From 2871fac45ba566730daf008a129cad5446755b0e Mon Sep 17 00:00:00 2001
From: "Robbie Harwood (frozencemetery)"
Date: Mon, 19 Jan 2015 16:38:53 -0500
Subject: [PATCH] Untested code that hopefully works. Will eventually close #5.
---
 docs/source/gssapi.raw.rst | 8 ++
 gssapi/raw/ext_password.pyx | 167 ++++++++++++++++++++++++++++++++++++
 setup.py | 1 +
 3 files changed, 176 insertions(+)
 create mode 100644 gssapi/raw/ext_password.pyx
diff --git a/docs/source/gssapi.raw.rst b/docs/source/gssapi.raw.rst
index 86b7b6a6..858981c9 100644
--- a/docs/source/gssapi.raw.rst
+++ b/docs/source/gssapi.raw.rst
@@ -57,6 +57,14 @@ raw Package
 :undoc-members:
 :show-inheritance:
 
+:mod:`ext_password` Module
+---------------------
+
+.. automodule:: gssapi.raw.ext_password
+ :members:
+ :undoc-members:
+ :show-inheritance:
+
 :mod:`mech_krb5` Module
 -----------------------
 
diff --git a/gssapi/raw/ext_password.pyx b/gssapi/raw/ext_password.pyx
new file mode 100644
index 00000000..bd2eca5d
--- /dev/null
+++ b/gssapi/raw/ext_password.pyx
@@ -0,0 +1,167 @@
+GSSAPI="BASE" # This ensures that a full module is generated by Cythin
+
+cdef extern from "gssapi/gssapi_ext.h":
+ OM_uint32 gss_acquire_cred_with_password(OM_uint32 *min_stat,
+ const gss_name_t desired_name,
+ const gss_buffer_t password,
+ OM_uint32 ttl,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t *output_creds,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *actual_ttl) nogil
+
+ OM_uint32 gss_add_cred_with_password(OM_uint32 *min_stat,
+ const gss_cred_id_t input_cred_handle,
+ const gss_name_t desired_name,
+ const gss_OID desired_mech,
+ const gss_buffer_t password,
+ gss_cred_usage_t cred_usage,
+ OM_uint32 initiator_ttl,
+ OM_uint32 acceptor_ttl,
+ gss_cred_id_t *output_creds,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *actual_init_ttl,
+ OM_uint32 *actual_accept_ttl) nogil
+
+def acquire_cred_with_password(Name name not None, password not None,
+ lifetime=None, mechs=None, usage="initiate"):
+ """
+ Acquire credentials through provided password.
+
+ This function is originally from Solaris and is not documented by either
+ MIT or Heimdal.
+
+ Args:
+ name (Name): the name to acquire credentials for
+ password (str): the password used to acquire credentialss with
+ lifetime (int): the lifetime for the credentials (or None for
+ indefinite)
+ mechs ([MechType]): the desired mechanisms for which the credentials
+ should work (or None for the default set)
+ usage (str): the usage type for the credentials: may be
+ 'initiate', 'accept', or 'both'
+
+ Returns:
+ AcquireCredResult: the resulting credentials, the actual mechanisms
+ with which they may be used, and their actual lifetime (or None for
+ indefinite or not supported)
+
+ Raises:
+ GSSError
+ """
+
+ cdef gss_buffer_desc password_buffer = gss_buffer_desc(len(password),
+ password)
+
+ cdef OM_uint32 input_ttl = c_py_ttl_to_c(lifetime)
+
+ cdef gss_OID_set desired_mechs
+ if mechs is not None:
+ desired_mechs = c_get_mech_oid_set(mechs)
+ else:
+ desired_mechs = GSS_C_NO_OID_SET
+
+ cdef gss_cred_usage_t c_usage
+ if usage == "initiate":
+ c_usage = GSS_C_INITIATE
+ elif usage == "accept":
+ c_usage = GSS_C_ACCEPT
+ else:
+ c_usage = GSS_C_BOTH
+
+ cdef gss_cred_id_t creds
+ cdef gss_OID_set actual_mechs
+ cdef OM_uint32 actual_ttl
+
+ cdef OM_uint32 maj_stat, min_stat
+
+ with nogil:
+ maj_stat = gss_acquire_cred_with_password(
+ &min_stat, name.raw_name, &password_buffer, input_ttl,
+ desired_mechs, c_usage, &creds, &actual_mechs, &actual_ttl)
+
+ cdef OM_uint32 tmp_min_stat
+ if mechs is not None:
+ gss_release_oid_set(&tmp_min_stat, &desired_mechs)
+
+ cdef Creds rc = Creds()
+ if maj_stat == GSS_S_COMPLETE:
+ rc.raw_creds = creds
+ return AcquireCredResult(rc, c_create_oid_set(actual_mechs),
+ c_c_ttl_to_py(actual_ttl))
+ else:
+ raise GSSError(maj_stat, min_stat)
+
+def add_cred_with_password(Creds input_cred not None, Name name not None,
+ OID mech not None, password not None,
+ usage="initiate", init_lifetime=None,
+ accept_lifetime=None):
+
+ """
+ Add a credential-element to a credential using provided password.
+
+ This function is originally from Solaris and is not documented by either
+ MIT or Heimdal.
+
+ Args:
+ input_cred (Creds): the credentials to add to
+ name (Name): the name to acquire credentials for
+ mech (MechType): the desired mechanism. Note that this is both
+ singular and required
+ password (str): the password used to acquire credentialss with
+ usage (str): the usage type for the credentials: may be
+ 'initiate', 'accept', or 'both'
+ init_lifetime (int): the lifetime for the credentials to remain valid
+ when using them to initiate security contexts (or None for
+ indefinite)
+ accept_lifetime (int): the lifetime for the credentials to remain
+ valid when using them to accept security contexts (or None for
+ indefinite)
+
+ Returns:
+ AddCredResult: the actual mechanisms with which the credentials may be
+ used, the actual initiator TTL, and the actual acceptor TTL (the TTLs
+ may be None for indefinite or not supported)
+
+ Raises:
+ GSSError
+ """
+
+ cdef gss_buffer_desc password_buffer = gss_buffer_desc(len(password),
+ password)
+
+ cdef gss_cred_usage_t c_usage
+ if usage == "initiate":
+ c_usage = GSS_C_INITIATE
+ elif usage == "accept":
+ c_usage = GSS_C_ACCEPT
+ else:
+ c_usage = GSS_C_BOTH
+
+ cdef OM_uint32 input_initiator_ttl = c_py_ttl_to_c(init_lifetime)
+ cdef OM_uint32 input_acceptor_ttl = c_py_ttl_to_c(accept_lifetime)
+
+ cdef gss_cred_id_t creds
+ cdef gss_OID_set actual_mechs
+ cdef OM_uint32 actual_initiator_ttl
+ cdef OM_uint32 actual_acceptor_ttl
+
+ cdef OM_uint32 maj_stat, min_stat
+
+ with nogil:
+ maj_stat = gss_add_cred_with_password(
+ &min_stat, input_cred.raw_creds, name.raw_name, &mech.raw_oid,
+ &password_buffer, c_usage, input_initiator_ttl,
+ input_acceptor_ttl, &creds, &actual_mechs, &actual_initiator_ttl,
+ &actual_acceptor_ttl)
+
+ cdef Creds rc
+ if maj_stat == GSS_S_COMPLETE:
+ rc = Creds()
+ rc.raw_creds = creds
+ return AddCredResult(rc, c_create_oid_set(actual_mechs),
+ c_c_ttl_to_py(actual_initiator_ttl),
+ c_c_ttl_to_py(actual_acceptor_ttl))
+ else:
+ raise GSSError(maj_stat, min_stat)
diff --git a/setup.py b/setup.py
index 434f9354..aff36c23 100755
--- a/setup.py
+++ b/setup.py
@@ -191,6 +191,7 @@ def gssapi_modules(lst):
 extension_file('cred_store', 'gss_store_cred_into'),
 extension_file('rfc5588', 'gss_store_cred'),
 extension_file('cred_imp_exp', 'gss_import_cred'),
+ extension_file('password', 'gss_add_cred_with_password'),
 ]),
 keywords=['gssapi', 'security'],
 install_requires=[
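Review bot: In both `acquire_cred_with_password` and `add_cred_with_password` the `usage` mapping falls through to `c_usage = GSS_C_BOTH` for any string other than "initiate" or "accept", so a misspelled usage silently acquires credentials valid for both roles — wider than the caller asked for. Make the third value explicit and reject everything else: `elif usage == "both": c_usage = GSS_C_BOTH` followed by `else: raise ValueError("usage must be 'initiate', 'accept', or 'both'")`. Separately, `gss_buffer_desc(len(password), password)` hands the docstring's `str` to the C buffer, where `len()` counts code points rather than bytes; encoding first (e.g. `password = password.encode()` when it is a `str`) keeps the buffer's length and value consistent, and the docstring should then say which types are accepted. The header comment's "Cythin" should read "Cython".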
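Review bot: The new `extension_file('password', 'gss_add_cred_with_password')` entry names only one of the two symbols `ext_password.pyx` declares; if, as the sibling entries suggest, the second argument is the symbol probed to decide whether the extension is built, a library exporting `gss_add_cred_with_password` but not `gss_acquire_cred_with_password` would pass the probe and fail later at build or link time. The body of `gssapi_modules` continues outside the hunk, so how the probe is used is inferred here. Either probe the symbol least likely to be present or record the assumption next to the entry, e.g. `# ext_password assumes both *_cred_with_password entry points ship together`.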