rharwood pushed a commit to branch master
in repository gssproxy.
commit 7150e488e0f7b2a3bbc55f24a8ebd8e0dce4796a
Author: Simo Sorce <simo(a)redhat.com>
Date: Fri Mar 3 16:10:58 2017 -0500
Add support for the NO_CI_FLAG credentials option
Signed-off-by: Simo Sorce <simo(a)redhat.com>
Closes #160
Reviewed-by: Robbie Harwood <rharwood(a)redhat.com>
PR: #163
---
proxy/src/gp_export.c | 18 ++++++++++++
proxy/src/gp_util.c | 14 +++++----
proxy/src/mechglue/gpp_creds.c | 64 +++++++++++++++++++++++++-----------------
3 files changed, 65 insertions(+), 31 deletions(-)
diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
index 5f25f56..12b8d5f 100644
--- a/proxy/src/gp_export.c
+++ b/proxy/src/gp_export.c
@@ -389,6 +389,7 @@ done:
}
#define KRB5_SET_ALLOWED_ENCTYPE "krb5_set_allowed_enctype_values"
+#define KRB5_SET_NO_CI_FLAGS "krb5_set_no_ci_flags"
static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t gss_cred)
{
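Review bot: The wire name `krb5_set_no_ci_flags` is now defined twice, here and again in proxy/src/mechglue/gpp_creds.c, and both sides match it by `sizeof()` (terminating NUL included) plus `strncmp`. If the two copies ever drift in spelling or length convention, the proxy simply never recognises the option and nothing reports it. Moving `#define KRB5_SET_NO_CI_FLAGS "krb5_set_no_ci_flags"` into a header that both files include, with a comment such as `/* option names travel with their terminating NUL; compare with sizeof(), not strlen() */`, keeps client and server in step.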
@@ -396,6 +397,7 @@ static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t
gss_cred)
struct gssx_option *op;
uint32_t num_ktypes = 0;
krb5_enctype *ktypes;
+ bool no_ci_flags = false;
uint32_t maj, min;
int i, j;
@@ -411,6 +413,12 @@ static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t
gss_cred)
num_ktypes = op->value.octet_string_len / sizeof(krb5_enctype);
ktypes = (krb5_enctype *)op->value.octet_string_val;
break;
+ } else if ((op->option.octet_string_len ==
+ sizeof(KRB5_SET_NO_CI_FLAGS)) &&
+ (strncmp(KRB5_SET_NO_CI_FLAGS,
+ op->option.octet_string_val,
+ op->option.octet_string_len) == 0)) {
+ no_ci_flags = true;
}
}
}
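Review bot: The new `else if` is only reached for options that come before the allowed-enctypes option, because the branch directly above it ends in `break;`. When a client sets the enctype list first and NO_CI_FLAGS second (gpp_creds.c appends both to the same krb5 element), the scan stops before this comparison runs and `no_ci_flags` stays false. Dropping that `break;`, or ending the scan only once both options have been seen, makes the result independent of option order. The loop headers are outside the hunk, so which loop the `break` leaves should be confirmed there.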
@@ -422,6 +430,16 @@ static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t
gss_cred)
GPDEBUG("Failed to set allowable enctypes\n");
}
}
+
+ if (no_ci_flags) {
+ gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ maj = gss_set_cred_option(&min, &gss_cred,
+ discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X),
+ &empty_buffer);
+ if (maj != GSS_S_COMPLETE) {
+ GPDEBUG("Failed to set NO CI Flags\n");
+ }
+ }
}
uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
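Review bot: The new `if (no_ci_flags)` block has no comment saying what the option changes on the credential or why an empty buffer is passed, and its debug line drops the status codes. A short comment above the `if` would help, for example `/* client asked that conf/integ not be asserted implicitly; the option takes no value */`, with the wording checked against the krb5 documentation for GSS_KRB5_CRED_NO_CI_FLAGS_X. Including `maj` and `min` in the GPDEBUG message would also help. The function returns void, so that message is the only trace of a client request that was not honoured.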
diff --git a/proxy/src/gp_util.c b/proxy/src/gp_util.c
index a91f392..ca83eb3 100644
--- a/proxy/src/gp_util.c
+++ b/proxy/src/gp_util.c
@@ -160,13 +160,15 @@ uint32_t gp_add_option(gssx_option **options_val, u_int
*options_len,
memcpy(opt.option.octet_string_val, option, option_len);
opt.option.octet_string_len = option_len;
- opt.value.octet_string_val = malloc(value_len);
- if (!opt.value.octet_string_val) {
- ret = ENOMEM;
- goto done;
+ if (value_len != 0) {
+ opt.value.octet_string_val = malloc(value_len);
+ if (!opt.value.octet_string_val) {
+ ret = ENOMEM;
+ goto done;
+ }
+ memcpy(opt.value.octet_string_val, value, value_len);
+ opt.value.octet_string_len = value_len;
}
- memcpy(opt.value.octet_string_val, value, value_len);
- opt.value.octet_string_len = value_len;
out = realloc(*options_val, (*options_len + 1) * sizeof(gssx_option));
if (!out) {
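Review bot: With `value_len == 0` the value fields of `opt` are no longer written at all, so they keep whatever `opt` held at its declaration, which is outside this hunk. If `opt` is not zero-initialised there, the entry copied into the array carries an indeterminate pointer and length that later encoding or freeing would act on. An explicit `else { opt.value.octet_string_val = NULL; opt.value.octet_string_len = 0; }` removes that dependency. A non-zero `value_len` with a NULL `value` still reaches `memcpy`; `if (value_len != 0 && value == NULL) { ret = EINVAL; goto done; }` would reject it, assuming `done` is the common cleanup label.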
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 12709b2..9fe9bd1 100644
--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -561,12 +561,9 @@ static uint32_t gpp_set_opt_allowable_entypes(uint32_t *min,
gssx_cred *cred,
struct gpp_allowable_enctypes *ae;
struct gssx_cred_element *ce = NULL;
gss_OID_desc mech;
- gssx_option *to;
- gssx_buffer *tb;
- int i;
/* Find the first element that matches one of the krb related OIDs */
- for (i = 0; i < cred->elements.elements_len; i++) {
+ for (unsigned i = 0; i < cred->elements.elements_len; i++) {
gp_conv_gssx_to_oid(&cred->elements.elements_val[i].mech, &mech);
if (gpp_is_krb5_oid(&mech)) {
ce = &cred->elements.elements_val[i];
@@ -579,36 +576,51 @@ static uint32_t gpp_set_opt_allowable_entypes(uint32_t *min,
gssx_cred *cred,
return GSS_S_FAILURE;
}
- to = realloc(ce->options.options_val,
- sizeof(gssx_option) * (ce->options.options_len + 1));
- if (!to) {
- *min = ENOMEM;
+ ae = (struct gpp_allowable_enctypes *)value->value;
+ *min = gp_add_option(&ce->options.options_val,
+ &ce->options.options_len,
+ KRB5_SET_ALLOWED_ENCTYPE,
+ sizeof(KRB5_SET_ALLOWED_ENCTYPE),
+ ae->ktypes,
+ sizeof(krb5_enctype) * ae->num_ktypes);
+ if (*min != 0) {
return GSS_S_FAILURE;
}
- ce->options.options_val = to;
- i = ce->options.options_len;
- tb = &ce->options.options_val[i].option;
- tb->octet_string_len = sizeof(KRB5_SET_ALLOWED_ENCTYPE);
- tb->octet_string_val = strdup(KRB5_SET_ALLOWED_ENCTYPE);
- if (!tb->octet_string_val) {
- *min = ENOMEM;
- return GSS_S_FAILURE;
+ return GSS_S_COMPLETE;
+}
+
+#define KRB5_SET_NO_CI_FLAGS "krb5_set_no_ci_flags"
+
+static uint32_t gpp_set_no_ci_flags(uint32_t *min, gssx_cred *cred,
+ const gss_buffer_t value)
+{
+ struct gssx_cred_element *ce = NULL;
+ gss_OID_desc mech;
+
+ /* Find the first element that matches one of the krb related OIDs */
+ for (unsigned i = 0; i < cred->elements.elements_len; i++) {
+ gp_conv_gssx_to_oid(&cred->elements.elements_val[i].mech, &mech);
+ if (gpp_is_krb5_oid(&mech)) {
+ ce = &cred->elements.elements_val[i];
+ break;
+ }
}
- ae = (struct gpp_allowable_enctypes *)value->value;
- tb = &ce->options.options_val[i].value;
- tb->octet_string_len = sizeof(krb5_enctype) * ae->num_ktypes;
- tb->octet_string_val = malloc(tb->octet_string_len);
- if (!tb->octet_string_val) {
- *min = ENOMEM;
+ if (!ce) {
+ *min = EINVAL;
return GSS_S_FAILURE;
}
- memcpy(tb->octet_string_val, ae->ktypes, tb->octet_string_len);
- ce->options.options_len++;
+ *min = gp_add_option(&ce->options.options_val,
+ &ce->options.options_len,
+ KRB5_SET_NO_CI_FLAGS,
+ sizeof(KRB5_SET_NO_CI_FLAGS),
+ NULL, 0);
+ if (*min != 0) {
+ return GSS_S_FAILURE;
+ }
- *min = 0;
return GSS_S_COMPLETE;
}
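Review bot: In gpp_set_opt_allowable_entypes, `ae = (struct gpp_allowable_enctypes *)value->value;` is dereferenced for `ae->ktypes` and `ae->num_ktypes` with no visible check that the caller's buffer is large enough to hold the struct. The start of the function is outside this hunk, so an earlier check may exist. If not, a guard before the cast would do: `if (value == GSS_C_NO_BUFFER || value->length < sizeof(*ae)) { *min = EINVAL; return GSS_S_FAILURE; }`. The product `sizeof(krb5_enctype) * ae->num_ktypes` is also passed on without a bound on `num_ktypes`. Separately, gpp_set_no_ci_flags repeats the krb5-element lookup loop verbatim and never reads its `value` parameter. A shared static helper for the lookup and a `(void)value;` with a comment that the option carries no payload would make both intentional.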
@@ -620,6 +632,8 @@ static uint32_t gpp_remote_options(uint32_t *min, gssx_cred *cred,
if (gss_oid_equal(&gpp_allowed_enctypes_oid, desired_object)) {
maj = gpp_set_opt_allowable_entypes(min, cred, value);
+ } else if (gss_oid_equal(GSS_KRB5_CRED_NO_CI_FLAGS_X, desired_object)) {
+ maj = gpp_set_no_ci_flags(min, cred, value);
}
return maj;
--