[gssproxy] 01/03: Add support for the NO_CI_FLAG credentials option

Tuesday, 7 March 2017

This is an automated email from the git hooks/post-receive script.

rharwood pushed a commit to branch master
in repository gssproxy.

commit 7150e488e0f7b2a3bbc55f24a8ebd8e0dce4796a
Author: Simo Sorce <simo(a)redhat.com&gt;
Date:   Fri Mar 3 16:10:58 2017 -0500

    Add support for the NO_CI_FLAG credentials option
    
    Signed-off-by: Simo Sorce <simo(a)redhat.com&gt;
    Closes #160
    Reviewed-by: Robbie Harwood <rharwood(a)redhat.com&gt;
    PR: #163
---
 proxy/src/gp_export.c          | 18 ++++++++++++
 proxy/src/gp_util.c            | 14 +++++----
 proxy/src/mechglue/gpp_creds.c | 64 +++++++++++++++++++++++++-----------------
 3 files changed, 65 insertions(+), 31 deletions(-)

diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
index 5f25f56..12b8d5f 100644
--- a/proxy/src/gp_export.c
+++ b/proxy/src/gp_export.c
@@ -389,6 +389,7 @@ done:
 }
 
 #define KRB5_SET_ALLOWED_ENCTYPE "krb5_set_allowed_enctype_values"
+#define KRB5_SET_NO_CI_FLAGS "krb5_set_no_ci_flags"
 
 static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t gss_cred)
 {
@@ -396,6 +397,7 @@ static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t
gss_cred)
     struct gssx_option *op;
     uint32_t num_ktypes = 0;
     krb5_enctype *ktypes;
+    bool no_ci_flags = false;
     uint32_t maj, min;
     int i, j;
 
@@ -411,6 +413,12 @@ static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t
gss_cred)
                 num_ktypes = op->value.octet_string_len / sizeof(krb5_enctype);
                 ktypes = (krb5_enctype *)op->value.octet_string_val;
                 break;
+            } else if ((op->option.octet_string_len ==
+                        sizeof(KRB5_SET_NO_CI_FLAGS)) &&
+                (strncmp(KRB5_SET_NO_CI_FLAGS,
+                         op->option.octet_string_val,
+                         op->option.octet_string_len) == 0)) {
+                no_ci_flags = true;
             }
         }
     }
@@ -422,6 +430,16 @@ static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t
gss_cred)
             GPDEBUG("Failed to set allowable enctypes\n");
         }
     }
+
+    if (no_ci_flags) {
+        gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+        maj = gss_set_cred_option(&min, &gss_cred,
+                                  discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X),
+                                  &empty_buffer);
+        if (maj != GSS_S_COMPLETE) {
+            GPDEBUG("Failed to set NO CI Flags\n");
+        }
+    }
 }
 
 uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
diff --git a/proxy/src/gp_util.c b/proxy/src/gp_util.c
index a91f392..ca83eb3 100644
--- a/proxy/src/gp_util.c
+++ b/proxy/src/gp_util.c
@@ -160,13 +160,15 @@ uint32_t gp_add_option(gssx_option **options_val, u_int
*options_len,
     memcpy(opt.option.octet_string_val, option, option_len);
     opt.option.octet_string_len = option_len;
 
-    opt.value.octet_string_val = malloc(value_len);
-    if (!opt.value.octet_string_val) {
-        ret = ENOMEM;
-        goto done;
+    if (value_len != 0) {
+        opt.value.octet_string_val = malloc(value_len);
+        if (!opt.value.octet_string_val) {
+            ret = ENOMEM;
+            goto done;
+        }
+        memcpy(opt.value.octet_string_val, value, value_len);
+        opt.value.octet_string_len = value_len;
     }
-    memcpy(opt.value.octet_string_val, value, value_len);
-    opt.value.octet_string_len = value_len;
 
     out = realloc(*options_val, (*options_len + 1) * sizeof(gssx_option));
     if (!out) {
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 12709b2..9fe9bd1 100644
--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -561,12 +561,9 @@ static uint32_t gpp_set_opt_allowable_entypes(uint32_t *min,
gssx_cred *cred,
     struct gpp_allowable_enctypes *ae;
     struct gssx_cred_element *ce = NULL;
     gss_OID_desc mech;
-    gssx_option *to;
-    gssx_buffer *tb;
-    int i;
 
     /* Find the first element that matches one of the krb related OIDs */
-    for (i = 0; i < cred->elements.elements_len; i++) {
+    for (unsigned i = 0; i < cred->elements.elements_len; i++) {
         gp_conv_gssx_to_oid(&cred->elements.elements_val[i].mech, &mech);
         if (gpp_is_krb5_oid(&mech)) {
             ce = &cred->elements.elements_val[i];
@@ -579,36 +576,51 @@ static uint32_t gpp_set_opt_allowable_entypes(uint32_t *min,
gssx_cred *cred,
         return GSS_S_FAILURE;
     }
 
-    to = realloc(ce->options.options_val,
-                 sizeof(gssx_option) * (ce->options.options_len + 1));
-    if (!to) {
-        *min = ENOMEM;
+    ae = (struct gpp_allowable_enctypes *)value->value;
+    *min = gp_add_option(&ce->options.options_val,
+                         &ce->options.options_len,
+                         KRB5_SET_ALLOWED_ENCTYPE,
+                         sizeof(KRB5_SET_ALLOWED_ENCTYPE),
+                         ae->ktypes,
+                         sizeof(krb5_enctype) * ae->num_ktypes);
+    if (*min != 0) {
         return GSS_S_FAILURE;
     }
-    ce->options.options_val = to;
-    i = ce->options.options_len;
 
-    tb = &ce->options.options_val[i].option;
-    tb->octet_string_len = sizeof(KRB5_SET_ALLOWED_ENCTYPE);
-    tb->octet_string_val = strdup(KRB5_SET_ALLOWED_ENCTYPE);
-    if (!tb->octet_string_val) {
-        *min = ENOMEM;
-        return GSS_S_FAILURE;
+    return GSS_S_COMPLETE;
+}
+
+#define KRB5_SET_NO_CI_FLAGS "krb5_set_no_ci_flags"
+
+static uint32_t gpp_set_no_ci_flags(uint32_t *min, gssx_cred *cred,
+                                    const gss_buffer_t value)
+{
+    struct gssx_cred_element *ce = NULL;
+    gss_OID_desc mech;
+
+    /* Find the first element that matches one of the krb related OIDs */
+    for (unsigned i = 0; i < cred->elements.elements_len; i++) {
+        gp_conv_gssx_to_oid(&cred->elements.elements_val[i].mech, &mech);
+        if (gpp_is_krb5_oid(&mech)) {
+            ce = &cred->elements.elements_val[i];
+            break;
+        }
     }
 
-    ae = (struct gpp_allowable_enctypes *)value->value;
-    tb = &ce->options.options_val[i].value;
-    tb->octet_string_len = sizeof(krb5_enctype) * ae->num_ktypes;
-    tb->octet_string_val = malloc(tb->octet_string_len);
-    if (!tb->octet_string_val) {
-        *min = ENOMEM;
+    if (!ce) {
+        *min = EINVAL;
         return GSS_S_FAILURE;
     }
-    memcpy(tb->octet_string_val, ae->ktypes, tb->octet_string_len);
 
-    ce->options.options_len++;
+    *min = gp_add_option(&ce->options.options_val,
+                         &ce->options.options_len,
+                         KRB5_SET_NO_CI_FLAGS,
+                         sizeof(KRB5_SET_NO_CI_FLAGS),
+                         NULL, 0);
+    if (*min != 0) {
+        return GSS_S_FAILURE;
+    }
 
-    *min = 0;
     return GSS_S_COMPLETE;
 }
 
@@ -620,6 +632,8 @@ static uint32_t gpp_remote_options(uint32_t *min, gssx_cred *cred,
 
     if (gss_oid_equal(&gpp_allowed_enctypes_oid, desired_object)) {
         maj = gpp_set_opt_allowable_entypes(min, cred, value);
+    } else if (gss_oid_equal(GSS_KRB5_CRED_NO_CI_FLAGS_X, desired_object)) {
+        maj = gpp_set_no_ci_flags(min, cred, value);
     }
 
     return maj;

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[gssproxy] 01/03: Add support for the NO_CI_FLAG credentials option