|
 |
472fdf |
From 24d776205605f3c113fdc2cb356d4c28b8033676 Mon Sep 17 00:00:00 2001
|
|
|
472fdf |
From: Robbie Harwood <rharwood@redhat.com>
|
|
|
472fdf |
Date: Fri, 15 Sep 2017 18:07:28 -0400
|
|
|
472fdf |
Subject: [PATCH] Handle outdated encrypted ccaches
|
|
|
472fdf |
|
|
|
472fdf |
When the encrypting keytab changes, all credentials that it was used
|
|
|
472fdf |
to encrypt must be re-created. Otherwise, we log obtuse messages and
|
|
|
472fdf |
fail to do what the user wants.
|
|
|
472fdf |
|
|
|
472fdf |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
472fdf |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
472fdf |
Merges: #214
|
|
|
472fdf |
(cherry picked from commit 657d3c8339309dd8e2bfa4ee10f005e0f0c055e8)
|
|
|
472fdf |
---
|
|
|
472fdf |
proxy/src/gp_export.c | 11 ++++++-----
|
|
|
472fdf |
proxy/src/gp_rpc_accept_sec_context.c | 28 +++++++++++++++++++++++++++
|
|
|
472fdf |
proxy/src/gp_rpc_init_sec_context.c | 2 +-
|
|
|
472fdf |
3 files changed, 35 insertions(+), 6 deletions(-)
|
|
|
472fdf |
|
|
|
472fdf |
diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
|
|
|
472fdf |
index ab08bb7..0c39045 100644
|
|
|
472fdf |
--- a/proxy/src/gp_export.c
|
|
|
472fdf |
+++ b/proxy/src/gp_export.c
|
|
|
472fdf |
@@ -268,7 +268,7 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key,
|
|
|
472fdf |
&enc_handle,
|
|
|
472fdf |
&data_out);
|
|
|
472fdf |
if (ret) {
|
|
|
472fdf |
- return EINVAL;
|
|
|
472fdf |
+ return ret;
|
|
|
472fdf |
}
|
|
|
472fdf |
|
|
|
472fdf |
*len = data_out.length;
|
|
|
472fdf |
@@ -446,8 +446,8 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
|
|
|
472fdf |
{
|
|
|
472fdf |
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
|
|
|
472fdf |
struct gp_creds_handle *handle = NULL;
|
|
|
472fdf |
- uint32_t ret_maj;
|
|
|
472fdf |
- uint32_t ret_min;
|
|
|
472fdf |
+ uint32_t ret_maj = GSS_S_COMPLETE;
|
|
|
472fdf |
+ uint32_t ret_min = 0;
|
|
|
472fdf |
int ret;
|
|
|
472fdf |
|
|
|
472fdf |
handle = gp_service_get_creds_handle(gpcall->service);
|
|
|
472fdf |
@@ -469,8 +469,9 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
|
|
|
472fdf |
&cred->cred_handle_reference,
|
|
|
472fdf |
&token.length, token.value);
|
|
|
472fdf |
if (ret) {
|
|
|
472fdf |
- ret_maj = GSS_S_FAILURE;
|
|
|
472fdf |
- ret_min = ENOENT;
|
|
|
472fdf |
+ /* Allow for re-issuance of the keytab. */
|
|
|
472fdf |
+ GPDEBUG("Stored ccache failed to decrypt; treating as empty\n");
|
|
|
472fdf |
+ *out = GSS_C_NO_CREDENTIAL;
|
|
|
472fdf |
goto done;
|
|
|
472fdf |
}
|
|
|
472fdf |
|
|
|
472fdf |
diff --git a/proxy/src/gp_rpc_accept_sec_context.c b/proxy/src/gp_rpc_accept_sec_context.c
|
|
|
472fdf |
index ae4de55..2cdc94b 100644
|
|
|
472fdf |
--- a/proxy/src/gp_rpc_accept_sec_context.c
|
|
|
472fdf |
+++ b/proxy/src/gp_rpc_accept_sec_context.c
|
|
|
472fdf |
@@ -25,6 +25,13 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,
|
|
|
472fdf |
int exp_creds_type;
|
|
|
472fdf |
uint32_t acpt_maj;
|
|
|
472fdf |
uint32_t acpt_min;
|
|
|
472fdf |
+ struct gp_cred_check_handle gcch = {
|
|
|
472fdf |
+ .ctx = gpcall,
|
|
|
472fdf |
+ .options.options_len = arg->accept_sec_context.options.options_len,
|
|
|
472fdf |
+ .options.options_val = arg->accept_sec_context.options.options_val,
|
|
|
472fdf |
+ };
|
|
|
472fdf |
+ uint32_t gccn_before = 0;
|
|
|
472fdf |
+ uint32_t gccn_after = 0;
|
|
|
472fdf |
int ret;
|
|
|
472fdf |
|
|
|
472fdf |
asca = &arg->accept_sec_context;
|
|
|
472fdf |
@@ -52,6 +59,8 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,
|
|
|
472fdf |
if (ret_maj) {
|
|
|
472fdf |
goto done;
|
|
|
472fdf |
}
|
|
|
472fdf |
+
|
|
|
472fdf |
+ gccn_before = gp_check_sync_creds(&gcch, ach);
|
|
|
472fdf |
}
|
|
|
472fdf |
|
|
|
472fdf |
if (ach == GSS_C_NO_CREDENTIAL) {
|
|
|
472fdf |
@@ -146,6 +155,25 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,
|
|
|
472fdf |
src_name, oid,
|
|
|
472fdf |
&ascr->options.options_len,
|
|
|
472fdf |
&ascr->options.options_val);
|
|
|
472fdf |
+ if (ret_maj) {
|
|
|
472fdf |
+ goto done;
|
|
|
472fdf |
+ }
|
|
|
472fdf |
+
|
|
|
472fdf |
+ gccn_after = gp_check_sync_creds(&gcch, ach);
|
|
|
472fdf |
+
|
|
|
472fdf |
+ if (gccn_before != gccn_after) {
|
|
|
472fdf |
+ /* export creds back to client for sync up */
|
|
|
472fdf |
+ ret_maj = gp_export_sync_creds(&ret_min, gpcall, &ach,
|
|
|
472fdf |
+ &ascr->options.options_val,
|
|
|
472fdf |
+ &ascr->options.options_len);
|
|
|
472fdf |
+ if (ret_maj) {
|
|
|
472fdf |
+ /* not fatal, log and continue */
|
|
|
472fdf |
+ GPDEBUG("Failed to export sync creds (%d: %d)",
|
|
|
472fdf |
+ (int)ret_maj, (int)ret_min);
|
|
|
472fdf |
+ }
|
|
|
472fdf |
+ }
|
|
|
472fdf |
+
|
|
|
472fdf |
+ ret_maj = GSS_S_COMPLETE;
|
|
|
472fdf |
|
|
|
472fdf |
done:
|
|
|
472fdf |
if (ret_maj == GSS_S_COMPLETE) {
|
|
|
472fdf |
diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c
|
|
|
472fdf |
index e4af495..f362dbc 100644
|
|
|
472fdf |
--- a/proxy/src/gp_rpc_init_sec_context.c
|
|
|
472fdf |
+++ b/proxy/src/gp_rpc_init_sec_context.c
|
|
|
472fdf |
@@ -91,7 +91,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
|
|
|
472fdf |
gp_conv_gssx_to_buffer(isca->input_token, &ibuf);
|
|
|
472fdf |
}
|
|
|
472fdf |
|
|
|
472fdf |
- if (!isca->cred_handle) {
|
|
|
472fdf |
+ if (!ich) {
|
|
|
472fdf |
if (gss_oid_equal(mech_type, gss_mech_krb5)) {
|
|
|
472fdf |
ret_maj = gp_add_krb5_creds(&ret_min, gpcall,
|
|
|
472fdf |
ACQ_NORMAL, NULL, NULL,
|