[PATCH] GSSAPI credentials

Howard Chu Mon, 10 May 2010 01:11:21 -0700

This patch implements the SASL_GSS_CREDS property, which was defined in sasl.hback in 2005.


http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600

Applications need this functionality to make use of Kerberos Services4Userfeatures.


http://k5wiki.kerberos.org/wiki/Projects/Services4User

Setting the credential in the SASL client will allow it to use an S4U2Proxycredential, among other things.

Additional patches will still be needed to allow a SASL server to takeadvantage of this feature, as mentioned in my previous email. But this is asmall first step just to get the ball rolling.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Index: include/saslplug.h
===================================================================
RCS file: /cvs/src/sasl/include/saslplug.h,v
retrieving revision 1.45
diff -u -r1.45 saslplug.h
--- include/saslplug.h  10 Mar 2009 14:10:52 -0000      1.45
+++ include/saslplug.h  10 May 2010 08:04:24 -0000
@@ -253,8 +253,10 @@
     sasl_security_properties_t props;
     sasl_ssf_t external_ssf;   /* external SSF active */
 
+    /* GSS credentials */
+    void *gss_creds;
+
     /* for additions which don't require a version upgrade; set to 0 */
-    void *spare_ptr1;
     void *spare_ptr2;
     void *spare_ptr3;
     void *spare_ptr4;
@@ -552,8 +554,10 @@
      */
     struct propctx *propctx;
 
+    /* GSS credentials */
+    void *gss_creds;
+
     /* for additions which don't require a version upgrade; set to 0 */
-    void *spare_ptr1;
     void *spare_ptr2;
     void *spare_ptr3;
     void *spare_ptr4;
Index: lib/common.c
===================================================================
RCS file: /cvs/src/sasl/lib/common.c,v
retrieving revision 1.124
diff -u -r1.124 common.c
--- lib/common.c        20 Feb 2009 23:10:53 -0000      1.124
+++ lib/common.c        10 May 2010 08:04:24 -0000
@@ -1238,6 +1238,13 @@
       }
       break;
 
+  case SASL_GSS_CREDS:
+      if(conn->type == SASL_CONN_CLIENT)
+          ((sasl_client_conn_t *)conn)->cparams->gss_creds = value;
+      else
+          ((sasl_server_conn_t *)conn)->sparams->gss_creds = value;
+      break;
+
   default:
       sasl_seterror(conn, 0, "Unknown parameter type");
       result = SASL_BADPARAM;
Index: plugins/gssapi.c
===================================================================
RCS file: /cvs/src/sasl/plugins/gssapi.c,v
retrieving revision 1.109
diff -u -r1.109 gssapi.c
--- plugins/gssapi.c    24 Feb 2010 22:41:18 -0000      1.109
+++ plugins/gssapi.c    10 May 2010 08:04:24 -0000
@@ -657,6 +657,7 @@
     OM_uint32 max_input;
     gss_buffer_desc name_token;
     int ret, out_flags = 0 ;
+    gss_cred_id_t server_creds = params->gss_creds;
     
     input_token = &real_input_token;
     output_token = &real_output_token;
@@ -716,22 +717,26 @@
                GSS_UNLOCK_MUTEX(params->utils);
                text->server_creds = GSS_C_NO_CREDENTIAL;
            }
+
+           /* If caller didn't provide creds already */
+           if ( server_creds == GSS_C_NO_CREDENTIAL) {
+               GSS_LOCK_MUTEX(params->utils);
+               maj_stat = gss_acquire_cred(&min_stat, 
+                                           text->server_name,
+                                           GSS_C_INDEFINITE, 
+                                           GSS_C_NO_OID_SET,
+                                           GSS_C_ACCEPT,
+                                           &text->server_creds, 
+                                           NULL, 
+                                           NULL);
+               GSS_UNLOCK_MUTEX(params->utils);
            
-           GSS_LOCK_MUTEX(params->utils);
-           maj_stat = gss_acquire_cred(&min_stat, 
-                                       text->server_name,
-                                       GSS_C_INDEFINITE, 
-                                       GSS_C_NO_OID_SET,
-                                       GSS_C_ACCEPT,
-                                       &text->server_creds, 
-                                       NULL, 
-                                       NULL);
-           GSS_UNLOCK_MUTEX(params->utils);
-           
-           if (GSS_ERROR(maj_stat)) {
-               sasl_gss_seterror(text->utils, maj_stat, min_stat);
-               sasl_gss_free_context_contents(text);
-               return SASL_FAIL;
+               if (GSS_ERROR(maj_stat)) {
+                   sasl_gss_seterror(text->utils, maj_stat, min_stat);
+                   sasl_gss_free_context_contents(text);
+                   return SASL_FAIL;
+               }
+               server_creds = text->server-creds;
            }
        }
        
@@ -745,7 +750,7 @@
        maj_stat =
            gss_accept_sec_context(&min_stat,
                                   &(text->gss_ctx),
-                                  text->server_creds,
+                                  server_creds,
                                   input_token,
                                   GSS_C_NO_CHANNEL_BINDINGS,
                                   &text->client_name,
@@ -1380,6 +1385,7 @@
     output_token->value = NULL;
     input_token->value = NULL; 
     input_token->length = 0;
+    gss_cred_id_t client_creds = (gss_cred_id_t)params->gss_creds;
     
     *clientout = NULL;
     *clientoutlen = 0;
@@ -1493,7 +1499,7 @@
 
        GSS_LOCK_MUTEX(params->utils);
        maj_stat = gss_init_sec_context(&min_stat,
-                                       GSS_C_NO_CREDENTIAL,
+                                       client_creds, /* GSS_C_NO_CREDENTIAL */
                                        &text->gss_ctx,
                                        text->server_name,
                                        GSS_C_NO_OID,

[PATCH] GSSAPI credentials

Reply via email to