Tree - rpms/krb5 - CentOS Git server

rpms / krb5

Blame SOURCES/krb5-1.11-gss-client-keytab.patch

Blob History Raw

		5af5b2	`Originally http://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?h=gss_cs&id=a3b9bf20df1d976775ed929d8cb5f4844e03b1bf`
		5af5b2
		5af5b2	`commit a3b9bf20df1d976775ed929d8cb5f4844e03b1bf`
		5af5b2	`Author: Simo Sorce <simo@redhat.com>`
		5af5b2	`Date: Thu Mar 28 12:53:01 2013 -0400`
		5af5b2
		5af5b2	`Add support for client keytab from cred store`
		5af5b2
		5af5b2	`The new credential store extensions added support for specifying a`
		5af5b2	`specific ccache name and also a specific keytab to be used for accepting`
		5af5b2	`security contexts, but did not add a way to specify a client keytab`
		5af5b2	`to be used in conjunction with the Keytab initiation support added also`
		5af5b2	`in 1.11`
		5af5b2
		5af5b2	`This patch introduces a new URN named client_keytab through which a`
		5af5b2	`specific client_keytab can be set when calling gss_acquire_cred_from()`
		5af5b2	`and Keytab Initiation will use that keytab to initialize credentials.`
		5af5b2
		5af5b2	`diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c`
		5af5b2	`index 4d499e4..8540bf3 100644`
		5af5b2	`--- a/src/lib/gssapi/krb5/acquire_cred.c`
		5af5b2	`+++ b/src/lib/gssapi/krb5/acquire_cred.c`
		5af5b2	`@@ -636,6 +636,7 @@ acquire_init_cred(krb5_context context,`
		5af5b2	`OM_uint32 *minor_status,`
		5af5b2	`krb5_ccache req_ccache,`
		5af5b2	`gss_buffer_t password,`
		5af5b2	`+ krb5_keytab client_keytab,`
		5af5b2	`krb5_gss_cred_id_rec *cred)`
		5af5b2	`{`
		5af5b2	`krb5_error_code code;`
		5af5b2	`@@ -659,9 +660,13 @@ acquire_init_cred(krb5_context context,`
		5af5b2	`goto error;`
		5af5b2	`}`
		5af5b2
		5af5b2	`- code = krb5_kt_client_default(context, &cred->client_keytab);`
		5af5b2	`- if (code)`
		5af5b2	`- goto error;`
		5af5b2	`+ if (client_keytab != NULL)`
		5af5b2	`+ cred->client_keytab = client_keytab;`
		5af5b2	`+ else {`
		5af5b2	`+ code = krb5_kt_client_default(context, &cred->client_keytab);`
		5af5b2	`+ if (code)`
		5af5b2	`+ goto error;`
		5af5b2	`+ }`
		5af5b2
		5af5b2	`if (password != GSS_C_NO_BUFFER) {`
		5af5b2	`pwdata = make_data(password->value, password->length);`
		5af5b2	`@@ -719,8 +724,9 @@ static OM_uint32`
		5af5b2	`acquire_cred_context(krb5_context context, OM_uint32 *minor_status,`
		5af5b2	`gss_name_t desired_name, gss_buffer_t password,`
		5af5b2	`OM_uint32 time_req, gss_cred_usage_t cred_usage,`
		5af5b2	`- krb5_ccache ccache, krb5_keytab keytab,`
		5af5b2	`- krb5_boolean iakerb, gss_cred_id_t *output_cred_handle,`
		5af5b2	`+ krb5_ccache ccache, krb5_keytab client_keytab,`
		5af5b2	`+ krb5_keytab keytab, krb5_boolean iakerb,`
		5af5b2	`+ gss_cred_id_t *output_cred_handle,`
		5af5b2	`OM_uint32 *time_rec)`
		5af5b2	`{`
		5af5b2	`krb5_gss_cred_id_t cred = NULL;`
		5af5b2	`@@ -787,7 +793,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,`
		5af5b2	`* in cred->name if it wasn't set above.`
		5af5b2	`*/`
		5af5b2	`if (cred_usage == GSS_C_INITIATE \|\| cred_usage == GSS_C_BOTH) {`
		5af5b2	`- ret = acquire_init_cred(context, minor_status, ccache, password, cred);`
		5af5b2	`+ ret = acquire_init_cred(context, minor_status, ccache, password,`
		5af5b2	`+ client_keytab, cred);`
		5af5b2	`if (ret != GSS_S_COMPLETE)`
		5af5b2	`goto error_out;`
		5af5b2	`}`
		5af5b2	`@@ -864,8 +871,8 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name,`
		5af5b2	`}`
		5af5b2
		5af5b2	`ret = acquire_cred_context(context, minor_status, desired_name, password,`
		5af5b2	`- time_req, cred_usage, ccache, keytab, iakerb,`
		5af5b2	`- output_cred_handle, time_rec);`
		5af5b2	`+ time_req, cred_usage, ccache, NULL, keytab,`
		5af5b2	`+ iakerb, output_cred_handle, time_rec);`
		5af5b2
		5af5b2	`out:`
		5af5b2	`krb5_free_context(context);`
		5af5b2	`@@ -1130,6 +1137,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,`
		5af5b2	`{`
		5af5b2	`krb5_context context = NULL;`
		5af5b2	`krb5_error_code code = 0;`
		5af5b2	`+ krb5_keytab client_keytab = NULL;`
		5af5b2	`krb5_keytab keytab = NULL;`
		5af5b2	`krb5_ccache ccache = NULL;`
		5af5b2	`const char *value;`
		5af5b2	`@@ -1162,6 +1170,19 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,`
		5af5b2	`}`
		5af5b2	`}`
		5af5b2
		5af5b2	`+ ret = kg_value_from_cred_store(cred_store, KRB5_CS_CLI_KEYTAB_URN, &value);`
		5af5b2	`+ if (GSS_ERROR(ret))`
		5af5b2	`+ goto out;`
		5af5b2	`+`
		5af5b2	`+ if (value) {`
		5af5b2	`+ code = krb5_kt_resolve(context, value, &client_keytab);`
		5af5b2	`+ if (code != 0) {`
		5af5b2	`+ *minor_status = code;`
		5af5b2	`+ ret = GSS_S_CRED_UNAVAIL;`
		5af5b2	`+ goto out;`
		5af5b2	`+ }`
		5af5b2	`+ }`
		5af5b2	`+`
		5af5b2	`ret = kg_value_from_cred_store(cred_store, KRB5_CS_KEYTAB_URN, &value);`
		5af5b2	`if (GSS_ERROR(ret))`
		5af5b2	`goto out;`
		5af5b2	`@@ -1176,8 +1197,8 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,`
		5af5b2	`}`
		5af5b2
		5af5b2	`ret = acquire_cred_context(context, minor_status, desired_name, NULL,`
		5af5b2	`- time_req, cred_usage, ccache, keytab, 0,`
		5af5b2	`- output_cred_handle, time_rec);`
		5af5b2	`+ time_req, cred_usage, ccache, client_keytab,`
		5af5b2	`+ keytab, 0, output_cred_handle, time_rec);`
		5af5b2
		5af5b2	`out:`
		5af5b2	`if (ccache != NULL)`
		5af5b2	`diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h`
		5af5b2	`index 8215b10..310ff58 100644`
		5af5b2	`--- a/src/lib/gssapi/krb5/gssapiP_krb5.h`
		5af5b2	`+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h`
		5af5b2	`@@ -1227,6 +1227,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)`
		5af5b2
		5af5b2	`/* Credential store extensions */`
		5af5b2
		5af5b2	`+#define KRB5_CS_CLI_KEYTAB_URN "client_keytab"`
		5af5b2	`#define KRB5_CS_KEYTAB_URN "keytab"`
		5af5b2	`#define KRB5_CS_CCACHE_URN "ccache"`
		5af5b2

rpms / krb5

Source Code

Blame SOURCES/krb5-1.11-gss-client-keytab.patch