summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/gssapi/krb5
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2008-08-26 19:35:52 +0200
committerStefan Metzmacher <metze@samba.org>2008-08-26 19:46:38 +0200
commit243321b4bbe273cf3a9105ca132caa2b53e2f263 (patch)
treec8588a032720412a9a510d4045d6ca6e5c961ee7 /source4/heimdal/lib/gssapi/krb5
parent455f5c043d1416136a16a0bb6e463d855a913409 (diff)
downloadsamba-243321b4bbe273cf3a9105ca132caa2b53e2f263.tar.gz
samba-243321b4bbe273cf3a9105ca132caa2b53e2f263.tar.bz2
samba-243321b4bbe273cf3a9105ca132caa2b53e2f263.zip
heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patches
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo. metze (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
Diffstat (limited to 'source4/heimdal/lib/gssapi/krb5')
-rw-r--r--source4/heimdal/lib/gssapi/krb5/8003.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/accept_sec_context.c46
-rw-r--r--source4/heimdal/lib/gssapi/krb5/acquire_cred.c20
-rw-r--r--source4/heimdal/lib/gssapi/krb5/add_cred.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/arcfour.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/canonicalize_name.c18
-rwxr-xr-xsource4/heimdal/lib/gssapi/krb5/cfx.c2
-rw-r--r--[-rwxr-xr-x]source4/heimdal/lib/gssapi/krb5/cfx.h2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/compare_name.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/compat.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/context_time.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/copy_ccache.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/decapsulate.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/delete_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/display_name.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/display_status.c21
-rw-r--r--source4/heimdal/lib/gssapi/krb5/duplicate_name.c9
-rw-r--r--source4/heimdal/lib/gssapi/krb5/encapsulate.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/export_name.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/export_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/external.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/get_mic.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/gkrb5_err.et2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h5
-rw-r--r--source4/heimdal/lib/gssapi/krb5/import_name.c75
-rw-r--r--source4/heimdal/lib/gssapi/krb5/import_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/indicate_mechs.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init_sec_context.c79
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_cred.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c18
-rw-r--r--source4/heimdal/lib/gssapi/krb5/prf.c14
-rw-r--r--source4/heimdal/lib/gssapi/krb5/process_context_token.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/release_buffer.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/release_cred.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/release_name.c2
-rw-r--r--[-rwxr-xr-x]source4/heimdal/lib/gssapi/krb5/sequence.c10
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_cred_option.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/unwrap.c54
-rw-r--r--source4/heimdal/lib/gssapi/krb5/verify_mic.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/wrap.c36
47 files changed, 303 insertions, 170 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c
index 619cbf97fc..a9b93d32a6 100644
--- a/source4/heimdal/lib/gssapi/krb5/8003.c
+++ b/source4/heimdal/lib/gssapi/krb5/8003.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: 8003.c 18334 2006-10-07 22:16:04Z lha $");
+RCSID("$Id$");
krb5_error_code
_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p)
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 8dbd087da6..84110b7a82 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: accept_sec_context.c 23433 2008-07-26 18:44:26Z lha $");
+RCSID("$Id$");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
@@ -371,9 +371,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if (kret) {
if (in)
krb5_rd_req_in_ctx_free(context, in);
- ret = GSS_S_FAILURE;
*minor_status = kret;
- return ret;
+ return GSS_S_FAILURE;
}
kret = krb5_rd_req_ctx(context,
@@ -382,13 +381,18 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
server,
in, &out);
krb5_rd_req_in_ctx_free(context, in);
- if (kret) {
+ if (kret == KRB5KRB_AP_ERR_SKEW) {
/*
* No reply in non-MUTUAL mode, but we don't know that its
- * non-MUTUAL mode yet, thats inside the 8003 checksum.
+ * non-MUTUAL mode yet, thats inside the 8003 checksum, so
+ * lets only send the error token on clock skew, that
+ * limit when send error token for non-MUTUAL.
*/
return send_error_token(minor_status, context, kret,
server, &indata, output_token);
+ } else if (kret) {
+ *minor_status = kret;
+ return GSS_S_FAILURE;
}
/*
@@ -520,16 +524,36 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf;
+ int use_subkey = 0;
_gsskrb5i_is_cfx(ctx, &is_cfx);
- if (is_cfx != 0
- || (ap_options & AP_OPTS_USE_SUBKEY)) {
- kret = krb5_auth_con_addflags(context,
- ctx->auth_context,
- KRB5_AUTH_CONTEXT_USE_SUBKEY,
- NULL);
+ if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {
+ use_subkey = 1;
+ } else {
+ krb5_keyblock *rkey;
+
+ /*
+ * If there is a initiator subkey, copy that to acceptor
+ * subkey to match Windows behavior
+ */
+ kret = krb5_auth_con_getremotesubkey(context,
+ ctx->auth_context,
+ &rkey);
+ if (kret == 0) {
+ kret = krb5_auth_con_setlocalsubkey(context,
+ ctx->auth_context,
+ rkey);
+ if (kret == 0)
+ use_subkey = 1;
+ krb5_free_keyblock(context, rkey);
+ }
+ }
+ if (use_subkey) {
ctx->more_flags |= ACCEPTOR_SUBKEY;
+ krb5_auth_con_addflags(context, ctx->auth_context,
+ KRB5_AUTH_CONTEXT_USE_SUBKEY,
+ NULL);
}
kret = krb5_mk_rep(context,
diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
index 051446c19b..a7caf1a32e 100644
--- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: acquire_cred.c 22596 2008-02-18 18:05:55Z lha $");
+RCSID("$Id$");
OM_uint32
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
@@ -134,11 +134,16 @@ static OM_uint32 acquire_initiator_cred
* errors while searching.
*/
- if (handle->principal)
+ if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
NULL,
&ccache);
+ if (kret == 0) {
+ ret = GSS_S_COMPLETE;
+ goto found;
+ }
+ }
if (ccache == NULL) {
kret = krb5_cc_default(context, &ccache);
@@ -211,7 +216,7 @@ static OM_uint32 acquire_initiator_cred
}
kret = 0;
}
-
+ found:
handle->ccache = ccache;
ret = GSS_S_COMPLETE;
@@ -242,7 +247,6 @@ static OM_uint32 acquire_acceptor_cred
OM_uint32 ret;
krb5_error_code kret;
- kret = 0;
ret = GSS_S_FAILURE;
kret = get_keytab(context, &handle->keytab);
if (kret)
@@ -336,13 +340,13 @@ OM_uint32 _gsskrb5_acquire_cred
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
- krb5_principal name = (krb5_principal)desired_name;
- ret = krb5_copy_principal(context, name, &handle->principal);
+
+ ret = _gsskrb5_canon_name(minor_status, context, 0, desired_name,
+ &handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
- *minor_status = ret;
free(handle);
- return GSS_S_FAILURE;
+ return ret;
}
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c
index 9a1045a889..5cd17eb35d 100644
--- a/source4/heimdal/lib/gssapi/krb5/add_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: add_cred.c 20688 2007-05-17 18:44:31Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_add_cred (
OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
index 032da36ebc..2f39a4e400 100644
--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: arcfour.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
diff --git a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c
index c1744abd3b..f2143560d0 100644
--- a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: canonicalize_name.c 18334 2006-10-07 22:16:04Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_canonicalize_name (
OM_uint32 * minor_status,
@@ -42,5 +42,19 @@ OM_uint32 _gsskrb5_canonicalize_name (
gss_name_t * output_name
)
{
- return _gsskrb5_duplicate_name (minor_status, input_name, output_name);
+ krb5_context context;
+ krb5_principal name;
+ OM_uint32 ret;
+
+ *output_name = NULL;
+
+ GSSAPI_KRB5_INIT (&context);
+
+ ret = _gsskrb5_canon_name(minor_status, context, 1, input_name, &name);
+ if (ret)
+ return ret;
+
+ *output_name = (gss_name_t)name;
+
+ return GSS_S_COMPLETE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c
index bc0d736e81..188344fb26 100755
--- a/source4/heimdal/lib/gssapi/krb5/cfx.c
+++ b/source4/heimdal/lib/gssapi/krb5/cfx.c
@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: cfx.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
/*
* Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.h b/source4/heimdal/lib/gssapi/krb5/cfx.h
index 672704a841..c30ed07840 100755..100644
--- a/source4/heimdal/lib/gssapi/krb5/cfx.h
+++ b/source4/heimdal/lib/gssapi/krb5/cfx.h
@@ -30,7 +30,7 @@
* SUCH DAMAGE.
*/
-/* $Id: cfx.h 19031 2006-11-13 18:02:57Z lha $ */
+/* $Id$ */
#ifndef GSSAPI_CFX_H_
#define GSSAPI_CFX_H_ 1
diff --git a/source4/heimdal/lib/gssapi/krb5/compare_name.c b/source4/heimdal/lib/gssapi/krb5/compare_name.c
index 3f3b59d116..a5406a7f2a 100644
--- a/source4/heimdal/lib/gssapi/krb5/compare_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/compare_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: compare_name.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_compare_name
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c
index a0f075621a..0caada04f6 100644
--- a/source4/heimdal/lib/gssapi/krb5/compat.c
+++ b/source4/heimdal/lib/gssapi/krb5/compat.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: compat.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
static krb5_error_code
diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c
index b57ac7854e..7f70be733e 100644
--- a/source4/heimdal/lib/gssapi/krb5/context_time.c
+++ b/source4/heimdal/lib/gssapi/krb5/context_time.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: context_time.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32
_gsskrb5_lifetime_left(OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
index 66d797c199..fd348e841b 100644
--- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
+++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: copy_ccache.c 20688 2007-05-17 18:44:31Z lha $");
+RCSID("$Id$");
#if 0
OM_uint32
diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
index 39176faff4..419e61a436 100644
--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: decapsulate.c 18334 2006-10-07 22:16:04Z lha $");
+RCSID("$Id$");
/*
* return the length of the mechanism in token or -1
diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
index 9c618ac6a6..ec680d7378 100644
--- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: delete_sec_context.c 23420 2008-07-26 18:37:48Z lha $");
+RCSID("$Id$");
OM_uint32
_gsskrb5_delete_sec_context(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/display_name.c b/source4/heimdal/lib/gssapi/krb5/display_name.c
index 727c447d2a..a902ff7ea5 100644
--- a/source4/heimdal/lib/gssapi/krb5/display_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/display_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: display_name.c 21077 2007-06-12 22:42:56Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_display_name
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/display_status.c b/source4/heimdal/lib/gssapi/krb5/display_status.c
index f932261ffa..52a651c506 100644
--- a/source4/heimdal/lib/gssapi/krb5/display_status.c
+++ b/source4/heimdal/lib/gssapi/krb5/display_status.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: display_status.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
static const char *
calling_error(OM_uint32 v)
@@ -122,7 +122,7 @@ _gsskrb5_clear_status (void)
}
void
-_gsskrb5_set_status (const char *fmt, ...)
+_gsskrb5_set_status (int ret, const char *fmt, ...)
{
krb5_context context;
va_list args;
@@ -135,7 +135,7 @@ _gsskrb5_set_status (const char *fmt, ...)
vasprintf(&str, fmt, args);
va_end(args);
if (str) {
- krb5_set_error_message(context, 0, str);
+ krb5_set_error_message(context, ret, str);
free(str);
}
}
@@ -171,14 +171,13 @@ OM_uint32 _gsskrb5_display_status
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
- buf = krb5_get_error_string(context);
- if (buf == NULL) {
- const char *tmp = krb5_get_err_text (context, status_value);
- if (tmp == NULL)
- asprintf(&buf, "unknown mech error-code %u",
- (unsigned)status_value);
- else
- buf = strdup(tmp);
+ const char *buf2 = krb5_get_error_message(context, status_value);
+ if (buf2) {
+ buf = strdup(buf2);
+ krb5_free_error_message(context, buf2);
+ } else {
+ asprintf(&buf, "unknown mech error-code %u",
+ (unsigned)status_value);
}
} else {
*minor_status = EINVAL;
diff --git a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c
index 7337f1ab72..eeb777ed5f 100644
--- a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: duplicate_name.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_duplicate_name (
OM_uint32 * minor_status,
@@ -41,18 +41,19 @@ OM_uint32 _gsskrb5_duplicate_name (
gss_name_t * dest_name
)
{
- krb5_context context;
krb5_const_principal src = (krb5_const_principal)src_name;
- krb5_principal *dest = (krb5_principal *)dest_name;
+ krb5_context context;
+ krb5_principal dest;
krb5_error_code kret;
GSSAPI_KRB5_INIT (&context);
- kret = krb5_copy_principal (context, src, dest);
+ kret = krb5_copy_principal (context, src, &dest);
if (kret) {
*minor_status = kret;
return GSS_S_FAILURE;
} else {
+ *dest_name = (gss_name_t)dest;
*minor_status = 0;
return GSS_S_COMPLETE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c
index 58dcb5c9c4..3f42899a40 100644
--- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c
+++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: encapsulate.c 18459 2006-10-14 10:12:16Z lha $");
+RCSID("$Id$");
void
_gssapi_encap_length (size_t data_len,
diff --git a/source4/heimdal/lib/gssapi/krb5/export_name.c b/source4/heimdal/lib/gssapi/krb5/export_name.c
index efa45a2638..92ee101b0d 100644
--- a/source4/heimdal/lib/gssapi/krb5/export_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/export_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: export_name.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_export_name
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c
index 00218617a0..2bc50a04ee 100644
--- a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: export_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32
_gsskrb5_export_sec_context (
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index 2ee018708a..87e4aa01df 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
-RCSID("$Id: external.c 23420 2008-07-26 18:37:48Z lha $");
+RCSID("$Id$");
/*
* The implementation must reserve static storage for a
diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c
index f689e624a8..98a3f7e225 100644
--- a/source4/heimdal/lib/gssapi/krb5/get_mic.c
+++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: get_mic.c 23112 2008-04-27 18:51:26Z lha $");
+RCSID("$Id$");
static OM_uint32
mic_des
diff --git a/source4/heimdal/lib/gssapi/krb5/gkrb5_err.et b/source4/heimdal/lib/gssapi/krb5/gkrb5_err.et
index dbfdbdf2f1..3c23412a6a 100644
--- a/source4/heimdal/lib/gssapi/krb5/gkrb5_err.et
+++ b/source4/heimdal/lib/gssapi/krb5/gkrb5_err.et
@@ -2,7 +2,7 @@
# extended gss krb5 error messages
#
-id "$Id: gkrb5_err.et 20049 2007-01-24 00:14:24Z lha $"
+id "$Id$"
error_table gk5
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
index d9af44f960..dc7adec68f 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gsskrb5_locl.h 23435 2008-07-26 20:49:35Z lha $ */
+/* $Id$ */
#ifndef GSSKRB5_LOCL_H
#define GSSKRB5_LOCL_H
@@ -137,4 +137,7 @@ struct gssapi_thr_context {
#define SC_LOCAL_SUBKEY 0x08
#define SC_REMOTE_SUBKEY 0x10
+/* type to signal that that dns canon maybe should be done */
+#define MAGIC_HOSTBASED_NAME_TYPE 4711
+
#endif
diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c
index bf31db9232..9589979ee8 100644
--- a/source4/heimdal/lib/gssapi/krb5/import_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/import_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: import_name.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
static OM_uint32
parse_krb5_name (OM_uint32 *minor_status,
@@ -83,18 +83,56 @@ import_krb5_name (OM_uint32 *minor_status,
return ret;
}
+OM_uint32
+_gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
+ int use_dns, gss_name_t name, krb5_principal *out)
+{
+ krb5_principal p = (krb5_principal)name;
+ krb5_error_code ret;
+ char *hostname = NULL, *service;
+
+ *minor_status = 0;
+
+ /* If its not a hostname */
+ if (krb5_principal_get_type(context, p) != MAGIC_HOSTBASED_NAME_TYPE) {
+ ret = krb5_copy_principal(context, p, out);
+ } else if (!use_dns) {
+ ret = krb5_copy_principal(context, p, out);
+ if (ret == 0)
+ krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
+ } else {
+ if (p->name.name_string.len == 0)
+ return GSS_S_BAD_NAME;
+ else if (p->name.name_string.len > 1)
+ hostname = p->name.name_string.val[1];
+
+ service = p->name.name_string.val[0];
+
+ ret = krb5_sname_to_principal(context,
+ hostname,
+ service,
+ KRB5_NT_SRV_HST,
+ out);
+ }
+
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ return 0;
+}
+
+
static OM_uint32
import_hostbased_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
- krb5_error_code kerr;
- char *tmp;
- char *p;
- char *host;
- char local_hostname[MAXHOSTNAMELEN];
krb5_principal princ = NULL;
+ krb5_error_code kerr;
+ char *tmp, *p, *host = NULL;
tmp = malloc (input_name_buffer->length + 1);
if (tmp == NULL) {
@@ -110,31 +148,20 @@ import_hostbased_name (OM_uint32 *minor_status,
if (p != NULL) {
*p = '\0';
host = p + 1;
- } else {
- if (gethostname(local_hostname, sizeof(local_hostname)) < 0) {
- *minor_status = errno;
- free (tmp);
- return GSS_S_FAILURE;
- }
- host = local_hostname;
}
- kerr = krb5_sname_to_principal (context,
- host,
- tmp,
- KRB5_NT_SRV_HST,
- &princ);
+ kerr = krb5_make_principal(context, &princ, NULL, tmp, host, NULL);
free (tmp);
*minor_status = kerr;
- if (kerr == 0) {
- *output_name = (gss_name_t)princ;
- return GSS_S_COMPLETE;
- }
-
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
return GSS_S_BAD_NAME;
+ else if (kerr)
+ return GSS_S_FAILURE;
- return GSS_S_FAILURE;
+ krb5_principal_set_type(context, princ, MAGIC_HOSTBASED_NAME_TYPE);
+ *output_name = (gss_name_t)princ;
+
+ return 0;
}
static OM_uint32
diff --git a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c
index 5fd8c94104..1b709657f4 100644
--- a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: import_sec_context.c 22997 2008-04-15 19:36:25Z lha $");
+RCSID("$Id$");
OM_uint32
_gsskrb5_import_sec_context (
diff --git a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c
index eb886c24d3..b0219fc7ce 100644
--- a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c
+++ b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: indicate_mechs.c 20688 2007-05-17 18:44:31Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_indicate_mechs
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/init.c b/source4/heimdal/lib/gssapi/krb5/init.c
index 3bbdcc8ff1..ea32fce061 100644
--- a/source4/heimdal/lib/gssapi/krb5/init.c
+++ b/source4/heimdal/lib/gssapi/krb5/init.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: init.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static int created_key;
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index c9b9e15588..3d5e3b71c5 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: init_sec_context.c 23422 2008-07-26 18:38:29Z lha $");
+RCSID("$Id$");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -271,6 +271,7 @@ do_delegation (krb5_context context,
krb5_creds *cred,
krb5_const_principal name,
krb5_data *fwd_data,
+ uint32_t flagmask,
uint32_t *flags)
{
krb5_creds creds;
@@ -314,9 +315,9 @@ do_delegation (krb5_context context,
out:
if (kret)
- *flags &= ~GSS_C_DELEG_FLAG;
+ *flags &= ~flagmask;
else
- *flags |= GSS_C_DELEG_FLAG;
+ *flags |= flagmask;
if (creds.client)
krb5_free_principal(context, creds.client);
@@ -334,7 +335,7 @@ init_auth
gsskrb5_cred cred,
gsskrb5_ctx ctx,
krb5_context context,
- krb5_const_principal name,
+ gss_name_t name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
@@ -350,6 +351,7 @@ init_auth
krb5_data outbuf;
krb5_data fwd_data;
OM_uint32 lifetime_rec;
+ int use_dns = 1;
krb5_data_zero(&outbuf);
krb5_data_zero(&fwd_data);
@@ -377,13 +379,21 @@ init_auth
goto failure;
}
- kret = krb5_copy_principal (context, name, &ctx->target);
- if (kret) {
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
+ /* canon name if needed for client + target realm */
+ kret = krb5_cc_get_config(context, ctx->ccache, NULL,
+ "realm-config", &outbuf);
+ if (kret == 0) {
+ /* XXX 2 is no server canon */
+ if (outbuf.length < 1 || ((((unsigned char *)outbuf.data)[0]) & 2))
+ use_dns = 0;
+ krb5_data_free(&outbuf);
}
+ ret = _gsskrb5_canon_name(minor_status, context, use_dns,
+ name, &ctx->target);
+ if (ret)
+ goto failure;
+
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
@@ -479,6 +489,7 @@ init_auth_restart
krb5_enctype enctype;
krb5_data fwd_data, timedata;
int32_t offset = 0, oldoffset;
+ uint32_t flagmask;
krb5_data_zero(&outbuf);
krb5_data_zero(&fwd_data);
@@ -486,41 +497,41 @@ init_auth_restart
*minor_status = 0;
/*
- * If the credential doesn't have ok-as-delegate, check what local
- * policy say about ok-as-delegate, default is FALSE that makes
- * code ignore the KDC setting and follow what the application
- * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
- * KDC doesn't set ok-as-delegate.
+ * If the credential doesn't have ok-as-delegate, check if there
+ * is a realm setting and use that.
*/
if (!ctx->kcred->flags.b.ok_as_delegate) {
- krb5_boolean delegate, realm_setting;
krb5_data data;
-
- realm_setting = FALSE;
-
+
ret = krb5_cc_get_config(context, ctx->ccache, NULL,
"realm-config", &data);
if (ret == 0) {
/* XXX 1 is use ok-as-delegate */
- if (data.length > 0 && (((unsigned char *)data.data)[0]) & 1)
- realm_setting = TRUE;
+ if (data.length < 1 || ((((unsigned char *)data.data)[0]) & 1) == 0)
+ req_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
krb5_data_free(&data);
}
-
- krb5_appdefault_boolean(context, "gssapi", ctx->target->realm,
- "ok-as-delegate", realm_setting,
- &delegate);
- if (delegate)
- req_flags &= ~GSS_C_DELEG_FLAG;
}
+ flagmask = 0;
+
+ /* if we used GSS_C_DELEG_POLICY_FLAG, trust KDC */
+ if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+ && ctx->kcred->flags.b.ok_as_delegate)
+ flagmask |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+ /* if there still is a GSS_C_DELEG_FLAG, use that */
+ if (req_flags & GSS_C_DELEG_FLAG)
+ flagmask |= GSS_C_DELEG_FLAG;
+
+
flags = 0;
ap_options = 0;
- if (req_flags & GSS_C_DELEG_FLAG)
+ if (flagmask & GSS_C_DELEG_FLAG) {
do_delegation (context,
ctx->auth_context,
ctx->ccache, ctx->kcred, ctx->target,
- &fwd_data, &flags);
+ &fwd_data, flagmask, &flags);
+ }
if (req_flags & GSS_C_MUTUAL_FLAG) {
flags |= GSS_C_MUTUAL_FLAG;
@@ -817,7 +828,6 @@ OM_uint32 _gsskrb5_init_sec_context
{
krb5_context context;
gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
- krb5_const_principal name = (krb5_const_principal)target_name;
gsskrb5_ctx ctx;
OM_uint32 ret;
@@ -880,7 +890,7 @@ OM_uint32 _gsskrb5_init_sec_context
cred,
ctx,
context,
- name,
+ target_name,
mech_type,
req_flags,
time_req,
@@ -926,11 +936,16 @@ OM_uint32 _gsskrb5_init_sec_context
* If we get there, the caller have called
* gss_init_sec_context() one time too many.
*/
- *minor_status = 0;
+ _gsskrb5_set_status(EINVAL, "init_sec_context "
+ "called one time too many");
+ *minor_status = EINVAL;
ret = GSS_S_BAD_STATUS;
break;
default:
- *minor_status = 0;
+ _gsskrb5_set_status(EINVAL, "init_sec_context "
+ "invalid state %d for client",
+ (int)ctx->state);
+ *minor_status = EINVAL;
ret = GSS_S_BAD_STATUS;
break;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_context.c b/source4/heimdal/lib/gssapi/krb5/inquire_context.c
index 41430568b0..f2e01b464a 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_context.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_inquire_context (
OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c
index 47bf71e686..42488c718c 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_cred.c 20688 2007-05-17 18:44:31Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_inquire_cred
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
index a8af2145be..de7ec6cd75 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_cred_by_mech.c 20634 2007-05-09 15:33:01Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_inquire_cred_by_mech (
OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
index da50b11d93..2bcc17683b 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_cred_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_inquire_cred_by_oid
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
index 0ce051f19c..2384c29656 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_mechs_for_name.c 20688 2007-05-17 18:44:31Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_inquire_mechs_for_name (
OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
index 64abd3c34a..c07eb60108 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_names_for_mech.c 20688 2007-05-17 18:44:31Z lha $");
+RCSID("$Id$");
static gss_OID *name_list[] = {
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
index 5ca7536e6a..24b640f4b5 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_sec_context_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
static int
oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
@@ -84,7 +84,7 @@ static OM_uint32 inquire_sec_context_tkt_flags
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- _gsskrb5_set_status("No ticket from which to obtain flags");
+ _gsskrb5_set_status(EINVAL, "No ticket from which to obtain flags");
*minor_status = EINVAL;
return GSS_S_BAD_MECH;
}
@@ -137,7 +137,7 @@ static OM_uint32 inquire_sec_context_get_subkey
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
break;
default:
- _gsskrb5_set_status("%d is not a valid subkey type", keytype);
+ _gsskrb5_set_status(EINVAL, "%d is not a valid subkey type", keytype);
ret = EINVAL;
break;
}
@@ -145,7 +145,7 @@ static OM_uint32 inquire_sec_context_get_subkey
if (ret)
goto out;
if (key == NULL) {
- _gsskrb5_set_status("have no subkey of type %d", keytype);
+ _gsskrb5_set_status(EINVAL, "have no subkey of type %d", keytype);
ret = EINVAL;
goto out;
}
@@ -199,7 +199,7 @@ static OM_uint32 inquire_sec_context_authz_data
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = EINVAL;
- _gsskrb5_set_status("No ticket to obtain authz data from");
+ _gsskrb5_set_status(EINVAL, "No ticket to obtain authz data from");
return GSS_S_NO_CONTEXT;
}
@@ -301,12 +301,16 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
context_handle->auth_context,
&number);
ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
+ if (ret) goto out;
ret = krb5_store_uint32(sp, (uint32_t)number);
+ if (ret) goto out;
krb5_auth_getremoteseqnumber (context,
context_handle->auth_context,
&number);
ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
+ if (ret) goto out;
ret = krb5_store_uint32(sp, (uint32_t)number);
+ if (ret) goto out;
ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
if (ret) goto out;
@@ -401,7 +405,7 @@ get_authtime(OM_uint32 *minor_status,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (ctx->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- _gsskrb5_set_status("No ticket to obtain auth time from");
+ _gsskrb5_set_status(EINVAL, "No ticket to obtain auth time from");
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
@@ -441,7 +445,7 @@ get_service_keyblock
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (ctx->service_keyblock == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- _gsskrb5_set_status("No service keyblock on gssapi context");
+ _gsskrb5_set_status(EINVAL, "No service keyblock on gssapi context");
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c
index f79c9374a9..a7372d87cc 100644
--- a/source4/heimdal/lib/gssapi/krb5/prf.c
+++ b/source4/heimdal/lib/gssapi/krb5/prf.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: prf.c 21129 2007-06-18 20:28:44Z lha $");
+RCSID("$Id$");
OM_uint32
_gsskrb5_pseudo_random(OM_uint32 *minor_status,
@@ -72,14 +72,14 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
_gsskrb5i_get_initiator_subkey(ctx, context, &key);
break;
default:
- _gsskrb5_set_status("unknown kerberos prf_key");
- *minor_status = 0;
+ _gsskrb5_set_status(EINVAL, "unknown kerberos prf_key");
+ *minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (key == NULL) {
- _gsskrb5_set_status("no prf_key found");
- *minor_status = 0;
+ _gsskrb5_set_status(EINVAL, "no prf_key found");
+ *minor_status = EINVAL;
return GSS_S_FAILURE;
}
@@ -92,7 +92,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
prf_out->value = malloc(desired_output_len);
if (prf_out->value == NULL) {
- _gsskrb5_set_status("Out of memory");
+ _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
@@ -105,7 +105,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
input.data = malloc(prf_in->length + 4);
if (input.data == NULL) {
OM_uint32 junk;
- _gsskrb5_set_status("Out of memory");
+ _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
gss_release_buffer(&junk, prf_out);
krb5_crypto_destroy(context, crypto);
diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c
index 15638f57fc..80d96f5ce4 100644
--- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c
+++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: process_context_token.c 19031 2006-11-13 18:02:57Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_process_context_token (
OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/release_buffer.c b/source4/heimdal/lib/gssapi/krb5/release_buffer.c
index 5dff62631a..e2f1f4ec14 100644
--- a/source4/heimdal/lib/gssapi/krb5/release_buffer.c
+++ b/source4/heimdal/lib/gssapi/krb5/release_buffer.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: release_buffer.c 18334 2006-10-07 22:16:04Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_release_buffer
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/release_cred.c b/source4/heimdal/lib/gssapi/krb5/release_cred.c
index ab5695b097..1becd1c6b1 100644
--- a/source4/heimdal/lib/gssapi/krb5/release_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/release_cred.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: release_cred.c 20753 2007-05-31 22:50:06Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_release_cred
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/release_name.c b/source4/heimdal/lib/gssapi/krb5/release_name.c
index 80b91930fd..e2ff9dde31 100644
--- a/source4/heimdal/lib/gssapi/krb5/release_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/release_name.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: release_name.c 21128 2007-06-18 20:26:50Z lha $");
+RCSID("$Id$");
OM_uint32 _gsskrb5_release_name
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c
index 677a3c8d07..b40fe52578 100755..100644
--- a/source4/heimdal/lib/gssapi/krb5/sequence.c
+++ b/source4/heimdal/lib/gssapi/krb5/sequence.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: sequence.c 18334 2006-10-07 22:16:04Z lha $");
+RCSID("$Id$");
#define DEFAULT_JITTER_WINDOW 20
@@ -255,16 +255,16 @@ _gssapi_msg_order_import(OM_uint32 *minor_status,
kret = krb5_ret_int32(sp, &flags);
if (kret)
goto failed;
- ret = krb5_ret_int32(sp, &start);
+ kret = krb5_ret_int32(sp, &start);
if (kret)
goto failed;
- ret = krb5_ret_int32(sp, &length);
+ kret = krb5_ret_int32(sp, &length);
if (kret)
goto failed;
- ret = krb5_ret_int32(sp, &jitter_window);
+ kret = krb5_ret_int32(sp, &jitter_window);
if (kret)
goto failed;
- ret = krb5_ret_int32(sp, &first_seq);
+ kret = krb5_ret_int32(sp, &first_seq);
if (kret)
goto failed;
diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
index 8c554fb8e0..e47e6fdb6c 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: set_cred_option.c 23331 2008-06-27 12:01:48Z lha $");
+RCSID("$Id$");
/* 1.2.752.43.13.17 */
static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc =
diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
index fd76838af5..f28d2397be 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
@@ -36,7 +36,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: set_sec_context_option.c 23420 2008-07-26 18:37:48Z lha $");
+RCSID("$Id$");
static OM_uint32
get_bool(OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
index eec4078a70..727bbf7403 100644
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: unwrap.c 23112 2008-04-27 18:51:26Z lha $");
+RCSID("$Id$");
static OM_uint32
unwrap_des
@@ -59,10 +59,17 @@ unwrap_des
OM_uint32 ret;
int cstate;
int cmp;
+ int token_len;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 22 + 8 + 15; /* 45 */
+ } else {
+ token_len = input_message_buffer->length;
+ }
p = input_message_buffer->value;
ret = _gsskrb5_verify_header (&p,
- input_message_buffer->length,
+ token_len,
"\x02\x01",
GSS_KRB5_MECHANISM);
if (ret)
@@ -105,12 +112,17 @@ unwrap_des
memset (deskey, 0, sizeof(deskey));
memset (&schedule, 0, sizeof(schedule));
}
- /* check pad */
- ret = _gssapi_verify_pad(input_message_buffer,
- input_message_buffer->length - len,
- &padlength);
- if (ret)
- return ret;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ padlength = 0;
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+ input_message_buffer->length - len,
+ &padlength);
+ if (ret)
+ return ret;
+ }
MD5_Init (&md5);
MD5_Update (&md5, p - 24, 8);
@@ -195,10 +207,17 @@ unwrap_des3
krb5_crypto crypto;
Checksum csum;
int cmp;
+ int token_len;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 34 + 8 + 15; /* 57 */
+ } else {
+ token_len = input_message_buffer->length;
+ }
p = input_message_buffer->value;
ret = _gsskrb5_verify_header (&p,
- input_message_buffer->length,
+ token_len,
"\x02\x01",
GSS_KRB5_MECHANISM);
if (ret)
@@ -245,12 +264,17 @@ unwrap_des3
memcpy (p, tmp.data, tmp.length);
krb5_data_free(&tmp);
}
- /* check pad */
- ret = _gssapi_verify_pad(input_message_buffer,
- input_message_buffer->length - len,
- &padlength);
- if (ret)
- return ret;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ padlength = 0;
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+ input_message_buffer->length - len,
+ &padlength);
+ if (ret)
+ return ret;
+ }
/* verify sequence number */
diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c
index 560c14bc89..df71f8f7d1 100644
--- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c
+++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: verify_mic.c 23112 2008-04-27 18:51:26Z lha $");
+RCSID("$Id$");
static OM_uint32
verify_mic_des
diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c
index 6d00f2adcf..ecd4f7cd54 100644
--- a/source4/heimdal/lib/gssapi/krb5/wrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/wrap.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: wrap.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
/*
* Return initiator subkey, or if that doesn't exists, the subkey.
@@ -210,10 +210,19 @@ wrap_des
int32_t seq_number;
size_t len, total_len, padlength, datalen;
- padlength = 8 - (input_message_buffer->length % 8);
- datalen = input_message_buffer->length + padlength + 8;
- len = datalen + 22;
- _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ if (IS_DCE_STYLE(ctx)) {
+ padlength = 0;
+ datalen = input_message_buffer->length;
+ len = 22 + 8;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ total_len += datalen;
+ datalen += 8;
+ } else {
+ padlength = 8 - (input_message_buffer->length % 8);
+ datalen = input_message_buffer->length + padlength + 8;
+ len = datalen + 22;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ }
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);
@@ -336,10 +345,19 @@ wrap_des3
Checksum cksum;
krb5_data encdata;
- padlength = 8 - (input_message_buffer->length % 8);
- datalen = input_message_buffer->length + padlength + 8;
- len = datalen + 34;
- _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ if (IS_DCE_STYLE(ctx)) {
+ padlength = 0;
+ datalen = input_message_buffer->length;
+ len = 34 + 8;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ total_len += datalen;
+ datalen += 8;
+ } else {
+ padlength = 8 - (input_message_buffer->length % 8);
+ datalen = input_message_buffer->length + padlength + 8;
+ len = datalen + 34;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ }
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);