From 556ea844a5783f9876ee748e1c686bb268f54e8a Mon Sep 17 00:00:00 2001

From: Simo Sorce <simo@redhat.com>

Date: Fri, 15 Nov 2013 10:33:52 -0500

Subject: [PATCH] Fix continuations in context establishment calls

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Properly support continuations, including returning the rigth error code

and exporting partial contexts.

Fixes multistep authentications in particular for the initialization case

which always uses continuations.

Resolves: https://fedorahosted.org/gss-proxy/ticket/108

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

---

 proxy/src/client/gpm_init_sec_context.c | 21 ++++++++++-----------

 proxy/src/gp_export.c                   | 33 +++++++++++++++++++++++++++++----

 proxy/src/gp_export.h                   |  3 ++-

 proxy/src/gp_rpc_accept_sec_context.c   | 20 +++++++++++++++++---

 proxy/src/gp_rpc_get_mic.c              |  2 +-

 proxy/src/gp_rpc_init_sec_context.c     | 16 +++++++++++++++-

 proxy/src/gp_rpc_unwrap.c               |  2 +-

 proxy/src/gp_rpc_verify_mic.c           |  2 +-

 proxy/src/gp_rpc_wrap.c                 |  2 +-

 9 files changed, 77 insertions(+), 24 deletions(-)

diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c

index b6ce34f..f6dfe53 100644

--- a/proxy/src/client/gpm_init_sec_context.c

+++ b/proxy/src/client/gpm_init_sec_context.c

@@ -104,13 +104,6 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,

         }

     }

-    if (res->status.major_status) {

-        gpm_save_status(&res->status);

-        ret_maj = res->status.major_status;

-        ret_min = res->status.minor_status;

-        goto done;

-    }

-

     if (res->context_handle) {

         ctx = res->context_handle;

         /* we are stealing the delegated creds on success, so we do not want

@@ -118,12 +111,18 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,

         res->context_handle = NULL;

     }

-    ret = gp_conv_gssx_to_buffer_alloc(res->output_token, &outbuf);

-    if (ret) {

-        gpm_save_internal_status(ret, strerror(ret));

-        goto done;

+    if (res->output_token) {

+        ret = gp_conv_gssx_to_buffer_alloc(res->output_token, &outbuf);

+        if (ret) {

+            gpm_save_internal_status(ret, strerror(ret));

+            goto done;

+        }

     }

+    ret_maj = res->status.major_status;

+    ret_min = res->status.minor_status;

+    gpm_save_status(&res->status);

+

 done:

     if (ret != 0) {

         ret_min = ret;

diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c

index 51dd686..3cd5148 100644

--- a/proxy/src/gp_export.c

+++ b/proxy/src/gp_export.c

@@ -390,6 +390,7 @@ done:

 #define LINUX_LUCID_V1      "linux_lucid_v1"

 enum exp_ctx_types {

+    EXP_CTX_PARTIAL = -1, /* cannot be specified by client */

     EXP_CTX_DEFAULT = 0,

     EXP_CTX_LINUX_LUCID_V1 = 1,

 };

@@ -418,6 +419,11 @@ int gp_get_exported_context_type(struct gssx_call_ctx *ctx)

     return EXP_CTX_DEFAULT;

 }

+int gp_get_continue_needed_type(void)

+{

+    return EXP_CTX_PARTIAL;

+}

+

 #define KRB5_CTX_FLAG_INITIATOR         0x00000001

 #define KRB5_CTX_FLAG_CFX               0x00000002

 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004

@@ -513,7 +519,7 @@ done:

 }

-uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,

+uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,

                                   gss_ctx_id_t *in, gssx_ctx *out)

 {

     uint32_t ret_maj;

@@ -529,9 +535,6 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,

     int is_open;

     int ret;

-/* TODO: For mechs that need multiple roundtrips to complete */

-    /* out->state; */

-

     /* we do not need the client to release anything until we handle state */

     out->needs_release = false;

@@ -539,6 +542,11 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,

                                   &lifetime_rec, &mech_type, &ctx_flags,

                                   &is_locally_initiated, &is_open);

     if (ret_maj) {

+        if (type == EXP_CTX_PARTIAL) {

+            /* This may happen on partially established context,

+             * so just go on and put in what we can */

+            goto export;

+        }

         goto done;

     }

@@ -571,9 +579,26 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,

         out->open = true;

     }

+export:

     /* note: once converted the original context token is not usable anymore,

      * so this must be the last call to use it */

     switch (type) {

+    case EXP_CTX_PARTIAL:

+        /* this happens only when a init_sec_context call returns a partially

+         * initialized context so we return only what we have, not much */

+        ret = gp_conv_oid_to_gssx(mech, &out->mech);

+        if (ret) {

+            ret_maj = GSS_S_FAILURE;

+            ret_min = ret;

+            goto done;

+        }

+

+        out->locally_initiated = true;

+        out->open = false;

+

+        /* out->state; */

+

+        /* fall through */

     case EXP_CTX_DEFAULT:

         ret_maj = gss_export_sec_context(&ret_min, in, &export_buffer);

         if (ret_maj) {

diff --git a/proxy/src/gp_export.h b/proxy/src/gp_export.h

index 58c0040..03e5d18 100644

--- a/proxy/src/gp_export.h

+++ b/proxy/src/gp_export.h

@@ -37,7 +37,8 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,

                              gssx_cred *cred, gss_cred_id_t *out);

 int gp_get_exported_context_type(struct gssx_call_ctx *ctx);

-uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,

+int gp_get_continue_needed_type(void);

+uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,

                                   gss_ctx_id_t *in, gssx_ctx *out);

 uint32_t gp_import_gssx_to_ctx_id(uint32_t *min, int type,

                                   gssx_ctx *in, gss_ctx_id_t *out);

diff --git a/proxy/src/gp_rpc_accept_sec_context.c b/proxy/src/gp_rpc_accept_sec_context.c

index 40370aa..efbf07a 100644

--- a/proxy/src/gp_rpc_accept_sec_context.c

+++ b/proxy/src/gp_rpc_accept_sec_context.c

@@ -46,6 +46,8 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,

     gss_cred_id_t *pdch = NULL;

     int exp_ctx_type;

     int exp_creds_type;

+    uint32_t acpt_maj;

+    uint32_t acpt_min;

     int ret;

     asca = &arg->accept_sec_context;

@@ -109,17 +111,25 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,

                                      &ret_flags,

                                      NULL,

                                      pdch);

-    if (ret_maj) {

+    if (ret_maj != GSS_S_COMPLETE &&

+        ret_maj != GSS_S_CONTINUE_NEEDED) {

         goto done;

+    } else {

+        acpt_maj = ret_maj;

+        acpt_min = ret_min;

+    }

+    if (acpt_maj == GSS_S_CONTINUE_NEEDED) {

+        exp_ctx_type = gp_get_continue_needed_type();

     }

+

     ascr->context_handle = calloc(1, sizeof(gssx_ctx));

     if (!ascr->context_handle) {

         ret_maj = GSS_S_FAILURE;

         ret_min = ENOMEM;

         goto done;

     }

-    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,

+    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, oid,

                                        &ctx, ascr->context_handle);

     if (ret_maj) {

         goto done;

@@ -138,7 +148,7 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,

         goto done;

     }

-    if ((ret_flags & GSS_C_DELEG_FLAG) && asca->ret_deleg_cred) {

+    if ((ret_flags & GSS_C_DELEG_FLAG) && asca->ret_deleg_cred && dch) {

         ascr->delegated_cred_handle = calloc(1, sizeof(gssx_cred));

         if (!ascr->delegated_cred_handle) {

             ret_maj = GSS_S_FAILURE;

@@ -159,6 +169,10 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,

                                               &ascr->options.options_val);

 done:

+    if (ret_maj == GSS_S_COMPLETE) {

+        ret_maj = acpt_maj;

+        ret_min = acpt_min;

+    }

     ret = gp_conv_status_to_gssx(&asca->call_ctx,

                                  ret_maj, ret_min, oid,

                                  &ascr->status);

diff --git a/proxy/src/gp_rpc_get_mic.c b/proxy/src/gp_rpc_get_mic.c

index ca60fe4..2db7d3f 100644

--- a/proxy/src/gp_rpc_get_mic.c

+++ b/proxy/src/gp_rpc_get_mic.c

@@ -73,7 +73,7 @@ int gp_get_mic(struct gp_call_ctx *gpcall,

         goto done;

     }

-    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,

+    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,

                                        &context_handle,

                                        gmr->context_handle);

     if (ret_maj) {

diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c

index 944389c..2781238 100644

--- a/proxy/src/gp_rpc_init_sec_context.c

+++ b/proxy/src/gp_rpc_init_sec_context.c

@@ -45,6 +45,8 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,

     gss_buffer_desc obuf = GSS_C_EMPTY_BUFFER;

     uint32_t ret_maj;

     uint32_t ret_min;

+    uint32_t init_maj;

+    uint32_t init_min;

     int exp_ctx_type;

     int ret;

@@ -121,6 +123,12 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,

     if (ret_maj != GSS_S_COMPLETE &&

         ret_maj != GSS_S_CONTINUE_NEEDED) {

         goto done;

+    } else {

+        init_maj = ret_maj;

+        init_min = ret_min;

+    }

+    if (init_maj == GSS_S_CONTINUE_NEEDED) {

+        exp_ctx_type = gp_get_continue_needed_type();

     }

     iscr->context_handle = calloc(1, sizeof(gssx_ctx));

@@ -129,7 +137,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,

         ret_min = ENOMEM;

         goto done;

     }

-    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,

+    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, mech_type,

                                        &ctx, iscr->context_handle);

     if (ret_maj) {

         goto done;

@@ -150,7 +158,13 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,

         }

     }

+    ret_maj = GSS_S_COMPLETE;

+

 done:

+    if (ret_maj == GSS_S_COMPLETE) {

+        ret_maj = init_maj;

+        ret_min = init_min;

+    }

     ret = gp_conv_status_to_gssx(&isca->call_ctx,

                                  ret_maj, ret_min, mech_type,

                                  &iscr->status);

diff --git a/proxy/src/gp_rpc_unwrap.c b/proxy/src/gp_rpc_unwrap.c

index a20b8ea..faffa82 100644

--- a/proxy/src/gp_rpc_unwrap.c

+++ b/proxy/src/gp_rpc_unwrap.c

@@ -85,7 +85,7 @@ int gp_unwrap(struct gp_call_ctx *gpcall,

         goto done;

     }

-    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,

+    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,

                                        &context_handle,

                                        uwr->context_handle);

     if (ret_maj) {

diff --git a/proxy/src/gp_rpc_verify_mic.c b/proxy/src/gp_rpc_verify_mic.c

index 68369a0..a2d3f7e 100644

--- a/proxy/src/gp_rpc_verify_mic.c

+++ b/proxy/src/gp_rpc_verify_mic.c

@@ -76,7 +76,7 @@ int gp_verify_mic(struct gp_call_ctx *gpcall,

         goto done;

     }

-    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,

+    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,

                                        &context_handle,

                                        vmr->context_handle);

     if (ret_maj) {

diff --git a/proxy/src/gp_rpc_wrap.c b/proxy/src/gp_rpc_wrap.c

index d17c292..c2da7ba 100644

--- a/proxy/src/gp_rpc_wrap.c

+++ b/proxy/src/gp_rpc_wrap.c

@@ -85,7 +85,7 @@ int gp_wrap(struct gp_call_ctx *gpcall,

         goto done;

     }

-    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,

+    ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,

                                        &context_handle, wr->context_handle);

     if (ret_maj) {

         goto done;

-- 

1.8.3.1