[CalendarServer-changes] [7845] PyKerberos/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Mon Aug 1 15:38:56 PDT 2011
Revision: 7845
http://trac.macosforge.org/projects/calendarserver/changeset/7845
Author: wsanchez at apple.com
Date: 2011-08-01 15:38:54 -0700 (Mon, 01 Aug 2011)
Log Message:
-----------
This adds support to authGSSClientInit (gss_init_sec_context) for using the non-default principal. It adds a "principal" kwarg to authGSSClientInit() which gets stashed in the client state struct and used when gss_init_sec_context is called. The default behavior is unchanged.
See Ticket #435.
Modified Paths:
--------------
PyKerberos/trunk/pysrc/kerberos.py
PyKerberos/trunk/src/kerberos.c
PyKerberos/trunk/src/kerberosgss.c
PyKerberos/trunk/src/kerberosgss.h
Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py 2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/pysrc/kerberos.py 2011-08-01 22:38:54 UTC (rev 7845)
@@ -99,7 +99,7 @@
GSS_C_PROT_READY_FLAG = 128
GSS_C_TRANS_FLAG = 256
-def authGSSClientInit(service, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG):
+def authGSSClientInit(service, principal=None, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG):
"""
Initializes a context for GSSAPI client-side authentication with the given service principal.
authGSSClientClean must be called after this function returns an OK result to dispose of
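Review bot: Inserting `principal` before `gssflags` changes what the second positional argument means, so an existing call such as `authGSSClientInit(service, GSS_C_MUTUAL_FLAG)` now hands the flags to the principal slot and, with the `"s|sl"` parse format in the companion kerberos.c hunk, fails with a TypeError. Appending the new parameter after the existing one — `def authGSSClientInit(service, gssflags=GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG, principal=None):` — keeps positional callers working, with the kwlist order in kerberos.c changed to match. If positional use of gssflags was never supported, a sentence in the docstring saying that `principal` must be passed by keyword would at least document the break. The function body continues past the hunk.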
@@ -107,6 +107,8 @@
@param service: a string containing the service principal in the form 'type at fqdn'
(e.g. 'imap at mail.apple.com').
+ @param principal: optional string containing the client principal in the form 'user at realm'
+ (e.g. 'jdoe at example.com').
@param gssflags: optional integer used to set GSS flags.
(e.g. GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow
for forwarding credentials to the remote host)
Modified: PyKerberos/trunk/src/kerberos.c
===================================================================
--- PyKerberos/trunk/src/kerberos.c 2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/src/kerberos.c 2011-08-01 22:38:54 UTC (rev 7845)
@@ -85,19 +85,20 @@
static PyObject* authGSSClientInit(PyObject* self, PyObject* args, PyObject* keywds)
{
const char *service;
+ const char *principal;
gss_client_state *state;
PyObject *pystate;
- static char *kwlist[] = {"service", "gssflags", NULL};
+ static char *kwlist[] = {"service", "principal", "gssflags", NULL};
long int gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
int result = 0;
- if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|l", kwlist, &service, &gss_flags))
+ if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|sl", kwlist, &service, &principal, &gss_flags))
return NULL;
state = (gss_client_state *) malloc(sizeof(gss_client_state));
pystate = PyCObject_FromVoidPtr(state, NULL);
- result = authenticate_gss_client_init(service, gss_flags, state);
+ result = authenticate_gss_client_init(service, principal, gss_flags, state);
if (result == AUTH_GSS_ERROR)
return NULL;
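Review bot: `principal` in the added declaration is never initialized, and `PyArg_ParseTupleAndKeywords` leaves an absent optional argument untouched, so a call that omits the new kwarg passes an indeterminate pointer into `authenticate_gss_client_init`, whose `if (principal && *principal)` then reads it. Declaring it as `const char *principal = NULL;` makes the "not given" case well-defined. The documented Python default is `None`, which the `s` converter rejects with a TypeError; `"s|zl"` accepts `None` and stores NULL, which is exactly the value the C side already treats as "use the default credential". The enclosing function continues past the hunk.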
Modified: PyKerberos/trunk/src/kerberosgss.c
===================================================================
--- PyKerberos/trunk/src/kerberosgss.c 2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/src/kerberosgss.c 2011-08-01 22:38:54 UTC (rev 7845)
@@ -106,16 +106,18 @@
return result;
}
-int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state)
+int authenticate_gss_client_init(const char* service, const char* principal, long int gss_flags, gss_client_state* state)
{
OM_uint32 maj_stat;
OM_uint32 min_stat;
gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc principal_token = GSS_C_EMPTY_BUFFER;
int ret = AUTH_GSS_COMPLETE;
state->server_name = GSS_C_NO_NAME;
state->context = GSS_C_NO_CONTEXT;
state->gss_flags = gss_flags;
+ state->client_creds = GSS_C_NO_CREDENTIAL;
state->username = NULL;
state->response = NULL;
@@ -132,6 +134,40 @@
goto end;
}
+ // Get credential for principal
+ if (principal && *principal)
+ {
+ gss_name_t name;
+ principal_token.length = strlen(principal);
+ principal_token.value = (char *)principal;
+
+ maj_stat = gss_import_name(&min_stat, &principal_token, GSS_C_NT_USER_NAME, &name);
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
+
+ maj_stat = gss_acquire_cred(&min_stat, name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_INITIATE,
+ &state->client_creds, NULL, NULL);
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
+
+ maj_stat = gss_release_name(&min_stat, &name);
+ if (GSS_ERROR(maj_stat))
+ {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
+
+ }
+
end:
return ret;
}
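Review bot: `name` is leaked when `gss_acquire_cred` fails, because that error branch jumps to `end` before the `gss_release_name` call that follows it. Releasing inside the branch, after `set_gss_error` has recorded the failure so the reported `min_stat` is not overwritten — `OM_uint32 rel_min; gss_release_name(&rel_min, &name);` — closes the leak. Separately, on every error path here the credential already stored in `state->client_creds` is only freed by `authenticate_gss_client_clean`, which the kerberos.c caller does not reach when it returns NULL on `AUTH_GSS_ERROR`; that appears to be pre-existing behaviour for `server_name` as well. The function starts before this hunk.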
@@ -146,6 +182,8 @@
maj_stat = gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
if (state->server_name != GSS_C_NO_NAME)
maj_stat = gss_release_name(&min_stat, &state->server_name);
+ if (state->client_creds != GSS_C_NO_CREDENTIAL)
+ maj_stat = gss_release_cred(&min_stat, &state->client_creds);
if (state->username != NULL)
{
free(state->username);
@@ -185,7 +223,7 @@
// Do GSSAPI step
maj_stat = gss_init_sec_context(&min_stat,
- GSS_C_NO_CREDENTIAL,
+ state->client_creds,
&state->context,
state->server_name,
GSS_C_NO_OID,
Modified: PyKerberos/trunk/src/kerberosgss.h
===================================================================
--- PyKerberos/trunk/src/kerberosgss.h 2011-08-01 22:09:46 UTC (rev 7844)
+++ PyKerberos/trunk/src/kerberosgss.h 2011-08-01 22:38:54 UTC (rev 7845)
@@ -32,6 +32,7 @@
gss_ctx_id_t context;
gss_name_t server_name;
long int gss_flags;
+ gss_cred_id_t client_creds;
char* username;
char* response;
} gss_client_state;
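Review bot: The new `client_creds` member carries no comment about its lifetime, although this header is the only place a reader can learn who owns it. A one-line comment such as `gss_cred_id_t client_creds; /* GSS_C_NO_CREDENTIAL unless a client principal was given; released by authenticate_gss_client_clean */` states what the kerberosgss.c hunks establish. The struct definition begins before this hunk.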
@@ -49,7 +50,7 @@
char* server_principal_details(const char* service, const char* hostname);
-int authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state);
+int authenticate_gss_client_init(const char* service, const char* principal, long int gss_flags, gss_client_state* state);
int authenticate_gss_client_clean(gss_client_state *state);
int authenticate_gss_client_step(gss_client_state *state, const char *challenge);
int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);