[PATCH] GSSAPI credentials


 



This patch implements the SASL_GSS_CREDS property, which was defined in sasl.h back in 2005.

http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600

Applications need this functionality to make use of Kerberos Services4User features.

http://k5wiki.kerberos.org/wiki/Projects/Services4User

Setting the credential in the SASL client will allow it to use an S4U2Proxy credential, among other things.

Additional patches will still be needed to allow a SASL server to take advantage of this feature, as mentioned in my previous email. But this is a small first step just to get the ball rolling.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Index: include/saslplug.h
===================================================================
RCS file: /cvs/src/sasl/include/saslplug.h,v
retrieving revision 1.45
diff -u -r1.45 saslplug.h
--- include/saslplug.h	10 Mar 2009 14:10:52 -0000	1.45
+++ include/saslplug.h	10 May 2010 08:04:24 -0000
@@ -253,8 +253,10 @@
     sasl_security_properties_t props;
     sasl_ssf_t external_ssf;	/* external SSF active */
 
+    /* GSS credentials */
+    void *gss_creds;
+
     /* for additions which don't require a version upgrade; set to 0 */
-    void *spare_ptr1;
     void *spare_ptr2;
     void *spare_ptr3;
     void *spare_ptr4;
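Review bot: The new `void *gss_creds` member carries only a two-word comment and says nothing about what the pointer is or who owns it; the same comment is repeated in the second hunk of this file for the server params struct. Since lib/common.c stores whatever pointer sasl_setprop(SASL_GSS_CREDS) receives and plugins/gssapi.c reads it back as a gss_cred_id_t without ever releasing it, the header should say so: `/* GSS credentials: a gss_cred_id_t set via SASL_GSS_CREDS, or NULL (GSS_C_NO_CREDENTIAL); owned and released by the application, which must keep it valid while the connection is in use */`. Taking over `spare_ptr1` keeps the struct layout unchanged, which is what the spare slots are reserved for, so no version bump appears to be needed; it does rely on the library zeroing the params block so that plugins see GSS_C_NO_CREDENTIAL by default, which is worth confirming.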
@@ -552,8 +554,10 @@
      */
     struct propctx *propctx;
 
+    /* GSS credentials */
+    void *gss_creds;
+
     /* for additions which don't require a version upgrade; set to 0 */
-    void *spare_ptr1;
     void *spare_ptr2;
     void *spare_ptr3;
     void *spare_ptr4;
Index: lib/common.c
===================================================================
RCS file: /cvs/src/sasl/lib/common.c,v
retrieving revision 1.124
diff -u -r1.124 common.c
--- lib/common.c	20 Feb 2009 23:10:53 -0000	1.124
+++ lib/common.c	10 May 2010 08:04:24 -0000
@@ -1238,6 +1238,13 @@
       }
       break;
 
+  case SASL_GSS_CREDS:
+      if(conn->type == SASL_CONN_CLIENT)
+          ((sasl_client_conn_t *)conn)->cparams->gss_creds = value;
+      else
+          ((sasl_server_conn_t *)conn)->sparams->gss_creds = value;
+      break;
+
   default:
       sasl_seterror(conn, 0, "Unknown parameter type");
       result = SASL_BADPARAM;
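Review bot: The new `SASL_GSS_CREDS` case stores `value` by reference with no note on lifetime, while the only readers (in plugins/gssapi.c) dereference it later, at context-establishment time; a comment such as `/* stored by reference: the application keeps ownership of the handle and must keep it valid until the connection is disposed */` would put the contract at the one place the pointer is set. From the gssapi.c hunks the handle is only picked up when gss_init_sec_context/gss_accept_sec_context is called, so if the property is meant to be set before authentication starts, the comment should say that too. The enclosing function begins and ends outside the hunk.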
Index: plugins/gssapi.c
===================================================================
RCS file: /cvs/src/sasl/plugins/gssapi.c,v
retrieving revision 1.109
diff -u -r1.109 gssapi.c
--- plugins/gssapi.c	24 Feb 2010 22:41:18 -0000	1.109
+++ plugins/gssapi.c	10 May 2010 08:04:24 -0000
@@ -657,6 +657,7 @@
     OM_uint32 max_input;
     gss_buffer_desc name_token;
     int ret, out_flags = 0 ;
+    gss_cred_id_t server_creds = params->gss_creds;
     
     input_token = &real_input_token;
     output_token = &real_output_token;
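Review bot: `server_creds` is initialised from `params->gss_creds` on every entry, and the acquire path in the next hunk only updates the local on the call that acquires, so if this function is re-entered for a later round trip after the plugin acquired its own credential, the gss_accept_sec_context call (changed in the hunk at line 750) receives GSS_C_NO_CREDENTIAL where the pre-patch code always passed `text->server_creds`. Whether that matters depends on how the GSS implementation treats the acceptor handle on a continued context, but it is a behaviour change the commit does not mention. Assuming `text->server_creds` is GSS_C_NO_CREDENTIAL until acquired, initialising the local as `gss_cred_id_t server_creds = params->gss_creds ? (gss_cred_id_t)params->gss_creds : text->server_creds;` keeps the old behaviour on continuation and adds the explicit cast the client-side hunk already uses. The enclosing function starts before and ends after the hunk.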
@@ -716,22 +717,26 @@
 	    	GSS_UNLOCK_MUTEX(params->utils);
 		text->server_creds = GSS_C_NO_CREDENTIAL;
 	    }
+
+	    /* If caller didn't provide creds already */
+	    if ( server_creds == GSS_C_NO_CREDENTIAL) {
+		GSS_LOCK_MUTEX(params->utils);
+		maj_stat = gss_acquire_cred(&min_stat, 
+					    text->server_name,
+					    GSS_C_INDEFINITE, 
+					    GSS_C_NO_OID_SET,
+					    GSS_C_ACCEPT,
+					    &text->server_creds, 
+					    NULL, 
+					    NULL);
+		GSS_UNLOCK_MUTEX(params->utils);
 	    
-	    GSS_LOCK_MUTEX(params->utils);
-	    maj_stat = gss_acquire_cred(&min_stat, 
-					text->server_name,
-					GSS_C_INDEFINITE, 
-					GSS_C_NO_OID_SET,
-					GSS_C_ACCEPT,
-					&text->server_creds, 
-					NULL, 
-					NULL);
-	    GSS_UNLOCK_MUTEX(params->utils);
-	    
-	    if (GSS_ERROR(maj_stat)) {
-		sasl_gss_seterror(text->utils, maj_stat, min_stat);
-		sasl_gss_free_context_contents(text);
-		return SASL_FAIL;
+		if (GSS_ERROR(maj_stat)) {
+		    sasl_gss_seterror(text->utils, maj_stat, min_stat);
+		    sasl_gss_free_context_contents(text);
+		    return SASL_FAIL;
+		}
+		server_creds = text->server-creds;
 	    }
 	}
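Review bot: `server_creds = text->server-creds;` near the end of the hunk is a typo for `server_creds = text->server_creds;` — as written it parses as `text->server - creds`, which will not compile unless `text` has a `server` member and `creds` is in scope, and even then it would compute a meaningless pointer difference. With that fixed, leaving `text->server_creds` untouched when the caller supplied a handle is the right ownership split, because the release at the top of the hunk only touches `text->server_creds` and so never frees the application's credential; a one-line comment on the new `if` (`/* caller-supplied handle: not ours to release, so text->server_creds stays unset */`) would keep the next reader from "fixing" it. The `if ( server_creds == ...` spacing also differs from the `if (x)` form used elsewhere in the hunk. The enclosing function begins and ends outside the hunk.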
 	
@@ -745,7 +750,7 @@
 	maj_stat =
 	    gss_accept_sec_context(&min_stat,
 				   &(text->gss_ctx),
-				   text->server_creds,
+				   server_creds,
 				   input_token,
 				   GSS_C_NO_CHANNEL_BINDINGS,
 				   &text->client_name,
@@ -1380,6 +1385,7 @@
     output_token->value = NULL;
     input_token->value = NULL; 
     input_token->length = 0;
+    gss_cred_id_t client_creds = (gss_cred_id_t)params->gss_creds;
     
     *clientout = NULL;
     *clientoutlen = 0;
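Review bot: The declaration `gss_cred_id_t client_creds = (gss_cred_id_t)params->gss_creds;` is placed after executable statements (`input_token->length = 0;` precedes it), a mixed declaration that C89 compilers reject and that the surrounding lines suggest this function otherwise avoids; move it up with the function's other locals, as the server-side hunk at line 657 does. The explicit `(gss_cred_id_t)` cast used here is absent from that server-side declaration, so pick one form for both. The enclosing function starts before and ends after the hunk.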
@@ -1493,7 +1499,7 @@
 
 	GSS_LOCK_MUTEX(params->utils);
 	maj_stat = gss_init_sec_context(&min_stat,
-					GSS_C_NO_CREDENTIAL,
+					client_creds, /* GSS_C_NO_CREDENTIAL */
 					&text->gss_ctx,
 					text->server_name,
 					GSS_C_NO_OID,
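Review bot: The trailing comment on `client_creds, /* GSS_C_NO_CREDENTIAL */` reads as though the argument is still the no-credential constant, which is misleading now that it may carry an application-supplied handle; change it to `client_creds, /* GSS_C_NO_CREDENTIAL unless set via SASL_GSS_CREDS */`. Nothing in the patch releases `client_creds`, so ownership stays with the application, consistent with the server side, and that is worth stating in the same comment. The enclosing function begins and ends outside the hunk.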

