[CalendarServer-changes] [10616] PyKerberos/trunk

Fri Feb 1 08:30:18 PST 2013


Revision: 10616
          http://trac.calendarserver.org//changeset/10616
Author:   wsanchez at apple.com
Date:     2013-02-01 08:30:18 -0800 (Fri, 01 Feb 2013)
Log Message:
-----------
Add encryption support to authGSSClientWrap/authGSSClientUnwrap.
Submitted by: ikatrina at yahoo.com
Fixes #796

Modified Paths:
--------------
    PyKerberos/trunk/pysrc/kerberos.py
    PyKerberos/trunk/src/kerberos.c
    PyKerberos/trunk/src/kerberosgss.c
    PyKerberos/trunk/src/kerberosgss.h

Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py	2013-02-01 00:24:04 UTC (rev 10615)
+++ PyKerberos/trunk/pysrc/kerberos.py	2013-02-01 16:30:18 UTC (rev 10616)
@@ -143,6 +143,14 @@
     @return: a string containing the base64-encoded client data to be sent to the server.
     """
 
+def authGSSClientResponseConf(context):
+    """
+    Returns 1 if confidentiality was enabled in the previously unwrapped buffer.  0 otherwise.
+
+    @param context: the context object returned from authGSSClientInit.
+    @return: an integer representing the confidentiality of the previously unwrapped buffer.
+    """
+
 def authGSSClientUserName(context):
     """
     Get the user name of the principal authenticated via the now complete GSSAPI client-side operations.
@@ -160,12 +168,13 @@
     @return: a result code (see above) 
     """ 
 
-def authGSSClientWrap(context, data, user=None): 
+def authGSSClientWrap(context, data, user=None, protect=0): 
     """ 
     Perform the client side GSSAPI wrap step.  
     
     @param data:the result of the authGSSClientResponse after the authGSSClientUnwrap 
     @param user: the user to authorize 
+    @param protect: if 0 then just provide integrity protection, if 1, then provide confidentiality as well.
     @return: a result code (see above) 
     """ 
 
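Review bot: The new `protect` docstring overstates what the flag does: the C side hands it to gss_wrap as conf_req_flag, which is a request, and any non-zero value (not only 1) selects it. Suggested wording: `@param protect: if 0 only integrity protection is requested; if non-zero, confidentiality (encryption) is requested as well. Whether the mechanism actually applied confidentiality is not reported by this call.` The authGSSClientUnwrap docstring (outside this hunk) would also benefit from a pointer to authGSSClientResponseConf, since that is the only way for a caller to learn whether the unwrapped buffer was encrypted.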

Modified: PyKerberos/trunk/src/kerberos.c
===================================================================
--- PyKerberos/trunk/src/kerberos.c	2013-02-01 00:24:04 UTC (rev 10615)
+++ PyKerberos/trunk/src/kerberos.c	2013-02-01 16:30:18 UTC (rev 10616)
@@ -158,6 +158,26 @@
     return Py_BuildValue("i", result);
 }
 
+static PyObject *authGSSClientResponseConf(PyObject *self, PyObject *args)
+{
+    gss_client_state *state;
+    PyObject *pystate;
+
+    if (!PyArg_ParseTuple(args, "O", &pystate))
+        return NULL;
+
+    if (!PyCObject_Check(pystate)) {
+        PyErr_SetString(PyExc_TypeError, "Expected a context object");
+        return NULL;
+    }
+
+    state = (gss_client_state *)PyCObject_AsVoidPtr(pystate);
+    if (state == NULL)
+        return NULL;
+
+    return Py_BuildValue("i", state->responseConf);
+}
+
 static PyObject *authGSSClientResponse(PyObject *self, PyObject *args)
 {
     gss_client_state *state;
@@ -230,9 +250,10 @@
 	PyObject *pystate;
 	char *challenge = NULL;
 	char *user = NULL;
+	int protect = 0;
 	int result = 0;
 
-	if (!PyArg_ParseTuple(args, "Os|z", &pystate, &challenge, &user))
+	if (!PyArg_ParseTuple(args, "Os|zi", &pystate, &challenge, &user, &protect))
 		return NULL;
 
 	if (!PyCObject_Check(pystate)) {
@@ -244,7 +265,7 @@
 	if (state == NULL)
 		return NULL;
 
-	result = authenticate_gss_client_wrap(state, challenge, user);
+	result = authenticate_gss_client_wrap(state, challenge, user, protect);
 	if (result == AUTH_GSS_ERROR)
 		return NULL;
 
@@ -398,6 +419,8 @@
      "Do a client-side GSSAPI step."},
     {"authGSSClientResponse",  authGSSClientResponse, METH_VARARGS,
      "Get the response from the last client-side GSSAPI step."},
+    {"authGSSClientResponseConf",  authGSSClientResponseConf, METH_VARARGS,
+     "return 1 if confidentiality was set in the last unwrapped buffer, 0 otherwise."},
     {"authGSSClientUserName",  authGSSClientUserName, METH_VARARGS,
      "Get the user name from the last client-side GSSAPI step."},
     {"authGSSServerInit",  authGSSServerInit, METH_VARARGS,
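Review bot: The method-table docstring for authGSSClientResponseConf starts lowercase and uses "set" where the kerberos.py docstring says "enabled", so the two descriptions of the same function disagree in wording. Suggest `"Return 1 if confidentiality was applied to the last unwrapped buffer, 0 otherwise."`, which also matches the capitalised imperative style of the neighbouring entries.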

Modified: PyKerberos/trunk/src/kerberosgss.c
===================================================================
--- PyKerberos/trunk/src/kerberosgss.c	2013-02-01 00:24:04 UTC (rev 10615)
+++ PyKerberos/trunk/src/kerberosgss.c	2013-02-01 16:30:18 UTC (rev 10616)
@@ -302,12 +302,14 @@
 	gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
 	gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
 	int ret = AUTH_GSS_CONTINUE;
+	int conf = 0;
     
 	// Always clear out the old response
 	if (state->response != NULL)
 	{
 		free(state->response);
 		state->response = NULL;
+		state->responseConf = 0;
 	}
     
 	// If there is a challenge (data from the server) we need to give it to GSS
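Review bot: `state->responseConf = 0;` is reset only inside the `if (state->response != NULL)` branch, so the flag is tied to whether a previous response string existed rather than to this unwrap call; moving the assignment above the `if` so it runs unconditionally makes the field's meaning "result of the most recent unwrap" regardless of history. This matters because the field is only written on success in the hunk at -339 (when `output_token.length` is non-zero), so any failed or empty unwrap leaves whatever was there before. Also, the initial value of the new field depends on authenticate_gss_client_init, which is not in this diff; if that function sets fields individually rather than zeroing the struct, responseConf would start uninitialized and authGSSClientResponseConf could report confidentiality that never happened — worth confirming. The enclosing function authenticate_gss_client_unwrap begins before this hunk.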
@@ -323,7 +325,7 @@
                           state->context,
                           &input_token,
                           &output_token,
-                          NULL,
+                          &conf,
                           NULL);
     
 	if (maj_stat != GSS_S_COMPLETE)
@@ -339,6 +341,7 @@
 	if (output_token.length)
 	{
 		state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);
+		state->responseConf = conf;
 		maj_stat = gss_release_buffer(&min_stat, &output_token);
 	}
 end:
@@ -349,7 +352,7 @@
 	return ret;
 }
 
-int authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user)
+int authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user, int protect)
 {
 	OM_uint32 maj_stat;
 	OM_uint32 min_stat;
@@ -400,7 +403,7 @@
 	// Do GSSAPI wrap
 	maj_stat = gss_wrap(&min_stat,
 						state->context,
-						0,
+						protect,
 						GSS_C_QOP_DEFAULT,
 						&input_token,
 						NULL,
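Review bot: Passing `protect` as gss_wrap's conf_req_flag only requests confidentiality; the conf_state output argument (the `NULL` following `&input_token`) is still discarded, so a mechanism that cannot or does not encrypt will return a plain integrity-only token and the caller, having asked for `protect=1`, sends it believing it is encrypted. Declare `int conf_state = 0;` alongside the other locals (outside this hunk), replace that `NULL,` with `&conf_state,`, and after the call treat `protect && !conf_state` as a failure (returning AUTH_GSS_ERROR through the function's existing error path) or at minimum record it on the state so Python can inspect it, as is now done for unwrap. The gss_wrap call and the rest of authenticate_gss_client_wrap continue past the end of this hunk.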

Modified: PyKerberos/trunk/src/kerberosgss.h
===================================================================
--- PyKerberos/trunk/src/kerberosgss.h	2013-02-01 00:24:04 UTC (rev 10615)
+++ PyKerberos/trunk/src/kerberosgss.h	2013-02-01 16:30:18 UTC (rev 10616)
@@ -35,6 +35,7 @@
     gss_cred_id_t    client_creds;
     char*            username;
     char*            response;
+    int              responseConf;
 } gss_client_state;
 
 typedef struct {
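Review bot: The new `responseConf` member has no comment, and its semantics (when it is valid, what resets it) are not obvious from the name; suggest `int responseConf; /* conf_state reported by gss_unwrap for the token in 'response': non-zero if it carried confidentiality; reset whenever 'response' is cleared */`. The prototype hunk at -54 below would likewise benefit from a one-line comment noting that `protect` is passed to gss_wrap as conf_req_flag and is a request, not a guarantee.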
@@ -54,7 +55,7 @@
 int authenticate_gss_client_clean(gss_client_state *state);
 int authenticate_gss_client_step(gss_client_state *state, const char *challenge);
 int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);
-int authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user);
+int authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user, int protect);
 
 int authenticate_gss_server_init(const char* service, gss_server_state* state);
 int authenticate_gss_server_clean(gss_server_state *state);