Add password= keyword to authGSSClientInit

apple · Oct 27, 2019 · 430a12b · 430a12b
1 parent 51a4c34
commit 430a12b
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 11 deletions.
diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py
@@ -160,6 +160,8 @@ def authGSSClientInit(service, **kwargs):
 
     @param mech_oid: Optional GGS mech OID
 
+    @param password: Optional string containing the service principal's password
+
     @return: A tuple of (result, context) where result is the result code (see
         above) and context is an opaque value that will need to be passed to
         subsequent functions.

diff --git a/src/kerberos.c b/src/kerberos.c
@@ -151,21 +151,22 @@ static PyObject* authGSSClientInit(PyObject* self, PyObject* args, PyObject* key
 {
     const char *service = NULL;
     const char *principal = NULL;
+    const char *password = NULL;
     gss_client_state *state = NULL;
     PyObject *pystate = NULL;
     gss_server_state *delegatestate = NULL;
     PyObject *pydelegatestate = NULL;
     gss_OID mech_oid = GSS_C_NO_OID;
     PyObject *pymech_oid = NULL;
     static char *kwlist[] = {
-        "service", "principal", "gssflags", "delegated", "mech_oid", NULL
+        "service", "principal", "gssflags", "delegated", "mech_oid", "password", NULL
     };
     long int gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
     int result = 0;
 
     if (! PyArg_ParseTupleAndKeywords(
-        args, keywds, "s|zlOO", kwlist,
-        &service, &principal, &gss_flags, &pydelegatestate, &pymech_oid
+        args, keywds, "s|zlOOz", kwlist,
+        &service, &principal, &gss_flags, &pydelegatestate, &pymech_oid, &password
     )) {
         return NULL;
     }
@@ -191,7 +192,7 @@ static PyObject* authGSSClientInit(PyObject* self, PyObject* args, PyObject* key
     }
 
     result = authenticate_gss_client_init(
-        service, principal, gss_flags, delegatestate, mech_oid, state
+        service, principal, gss_flags, delegatestate, mech_oid, state, password
     );
 
     if (result == AUTH_GSS_ERROR) {

diff --git a/src/kerberosgss.c b/src/kerberosgss.c
@@ -128,15 +128,16 @@ char* server_principal_details(const char* service, const char* hostname)
 
 int authenticate_gss_client_init(
     const char* service, const char* principal, long int gss_flags,
-    gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state
+    gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state,
+    const char *password
 )
 {
     OM_uint32 maj_stat;
     OM_uint32 min_stat;
     gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc principal_token = GSS_C_EMPTY_BUFFER;
     int ret = AUTH_GSS_COMPLETE;
-    
+
     state->server_name = GSS_C_NO_NAME;
     state->mech_oid = mech_oid;
     state->context = GSS_C_NO_CONTEXT;
@@ -177,10 +178,24 @@ int authenticate_gss_client_init(
     	    goto end;
         }
 
-        maj_stat = gss_acquire_cred(
-            &min_stat, name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
-            GSS_C_INITIATE, &state->client_creds, NULL, NULL
-        );
+        if (password != NULL) {
+            gss_buffer_desc gss_password = {
+                .length = strlen(password),
+                .value = password
+            };
+            maj_stat = gss_acquire_cred_with_password(
+                &min_stat, name, &gss_password,
+                GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+                GSS_C_INITIATE, &state->client_creds, NULL, NULL
+            );
+        } else {
+            printf("No password provided\n");
+            maj_stat = gss_acquire_cred(
+                &min_stat, name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+                GSS_C_INITIATE, &state->client_creds, NULL, NULL
+            );
+        }
+
         if (GSS_ERROR(maj_stat)) {
             set_gss_error(maj_stat, min_stat);
             ret = AUTH_GSS_ERROR;

diff --git a/src/kerberosgss.h b/src/kerberosgss.h
@@ -17,6 +17,7 @@
 #include <gssapi/gssapi.h>
 #include <gssapi/gssapi_generic.h>
 #include <gssapi/gssapi_krb5.h>
+#include <gssapi/gssapi_ext.h>
 
 #define krb5_get_err_text(context,code) error_message(code)
 
@@ -55,7 +56,8 @@ char* server_principal_details(const char* service, const char* hostname);
 
 int authenticate_gss_client_init(
     const char* service, const char* principal, long int gss_flags,
-    gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state
+    gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state,
+    const char *password
 );
 int authenticate_gss_client_clean(
     gss_client_state *state