[CalendarServer-changes] [7845] PyKerberos/trunk

source_changes at macosforge.org source_changes at macosforge.org
Mon Aug 1 15:38:56 PDT 2011


Revision: 7845
          http://trac.macosforge.org/projects/calendarserver/changeset/7845
Author:   wsanchez at apple.com
Date:     2011-08-01 15:38:54 -0700 (Mon, 01 Aug 2011)
Log Message:
-----------
This adds support to authGSSClientInit (gss_init_sec_context) for using the non-default principal. It adds a "principal" kwarg to authGSSClientInit() which gets stashed in the client state struct and used when gss_init_sec_context is called. The default behavior is unchanged.

See Ticket #435.

Modified Paths:
--------------
    PyKerberos/trunk/pysrc/kerberos.py
    PyKerberos/trunk/src/kerberos.c
    PyKerberos/trunk/src/kerberosgss.c
    PyKerberos/trunk/src/kerberosgss.h

Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py	2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/pysrc/kerberos.py	2011-08-01 22:38:54 UTC (rev 7845)
@@ -99,7 +99,7 @@
 GSS_C_PROT_READY_FLAG = 128 
 GSS_C_TRANS_FLAG      = 256 
      
-def authGSSClientInit(service, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG):
+def authGSSClientInit(service, principal=None, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG):
     """
     Initializes a context for GSSAPI client-side authentication with the given service principal.
     authGSSClientClean must be called after this function returns an OK result to dispose of
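Review bot: Inserting `principal` ahead of `gssflags` in the signature on the `def` line changes the meaning of the second positional argument, so an existing caller written as `authGSSClientInit(service, GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG)` now passes its flags as the principal (the C binding in this commit parses it with an `s` format and would reject the int). Appending the new parameter last, `def authGSSClientInit(service, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG, principal=None):`, keeps positional callers working; if the current order is kept on purpose, the docstring should say that `principal` is the second positional argument. The same ordering is mirrored in the kwlist change in kerberos.c. The function body continues beyond the hunk.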
@@ -107,6 +107,8 @@
 
     @param service: a string containing the service principal in the form 'type at fqdn'
         (e.g. 'imap at mail.apple.com').
+    @param principal: optional string containing the client principal in the form 'user at realm'
+        (e.g. 'jdoe at example.com').
     @param gssflags: optional integer used to set GSS flags.
         (e.g.  GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow 
         for forwarding credentials to the remote host)

Modified: PyKerberos/trunk/src/kerberos.c
===================================================================
--- PyKerberos/trunk/src/kerberos.c	2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/src/kerberos.c	2011-08-01 22:38:54 UTC (rev 7845)
@@ -85,19 +85,20 @@
 static PyObject* authGSSClientInit(PyObject* self, PyObject* args, PyObject* keywds)
 {
     const char *service;
+    const char *principal;
     gss_client_state *state;
     PyObject *pystate;
-    static char *kwlist[] = {"service", "gssflags", NULL};
+    static char *kwlist[] = {"service", "principal", "gssflags", NULL};
     long int gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
     int result = 0;
 
-    if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|l", kwlist, &service, &gss_flags))
+    if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|sl", kwlist, &service, &principal, &gss_flags))
         return NULL;
 
     state = (gss_client_state *) malloc(sizeof(gss_client_state));
     pystate = PyCObject_FromVoidPtr(state, NULL);
 
-    result = authenticate_gss_client_init(service, gss_flags, state);
+    result = authenticate_gss_client_init(service, principal, gss_flags, state);
     if (result == AUTH_GSS_ERROR)
         return NULL;
 
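Review bot: `principal` is declared without an initializer, and because it sits in the optional part of the `"s|sl"` format `PyArg_ParseTupleAndKeywords` leaves it untouched when the keyword is omitted, so the `if (principal && *principal)` test in authenticate_gss_client_init reads an indeterminate pointer. Initialize it, `const char *principal = NULL;`, and use the `z` converter, `"s|zl"`, so that the `principal=None` default documented in kerberos.py is accepted instead of raising a TypeError. On the AUTH_GSS_ERROR path the function still returns NULL without freeing `state` or calling the clean routine, which now also drops an acquired credential; that leak predates this change but the new field makes it more expensive. authGSSClientInit continues past the hunk.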

Modified: PyKerberos/trunk/src/kerberosgss.c
===================================================================
--- PyKerberos/trunk/src/kerberosgss.c	2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/src/kerberosgss.c	2011-08-01 22:38:54 UTC (rev 7845)
@@ -106,16 +106,18 @@
     return result;
 }
 
-int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state)
+int authenticate_gss_client_init(const char* service, const char* principal, long int gss_flags, gss_client_state* state)
 {
     OM_uint32 maj_stat;
     OM_uint32 min_stat;
     gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
+    gss_buffer_desc principal_token = GSS_C_EMPTY_BUFFER;
     int ret = AUTH_GSS_COMPLETE;
     
     state->server_name = GSS_C_NO_NAME;
     state->context = GSS_C_NO_CONTEXT;
     state->gss_flags = gss_flags;
+    state->client_creds = GSS_C_NO_CREDENTIAL;
     state->username = NULL;
     state->response = NULL;
     
@@ -132,6 +134,40 @@
         goto end;
     }
     
+    // Get credential for principal
+    if (principal && *principal)
+    {
+        gss_name_t name;
+        principal_token.length = strlen(principal);
+        principal_token.value = (char *)principal;
+
+        maj_stat = gss_import_name(&min_stat, &principal_token, GSS_C_NT_USER_NAME, &name);
+        if (GSS_ERROR(maj_stat))
+        {
+            set_gss_error(maj_stat, min_stat);
+            ret = AUTH_GSS_ERROR;
+	    goto end;
+        }
+
+        maj_stat = gss_acquire_cred(&min_stat, name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_INITIATE, 
+                                    &state->client_creds, NULL, NULL);
+        if (GSS_ERROR(maj_stat))
+        {
+            set_gss_error(maj_stat, min_stat);
+            ret = AUTH_GSS_ERROR;
+	    goto end;
+        }
+
+        maj_stat = gss_release_name(&min_stat, &name);
+        if (GSS_ERROR(maj_stat))
+        {
+	    set_gss_error(maj_stat, min_stat);
+            ret = AUTH_GSS_ERROR;
+            goto end;
+        }
+
+      }
+
 end:
     return ret;
 }
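Review bot: When `gss_acquire_cred` fails, the `goto end` in that branch skips the later `gss_release_name`, so the name imported by `gss_import_name` is leaked on every bad-principal call; add `gss_release_name(&min_stat, &name);` after the `set_gss_error(maj_stat, min_stat);` line of that branch (after, so the error already captured is not overwritten by the release's minor status). Consider also initializing `gss_name_t name = GSS_C_NO_NAME;` so the variable never holds an indeterminate value. The `goto end;` lines inside the two error branches and the `set_gss_error` call in the third are tab-indented while the rest of the file uses spaces, and the closing brace of the `if` block is indented two columns deeper than its opener; both should be normalized to the surrounding style.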
@@ -146,6 +182,8 @@
         maj_stat = gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
     if (state->server_name != GSS_C_NO_NAME)
         maj_stat = gss_release_name(&min_stat, &state->server_name);
+    if (state->client_creds != GSS_C_NO_CREDENTIAL)
+        maj_stat = gss_release_cred(&min_stat, &state->client_creds);
     if (state->username != NULL)
     {
         free(state->username);
@@ -185,7 +223,7 @@
     
     // Do GSSAPI step
     maj_stat = gss_init_sec_context(&min_stat,
-                                    GSS_C_NO_CREDENTIAL,
+                                    state->client_creds,
                                     &state->context,
                                     state->server_name,
                                     GSS_C_NO_OID,

Modified: PyKerberos/trunk/src/kerberosgss.h
===================================================================
--- PyKerberos/trunk/src/kerberosgss.h	2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/src/kerberosgss.h	2011-08-01 22:38:54 UTC (rev 7845)
@@ -32,6 +32,7 @@
     gss_ctx_id_t     context;
     gss_name_t       server_name;
     long int         gss_flags;
+    gss_cred_id_t    client_creds;
     char*            username;
     char*            response;
 } gss_client_state;
@@ -49,7 +50,7 @@
 
 char* server_principal_details(const char* service, const char* hostname);
 
-int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state);
+int authenticate_gss_client_init(const char* service, const char* principal, long int gss_flags, gss_client_state* state);
 int authenticate_gss_client_clean(gss_client_state *state);
 int authenticate_gss_client_step(gss_client_state *state, const char *challenge);
 int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);
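Review bot: The new `principal` parameter on the prototype is undocumented, and nothing in the header says that NULL and the empty string are both treated as "use the default credential" (which is what the implementation in kerberosgss.c does). A short comment above the declaration would help callers: `/* principal: optional client principal ("user@realm"); NULL or "" uses the default credential. */`. The same contract applies to the `client_creds` member added to gss_client_state in the first hunk, which is GSS_C_NO_CREDENTIAL unless a principal was given and must be released with authenticate_gss_client_clean.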