From: mike Date: Mon, 17 Dec 2012 22:04:34 +0000 (+0000) Subject: Clean up Kerberos support to only need GSSAPI. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5795dc98bd39b777b3cc5cab6e7c60d231ba049a;p=thirdparty%2Fcups.git Clean up Kerberos support to only need GSSAPI. git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@10774 7a7537e8-13f0-0310-91df-b6672ffda945 --- diff --git a/config-scripts/cups-gssapi.m4 b/config-scripts/cups-gssapi.m4 index 36c878cf07..4beea7efef 100644 --- a/config-scripts/cups-gssapi.m4 +++ b/config-scripts/cups-gssapi.m4 @@ -86,13 +86,6 @@ if test x$enable_gssapi != xno; then else AC_MSG_RESULT(no) fi - AC_MSG_CHECKING(for GSS/gssapi_krb5.h presence) - if test -f $gssdir/Headers/gssapi_krb5.h; then - AC_DEFINE(HAVE_GSSAPI_KRB5_H) - AC_MSG_RESULT(yes) - else - AC_MSG_RESULT(no) - fi AC_MSG_CHECKING(for GSS/gssapi_spi.h presence) if test -f $gssdir/PrivateHeaders/gssapi_spi.h; then AC_MSG_RESULT(yes) @@ -113,8 +106,6 @@ if test x$enable_gssapi != xno; then else AC_CHECK_HEADER(gssapi.h, AC_DEFINE(HAVE_GSSAPI_H)) AC_CHECK_HEADER(gssapi/gssapi.h, AC_DEFINE(HAVE_GSSAPI_GSSAPI_H)) - AC_CHECK_HEADER(gssapi/gssapi_generic.h, AC_DEFINE(HAVE_GSSAPI_GENERIC_H)) - AC_CHECK_HEADER(gssapi/gssapi_krb5.h, AC_DEFINE(HAVE_GSSAPI_KRB5_H)) fi SAVELIBS="$LIBS" diff --git a/config.h.in b/config.h.in index d47f86a8fa..4ad31b2181 100644 --- a/config.h.in +++ b/config.h.in @@ -547,11 +547,8 @@ #undef HAVE_GSS_GSSAPI_H #undef HAVE_GSS_GSSAPI_SPI_H #undef HAVE_GSSAPI -#undef HAVE_GSSAPI_GENERIC_H #undef HAVE_GSSAPI_GSSAPI_H #undef HAVE_GSSAPI_H -#undef HAVE_GSSAPI_KRB5_H -#undef HAVE_KRB5_H /* diff --git a/cups/http-private.h b/cups/http-private.h index dadb9280fe..350eec104c 100644 --- a/cups/http-private.h +++ b/cups/http-private.h 
@@ -44,29 +44,14 @@ # ifdef HAVE_GSSAPI # ifdef HAVE_GSS_GSSAPI_H # include -# ifdef HAVE_GSSAPI_GENERIC_H -# include -# endif /* HAVE_GSSAPI_GENERIC_H */ -# ifdef HAVE_GSSAPI_KRB5_H -# include -# endif /* HAVE_GSSAPI_KRB5_H */ # elif defined(HAVE_GSSAPI_GSSAPI_H) # include -# ifdef HAVE_GSSAPI_GENERIC_H -# include -# endif /* HAVE_GSSAPI_GENERIC_H */ -# ifdef HAVE_GSSAPI_KRB5_H -# include -# endif /* HAVE_GSSAPI_KRB5_H */ # elif defined(HAVE_GSSAPI_H) # include # endif /* HAVE_GSS_GSSAPI_H */ # ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name # endif /* !HAVE_GSS_C_NT_HOSTBASED_SERVICE */ -# ifdef HAVE_KRB5_H -# include -# endif /* HAVE_KRB5_H */ # endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H diff --git a/scheduler/auth.c b/scheduler/auth.c index a958f3ed7f..6633d38bbc 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -96,11 +96,6 @@ typedef struct sockpeercred cupsd_ucred_t; # endif # define CUPSD_UCRED_UID(c) (c).uid #endif /* HAVE_SYS_UCRED_H */ -#ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID -/* Not in public headers... */ -extern void krb5_ipc_client_set_target_uid(uid_t); -extern void krb5_ipc_client_clear_target(void); -#endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */ /* @@ -597,15 +592,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ while (isspace(*authorization & 255)) authorization ++; - if ((localuser = cupsdFindCert(authorization)) != NULL) - { - strlcpy(username, localuser->username, sizeof(username)); - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "[Client %d] Authorized as %s using Local", con->http.fd, - username); - } - else + if ((localuser = cupsdFindCert(authorization)) == NULL) { cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Local authentication certificate not found.", 
@@ -613,12 +600,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ return; } -#ifdef HAVE_GSSAPI - if (localuser->ccache) - con->type = CUPSD_AUTH_NEGOTIATE; - else -#endif /* HAVE_GSSAPI */ - con->type = CUPSD_AUTH_BASIC; + strlcpy(username, localuser->username, sizeof(username)); + con->type = localuser->type; + + cupsdLogMessage(CUPSD_LOG_DEBUG, + "[Client %d] Authorized as %s using Local", con->http.fd, + username); } else if (!strncmp(authorization, "Basic", 5)) { diff --git a/scheduler/cert.c b/scheduler/cert.c index d15d1812ab..a2f8ff4f9a 100644 --- a/scheduler/cert.c +++ b/scheduler/cert.c @@ -3,7 +3,7 @@ * * Authentication certificate routines for the CUPS scheduler. * - * Copyright 2007-2011 by Apple Inc. + * Copyright 2007-2012 by Apple Inc. * Copyright 1997-2006 by Easy Software Products. * * These coded instructions, statements, and computer programs are the @@ -42,7 +42,7 @@ void cupsdAddCert(int pid, /* I - Process ID */ const char *username, /* I - Username */ - void *ccache) /* I - Kerberos credentials or NULL */ + int type) /* I - AuthType for username */ { int i; /* Looping var */ cupsd_cert_t *cert; /* Current certificate */ @@ -66,7 +66,8 @@ cupsdAddCert(int pid, /* I - Process ID */ * Fill in the certificate information... */ - cert->pid = pid; + cert->pid = pid; + cert->type = type; strlcpy(cert->username, username, sizeof(cert->username)); for (i = 0; i < 32; i ++) @@ -259,16 +260,6 @@ cupsdAddCert(int pid, /* I - Process ID */ write(fd, cert->certificate, strlen(cert->certificate)); close(fd); - /* - * Add Kerberos credentials as needed... - */ - -#ifdef HAVE_GSSAPI - cert->ccache = (krb5_ccache)ccache; -#else - (void)ccache; -#endif /* HAVE_GSSAPI */ - /* * Insert the certificate at the front of the list... */ 
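Review bot: In the scheduler/auth.c hunk at -613,12, `con->type = localuser->type;` makes the certificate record the only source of the connection's auth type, but the debug message after it still says just "using Local", so the log no longer shows which AuthType a certificate-authenticated request was given. Later authorization checks presumably compare `con->type` with the type a policy requires, so I would record it: `cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Authorized as %s using Local (type %d)", con->http.fd, username, con->type);`. A comment above the assignment such as `/* Inherit the AuthType recorded when the certificate was issued */` would also make the intent explicit. cupsdAuthorize begins and ends outside this hunk, and the matching `== NULL` guard is in the preceding hunk (-597,15).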
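Review bot: The new `type` argument of cupsdAddCert (scheduler/cert.c, hunk -42,7) is stored unchecked by `cert->type = type;` in hunk -66,7, yet its comment says only "AuthType for username". Per the auth.c change in this commit, that value later becomes `con->type` for any request presenting the certificate. The parameter comment should state what callers must pass, for example `/* I - AuthType the user authenticated with (a concrete CUPSD_AUTH_ value) */`, and the same wording belongs on the `type` member in scheduler/cert.h. The body of cupsdAddCert extends beyond both hunks.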
@@ -308,15 +299,6 @@ cupsdDeleteCert(int pid) /* I - Process ID */ else prev->next = cert->next; -#ifdef HAVE_GSSAPI - /* - * Release Kerberos credentials as needed... - */ - - if (cert->ccache) - krb5_cc_destroy(KerberosContext, cert->ccache); -#endif /* HAVE_GSSAPI */ - free(cert); /* @@ -449,7 +431,7 @@ cupsdInitCerts(void) */ if (!RunUser) - cupsdAddCert(0, "root", NULL); + cupsdAddCert(0, "root", cupsdDefaultAuthType()); } diff --git a/scheduler/cert.h b/scheduler/cert.h index a8206b1427..f2dc637bf0 100644 --- a/scheduler/cert.h +++ b/scheduler/cert.h @@ -3,7 +3,7 @@ * * Authentication certificate definitions for the CUPS scheduler. * - * Copyright 2007-2010 by Apple Inc. + * Copyright 2007-2012 by Apple Inc. * Copyright 1997-2005 by Easy Software Products. * * These coded instructions, statements, and computer programs are the @@ -23,9 +23,7 @@ typedef struct cupsd_cert_s int pid; /* Process ID (0 for root certificate) */ char certificate[33]; /* 32 hex characters, or 128 bits */ char username[33]; /* Authenticated username */ -#ifdef HAVE_GSSAPI - krb5_ccache ccache; /* Kerberos credential cache */ -#endif /* HAVE_GSSAPI */ + int type; /* AuthType for username */ } cupsd_cert_t; @@ -43,8 +41,7 @@ VAR time_t RootCertTime /* Root certificate update time */ * Prototypes... */ -extern void cupsdAddCert(int pid, const char *username, - void *ccache); +extern void cupsdAddCert(int pid, const char *username, int type); extern void cupsdDeleteCert(int pid); extern void cupsdDeleteAllCerts(void); extern cupsd_cert_t *cupsdFindCert(const char *certificate); diff --git a/scheduler/client.c b/scheduler/client.c index bb03d1cef3..663c64bd8f 100644 --- a/scheduler/client.c +++ b/scheduler/client.c 
@@ -3618,7 +3618,6 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ server_name[1024], /* SERVER_NAME environment variable */ server_port[1024]; /* SERVER_PORT environment variable */ ipp_attribute_t *attr; /* attributes-natural-language attribute */ - void *ccache = NULL; /* Kerberos credentials */ /* @@ -3970,7 +3969,7 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ */ if (con->username[0]) - cupsdAddCert(pid, con->username, ccache); + cupsdAddCert(pid, con->username, con->type); cupsdLogMessage(CUPSD_LOG_DEBUG, "[CGI] Started %s (PID %d)", command, pid); diff --git a/scheduler/cupsd.h b/scheduler/cupsd.h index 1c58f3c6e0..c59d1272d7 100644 --- a/scheduler/cupsd.h +++ b/scheduler/cupsd.h @@ -160,13 +160,6 @@ VAR int NeedReload VALUE(RELOAD_ALL), VAR void *DefaultProfile VALUE(0); /* Default security profile */ -#ifdef HAVE_GSSAPI -VAR int KerberosInitialized VALUE(0); - /* Has Kerberos been initialized? */ -VAR krb5_context KerberosContext VALUE(NULL); - /* Kerberos context for credentials */ -#endif /* HAVE_GSSAPI */ - #ifdef HAVE_LAUNCH_H VAR int Launchd VALUE(0); /* Running from launchd */ diff --git a/scheduler/main.c b/scheduler/main.c index 625bbc0233..528fb9b1ad 100644 --- a/scheduler/main.c +++ b/scheduler/main.c @@ -946,7 +946,7 @@ main(int argc, /* I - Number of command-line args */ */ cupsdDeleteCert(0); - cupsdAddCert(0, "root", NULL); + cupsdAddCert(0, "root", DefaultAuthType); } #endif /* !HAVE_AUTHORIZATION_H */ @@ -1138,23 +1138,6 @@ main(int argc, /* I - Number of command-line args */ cupsdStopSystemMonitor(); #endif /* __APPLE__ */ -#ifdef HAVE_GSSAPI - /* - * Free the scheduler's Kerberos context... - */ - -# ifdef __APPLE__ - /* - * If the weak-linked GSSAPI/Kerberos library is not present, don't try - * to use it... - */ - - if (krb5_init_context != NULL) -# endif /* __APPLE__ */ - if (KerberosContext) - krb5_free_context(KerberosContext); -#endif /* HAVE_GSSAPI */ - cupsdStopSelect(); return (!stop_scheduler);
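Review bot: In scheduler/main.c (hunk -946,7) the regenerated root certificate is created with the global `DefaultAuthType`, while cupsdInitCerts in scheduler/cert.c (hunk -449,7) creates the same certificate with `cupsdDefaultAuthType()`. The difference suggests the global can hold an unresolved or "default" setting that the function maps to a concrete type, though neither definition is visible here. If so, a root certificate renewed at runtime would carry a different `type` from the one issued at startup, and requests authenticated with it would get that value as `con->type`. I would make the two call sites agree: `cupsdAddCert(0, "root", cupsdDefaultAuthType());`. main() starts and ends outside this hunk.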