diff options
author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-01-21 18:31:27 -0500 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-01-21 18:31:27 -0500 |
commit | e4496aca6bc180c7dbb19b1dd495cb9c1bdba261 (patch) | |
tree | 5247efac6847fc5d6ae13f361968c1f435754d2f /krb5-1.11-rcache-acquirecred-source.patch | |
parent | 1965ae5f262039a396e4e91c235e77695009b557 (diff) | |
download | krb5-e4496aca6bc180c7dbb19b1dd495cb9c1bdba261.tar.gz krb5-e4496aca6bc180c7dbb19b1dd495cb9c1bdba261.tar.xz krb5-e4496aca6bc180c7dbb19b1dd495cb9c1bdba261.zip |
Backport changes to allow "rcache" credstores
- pull in and backport multiple changes to allow replay caches to be
added to a GSS credential store as "rcache"-type credentials
(RT#7818/#7819/#7836, #1056078/#1056080)
Diffstat (limited to 'krb5-1.11-rcache-acquirecred-source.patch')
-rw-r--r-- | krb5-1.11-rcache-acquirecred-source.patch | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/krb5-1.11-rcache-acquirecred-source.patch b/krb5-1.11-rcache-acquirecred-source.patch new file mode 100644 index 0000000..d67d5c7 --- /dev/null +++ b/krb5-1.11-rcache-acquirecred-source.patch @@ -0,0 +1,138 @@ +Adapted. + +commit 7dad0bee30fbbde8cfc0eacd2d1487c198a004a1 +Author: Simo Sorce <simo@redhat.com> +Date: Thu Dec 26 19:05:34 2013 -0500 + + Add rcache feature to gss_acquire_cred_from + + The "rcache" cred store entry can specify a replay cache type and name + to be used with the credentials being acquired. + + [ghudson@mit.edu: split up, simplified, and altered to fit preparatory + commits] + + ticket: 7819 (new) + +diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c +index f625c0c..5d680f9 100644 +--- a/src/lib/gssapi/krb5/acquire_cred.c ++++ b/src/lib/gssapi/krb5/acquire_cred.c +@@ -180,7 +180,8 @@ cleanup: + + static OM_uint32 + acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, +- krb5_keytab req_keytab, krb5_gss_cred_id_rec *cred) ++ krb5_keytab req_keytab, const char *rcname, ++ krb5_gss_cred_id_rec *cred) + { + OM_uint32 major; + krb5_error_code code; +@@ -189,6 +190,20 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, + + assert(cred->keytab == NULL); + ++ /* If we have an explicit rcache name, open it. */ ++ if (rcname != NULL) { ++ code = krb5_rc_resolve_full(context, &rc, rcname); ++ if (code) { ++ major = GSS_S_FAILURE; ++ goto cleanup; ++ } ++ code = krb5_rc_recover_or_initialize(context, rc, context->clockskew); ++ if (code) { ++ major = GSS_S_FAILURE; ++ goto cleanup; ++ } ++ } ++ + if (req_keytab != NULL) { + char ktname[BUFSIZ]; + +@@ -221,12 +236,14 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, + goto cleanup; + } + +- /* Open the replay cache for this principal. */ +- code = krb5_get_server_rcache(context, &cred->name->princ->data[0], +- &rc); +- if (code) { +- major = GSS_S_FAILURE; +- goto cleanup; ++ if (rc == NULL) { ++ /* Open the replay cache for this principal. */ ++ code = krb5_get_server_rcache(context, &cred->name->princ->data[0], ++ &rc); ++ if (code) { ++ major = GSS_S_FAILURE; ++ goto cleanup; ++ } + } + } else { + /* Make sure we have a keytab with keys in it. */ +@@ -718,8 +735,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, + gss_name_t desired_name, gss_buffer_t password, + OM_uint32 time_req, gss_cred_usage_t cred_usage, + krb5_ccache ccache, krb5_keytab client_keytab, +- krb5_keytab keytab, krb5_boolean iakerb, +- gss_cred_id_t *output_cred_handle, ++ krb5_keytab keytab, const char *rcname, ++ krb5_boolean iakerb, gss_cred_id_t *output_cred_handle, + OM_uint32 *time_rec) + { + krb5_gss_cred_id_t cred = NULL; +@@ -775,7 +792,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, + * in cred->name if desired_princ is specified. + */ + if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { +- ret = acquire_accept_cred(context, minor_status, keytab, cred); ++ ret = acquire_accept_cred(context, minor_status, keytab, rcname, cred); + if (ret != GSS_S_COMPLETE) + goto error_out; + } +@@ -867,7 +884,7 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name, + + ret = acquire_cred_context(context, minor_status, desired_name, password, + time_req, cred_usage, ccache, NULL, keytab, +- iakerb, output_cred_handle, time_rec); ++ NULL, iakerb, output_cred_handle, time_rec); + + out: + krb5_free_context(context); +@@ -1135,7 +1152,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, + krb5_keytab client_keytab = NULL; + krb5_keytab keytab = NULL; + krb5_ccache ccache = NULL; +- const char *value; ++ const char *rcname, *value; + OM_uint32 ret; + + code = gss_krb5int_initialize_library(); +@@ -1191,9 +1208,14 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, + } + } + ++ ret = kg_value_from_cred_store(cred_store, KRB5_CS_RCACHE_URN, &rcname); ++ if (GSS_ERROR(ret)) ++ goto out; ++ + ret = acquire_cred_context(context, minor_status, desired_name, NULL, + time_req, cred_usage, ccache, client_keytab, +- keytab, 0, output_cred_handle, time_rec); ++ keytab, rcname, 0, output_cred_handle, ++ time_rec); + + out: + if (ccache != NULL) +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index 0167816..8e4f6d9 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -1260,6 +1260,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer) + #define KRB5_CS_CLI_KEYTAB_URN "client_keytab" + #define KRB5_CS_KEYTAB_URN "keytab" + #define KRB5_CS_CCACHE_URN "ccache" ++#define KRB5_CS_RCACHE_URN "rcache" + + OM_uint32 + kg_value_from_cred_store(gss_const_key_value_set_t cred_store, |