summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-11-08 01:48:35 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:25:21 -0500
commitf722b0743811a4a5caf5288fa901cc8f683b9ffd (patch)
tree3aaa2473a79fc58ad937723b67510f4bf0d0cc6a
parente10791a36451da82906cd7cec66c7a54802353b5 (diff)
downloadsamba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.gz
samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.bz2
samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.zip
r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
-rw-r--r--source4/auth/gensec/gensec_gssapi.c6
-rw-r--r--source4/auth/gensec/gensec_krb5.c69
-rw-r--r--source4/auth/kerberos/config.mk2
-rw-r--r--source4/auth/kerberos/kerberos_heimdal.c101
-rw-r--r--source4/auth/kerberos/kerberos_verify.c102
-rw-r--r--source4/heimdal/kdc/kerberos5.c13
-rwxr-xr-xsource4/heimdal/kdc/pkinit.c38
-rw-r--r--source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/accept_sec_context.c83
-rw-r--r--source4/heimdal/lib/gssapi/krb5/arcfour.c30
-rw-r--r--source4/heimdal/lib/gssapi/krb5/external.c10
-rw-r--r--source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h3
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init_sec_context.c32
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c19
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/wrap.c1
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_krb5.c108
-rw-r--r--source4/heimdal/lib/gssapi/spnego/spnego_locl.h4
-rw-r--r--source4/heimdal/lib/krb5/context.c18
-rw-r--r--source4/heimdal/lib/krb5/expand_hostname.c2
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h5
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h63
-rw-r--r--source4/heimdal/lib/krb5/krb5.h5
-rw-r--r--source4/heimdal/lib/krb5/rd_req.c294
-rwxr-xr-xsource4/script/mkproto.pl2
25 files changed, 655 insertions, 359 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 9f796dc9d1..7094692fb2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1123,9 +1123,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
return NT_STATUS_OK;
}
- maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &subkey);
+ maj_stat = gsskrb5_get_subkey(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &subkey);
if (maj_stat != 0) {
DEBUG(1, ("NO session key for this mech\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 66d2801520..044c7df1de 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -427,48 +427,61 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
{
DATA_BLOB unwrapped_in;
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+ krb5_data inbuf, outbuf;
uint8_t tok_id[2];
+ struct keytab_container *keytab;
+ krb5_principal server_in_keytab;
if (!in.data) {
return NT_STATUS_INVALID_PARAMETER;
}
+ /* Grab the keytab, however generated */
+ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), &keytab);
+ if (ret) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ /* This ensures we lookup the correct entry in that keytab */
+ ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
+ gensec_krb5_state->smb_krb5_context,
+ &server_in_keytab);
+
+ if (ret) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
- nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->smb_krb5_context,
- &gensec_krb5_state->auth_context,
- gensec_get_credentials(gensec_security),
- gensec_get_target_service(gensec_security), &unwrapped_in,
- &gensec_krb5_state->ticket, &unwrapped_out,
- &gensec_krb5_state->keyblock);
+ inbuf.data = unwrapped_in.data;
+ inbuf.length = unwrapped_in.length;
} else {
- /* TODO: check the tok_id */
- nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->smb_krb5_context,
- &gensec_krb5_state->auth_context,
- gensec_get_credentials(gensec_security),
- gensec_get_target_service(gensec_security),
- &in,
- &gensec_krb5_state->ticket, &unwrapped_out,
- &gensec_krb5_state->keyblock);
+ inbuf.data = in.data;
+ inbuf.length = in.length;
}
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
+ &gensec_krb5_state->auth_context,
+ &inbuf, keytab->keytab, server_in_keytab,
+ &outbuf,
+ &gensec_krb5_state->ticket,
+ &gensec_krb5_state->keyblock);
- if (NT_STATUS_IS_OK(nt_status)) {
- gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
- /* wrap that up in a nice GSS-API wrapping */
- if (gensec_krb5_state->gssapi) {
- *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
- } else {
- *out = unwrapped_out;
- }
+ if (ret) {
+ return NT_STATUS_LOGON_FAILURE;
}
- return nt_status;
+ unwrapped_out.data = outbuf.data;
+ unwrapped_out.length = outbuf.length;
+ gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+ /* wrap that up in a nice GSS-API wrapping */
+ if (gensec_krb5_state->gssapi) {
+ *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
+ } else {
+ *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
+ }
+ krb5_data_free(&outbuf);
+ return NT_STATUS_OK;
}
case GENSEC_KRB5_DONE:
diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk
index 689130d567..f75fd99323 100644
--- a/source4/auth/kerberos/config.mk
+++ b/source4/auth/kerberos/config.mk
@@ -4,7 +4,7 @@
PRIVATE_PROTO_HEADER = proto.h
OBJ_FILES = kerberos.o \
clikrb5.o \
- kerberos_verify.o \
+ kerberos_heimdal.o \
kerberos_util.o \
kerberos_pac.o \
gssapi_parse.o \
diff --git a/source4/auth/kerberos/kerberos_heimdal.c b/source4/auth/kerberos/kerberos_heimdal.c
new file mode 100644
index 0000000000..f669d0f2f4
--- /dev/null
+++ b/source4/auth/kerberos/kerberos_heimdal.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* This file for code taken from the Heimdal code, to preserve licence */
+/* Modified by Andrew Bartlett <abartlet@samba.org> */
+
+#include "includes.h"
+#include "system/kerberos.h"
+
+/* Taken from accept_sec_context.c,v 1.65 */
+krb5_error_code smb_rd_req_return_stuff(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_data *inbuf,
+ krb5_keytab keytab,
+ krb5_principal acceptor_principal,
+ krb5_data *outbuf,
+ krb5_ticket **ticket,
+ krb5_keyblock **keyblock)
+{
+ krb5_rd_req_in_ctx in = NULL;
+ krb5_rd_req_out_ctx out = NULL;
+ krb5_error_code kret;
+
+ *keyblock = NULL;
+ *ticket = NULL;
+ outbuf->length = 0;
+ outbuf->data = NULL;
+
+ kret = krb5_rd_req_in_ctx_alloc(context, &in);
+ if (kret == 0)
+ kret = krb5_rd_req_in_set_keytab(context, in, keytab);
+ if (kret) {
+ if (in)
+ krb5_rd_req_in_ctx_free(context, in);
+ return kret;
+ }
+
+ kret = krb5_rd_req_ctx(context,
+ auth_context,
+ inbuf,
+ acceptor_principal,
+ in, &out);
+ krb5_rd_req_in_ctx_free(context, in);
+ if (kret) {
+ return kret;
+ }
+
+ /*
+ * We need to remember some data on the context_handle.
+ */
+ kret = krb5_rd_req_out_get_ticket(context, out,
+ ticket);
+ if (kret == 0) {
+ kret = krb5_rd_req_out_get_keyblock(context, out,
+ keyblock);
+ }
+ krb5_rd_req_out_ctx_free(context, out);
+
+ if (kret == 0) {
+ kret = krb5_mk_rep(context, *auth_context, outbuf);
+ }
+
+ if (kret) {
+ krb5_free_ticket(context, *ticket);
+ krb5_free_keyblock(context, *keyblock);
+ krb5_data_free(outbuf);
+ }
+
+ return kret;
+}
+
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c
deleted file mode 100644
index 2111e22aa3..0000000000
--- a/source4/auth/kerberos/kerberos_verify.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- kerberos utility library
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Remus Koos 2001
- Copyright (C) Luke Howard 2003
- Copyright (C) Guenther Deschner 2003
- Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
-
-/**********************************************************************************
- Verify an incoming ticket and parse out the principal name and
- authorization_data if available.
-***********************************************************************************/
-
- NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
- struct smb_krb5_context *smb_krb5_context,
- krb5_auth_context *auth_context,
- struct cli_credentials *machine_account,
- const char *service,
- const DATA_BLOB *enc_ticket,
- krb5_ticket **tkt,
- DATA_BLOB *ap_rep,
- krb5_keyblock **keyblock)
-{
- krb5_keyblock *local_keyblock;
- krb5_data packet;
- int ret;
- krb5_flags ap_req_options = 0;
- krb5_principal server;
- krb5_data packet_out;
-
- struct keytab_container *keytab_container;
-
- /*
- * TODO: Actually hook in the replay cache in Heimdal, then
- * re-add calls to setup a replay cache here, in our private
- * directory. This will eventually prevent replay attacks
- */
-
- packet.length = enc_ticket->length;
- packet.data = (krb5_pointer)enc_ticket->data;
-
- /* Grab the keytab, however generated */
- ret = cli_credentials_get_keytab(machine_account, &keytab_container);
- if (ret) {
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
- /* This ensures we lookup the correct entry in that keytab */
- ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context,
- &server);
- if (ret == 0) {
- ret = krb5_rd_req_return_keyblock(smb_krb5_context->krb5_context, auth_context, &packet,
- server,
- keytab_container->keytab, &ap_req_options, tkt,
- &local_keyblock);
- }
-
- if (ret) {
- DEBUG(3,("ads_secrets_verify_ticket: failed to decrypt with error %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
- return NT_STATUS_LOGON_FAILURE;
- }
- *keyblock = local_keyblock;
-
-
- ret = krb5_mk_rep(smb_krb5_context->krb5_context, *auth_context, &packet_out);
- if (ret) {
- krb5_free_ticket(smb_krb5_context->krb5_context, *tkt);
-
- DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- *ap_rep = data_blob_talloc(mem_ctx, packet_out.data, packet_out.length);
- krb5_free_data_contents(smb_krb5_context->krb5_context, &packet_out);
-
- return NT_STATUS_OK;
-}
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 19287b31cc..84c16190f9 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.223 2006/10/17 02:16:29 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.224 2006/11/04 17:05:28 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -1063,13 +1063,14 @@ _kdc_as_rep(krb5_context context,
free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
-
+
krb5_format_time(context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
- ret = KRB5KRB_AP_ERR_SKEW;
- kdc_log(context, config, 0,
- "Too large time skew, client time %s is out by %u > %u seconds -- %s",
+ ret = KRB5KRB_AP_ERR_SKEW;
+ kdc_log(context, config, 0,
+ "Too large time skew, "
+ "client time %s is out by %u > %u seconds -- %s",
client_time,
(unsigned)abs(kdc_time - p.patimestamp),
context->max_skew,
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index e3d77c0621..1a300cce3e 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.73 2006/11/07 17:24:57 lha Exp $");
#ifdef PKINIT
@@ -528,8 +528,10 @@ _kdc_pk_rd_padata(krb5_context context,
&eContent,
&signer_certs);
if (ret) {
- kdc_log(context, config, 0,
- "PK-INIT failed to verify signature %d", ret);
+ char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
+ krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
+ s, ret);
+ free(s);
goto out;
}
@@ -1376,6 +1378,36 @@ _kdc_pk_initialize(krb5_context context,
return ret;
}
+ {
+ hx509_query *q;
+ hx509_cert cert;
+
+ ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ if (ret) {
+ krb5_warnx(context, "PKINIT: out of memory");
+ return ENOMEM;
+ }
+
+ hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+ hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+
+ ret = hx509_certs_find(kdc_identity->hx509ctx,
+ kdc_identity->certs,
+ q,
+ &cert);
+ hx509_query_free(kdc_identity->hx509ctx, q);
+ if (ret == 0) {
+ if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert,
+ oid_id_pkkdcekuoid(), 0))
+ krb5_warnx(context, "WARNING Found KDC certificate "
+ "is missing the PK-INIT KDC EKU, this is bad for "
+ "interoperability.");
+ hx509_cert_free(cert);
+ } else
+ krb5_warnx(context, "PKINIT: failed to find a signing "
+ "certifiate with a public key");
+ }
+
ret = krb5_config_get_bool_default(context,
NULL,
FALSE,
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
index 8c025c8366..67a9a12bfe 100644
--- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
+++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi_krb5.h,v 1.10 2006/10/20 22:04:03 lha Exp $ */
+/* $Id: gssapi_krb5.h,v 1.12 2006/11/05 00:06:09 lha Exp $ */
#ifndef GSSAPI_KRB5_H_
#define GSSAPI_KRB5_H_
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index e42bb11b85..6ac80461c3 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: accept_sec_context.c,v 1.64 2006/10/25 04:19:45 lha Exp $");
+RCSID("$Id: accept_sec_context.c,v 1.65 2006/11/07 14:52:05 lha Exp $");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
@@ -264,9 +264,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
OM_uint32 ret = GSS_S_COMPLETE;
krb5_data indata;
krb5_flags ap_options;
- krb5_ticket *ticket = NULL;
krb5_keytab keytab = NULL;
- krb5_keyblock *keyblock = NULL;
int is_cfx = 0;
const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle;
@@ -298,34 +296,65 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
/*
* We need to check the ticket and create the AP-REP packet
*/
- kret = krb5_rd_req_return_keyblock(_gsskrb5_context,
- &ctx->auth_context,
- &indata,
- (acceptor_cred == NULL) ? NULL : acceptor_cred->principal,
- keytab,
- &ap_options,
- &ticket,
- &keyblock);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- _gsskrb5_set_error_string ();
- return ret;
+
+ {
+ krb5_rd_req_in_ctx in = NULL;
+ krb5_rd_req_out_ctx out = NULL;
+
+ kret = krb5_rd_req_in_ctx_alloc(_gsskrb5_context, &in);
+ if (kret == 0)
+ kret = krb5_rd_req_in_set_keytab(_gsskrb5_context, in, keytab);
+ if (kret) {
+ if (in)
+ krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ _gsskrb5_set_error_string ();
+ return ret;
+ }
+
+ kret = krb5_rd_req_ctx(_gsskrb5_context,
+ &ctx->auth_context,
+ &indata,
+ (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
+ in, &out);
+ krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ _gsskrb5_set_error_string ();
+ return ret;
+ }
+
+ /*
+ * We need to remember some data on the context_handle.
+ */
+ kret = krb5_rd_req_out_get_ap_req_options(_gsskrb5_context, out,
+ &ap_options);
+ if (kret == 0)
+ kret = krb5_rd_req_out_get_ticket(_gsskrb5_context, out,
+ &ctx->ticket);
+ if (kret == 0)
+ kret = krb5_rd_req_out_get_keyblock(_gsskrb5_context, out,
+ &ctx->service_keyblock);
+ ctx->lifetime = ctx->ticket->ticket.endtime;
+
+ krb5_rd_req_out_ctx_free(_gsskrb5_context, out);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ _gsskrb5_set_error_string ();
+ return ret;
+ }
}
- /*
- * We need to remember some data on the context_handle.
- */
- ctx->ticket = ticket;
- ctx->service_keyblock = keyblock;
- ctx->lifetime = ticket->ticket.endtime;
/*
* We need to copy the principal names to the context and the
* calling layer.
*/
kret = krb5_copy_principal(_gsskrb5_context,
- ticket->client,
+ ctx->ticket->client,
&ctx->source);
if (kret) {
ret = GSS_S_FAILURE;
@@ -333,7 +362,9 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
_gsskrb5_set_error_string ();
}
- kret = krb5_copy_principal(_gsskrb5_context, ticket->server, &ctx->target);
+ kret = krb5_copy_principal(_gsskrb5_context,
+ ctx->ticket->server,
+ &ctx->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
@@ -351,7 +382,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if (src_name != NULL) {
kret = krb5_copy_principal (_gsskrb5_context,
- ticket->client,
+ ctx->ticket->client,
(gsskrb5_name*)src_name);
if (kret) {
ret = GSS_S_FAILURE;
@@ -471,7 +502,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
/* Remember the flags */
- ctx->lifetime = ticket->ticket.endtime;
+ ctx->lifetime = ctx->ticket->ticket.endtime;
ctx->more_flags |= OPEN;
if (mech_type)
diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
index 82851f5a78..2c43ed8b32 100644
--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: arcfour.c,v 1.29 2006/10/07 22:14:05 lha Exp $");
+RCSID("$Id: arcfour.c,v 1.30 2006/11/07 19:05:16 lha Exp $");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -355,17 +355,16 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if (conf_state)
*conf_state = 0;
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
- datalen = input_message_buffer->length + 1 /* padding */;
-
- len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
- _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
- } else {
- datalen = input_message_buffer->length;
+ datalen = input_message_buffer->length;
+ if (IS_DCE_STYLE(context_handle)) {
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
total_len += datalen;
+ } else {
+ datalen += 1; /* padding */
+ len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+ _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
}
output_message_buffer->length = total_len;
@@ -418,9 +417,8 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
memcpy(p, input_message_buffer->value, input_message_buffer->length);
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
- p[input_message_buffer->length] = 1; /* PADDING */
- }
+ if (!IS_DCE_STYLE(context_handle))
+ p[input_message_buffer->length] = 1; /* padding */
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
p0 + 16, 8, /* SGN_CKSUM */
@@ -518,13 +516,13 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
p0 = input_message_buffer->value;
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
- len = input_message_buffer->length;
- } else {
+ if (IS_DCE_STYLE(context_handle)) {
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
+ } else {
+ len = input_message_buffer->length;
}
omret = _gssapi_verify_mech_header(&p0,
@@ -635,7 +633,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
}
memset(k6_data, 0, sizeof(k6_data));
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
+ if (!IS_DCE_STYLE(context_handle)) {
ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
if (ret) {
_gsskrb5_release_buffer(minor_status, output_message_buffer);
@@ -688,7 +686,7 @@ max_wrap_length_arcfour(const gsskrb5_ctx ctx,
* - we only need to encapsulate the WRAP token
* However, since this is a fixed since, we just
*/
- if (ctx->flags & GSS_C_DCE_STYLE) {
+ if (IS_DCE_STYLE(ctx)) {
size_t len, total_len;
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index 7419bc2fe8..ece03ddf57 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
-RCSID("$Id: external.c,v 1.18 2006/10/20 21:50:24 lha Exp $");
+RCSID("$Id: external.c,v 1.21 2006/11/07 21:05:03 lha Exp $");
/*
* The implementation must reserve static storage for a
@@ -340,12 +340,18 @@ static gss_OID_desc gss_krb5_get_authtime_x_desc =
gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
-/* 1.2.752.43.13.14 */
+/* 1.2.752.43.13.13 */
static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
+/* 1.2.752.43.13.14 */
+static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
+
+gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
+
/* 1.2.752.43.14.1 */
static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
index 4d814032c3..ea7a561b5b 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gsskrb5_locl.h,v 1.6 2006/10/07 22:14:49 lha Exp $ */
+/* $Id: gsskrb5_locl.h,v 1.7 2006/11/07 17:57:43 lha Exp $ */
#ifndef GSSKRB5_LOCL_H
#define GSSKRB5_LOCL_H
@@ -56,6 +56,7 @@ struct gss_msg_order;
typedef struct {
struct krb5_auth_context_data *auth_context;
krb5_principal source, target;
+#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
OM_uint32 flags;
enum { LOCAL = 1, OPEN = 2,
COMPAT_OLD_DES3 = 4,
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index 00f2543833..7a97b6262c 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.72 2006/10/24 23:03:19 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.73 2006/11/07 17:40:01 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -549,18 +549,18 @@ failure:
static OM_uint32
repl_mutual
- (OM_uint32 * minor_status,
- gsskrb5_ctx ctx,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec
- )
+(OM_uint32 * minor_status,
+ gsskrb5_ctx ctx,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+ )
{
OM_uint32 ret;
krb5_error_code kret;
@@ -574,7 +574,7 @@ repl_mutual
if (actual_mech_type)
*actual_mech_type = GSS_KRB5_MECHANISM;
- if (req_flags & GSS_C_DCE_STYLE) {
+ if (ctx->flags & GSS_C_DCE_STYLE) {
/* There is no OID wrapping. */
indata.length = input_token->length;
indata.data = input_token->value;
@@ -619,8 +619,8 @@ repl_mutual
*minor_status = 0;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
- ctx->lifetime,
- time_rec);
+ ctx->lifetime,
+ time_rec);
} else {
ret = GSS_S_COMPLETE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
index 0b46cc5495..ee4210d74a 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_sec_context_by_oid.c,v 1.8 2006/10/24 15:55:28 lha Exp $");
+RCSID("$Id: inquire_sec_context_by_oid.c,v 1.11 2006/11/07 14:34:35 lha Exp $");
static int
oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
@@ -149,6 +149,11 @@ static OM_uint32 inquire_sec_context_get_subkey
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret)
goto out;
+ if (key == NULL) {
+ _gsskrb5_set_status("have no subkey of type %d", keytype);
+ ret = EINVAL;
+ goto out;
+ }
ret = krb5_store_keyblock(sp, *key);
krb5_free_keyblock (_gsskrb5_context, key);
@@ -400,6 +405,7 @@ get_authtime(OM_uint32 *minor_status,
{
gss_buffer_desc value;
+ unsigned char buf[4];
OM_uint32 authtime;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -414,14 +420,9 @@ get_authtime(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- value.length = 4;
- value.value = malloc(value.length);
- if (!value.value) {
- _gsskrb5_clear_status();
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- _gsskrb5_encode_om_uint32(authtime, value.value);
+ _gsskrb5_encode_om_uint32(authtime, buf);
+ value.length = sizeof(buf);
+ value.value = buf;
return gss_add_buffer_set_member(minor_status,
&value,
diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
index 67f5e8e722..fb098679b2 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
@@ -36,7 +36,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: set_sec_context_option.c,v 1.6 2006/10/20 18:58:22 lha Exp $");
+RCSID("$Id: set_sec_context_option.c,v 1.7 2006/11/04 03:01:14 lha Exp $");
static OM_uint32
get_bool(OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c
index 8514137999..ebbc975b8a 100644
--- a/source4/heimdal/lib/gssapi/krb5/wrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/wrap.c
@@ -103,7 +103,6 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5_set_status("No token key available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
- _gsskrb5_clear_status();
return 0;
}
diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
index c6ea3cecb7..fd66fb04f5 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
@@ -27,12 +27,11 @@
*/
#include "mech_locl.h"
-#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: gss_krb5.c,v 1.13 2006/10/20 22:05:02 lha Exp $");
+RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $");
#include <krb5.h>
#include <roken.h>
-
+#include "krb5/gsskrb5_locl.h"
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
@@ -264,7 +263,10 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
krb5_storage *sp = NULL;
uint32_t num;
- if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT || version != 1) {
+ if (context_handle == NULL
+ || *context_handle == GSS_C_NO_CONTEXT
+ || version != 1)
+ {
ret = EINVAL;
return GSS_S_FAILURE;
}
@@ -509,9 +511,8 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
{
gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
OM_uint32 maj_stat;
- gss_OID_desc authz_oid_flat;
- heim_oid authz_oid;
- heim_oid new_authz_oid;
+ gss_OID_desc oid_flat;
+ heim_oid baseoid, oid;
size_t size;
if (context_handle == GSS_C_NO_CONTEXT) {
@@ -523,57 +524,55 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements,
GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length,
- &authz_oid, NULL) != 0) {
+ &baseoid, NULL) != 0) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
- new_authz_oid.length = authz_oid.length + 1;
- new_authz_oid.components = malloc(new_authz_oid.length * sizeof(*new_authz_oid.components));
- if (!new_authz_oid.components) {
- free(authz_oid.components);
+ oid.length = baseoid.length + 1;
+ oid.components = calloc(oid.length, sizeof(*oid.components));
+ if (oid.components == NULL) {
+ der_free_oid(&baseoid);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
- memcpy(new_authz_oid.components, authz_oid.components,
- authz_oid.length * sizeof(*authz_oid.components));
+ memcpy(oid.components, baseoid.components,
+ baseoid.length * sizeof(*baseoid.components));
- free(authz_oid.components);
+ der_free_oid(&baseoid);
- new_authz_oid.components[new_authz_oid.length - 1] = ad_type;
-
- authz_oid_flat.length = der_length_oid(&new_authz_oid);
- authz_oid_flat.elements = malloc(authz_oid_flat.length);
-
- if (!authz_oid_flat.elements) {
- free(new_authz_oid.components);
+ oid.components[oid.length - 1] = ad_type;
+ oid_flat.length = der_length_oid(&oid);
+ oid_flat.elements = malloc(oid_flat.length);
+ if (oid_flat.elements == NULL) {
+ free(oid.components);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
- if (der_put_oid((unsigned char *)authz_oid_flat.elements + authz_oid_flat.length - 1,
- authz_oid_flat.length,
- &new_authz_oid, &size) != 0) {
- free(new_authz_oid.components);
+ if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1,
+ oid_flat.length, &oid, &size) != 0) {
+ free(oid.components);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
+ if (oid_flat.length != size)
+ abort();
- free(new_authz_oid.components);
+ free(oid.components);
/* FINALLY, we have the OID */
- maj_stat =
- gss_inquire_sec_context_by_oid (minor_status,
- context_handle,
- &authz_oid_flat,
- &data_set);
+ maj_stat = gss_inquire_sec_context_by_oid (minor_status,
+ context_handle,
+ &oid_flat,
+ &data_set);
- free(authz_oid_flat.elements);
+ free(oid_flat.elements);
if (maj_stat)
return maj_stat;
@@ -608,20 +607,20 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
krb5_error_code ret;
gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
OM_uint32 major_status;
+ krb5_context context = NULL;
krb5_storage *sp = NULL;
- ret = _gsskrb5_init();
+ if (context_handle == GSS_C_NO_CONTEXT) {
+ ret = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_init_context(&context);
if(ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
- if (context_handle == GSS_C_NO_CONTEXT) {
- _gsskrb5_set_status("no context handle");
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
major_status =
gss_inquire_sec_context_by_oid (minor_status,
context_handle,
@@ -630,15 +629,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
if (major_status)
return major_status;
- if (data_set == GSS_C_NO_BUFFER_SET) {
- _gsskrb5_set_status("no buffers returned");
- gss_release_buffer_set(minor_status, &data_set);
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- if (data_set->count != 1) {
- _gsskrb5_set_status("%d != 1 buffers returned", data_set->count);
+ if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
gss_release_buffer_set(minor_status, &data_set);
*minor_status = EINVAL;
return GSS_S_FAILURE;
@@ -663,16 +654,17 @@ out:
gss_release_buffer_set(minor_status, &data_set);
if (sp)
krb5_storage_free(sp);
- if (ret) {
- _gsskrb5_set_error_string();
- if (keyblock) {
- krb5_free_keyblock(_gsskrb5_context, *keyblock);
- }
+ if (ret && keyblock) {
+ krb5_free_keyblock(context, *keyblock);
+ *keyblock = NULL;
+ }
+ if (context)
+ krb5_free_context(context);
- *minor_status = ret;
+ *minor_status = ret;
+ if (ret)
return GSS_S_FAILURE;
- }
- *minor_status = 0;
+
return GSS_S_COMPLETE;
}
@@ -705,6 +697,6 @@ gsskrb5_get_subkey(OM_uint32 *minor_status,
{
return gsskrb5_extract_key(minor_status,
context_handle,
- GSS_KRB5_GET_ACCEPTOR_SUBKEY_X,
+ GSS_KRB5_GET_SUBKEY_X,
keyblock);
}
diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
index 571bce5569..255e07d056 100644
--- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
+++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
@@ -30,7 +30,7 @@
* SUCH DAMAGE.
*/
-/* $Id: spnego_locl.h,v 1.11 2006/10/12 06:28:06 lha Exp $ */
+/* $Id: spnego_locl.h,v 1.12 2006/11/07 19:53:40 lha Exp $ */
#ifndef SPNEGO_LOCL_H
#define SPNEGO_LOCL_H
@@ -69,6 +69,8 @@
#include "spnego_asn1.h"
#include <der.h>
+#include <roken.h>
+
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
typedef struct {
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index f7b3ffbf9e..a25bb80786 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <com_err.h>
-RCSID("$Id: context.c,v 1.108 2006/10/20 22:26:10 lha Exp $");
+RCSID("$Id: context.c,v 1.110 2006/11/04 03:27:47 lha Exp $");
#define INIT_FIELD(C, T, E, D, F) \
(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
@@ -181,7 +181,7 @@ init_context_from_config_file(krb5_context context)
INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
INIT_FIELD(context, int, large_msg_size, 6000, "large_message_size");
- INIT_FIELD(context, bool, dns_canonicalize_hostname, TRUE, "dns_canonize_hostname");
+ INIT_FIELD(context, bool, dns_canonicalize_hostname, TRUE, "dns_canonicalize_hostname");
context->default_cc_name = NULL;
return 0;
}
@@ -691,7 +691,7 @@ krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
}
krb5_boolean KRB5_LIB_FUNCTION
-krb5_get_dns_canonize_hostname (krb5_context context)
+krb5_get_dns_canonicalize_hostname (krb5_context context)
{
return context->dns_canonicalize_hostname;
}
@@ -705,3 +705,15 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
*usec = context->kdc_usec_offset;
return 0;
}
+
+time_t KRB5_LIB_FUNCTION
+krb5_get_time_wrap (krb5_context context)
+{
+ return context->max_skew;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_set_time_wrap (krb5_context context, time_t t)
+{
+ context->max_skew = t;
+}
diff --git a/source4/heimdal/lib/krb5/expand_hostname.c b/source4/heimdal/lib/krb5/expand_hostname.c
index 4d0692bcfa..46e784f561 100644
--- a/source4/heimdal/lib/krb5/expand_hostname.c
+++ b/source4/heimdal/lib/krb5/expand_hostname.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: expand_hostname.c,v 1.13 2006/10/17 09:16:32 lha Exp $");
+RCSID("$Id: expand_hostname.c,v 1.14 2006/11/04 03:34:57 lha Exp $");
static krb5_error_code
copy_hostname(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 968b6079b7..0bf184a530 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -399,6 +399,11 @@ _krb5_put_int (
size_t /*size*/);
krb5_error_code KRB5_LIB_FUNCTION
+_krb5_rd_req_out_ctx_alloc (
+ krb5_context /*context*/,
+ krb5_rd_req_out_ctx */*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
_krb5_s4u2self_to_checksumdata (
krb5_context /*context*/,
const PA_S4U2Self */*self*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 2010e25f5a..104f10bdf2 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -1866,7 +1866,7 @@ krb5_get_default_realms (
krb5_realm **/*realms*/);
krb5_boolean KRB5_LIB_FUNCTION
-krb5_get_dns_canonize_hostname (krb5_context /*context*/);
+krb5_get_dns_canonicalize_hostname (krb5_context /*context*/);
const char* KRB5_LIB_FUNCTION
krb5_get_err_text (
@@ -2177,6 +2177,9 @@ krb5_get_server_rcache (
const krb5_data */*piece*/,
krb5_rcache */*id*/);
+time_t KRB5_LIB_FUNCTION
+krb5_get_time_wrap (krb5_context /*context*/);
+
krb5_boolean KRB5_LIB_FUNCTION
krb5_get_use_admin_kdc (krb5_context /*context*/);
@@ -2865,15 +2868,58 @@ krb5_rd_req (
krb5_ticket **/*ticket*/);
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_return_keyblock (
+krb5_rd_req_ctx (
krb5_context /*context*/,
krb5_auth_context */*auth_context*/,
const krb5_data */*inbuf*/,
krb5_const_principal /*server*/,
- krb5_keytab /*keytab*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/,
- krb5_keyblock **/*return_keyblock*/);
+ krb5_rd_req_in_ctx /*inctx*/,
+ krb5_rd_req_out_ctx */*outctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_alloc (
+ krb5_context /*context*/,
+ krb5_rd_req_in_ctx */*ctx*/);
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_free (
+ krb5_context /*context*/,
+ krb5_rd_req_in_ctx /*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keyblock (
+ krb5_context /*context*/,
+ krb5_rd_req_in_ctx /*in*/,
+ krb5_keyblock */*keyblock*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keytab (
+ krb5_context /*context*/,
+ krb5_rd_req_in_ctx /*in*/,
+ krb5_keytab /*keytab*/);
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_out_ctx_free (
+ krb5_context /*context*/,
+ krb5_rd_req_out_ctx /*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ap_req_options (
+ krb5_context /*context*/,
+ krb5_rd_req_out_ctx /*out*/,
+ krb5_flags */*ap_req_options*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_keyblock (
+ krb5_context /*context*/,
+ krb5_rd_req_out_ctx /*out*/,
+ krb5_keyblock **/*keyblock*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ticket (
+ krb5_context /*context*/,
+ krb5_rd_req_out_ctx /*out*/,
+ krb5_ticket **/*ticket*/);
krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_req_with_keyblock (
@@ -3152,6 +3198,11 @@ krb5_set_send_to_kdc_func (
void */*data*/);
void KRB5_LIB_FUNCTION
+krb5_set_time_wrap (
+ krb5_context /*context*/,
+ time_t /*t*/);
+
+void KRB5_LIB_FUNCTION
krb5_set_use_admin_kdc (
krb5_context /*context*/,
krb5_boolean /*flag*/);
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 4b5058094b..f5c8b069de 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5.h,v 1.253 2006/10/20 18:12:06 lha Exp $ */
+/* $Id: krb5.h,v 1.254 2006/11/07 00:17:42 lha Exp $ */
#ifndef __KRB5_H__
#define __KRB5_H__
@@ -78,6 +78,9 @@ typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt;
struct krb5_digest;
typedef struct krb5_digest *krb5_digest;
+typedef struct krb5_rd_req_in_ctx *krb5_rd_req_in_ctx;
+typedef struct krb5_rd_req_out_ctx *krb5_rd_req_out_ctx;
+
typedef CKSUMTYPE krb5_cksumtype;
typedef Checksum krb5_checksum;
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index c424a73a34..3352334f65 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_req.c,v 1.66 2006/10/06 17:04:29 lha Exp $");
+RCSID("$Id: rd_req.c,v 1.68 2006/11/07 17:11:31 lha Exp $");
static krb5_error_code
decrypt_tkt_enc_part (krb5_context context,
@@ -506,6 +506,151 @@ krb5_verify_ap_req2(krb5_context context,
return ret;
}
+/*
+ *
+ */
+
+struct krb5_rd_req_in_ctx {
+ krb5_keytab keytab;
+ krb5_keyblock *keyblock;
+};
+
+struct krb5_rd_req_out_ctx {
+ krb5_keyblock *keyblock;
+ krb5_flags ap_req_options;
+ krb5_ticket *ticket;
+};
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx)
+{
+ *ctx = calloc(1, sizeof(**ctx));
+ if (*ctx == NULL) {
+ krb5_set_error_string(context, "out of memory");
+ return ENOMEM;
+ }
+ return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keytab(krb5_context context,
+ krb5_rd_req_in_ctx in,
+ krb5_keytab keytab)
+{
+ in->keytab = keytab; /* XXX should make copy */
+ return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keyblock(krb5_context context,
+ krb5_rd_req_in_ctx in,
+ krb5_keyblock *keyblock)
+{
+ in->keyblock = keyblock; /* XXX should make copy */
+ return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ap_req_options(krb5_context context,
+ krb5_rd_req_out_ctx out,
+ krb5_flags *ap_req_options)
+{
+ *ap_req_options = out->ap_req_options;
+ return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ticket(krb5_context context,
+ krb5_rd_req_out_ctx out,
+ krb5_ticket **ticket)
+{
+ return krb5_copy_ticket(context, out->ticket, ticket);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_keyblock(krb5_context context,
+ krb5_rd_req_out_ctx out,
+ krb5_keyblock **keyblock)
+{
+ return krb5_copy_keyblock(context, out->keyblock, keyblock);
+}
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx)
+{
+ free(ctx);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_rd_req_out_ctx_alloc(krb5_context context, krb5_rd_req_out_ctx *ctx)
+{
+ *ctx = calloc(1, sizeof(**ctx));
+ if (*ctx == NULL) {
+ krb5_set_error_string(context, "out of memory");
+ return ENOMEM;
+ }
+ return 0;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx)
+{
+ krb5_free_keyblock(context, ctx->keyblock);
+ free(ctx);
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_data *inbuf,
+ krb5_const_principal server,
+ krb5_keytab keytab,
+ krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
+{
+ krb5_error_code ret;
+ krb5_rd_req_in_ctx in;
+ krb5_rd_req_out_ctx out;
+
+ ret = krb5_rd_req_in_ctx_alloc(context, &in);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_req_in_set_keytab(context, in, keytab);
+ if (ret) {
+ krb5_rd_req_in_ctx_free(context, in);
+ return ret;
+ }
+
+ ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out);
+ krb5_rd_req_in_ctx_free(context, in);
+ if (ret)
+ return ret;
+
+ if (ap_req_options)
+ *ap_req_options = out->ap_req_options;
+ if (ticket) {
+ ret = krb5_copy_ticket(context, out->ticket, ticket);
+ if (ret)
+ goto out;
+ }
+
+out:
+ krb5_rd_req_out_ctx_free(context, out);
+ return ret;
+}
+
+/*
+ *
+ */
krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_req_with_keyblock(krb5_context context,
@@ -517,31 +662,41 @@ krb5_rd_req_with_keyblock(krb5_context context,
krb5_ticket **ticket)
{
krb5_error_code ret;
- krb5_ap_req ap_req;
+ krb5_rd_req_in_ctx in;
+ krb5_rd_req_out_ctx out;
- if (*auth_context == NULL) {
- ret = krb5_auth_con_init(context, auth_context);
- if (ret)
- return ret;
+ ret = krb5_rd_req_in_ctx_alloc(context, &in);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_req_in_set_keyblock(context, in, keyblock);
+ if (ret) {
+ krb5_rd_req_in_ctx_free(context, in);
+ return ret;
}
- ret = krb5_decode_ap_req(context, inbuf, &ap_req);
- if(ret)
+ ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out);
+ krb5_rd_req_in_ctx_free(context, in);
+ if (ret)
return ret;
- ret = krb5_verify_ap_req(context,
- auth_context,
- &ap_req,
- server,
- keyblock,
- 0,
- ap_req_options,
- ticket);
+ if (ap_req_options)
+ *ap_req_options = out->ap_req_options;
+ if (ticket) {
+ ret = krb5_copy_ticket(context, out->ticket, ticket);
+ if (ret)
+ goto out;
+ }
- free_AP_REQ(&ap_req);
+out:
+ krb5_rd_req_out_ctx_free(context, out);
return ret;
}
+/*
+ *
+ */
+
static krb5_error_code
get_key_from_keytab(krb5_context context,
krb5_auth_context *auth_context,
@@ -582,39 +737,44 @@ out:
return ret;
}
+/*
+ *
+ */
+
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_return_keyblock(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_data *inbuf,
- krb5_const_principal server,
- krb5_keytab keytab,
- krb5_flags *ap_req_options,
- krb5_ticket **ticket,
- krb5_keyblock **return_keyblock)
+krb5_rd_req_ctx(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_data *inbuf,
+ krb5_const_principal server,
+ krb5_rd_req_in_ctx inctx,
+ krb5_rd_req_out_ctx *outctx)
{
krb5_error_code ret;
krb5_ap_req ap_req;
- krb5_keyblock *keyblock = NULL;
krb5_principal service = NULL;
+ krb5_rd_req_out_ctx o = NULL;
- if (return_keyblock)
- *return_keyblock = NULL;
+ ret = _krb5_rd_req_out_ctx_alloc(context, &o);
+ if (ret)
+ goto out;
if (*auth_context == NULL) {
ret = krb5_auth_con_init(context, auth_context);
if (ret)
- return ret;
+ goto out;
}
ret = krb5_decode_ap_req(context, inbuf, &ap_req);
if(ret)
- return ret;
+ goto out;
if(server == NULL){
- _krb5_principalname2krb5_principal(context,
- &service,
- ap_req.ticket.sname,
- ap_req.ticket.realm);
+ ret = _krb5_principalname2krb5_principal(context,
+ &service,
+ ap_req.ticket.sname,
+ ap_req.ticket.realm);
+ if (ret)
+ goto out;
server = service;
}
if (ap_req.ap_options.use_session_key &&
@@ -625,61 +785,51 @@ krb5_rd_req_return_keyblock(krb5_context context,
goto out;
}
- if((*auth_context)->keyblock == NULL){
+ if((*auth_context)->keyblock){
+ ret = krb5_copy_keyblock(context,
+ (*auth_context)->keyblock,
+ &o->keyblock);
+ if (ret)
+ goto out;
+ } else if(inctx->keyblock){
+ ret = krb5_copy_keyblock(context,
+ inctx->keyblock,
+ &o->keyblock);
+ if (ret)
+ goto out;
+ } else {
+ krb5_keytab keytab = NULL;
+
+ if (inctx && inctx->keytab)
+ keytab = inctx->keytab;
+
ret = get_key_from_keytab(context,
auth_context,
&ap_req,
server,
keytab,
- &keyblock);
+ &o->keyblock);
if(ret)
goto out;
- } else {
- ret = krb5_copy_keyblock(context,
- (*auth_context)->keyblock,
- &keyblock);
- if (ret)
- goto out;
}
ret = krb5_verify_ap_req(context,
auth_context,
&ap_req,
server,
- keyblock,
+ o->keyblock,
0,
- ap_req_options,
- ticket);
-
- if (ret == 0 && return_keyblock)
- *return_keyblock = keyblock;
- else
- krb5_free_keyblock(context, keyblock);
+ &o->ap_req_options,
+ &o->ticket);
out:
+ if (ret || outctx == NULL) {
+ krb5_rd_req_out_ctx_free(context, o);
+ } else
+ *outctx = o;
+
free_AP_REQ(&ap_req);
if(service)
krb5_free_principal(context, service);
return ret;
}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_data *inbuf,
- krb5_const_principal server,
- krb5_keytab keytab,
- krb5_flags *ap_req_options,
- krb5_ticket **ticket)
-{
- return krb5_rd_req_return_keyblock(context,
- auth_context,
- inbuf,
- server,
- keytab,
- ap_req_options,
- ticket,
- NULL);
-
-}
-
diff --git a/source4/script/mkproto.pl b/source4/script/mkproto.pl
index 88e3e2a121..ea2e5acd45 100755
--- a/source4/script/mkproto.pl
+++ b/source4/script/mkproto.pl
@@ -183,7 +183,7 @@ sub process_file($$$)
^void|^BOOL|^bool|^int|^struct|^char|^const|^\w+_[tT]\s|^uint|^unsigned|^long|
^NTSTATUS|^ADS_STATUS|^enum\s.*\(|^DATA_BLOB|^WERROR|^XFILE|^FILE|^DIR|
^double|^TDB_CONTEXT|^TDB_DATA|^TALLOC_CTX|^NTTIME|^FN_|^init_module|
- ^GtkWidget|^GType|^smb_ucs2_t
+ ^GtkWidget|^GType|^smb_ucs2_t|^krb5_error_code
/xo);
next if ($line =~ /^int\s*main/);