authorTom Yu <tlyu@mit.edu>2004-10-26 00:14:53 +0000
committerTom Yu <tlyu@mit.edu>2004-10-26 00:14:53 +0000
commit1c7b9d44d5f2809ee308be4c9ef364ad7b36f4b4 (patch)
tree85c8552ca186ad4a1833b2dbc312cc690b25f4ef
parent5c9751d663cc8c86285b2f42d15661735974e000 (diff)
Kevin Coffman's patches to support passing gss context state to kernel
ticket: 2743 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16836 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/kadm5/clnt/ChangeLog5
-rw-r--r--src/lib/kadm5/clnt/client_init.c2
-rw-r--r--src/lib/rpc/ChangeLog15
-rw-r--r--src/lib/rpc/auth_gss.c143
-rw-r--r--src/lib/rpc/auth_gss.h12
-rw-r--r--src/lib/rpc/libgssrpc.exports1
-rw-r--r--src/lib/rpc/rename.h1
7 files changed, 109 insertions, 70 deletions
diff --git a/src/lib/kadm5/clnt/ChangeLog b/src/lib/kadm5/clnt/ChangeLog
index 2bdcf07..6d0a14e 100644
--- a/src/lib/kadm5/clnt/ChangeLog
+++ b/src/lib/kadm5/clnt/ChangeLog
@@ -1,3 +1,8 @@
+2004-10-25 Tom Yu <tlyu@mit.edu>
+
+ * client_init.c (_kadm5_init_any): Pass req_flags and cred to
+ auth_gss_create().
+
2004-08-20 Tom Yu <tlyu@mit.edu>
* client_init.c (_kadm5_init_any): Remove INIT_TEST ifdefs. Use
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index c5bd4b9..d3c63bd 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -519,6 +519,8 @@ static kadm5_ret_t _kadm5_init_any(char *client_name,
sec.mech = gss_mech_krb5;
sec.qop = GSS_C_QOP_DEFAULT;
sec.svc = RPCSEC_GSS_SVC_PRIVACY;
+ sec.cred = gss_client_creds;
+ sec.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
handle->clnt->cl_auth = authgss_create(handle->clnt,
gss_target, &sec);
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index be87db9..d3070b4 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,18 @@
+2004-10-25 Tom Yu <tlyu@mit.edu>
+
+ * auth_gss.c (authgss_get_private_data): New function.
+ (authgss_refresh): Remove explicit OID checks.
+ (authgss_create): Copy initiator name.
+ (authgss_destroy): Release copied initiator name.
+ (print_rpc_gss_sec): Explicitly code OID stringification.
+
+ * auth_gss.h: Add cred and req_flags to struct rpc_gss_sec. New
+ structure authgss_private_data so kernel implementations can
+ retrieve context state.
+
+ * auth_gss.h, libgssrpc.exports, rename.h: Add
+ authgss_get_private_data.
+
2004-10-18 Tom Yu <tlyu@mit.edu>
* Makefile.in (install-unix): Install headers.
diff --git a/src/lib/rpc/auth_gss.c b/src/lib/rpc/auth_gss.c
index 982973a..4e92699 100644
--- a/src/lib/rpc/auth_gss.c
+++ b/src/lib/rpc/auth_gss.c
@@ -96,66 +96,51 @@ static struct auth_ops authgss_ops = {
void
print_rpc_gss_sec(struct rpc_gss_sec *ptr)
{
-#if HAVE_HEIMDAL
int i;
char *p;
- log_debug("rpc_gss_sec:\n");
+ log_debug("rpc_gss_sec:");
if(ptr->mech == NULL)
- log_debug("NULL gss_OID mech\n");
+ log_debug("NULL gss_OID mech");
else {
- log_debug(" gss_OID len: %d\n gss_OID elements:",
- ptr->mech->length);
+ fprintf(stderr, " mechanism_OID: {");
p = (char *)ptr->mech->elements;
- log_debug(" ");
- for(i=0;i<ptr->mech->length;i++)
- log_debug("%u", (u_char)*p++);
- log_debug("\n");
- }
- log_debug(" qop: %d\n",ptr->qop);
- log_debug(" service: %d\n",ptr->svc);
-#else
- OM_uint32 min_stat;
- gss_buffer_desc msg;
-
- if (ptr->mech == NULL)
- log_debug("rpc_gss_sec: mech NULL, qop %d, svc %d",
- ptr->qop, ptr->svc);
- else {
- gss_oid_to_str(&min_stat, ptr->mech, &msg);
-
- log_debug("rpc_gss_sec: mech %.*s, qop %d, svc %d",
- msg.length, (char *)msg.value,
- ptr->qop, ptr->svc);
-
- gss_release_buffer(&min_stat, &msg);
+ for (i=0; i < ptr->mech->length; i++)
+ /* First byte of OIDs encoded to save a byte */
+ if (i == 0) {
+ int first, second;
+ if (*p < 40) {
+ first = 0;
+ second = *p;
+ }
+ else if (40 <= *p && *p < 80) {
+ first = 1;
+ second = *p - 40;
+ }
+ else if (80 <= *p && *p < 127) {
+ first = 2;
+ second = *p - 80;
+ }
+ else {
+ /* Invalid value! */
+ first = -1;
+ second = -1;
+ }
+ fprintf(stderr, " %u %u", first, second);
+ p++;
+ }
+ else {
+ fprintf(stderr, " %u", (unsigned char)*p++);
+ }
+ fprintf(stderr, " }\n");
}
-#endif
+ fprintf(stderr, " qop: %d\n", ptr->qop);
+ fprintf(stderr, " service: %d\n", ptr->svc);
+ fprintf(stderr, " cred: %p\n", ptr->cred);
+ fprintf(stderr, " req_flags: 0x%08x", ptr->req_flags);
}
#endif /*DEBUG*/
-/* Krb 5 default mechanism oid */
-#define KRB5OID "1.2.840.113554.1.2.2"
-
-#define g_OID_equal(o1,o2) \
- (((o1)->length == (o2)->length) && \
- ((o1)->elements != 0) && ((o2)->elements != 0) && \
- (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))
-
-extern const gss_OID_desc * const gss_mech_krb5;
-#ifdef SPKM
-extern const gss_OID_desc * const gss_mech_spkm3;
-#endif /*SPKM*/
-
-/* from kerberos source, gssapi_krb5.c */
-static gss_OID_desc krb5oid =
- {9, "\052\206\110\206\367\022\001\002\002"};
-
-#if SPKM
-static gss_OID_desc spkm3oid =
- {7, "\052\006\001\005\005\001\003"};
-#endif /*SPKM*/
-
struct rpc_gss_data {
bool_t established; /* context established */
bool_t inprogress;
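Review bot: In print_rpc_gss_sec the OID element walk goes through a plain `char *p` (declared at the top of the function, inside this hunk), so where char is signed any element byte at or above 0x80 compares negative, falls into the "Invalid value!" branch, and the `-1` sentinels are then printed through `%u`, a format/argument mismatch. Declare `unsigned char *p;`, assign `p = (unsigned char *)ptr->mech->elements;`, and print the first two arcs with `fprintf(stderr, " %d %d", first, second);`. The first-arc decode also stops at 127 although the X.690 rule maps every first byte of 80 or more to first arc 2 (second = byte - 80); if the cap is deliberate a one-line comment saying so would stop it reading as a bug. The record is also written partly through log_debug() and partly through fprintf(stderr), so the pieces may interleave differently depending on where log_debug writes, and `i` is an int compared against `ptr->mech->length`.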
@@ -178,6 +163,7 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec)
{
AUTH *auth, *save_auth;
struct rpc_gss_data *gd;
+ OM_uint32 min_stat = 0;
log_debug("in authgss_create()");
@@ -194,8 +180,19 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec)
free(auth);
return (NULL);
}
+ if (name != GSS_C_NO_NAME) {
+ if (gss_duplicate_name(&min_stat, name, &gd->name)
+ != GSS_S_COMPLETE) {
+ rpc_createerr.cf_stat = RPC_SYSTEMERROR;
+ rpc_createerr.cf_error.re_errno = ENOMEM;
+ free(auth);
+ return (NULL);
+ }
+ }
+ else
+ gd->name = name;
+
gd->clnt = clnt;
- gd->name = name;
gd->ctx = GSS_C_NO_CONTEXT;
gd->sec = *sec;
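Review bot: The new gss_duplicate_name failure path frees `auth` but not `gd`; the `free(auth); return (NULL);` pair just above it looks like gd's own allocation-failure exit, so by the time the new block runs gd appears to be allocated and is leaked on this branch. Add `free(gd);` before `free(auth);` inside the new `if`. Reporting ENOMEM for every gss_duplicate_name failure is a guess at the cause; if nothing more specific is available a comment such as `/* gss_duplicate_name reports no errno; ENOMEM is the likeliest cause */` would document the choice. authgss_create begins before this hunk and continues after it.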
@@ -244,13 +241,35 @@ authgss_create_default(CLIENT *clnt, char *service, struct rpc_gss_sec *sec)
auth = authgss_create(clnt, name, sec);
- if(auth)
+ if (name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &name);
log_debug("authgss_create_default returning auth 0x%08x", auth);
return (auth);
}
+bool_t
+authgss_get_private_data(AUTH *auth, struct authgss_private_data *pd)
+{
+ struct rpc_gss_data *gd;
+
+ log_debug("in authgss_get_private_data()");
+
+ if (!auth || !pd)
+ return (FALSE);
+
+ gd = AUTH_PRIVATE(auth);
+
+ if (!gd || !gd->established)
+ return (FALSE);
+
+ pd->pd_ctx = gd->ctx;
+ pd->pd_ctx_hndl = gd->gc.gc_ctx;
+ pd->pd_seq_win = gd->win;
+
+ return (TRUE);
+}
+
static void
authgss_nextverf(AUTH *auth)
{
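Review bot: authgss_get_private_data hands out shallow copies of gd->ctx and gd->gc.gc_ctx, so pd_ctx and pd_ctx_hndl.value alias memory owned by the AUTH and dangle once authgss_destroy runs (a later hunk shows it freeing gd), yet neither the function nor the header says so. Add a header comment on the definition along the lines of `/* Shallow copy of the established context state: pd_ctx and pd_ctx_hndl.value stay owned by auth and are valid only until authgss_destroy(auth); returns FALSE until the context is established. */`. The function is new and complete within this hunk; authgss_nextverf starts at the end of the hunk and continues outside it.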
@@ -395,22 +414,14 @@ authgss_refresh(AUTH *auth, struct rpc_msg *msg)
print_rpc_gss_sec(&gd->sec);
#endif /*DEBUG*/
- if (g_OID_equal(gd->sec.mech, &krb5oid))
- req_flags |= GSS_C_MUTUAL_FLAG;
-
-#ifdef SPKM
- if (g_OID_equal(gd->sec.mech, gss_mech_spkm3))
- req_flags |= GSS_C_ANON_FLAG;
-#endif /*SPKM*/
-
for (;;) {
gd->inprogress = TRUE;
maj_stat = gss_init_sec_context(&min_stat,
- GSS_C_NO_CREDENTIAL,
+ gd->sec.cred,
&gd->ctx,
gd->name,
gd->sec.mech,
- req_flags,
+ gd->sec.req_flags,
0, /* time req */
NULL, /* channel */
recv_tokenp,
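Review bot: Dropping the mech-based `req_flags |= GSS_C_MUTUAL_FLAG` means mutual authentication is now requested only when the caller set sec.req_flags, and sec.cred is passed straight through; because authgss_create copies `*sec` by value (visible as `gd->sec = *sec` in the hunk above), any existing caller that does not initialise the two new fields sends whatever happens to be in that memory as the flag word and credential handle. Either default the fields in authgss_create or state in auth_gss.h that callers must set req_flags and cred (GSS_C_NO_CREDENTIAL when none) and that GSS_C_MUTUAL_FLAG is no longer implied for krb5. If the code after this hunk does not already compare the ret_flags output of gss_init_sec_context against gd->sec.req_flags once the context completes, it is worth adding, since a requested flag the mechanism did not grant is otherwise silently accepted. The local `req_flags` variable may now be unused after this change. authgss_refresh begins before this hunk and continues after it.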
@@ -581,13 +592,7 @@ authgss_destroy(AUTH *auth)
if (gd->name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &gd->name);
-#if 0
-#ifdef HAVE_HEIMDAL
- gss_release_name(&min_stat, &gd->name);
-#else
- gss_release_name(&min_stat, gd->name);
-#endif
-#endif
+
free(gd);
free(auth);
}
diff --git a/src/lib/rpc/auth_gss.h b/src/lib/rpc/auth_gss.h
index 1ea12cb..ea5db92 100644
--- a/src/lib/rpc/auth_gss.h
+++ b/src/lib/rpc/auth_gss.h
@@ -70,6 +70,15 @@ struct rpc_gss_sec {
gss_OID mech; /* mechanism */
gss_qop_t qop; /* quality of protection */
rpc_gss_svc_t svc; /* service */
+ gss_cred_id_t cred; /* cred handle */
+ uint32_t req_flags; /* req flags for init_sec_context */
+};
+
+/* Private data required for kernel implementation */
+struct authgss_private_data {
+ gss_ctx_id_t pd_ctx; /* Session context handle */
+ gss_buffer_desc pd_ctx_hndl; /* Credentials context handle */
+ uint32_t pd_seq_win; /* Sequence window */
};
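Review bot: The two fields appended to struct rpc_gss_sec extend a public structure that callers fill in themselves, and the comments do not say what a caller without a credential should store in `cred` or where `req_flags` values come from. Suggest `gss_cred_id_t cred; /* cred handle, or GSS_C_NO_CREDENTIAL */` and `uint32_t req_flags; /* GSS_C_*_FLAG bits for gss_init_sec_context; set GSS_C_MUTUAL_FLAG for mutual auth */`. gss_init_sec_context takes OM_uint32 for the flag word, so declaring `req_flags` as OM_uint32 would match the consumer and avoid depending on <stdint.h> being included before this header, which I cannot see from here. The `pd_ctx_hndl` comment "Credentials context handle" does not match what authgss_get_private_data stores there (gd->gc.gc_ctx, which appears to be the RPCSEC_GSS context handle from the server), and the struct comment should note that pd_ctx and pd_ctx_hndl alias state owned by the AUTH until authgss_destroy.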
/* Krb 5 default mechanism
@@ -127,7 +136,8 @@ bool_t xdr_rpc_gss_unwrap_data (XDR *xdrs, xdrproc_t xdr_func, caddr_t
AUTH *authgss_create (CLIENT *, gss_name_t, struct rpc_gss_sec *);
AUTH *authgss_create_default (CLIENT *, char *, struct rpc_gss_sec *);
-bool_t authgss_service(AUTH *auth, int svc);
+bool_t authgss_service (AUTH *auth, int svc);
+bool_t authgss_get_private_data (AUTH *auth, struct authgss_private_data *);
#ifdef GSSRPC__IMPL
void log_debug (const char *fmt, ...);
diff --git a/src/lib/rpc/libgssrpc.exports b/src/lib/rpc/libgssrpc.exports
index 8824c4d..1437b96 100644
--- a/src/lib/rpc/libgssrpc.exports
+++ b/src/lib/rpc/libgssrpc.exports
@@ -9,6 +9,7 @@ gssrpc_auth_gssapi_unwrap_data
gssrpc_auth_gssapi_wrap_data
gssrpc_authgss_create
gssrpc_authgss_create_default
+gssrpc_authgss_get_private_data
gssrpc_authgss_service
gssrpc_authnone_create
gssrpc_authunix_create
diff --git a/src/lib/rpc/rename.h b/src/lib/rpc/rename.h
index 4f5971d..b28ae91 100644
--- a/src/lib/rpc/rename.h
+++ b/src/lib/rpc/rename.h
@@ -92,6 +92,7 @@
#define authgss_create gssrpc_authgss_create
#define authgss_create_default gssrpc_authgss_create_default
+#define authgss_get_private_data gssrpc_authgss_get_private_data
#define authgss_service gssrpc_authgss_service
#ifdef GSSRPC__IMPL