 +76,7 @@ Patch113: krb5-1.11-alpha1-init.patch
Patch114: krb5-lookup_etypes-leak.patch
Patch115: krb5-1.11.1-interposers.patch
Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch
+Patch117: krb5-1.11-gss-client-keytab.patch
Patch201: 0001-add-libk5radius.patch
Patch202: 0002-Add-internal-KDC_DIR-macro.patch
@@ -294,6 +295,7 @@ ln -s NOTICE LICENSE
%patch114 -p1 -b .lookup_etypes-leak
%patch115 -p1 -b .interposers
%patch116 -p1 -b .aarch64
+%patch117 -p1 -b .gss-client-keytab
%patch201 -p1 -b .add-libk5radius
%patch202 -p1 -b .add-internal-kdc_dir
@@ -819,6 +821,8 @@ exit 0
since that's what the libraries actually look for
- add buildrequires on nss-myhostname, in an attempt to get more of the tests
to run properly during builds
+- pull in Simo's patch to recognize "client_keytab" as a key type which can
+ be passed in to gss_acquire_cred_from()
* Tue Mar 26 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.1-5
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI