
Commit 1b4144e

committed
refactor(gss): update implementation to latest from upstream
1 parent 987ad89 commit 1b4144e


1 file changed

+21
-18
lines changed


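--- a/src/kerberos_gss.cc
+++ b/src/kerberos_gss.cc
@@ -126,15 +126,17 @@ gss_result* server_principal_details(const char* service, const char* hostname)
 return result;
 }
 
-gss_result* authenticate_gss_client_init(const char* service, const char* principal, long int gss_flags, gss_OID mech_oid, gss_client_state* state)
+gss_result* authenticate_gss_client_init(
+const char* service, const char* principal, long int gss_flags,
+gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state
+)
 {
 OM_uint32 maj_stat;
 OM_uint32 min_stat;
 gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc principal_token = GSS_C_EMPTY_BUFFER;
 gss_result* ret = NULL;
 
-gss_OID mech;
 state->server_name = GSS_C_NO_NAME;
 state->mech_oid = mech_oid;
 state->context = GSS_C_NO_CONTEXT;
@@ -147,22 +149,22 @@ gss_result* authenticate_gss_client_init(const char* service, const char* princi
 name_token.length = strlen(service);
 name_token.value = (char *)service;
 
-// could be in principal name format, i.e. service/fqdn@REALM
-if (strchr(service, '/'))
-mech = GSS_C_NO_OID;
-else
-mech = gss_krb5_nt_service_name;
-
-maj_stat = gss_import_name(&min_stat, &name_token, mech, &state->server_name);
+maj_stat = gss_import_name(
+&min_stat, &name_token, gss_krb5_nt_service_name, &state->server_name
+);
 
 if (GSS_ERROR(maj_stat))
 {
 ret = gss_error_result(maj_stat, min_stat);
 goto end;
 }
 
-// Get credential for principal
-if (principal && *principal)
+// Use the delegate credentials if they exist
+if (delegatestate && delegatestate->client_creds != GSS_C_NO_CREDENTIAL) {
+state->client_creds = delegatestate->client_creds;
+}
+// If available use the principal to extract its associated credentials
+else if (principal && *principal)
 {
 gss_name_t name;
 principal_token.length = strlen(principal);
@@ -175,8 +177,10 @@ gss_result* authenticate_gss_client_init(const char* service, const char* princi
 goto end;
 }
 
-maj_stat = gss_acquire_cred(&min_stat, name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_INITIATE,
-&state->client_creds, NULL, NULL);
+maj_stat = gss_acquire_cred(
+&min_stat, name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+GSS_C_INITIATE, &state->client_creds, NULL, NULL
+);
 if (GSS_ERROR(maj_stat))
 {
 ret = gss_error_result(maj_stat, min_stat);
@@ -189,8 +193,7 @@ gss_result* authenticate_gss_client_init(const char* service, const char* princi
 ret = gss_error_result(maj_stat, min_stat);
 goto end;
 }
-
-}
+}
 
 ret = gss_success_result(AUTH_GSS_COMPLETE);
 end:
@@ -199,14 +202,15 @@ gss_result* authenticate_gss_client_init(const char* service, const char* princi
 
 int authenticate_gss_client_clean(gss_client_state *state)
 {
+OM_uint32 maj_stat;
 OM_uint32 min_stat;
 int ret = AUTH_GSS_COMPLETE;
 
 if (state->context != GSS_C_NO_CONTEXT)
 gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
 if (state->server_name != GSS_C_NO_NAME)
 gss_release_name(&min_stat, &state->server_name);
-if (state->client_creds != GSS_C_NO_CREDENTIAL)
+if (state->client_creds != GSS_C_NO_CREDENTIAL && !(state->gss_flags & GSS_C_DELEG_FLAG))
 gss_release_cred(&min_stat, &state->client_creds);
 if (state->username != NULL)
 {
@@ -226,7 +230,6 @@ gss_result* authenticate_gss_client_step(gss_client_state* state, const char* ch
 {
 OM_uint32 maj_stat;
 OM_uint32 min_stat;
-OM_uint32 ret_flags; // Not used, but may be necessary for gss call.
 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
 gss_result* ret = NULL;
@@ -265,7 +268,7 @@ gss_result* authenticate_gss_client_step(gss_client_state* state, const char* ch
 &input_token,
 NULL,
 &output_token,
-&ret_flags,
+NULL
 NULL);
 
 if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED))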
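Review bot: The release guard in authenticate_gss_client_clean, `!(state->gss_flags & GSS_C_DELEG_FLAG)`, keys credential ownership on a negotiation flag rather than on where `client_creds` actually came from: authenticate_gss_client_init now copies `delegatestate->client_creds` into `state->client_creds` without duplicating it, so a client state built from a delegate without that flag would release a handle the server state still holds (double release on the server-side clean), while a state with the flag set whose creds came from gss_acquire_cred leaks them; I could not see where `state->gss_flags` is assigned, so that part is inferred. A provenance field on gss_client_state (declared outside this diff) would make the ownership explicit, e.g. `state->creds_borrowed = true;` in the delegate branch of init and `if (state->client_creds != GSS_C_NO_CREDENTIAL && !state->creds_borrowed)` in clean. Dropping `ret_flags` in authenticate_gss_client_step also removes the only way to confirm that the flags requested in `state->gss_flags` (mutual authentication, integrity, delegation) were actually granted by gss_init_sec_context; keeping `&ret_flags` and checking it once `maj_stat == GSS_S_COMPLETE` would be the defensive choice. As rendered, the replacement line `NULL` in that call has no trailing comma before the unchanged `NULL);`, which would not compile, so please confirm that is not a display artefact. The bodies of both functions extend beyond the hunks shown.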
