From: Tom Yu Date: Tue, 26 Oct 2004 00:14:53 +0000 (+0000) Subject: Kevin Coffman's patches to support passing gss context state to kernel X-Git-Tag: krb5-1.4-beta1~8 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=1c7b9d44d5f2809ee308be4c9ef364ad7b36f4b4;p=krb5.git Kevin Coffman's patches to support passing gss context state to kernel ticket: 2743 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16836 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/kadm5/clnt/ChangeLog b/src/lib/kadm5/clnt/ChangeLog index 2bdcf07d8..6d0a14ecd 100644 --- a/src/lib/kadm5/clnt/ChangeLog +++ b/src/lib/kadm5/clnt/ChangeLog @@ -1,3 +1,8 @@ +2004-10-25 Tom Yu + + * client_init.c (_kadm5_init_any): Pass req_flags and cred to + auth_gss_create(). + 2004-08-20 Tom Yu * client_init.c (_kadm5_init_any): Remove INIT_TEST ifdefs. Use diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c index c5bd4b971..d3c63bde8 100644 --- a/src/lib/kadm5/clnt/client_init.c +++ b/src/lib/kadm5/clnt/client_init.c @@ -519,6 +519,8 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, sec.mech = gss_mech_krb5; sec.qop = GSS_C_QOP_DEFAULT; sec.svc = RPCSEC_GSS_SVC_PRIVACY; + sec.cred = gss_client_creds; + sec.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; handle->clnt->cl_auth = authgss_create(handle->clnt, gss_target, &sec); diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index be87db97d..d3070b4b7 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,18 @@ +2004-10-25 Tom Yu + + * auth_gss.c (authgss_get_private_data): New function. + (authgss_refresh): Remove explicit OID checks. + (authgss_create): Copy initiator name. + (authgss_destroy): Release copied initiator name. + (print_rpc_gss_sec): Explicitly code OID stringification. + + * auth_gss.h: Add cred and req_flags to struct rpc_gss_sec. New + structure authgss_private_data so kernel implementations can + retrieve context state. + + * auth_gss.h, libgssrpc.exports, rename.h: Add + authgss_get_private_data. + 2004-10-18 Tom Yu * Makefile.in (install-unix): Install headers. diff --git a/src/lib/rpc/auth_gss.c b/src/lib/rpc/auth_gss.c index 982973a7c..4e92699e1 100644 --- a/src/lib/rpc/auth_gss.c +++ b/src/lib/rpc/auth_gss.c @@ -96,66 +96,51 @@ static struct auth_ops authgss_ops = { void print_rpc_gss_sec(struct rpc_gss_sec *ptr) { -#if HAVE_HEIMDAL int i; char *p; - log_debug("rpc_gss_sec:\n"); + log_debug("rpc_gss_sec:"); if(ptr->mech == NULL) - log_debug("NULL gss_OID mech\n"); + log_debug("NULL gss_OID mech"); else { - log_debug(" gss_OID len: %d\n gss_OID elements:", - ptr->mech->length); + fprintf(stderr, " mechanism_OID: {"); p = (char *)ptr->mech->elements; - log_debug(" "); - for(i=0;imech->length;i++) - log_debug("%u", (u_char)*p++); - log_debug("\n"); - } - log_debug(" qop: %d\n",ptr->qop); - log_debug(" service: %d\n",ptr->svc); -#else - OM_uint32 min_stat; - gss_buffer_desc msg; - - if (ptr->mech == NULL) - log_debug("rpc_gss_sec: mech NULL, qop %d, svc %d", - ptr->qop, ptr->svc); - else { - gss_oid_to_str(&min_stat, ptr->mech, &msg); - - log_debug("rpc_gss_sec: mech %.*s, qop %d, svc %d", - msg.length, (char *)msg.value, - ptr->qop, ptr->svc); - - gss_release_buffer(&min_stat, &msg); + for (i=0; i < ptr->mech->length; i++) + /* First byte of OIDs encoded to save a byte */ + if (i == 0) { + int first, second; + if (*p < 40) { + first = 0; + second = *p; + } + else if (40 <= *p && *p < 80) { + first = 1; + second = *p - 40; + } + else if (80 <= *p && *p < 127) { + first = 2; + second = *p - 80; + } + else { + /* Invalid value! */ + first = -1; + second = -1; + } + fprintf(stderr, " %u %u", first, second); + p++; + } + else { + fprintf(stderr, " %u", (unsigned char)*p++); + } + fprintf(stderr, " }\n"); } -#endif + fprintf(stderr, " qop: %d\n", ptr->qop); + fprintf(stderr, " service: %d\n", ptr->svc); + fprintf(stderr, " cred: %p\n", ptr->cred); + fprintf(stderr, " req_flags: 0x%08x", ptr->req_flags); } #endif /*DEBUG*/ -/* Krb 5 default mechanism oid */ -#define KRB5OID "1.2.840.113554.1.2.2" - -#define g_OID_equal(o1,o2) \ - (((o1)->length == (o2)->length) && \ - ((o1)->elements != 0) && ((o2)->elements != 0) && \ - (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0)) - -extern const gss_OID_desc * const gss_mech_krb5; -#ifdef SPKM -extern const gss_OID_desc * const gss_mech_spkm3; -#endif /*SPKM*/ - -/* from kerberos source, gssapi_krb5.c */ -static gss_OID_desc krb5oid = - {9, "\052\206\110\206\367\022\001\002\002"}; - -#if SPKM -static gss_OID_desc spkm3oid = - {7, "\052\006\001\005\005\001\003"}; -#endif /*SPKM*/ - struct rpc_gss_data { bool_t established; /* context established */ bool_t inprogress; @@ -178,6 +163,7 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec) { AUTH *auth, *save_auth; struct rpc_gss_data *gd; + OM_uint32 min_stat = 0; log_debug("in authgss_create()"); @@ -194,8 +180,19 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec) free(auth); return (NULL); } + if (name != GSS_C_NO_NAME) { + if (gss_duplicate_name(&min_stat, name, &gd->name) + != GSS_S_COMPLETE) { + rpc_createerr.cf_stat = RPC_SYSTEMERROR; + rpc_createerr.cf_error.re_errno = ENOMEM; + free(auth); + return (NULL); + } + } + else + gd->name = name; + gd->clnt = clnt; - gd->name = name; gd->ctx = GSS_C_NO_CONTEXT; gd->sec = *sec; @@ -244,13 +241,35 @@ authgss_create_default(CLIENT *clnt, char *service, struct rpc_gss_sec *sec) auth = authgss_create(clnt, name, sec); - if(auth) + if (name != GSS_C_NO_NAME) gss_release_name(&min_stat, &name); log_debug("authgss_create_default returning auth 0x%08x", auth); return (auth); } +bool_t +authgss_get_private_data(AUTH *auth, struct authgss_private_data *pd) +{ + struct rpc_gss_data *gd; + + log_debug("in authgss_get_private_data()"); + + if (!auth || !pd) + return (FALSE); + + gd = AUTH_PRIVATE(auth); + + if (!gd || !gd->established) + return (FALSE); + + pd->pd_ctx = gd->ctx; + pd->pd_ctx_hndl = gd->gc.gc_ctx; + pd->pd_seq_win = gd->win; + + return (TRUE); +} + static void authgss_nextverf(AUTH *auth) { @@ -395,22 +414,14 @@ authgss_refresh(AUTH *auth, struct rpc_msg *msg) print_rpc_gss_sec(&gd->sec); #endif /*DEBUG*/ - if (g_OID_equal(gd->sec.mech, &krb5oid)) - req_flags |= GSS_C_MUTUAL_FLAG; - -#ifdef SPKM - if (g_OID_equal(gd->sec.mech, gss_mech_spkm3)) - req_flags |= GSS_C_ANON_FLAG; -#endif /*SPKM*/ - for (;;) { gd->inprogress = TRUE; maj_stat = gss_init_sec_context(&min_stat, - GSS_C_NO_CREDENTIAL, + gd->sec.cred, &gd->ctx, gd->name, gd->sec.mech, - req_flags, + gd->sec.req_flags, 0, /* time req */ NULL, /* channel */ recv_tokenp, @@ -581,13 +592,7 @@ authgss_destroy(AUTH *auth) if (gd->name != GSS_C_NO_NAME) gss_release_name(&min_stat, &gd->name); -#if 0 -#ifdef HAVE_HEIMDAL - gss_release_name(&min_stat, &gd->name); -#else - gss_release_name(&min_stat, gd->name); -#endif -#endif + free(gd); free(auth); } diff --git a/src/lib/rpc/auth_gss.h b/src/lib/rpc/auth_gss.h index 1ea12cb4e..ea5db92b9 100644 --- a/src/lib/rpc/auth_gss.h +++ b/src/lib/rpc/auth_gss.h @@ -70,6 +70,15 @@ struct rpc_gss_sec { gss_OID mech; /* mechanism */ gss_qop_t qop; /* quality of protection */ rpc_gss_svc_t svc; /* service */ + gss_cred_id_t cred; /* cred handle */ + uint32_t req_flags; /* req flags for init_sec_context */ +}; + +/* Private data required for kernel implementation */ +struct authgss_private_data { + gss_ctx_id_t pd_ctx; /* Session context handle */ + gss_buffer_desc pd_ctx_hndl; /* Credentials context handle */ + uint32_t pd_seq_win; /* Sequence window */ }; /* Krb 5 default mechanism @@ -127,7 +136,8 @@ bool_t xdr_rpc_gss_unwrap_data (XDR *xdrs, xdrproc_t xdr_func, caddr_t AUTH *authgss_create (CLIENT *, gss_name_t, struct rpc_gss_sec *); AUTH *authgss_create_default (CLIENT *, char *, struct rpc_gss_sec *); -bool_t authgss_service(AUTH *auth, int svc); +bool_t authgss_service (AUTH *auth, int svc); +bool_t authgss_get_private_data (AUTH *auth, struct authgss_private_data *); #ifdef GSSRPC__IMPL void log_debug (const char *fmt, ...); diff --git a/src/lib/rpc/libgssrpc.exports b/src/lib/rpc/libgssrpc.exports index 8824c4d00..1437b9661 100644 --- a/src/lib/rpc/libgssrpc.exports +++ b/src/lib/rpc/libgssrpc.exports @@ -9,6 +9,7 @@ gssrpc_auth_gssapi_unwrap_data gssrpc_auth_gssapi_wrap_data gssrpc_authgss_create gssrpc_authgss_create_default +gssrpc_authgss_get_private_data gssrpc_authgss_service gssrpc_authnone_create gssrpc_authunix_create diff --git a/src/lib/rpc/rename.h b/src/lib/rpc/rename.h index 4f5971d07..b28ae9145 100644 --- a/src/lib/rpc/rename.h +++ b/src/lib/rpc/rename.h @@ -92,6 +92,7 @@ #define authgss_create gssrpc_authgss_create #define authgss_create_default gssrpc_authgss_create_default +#define authgss_get_private_data gssrpc_authgss_get_private_data #define authgss_service gssrpc_authgss_service #ifdef GSSRPC__IMPL