>From f9a0f4d3c215bf27f86d61da0fcbba2300a600e2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 13 Nov 2013 19:54:27 -0500
Subject: [PATCH 1/2] Autoinitialize creds on init_sec_context

If the remote client tries to initialize the context without first
acquiring credentials, try to acquire appropriate credentials if
the service allows it.
---
 proxy/src/gp_rpc_init_sec_context.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c
index 944389c6f08c0c8e238adf300b383401329fb9da..c8ecba4fc5bfc9b4b0414129cf041e89112f5d57 100644
--- a/proxy/src/gp_rpc_init_sec_context.c
+++ b/proxy/src/gp_rpc_init_sec_context.c
@@ -24,6 +24,7 @@
 */
 
 #include "gp_rpc_process.h"
+#include <gssapi/gssapi_krb5.h>
 
 int gp_init_sec_context(struct gp_call_ctx *gpcall,
                         union gp_rpc_arg *arg,
@@ -72,13 +73,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
         if (ret_maj) {
             goto done;
         }
-    } else {
-        /* FIXME: get ccache from gpsvc ? */
-        ret_maj = GSS_S_CRED_UNAVAIL;
-        ret_min = 0;
-        goto done;
     }
-
     ret_maj = gp_conv_gssx_to_name(&ret_min, isca->target_name, &target_name);
     if (ret_maj) {
         goto done;
@@ -105,6 +100,23 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
         gp_conv_gssx_to_buffer(isca->input_token, &ibuf);
     }
 
+    if (!isca->cred_handle) {
+        if (gss_oid_equal(mech_type, gss_mech_krb5)) {
+            ret_maj = gp_add_krb5_creds(&ret_min, gpcall,
+                                        NULL, NULL,
+                                        GSS_C_INITIATE,
+                                        time_req, 0, &ich,
+                                        NULL, NULL, NULL);
+        } else {
+            ret_maj = GSS_S_NO_CRED;
+            ret_min = 0;
+        }
+
+        if (ret_maj) {
+            goto done;
+        }
+    }
+
     ret_maj = gss_init_sec_context(&ret_min,
                                    ich,
                                    &ctx,
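Review bot: The new `if (!isca->cred_handle)` branch makes the proxy acquire initiator credentials for any caller that sends no credential handle, and nothing visible in this hunk checks that the calling service is allowed to do that. The decision appears to be left entirely to `gp_add_krb5_creds` working from `gpcall`, so the branch should carry a comment saying so, e.g. `/* no client cred: gp_add_krb5_creds decides from the service's configuration whether default initiator creds may be acquired */`, and that helper's policy check is worth confirming in review. Separately, if `mech_type` can be `GSS_C_NO_OID` at this point, `gss_oid_equal` returns false and the caller gets `GSS_S_NO_CRED`, whereas the removed branch returned `GSS_S_CRED_UNAVAIL`; confirm that clients handle the changed status. The function starts and ends outside the hunk.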
@@ -156,5 +168,6 @@ done:
                                  &iscr->status);
     gss_release_name(&ret_min, &target_name);
     gss_release_oid(&ret_min, &mech_type);
+    gss_release_cred(&ret_min, &ich);
     return ret;
 }
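Review bot: `gss_release_cred(&ret_min, &ich)` now runs on every path through `done:`, including the early `goto done` exits and the path where `ich` was derived from the client's `cred_handle` rather than from `gp_add_krb5_creds`. That is only safe if `ich` is initialised to `GSS_C_NO_CREDENTIAL` at its declaration and if the credential built from the client handle is owned by this function and not shared; neither is visible in the hunk, so both should be confirmed. A short comment such as `/* ich is always owned here: imported from the client handle or freshly acquired */` would record the ownership rule next to the release. The function body starts outside the hunk.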
-- 
1.8.4.2

