Re: [PATCH] GSSAPI credentials

Alexey Melnikov wrote:
Howard Chu wrote:

Alexey Melnikov wrote:

Howard Chu wrote:

This patch implements the SASL_GSS_CREDS property, which was defined
in sasl.h back in 2005.

http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600
Applications need this functionality to make use of Kerberos
Services4User features.

http://k5wiki.kerberos.org/wiki/Projects/Services4User

Setting the credential in the SASL client will allow it to use an
S4U2Proxy credential, among other things.

Additional patches will still be needed to allow a SASL server to take
advantage of this feature, as mentioned in my previous email. But this
is a small first step just to get the ball rolling.

Hi Howard,
This looks fine, but let me ask some questions on your patch:

What about updating sasl_getprop() to match?

Sure. I didn't think it was too important since the calling app is the
only thing that can set it, it must already have it.

Let's make everything symmetrical, if it is easy. Pretty much all props
that can be set are also retrievable with sasl_getprop().

OK. Assuming you only meant to retrieve the previously-set cred, this patch will do. If you mean to retrieve whatever cred got used, including e.g. what the server obtained through gss_acquire_cred(), that gets a bit trickier; need to worry about who disposes of it and such.

Index: plugins/gssapi.c
===================================================================
RCS file: /cvs/src/sasl/plugins/gssapi.c,v
retrieving revision 1.109
diff -u -r1.109 gssapi.c
--- plugins/gssapi.c    24 Feb 2010 22:41:18 -0000    1.109
+++ plugins/gssapi.c    10 May 2010 08:04:24 -0000
@@ -657,6 +657,7 @@
      OM_uint32 max_input;
      gss_buffer_desc name_token;
      int ret, out_flags = 0 ;
+    gss_cred_id_t server_creds = params->gss_creds;

GSS_C_NO_CREDENTIAL is defined as "((gss_cred_id_t) 0)" in RFC 2744, so
no extra initialization is needed.

This is not simply initialization, it's retrieving the value that a
caller set, if any.

I was talking about the case when the application doesn't set anything.
I think the plugin should work as before your change. I think it does, I
was mostly talking aloud to convince myself that that was the case.

OK. Yes, no extra init is needed.

Have you compiled this change against both MIT and Heimdal?

Yes, using MIT Kerb 1.8.1 and Heimdal 1.2.1. (Not the latest Heimdal I
know, but I don't think this is particularly version dependent.)

Ok, great. That is good enough.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Index: include/saslplug.h
===================================================================
RCS file: /cvs/src/sasl/include/saslplug.h,v
retrieving revision 1.45
diff -u -r1.45 saslplug.h
--- include/saslplug.h	10 Mar 2009 14:10:52 -0000	1.45
+++ include/saslplug.h	11 May 2010 16:42:40 -0000
@@ -253,8 +253,10 @@
     sasl_security_properties_t props;
     sasl_ssf_t external_ssf;	/* external SSF active */
 
+    /* GSS credentials */
+    void *gss_creds;
+
     /* for additions which don't require a version upgrade; set to 0 */
-    void *spare_ptr1;
     void *spare_ptr2;
     void *spare_ptr3;
     void *spare_ptr4;
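Review bot: the comment `/* GSS credentials */` on the new field should say what the pointer is and who owns it: it carries a `gss_cred_id_t` supplied by the application through SASL_GSS_CREDS (typed `void *` because saslplug.h does not pull in gssapi.h), the library never releases it, and it must stay valid for the lifetime of the connection. Taking over the `spare_ptr1` slot is a good choice here, since the layout and size of the params struct are unchanged and existing applications already zero that slot, so the field reads as GSS_C_NO_CREDENTIAL when nothing was set; a one-line comment such as `/* gss_cred_id_t set by the application via SASL_GSS_CREDS; not owned by the library */` would make both points.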
@@ -552,8 +554,10 @@
      */
     struct propctx *propctx;
 
+    /* GSS credentials */
+    void *gss_creds;
+
     /* for additions which don't require a version upgrade; set to 0 */
-    void *spare_ptr1;
     void *spare_ptr2;
     void *spare_ptr3;
     void *spare_ptr4;
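Review bot: same documentation point as for the client params: the comment on `gss_creds` should state the real type and that the library does not own or release it; on the server side it should additionally say that a supplied credential replaces the one the GSSAPI plugin would otherwise acquire for itself with gss_acquire_cred().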
Index: lib/common.c
===================================================================
RCS file: /cvs/src/sasl/lib/common.c,v
retrieving revision 1.124
diff -u -r1.124 common.c
--- lib/common.c	20 Feb 2009 23:10:53 -0000	1.124
+++ lib/common.c	11 May 2010 16:42:40 -0000
@@ -1027,6 +1027,14 @@
   case SASL_SEC_PROPS:
       *((const sasl_security_properties_t **)pvalue) = &conn->props;
       break;
+  case SASL_GSS_CREDS:
+      if(conn->type == SASL_CONN_CLIENT)
+	  *(void **)pvalue = 
+              ((sasl_client_conn_t *)conn)->cparams->gss_creds;
+      else
+	  *(void **)pvalue = 
+              ((sasl_server_conn_t *)conn)->sparams->gss_creds;
+      break;
   default: 
       result = SASL_BADPARAM;
   }
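Review bot: this getter only returns what was last stored with sasl_setprop(), never a credential the server plugin acquired on its own (the plugin keeps that in its `text->server_creds`, which is not reachable here), so the SASL_GSS_CREDS documentation should say so explicitly; otherwise a server application that calls sasl_getprop(conn, SASL_GSS_CREDS, ...) without having set anything will get NULL back and may wrongly conclude that no credential was used. The neighbouring cases cast through `const` pointers; `*(void **)pvalue` is fine since the stored pointer is non-const, but a short comment that the returned pointer is the application's own object and must not be released by the caller of sasl_getprop() would avoid a double-release later.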
@@ -1238,6 +1246,13 @@
       }
       break;
 
+  case SASL_GSS_CREDS:
+      if(conn->type == SASL_CONN_CLIENT)
+          ((sasl_client_conn_t *)conn)->cparams->gss_creds = value;
+      else
+          ((sasl_server_conn_t *)conn)->sparams->gss_creds = value;
+      break;
+
   default:
       sasl_seterror(conn, 0, "Unknown parameter type");
       result = SASL_BADPARAM;
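Review bot: `... ->gss_creds = value;` assigns the setter's argument straight into a `void *`; if `value` is the `const void *` parameter of sasl_setprop(), this drops the const qualifier and will produce a warning on every compiler that checks it, so cast explicitly in both branches, e.g. `((sasl_client_conn_t *)conn)->cparams->gss_creds = (void *)value;`. It is also worth documenting next to this case that passing NULL clears the property and restores the plugin's default behaviour (acquire its own credential on the server, use the default credential on the client), since that is exactly how the gssapi.c changes interpret GSS_C_NO_CREDENTIAL.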
Index: plugins/gssapi.c
===================================================================
RCS file: /cvs/src/sasl/plugins/gssapi.c,v
retrieving revision 1.109
diff -u -r1.109 gssapi.c
--- plugins/gssapi.c	24 Feb 2010 22:41:18 -0000	1.109
+++ plugins/gssapi.c	11 May 2010 16:42:40 -0000
@@ -657,6 +657,7 @@
     OM_uint32 max_input;
     gss_buffer_desc name_token;
     int ret, out_flags = 0 ;
+    gss_cred_id_t server_creds = params->gss_creds;
     
     input_token = &real_input_token;
     output_token = &real_output_token;
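Review bot: `params->gss_creds` is a `void *` and is assigned to `gss_cred_id_t server_creds` here without a cast, whereas the client-side change in this same patch writes `(gss_cred_id_t)params->gss_creds`; both are valid C, but use the same form in both places, preferably the explicit cast so the conversion from the untyped property is visible to the reader.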
@@ -716,22 +717,26 @@
 	    	GSS_UNLOCK_MUTEX(params->utils);
 		text->server_creds = GSS_C_NO_CREDENTIAL;
 	    }
+
+	    /* If caller didn't provide creds already */
+	    if ( server_creds == GSS_C_NO_CREDENTIAL) {
+		GSS_LOCK_MUTEX(params->utils);
+		maj_stat = gss_acquire_cred(&min_stat, 
+					    text->server_name,
+					    GSS_C_INDEFINITE, 
+					    GSS_C_NO_OID_SET,
+					    GSS_C_ACCEPT,
+					    &text->server_creds, 
+					    NULL, 
+					    NULL);
+		GSS_UNLOCK_MUTEX(params->utils);
 	    
-	    GSS_LOCK_MUTEX(params->utils);
-	    maj_stat = gss_acquire_cred(&min_stat, 
-					text->server_name,
-					GSS_C_INDEFINITE, 
-					GSS_C_NO_OID_SET,
-					GSS_C_ACCEPT,
-					&text->server_creds, 
-					NULL, 
-					NULL);
-	    GSS_UNLOCK_MUTEX(params->utils);
-	    
-	    if (GSS_ERROR(maj_stat)) {
-		sasl_gss_seterror(text->utils, maj_stat, min_stat);
-		sasl_gss_free_context_contents(text);
-		return SASL_FAIL;
+		if (GSS_ERROR(maj_stat)) {
+		    sasl_gss_seterror(text->utils, maj_stat, min_stat);
+		    sasl_gss_free_context_contents(text);
+		    return SASL_FAIL;
+		}
+		server_creds = text->server-creds;
 	    }
 	}
 	
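Review bot: `server_creds = text->server-creds;` will not compile: `server-creds` parses as `text->server - creds`, and neither name exists, so it must read `server_creds = text->server_creds;`. This is the only statement that copies a freshly acquired credential into the local passed to gss_accept_sec_context(), so the default case with no caller-supplied credential is broken until it is fixed. The ownership split is otherwise right: a caller-supplied credential lives only in the local `server_creds` while `text->server_creds` stays GSS_C_NO_CREDENTIAL, so the plugin's eventual release of `text->server_creds` can never free the application's credential. Minor: `if ( server_creds == GSS_C_NO_CREDENTIAL)` has a stray space after the parenthesis.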
@@ -745,7 +750,7 @@
 	maj_stat =
 	    gss_accept_sec_context(&min_stat,
 				   &(text->gss_ctx),
-				   text->server_creds,
+				   server_creds,
 				   input_token,
 				   GSS_C_NO_CHANNEL_BINDINGS,
 				   &text->client_name,
@@ -1380,6 +1385,7 @@
     output_token->value = NULL;
     input_token->value = NULL; 
     input_token->length = 0;
+    gss_cred_id_t client_creds = (gss_cred_id_t)params->gss_creds;
     
     *clientout = NULL;
     *clientoutlen = 0;
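Review bot: the declaration `gss_cred_id_t client_creds = (gss_cred_id_t)params->gss_creds;` follows executable statements (`input_token->length = 0;` and the assignments above it), which is a mixed declaration and code that C89 compilers reject and gcc's -Wdeclaration-after-statement flags; move it up into the declaration block at the top of the function, as the server-side hunk does with `server_creds`.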
@@ -1493,7 +1499,7 @@
 
 	GSS_LOCK_MUTEX(params->utils);
 	maj_stat = gss_init_sec_context(&min_stat,
-					GSS_C_NO_CREDENTIAL,
+					client_creds, /* GSS_C_NO_CREDENTIAL */
 					&text->gss_ctx,
 					text->server_name,
 					GSS_C_NO_OID,
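Review bot: the trailing comment `/* GSS_C_NO_CREDENTIAL */` next to `client_creds` now reads as though the argument were still GSS_C_NO_CREDENTIAL; reword it to describe what is actually passed, e.g. `client_creds, /* from SASL_GSS_CREDS, or GSS_C_NO_CREDENTIAL if unset */`. Behaviour with the property unset is unchanged, because the field occupies the zero-initialized `spare_ptr1` slot and GSS_C_NO_CREDENTIAL is defined as `((gss_cred_id_t) 0)`, as discussed above.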
