summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/gssapi/krb5
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-08-05 11:25:50 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-08-05 12:18:17 +1000
commitcd1d7f4be7d31388ab79c797acaf6d7730113112 (patch)
tree3d25e28089d1cffa5d7dadca529e29b936681607 /source4/heimdal/lib/gssapi/krb5
parent8bba340e65e84ee09a7da4d97bc7838d3eefbb15 (diff)
downloadsamba-cd1d7f4be7d31388ab79c797acaf6d7730113112.tar.gz
samba-cd1d7f4be7d31388ab79c797acaf6d7730113112.tar.bz2
samba-cd1d7f4be7d31388ab79c797acaf6d7730113112.zip
s4:heimdal: import lorikeet-heimdal-200908050050 (commit 8714779fa7376fd9f7761587639e68b48afc8c9c)
This also adds a new hdb-glue.c file, to cope with Heimdal's uncondtional enabling of SQLITE. (Very reasonable, but not required for Samba4's use). Andrew Bartlett
Diffstat (limited to 'source4/heimdal/lib/gssapi/krb5')
-rw-r--r--source4/heimdal/lib/gssapi/krb5/accept_sec_context.c12
-rw-r--r--source4/heimdal/lib/gssapi/krb5/acquire_cred.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/canonicalize_name.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/copy_ccache.c10
-rw-r--r--source4/heimdal/lib/gssapi/krb5/creds.c253
-rw-r--r--source4/heimdal/lib/gssapi/krb5/external.c5
-rw-r--r--source4/heimdal/lib/gssapi/krb5/import_name.c13
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_cred_option.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/store_cred.c116
10 files changed, 399 insertions, 22 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 8d998ed098..355d1c4332 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -170,12 +170,12 @@ gsskrb5_accept_delegated_token
if (delegated_cred_handle) {
gsskrb5_cred handle;
-
- ret = _gsskrb5_import_cred(minor_status,
- ccache,
- NULL,
- NULL,
- delegated_cred_handle);
+
+ ret = _gsskrb5_krb5_import_cred(minor_status,
+ ccache,
+ NULL,
+ NULL,
+ delegated_cred_handle);
if (ret != GSS_S_COMPLETE)
goto out;
diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
index 4f6f38e674..696171dcfa 100644
--- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
@@ -339,8 +339,8 @@ OM_uint32 _gsskrb5_acquire_cred
if (desired_name != GSS_C_NO_NAME) {
- ret = _gsskrb5_canon_name(minor_status, context, 0, desired_name,
- &handle->principal);
+ ret = _gsskrb5_canon_name(minor_status, context, 0, NULL,
+ desired_name, &handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
diff --git a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c
index 7e0c3fe727..3de55d6e32 100644
--- a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c
@@ -48,7 +48,7 @@ OM_uint32 _gsskrb5_canonicalize_name (
GSSAPI_KRB5_INIT (&context);
- ret = _gsskrb5_canon_name(minor_status, context, 1, input_name, &name);
+ ret = _gsskrb5_canon_name(minor_status, context, 1, NULL, input_name, &name);
if (ret)
return ret;
diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
index a4b28f91ed..4e65fc1cf3 100644
--- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
+++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
@@ -63,11 +63,11 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
OM_uint32
-_gsskrb5_import_cred(OM_uint32 *minor_status,
- krb5_ccache id,
- krb5_principal keytab_principal,
- krb5_keytab keytab,
- gss_cred_id_t *cred)
+_gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal keytab_principal,
+ krb5_keytab keytab,
+ gss_cred_id_t *cred)
{
krb5_context context;
krb5_error_code kret;
diff --git a/source4/heimdal/lib/gssapi/krb5/creds.c b/source4/heimdal/lib/gssapi/krb5/creds.c
new file mode 100644
index 0000000000..c9befe9d77
--- /dev/null
+++ b/source4/heimdal/lib/gssapi/krb5/creds.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gsskrb5_locl.h"
+
+OM_uint32
+_gsskrb5_export_cred(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ gss_buffer_t cred_token)
+{
+ gsskrb5_cred handle = (gsskrb5_cred)cred_handle;
+ krb5_context context;
+ krb5_error_code ret;
+ krb5_storage *sp;
+ krb5_data data, mech;
+ const char *type;
+ char *str;
+
+ GSSAPI_KRB5_INIT (&context);
+
+ if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) {
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return GSS_S_FAILURE;
+ }
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ type = krb5_cc_get_type(context, handle->ccache);
+ if (strcmp(type, "MEMORY") == 0) {
+ krb5_creds *creds;
+ ret = krb5_store_uint32(sp, 0);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = _krb5_get_krbtgt(context, handle->ccache,
+ handle->principal->realm,
+ &creds);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_store_creds(sp, creds);
+ krb5_free_creds(context, creds);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ } else {
+ ret = krb5_store_uint32(sp, 1);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_cc_get_full_name(context, handle->ccache, &str);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_store_string(sp, str);
+ free(str);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+ }
+ ret = krb5_storage_to_data(sp, &data);
+ krb5_storage_free(sp);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_data_free(&data);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ mech.data = GSS_KRB5_MECHANISM->elements;
+ mech.length = GSS_KRB5_MECHANISM->length;
+
+ ret = krb5_store_data(sp, mech);
+ if (ret) {
+ krb5_data_free(&data);
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_store_data(sp, data);
+ krb5_data_free(&data);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_storage_to_data(sp, &data);
+ krb5_storage_free(sp);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ cred_token->value = data.data;
+ cred_token->length = data.length;
+
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gsskrb5_import_cred(OM_uint32 * minor_status,
+ gss_buffer_t cred_token,
+ gss_cred_id_t * cred_handle)
+{
+ krb5_context context;
+ krb5_error_code ret;
+ gsskrb5_cred handle;
+ krb5_ccache id;
+ krb5_storage *sp;
+ char *str;
+ uint32_t type;
+ int flags = 0;
+
+ *cred_handle = GSS_C_NO_CREDENTIAL;
+
+ GSSAPI_KRB5_INIT (&context);
+
+ sp = krb5_storage_from_mem(cred_token->value, cred_token->length);
+ if (sp == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_ret_uint32(sp, &type);
+ if (ret) {
+ krb5_storage_free(sp);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+ switch (type) {
+ case 0: {
+ krb5_creds creds;
+
+ ret = krb5_ret_creds(sp, &creds);
+ krb5_storage_free(sp);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_cc_initialize(context, id, creds.client);
+ if (ret) {
+ krb5_cc_destroy(context, id);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_cc_store_cred(context, id, &creds);
+ krb5_free_cred_contents(context, &creds);
+
+ flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
+
+ break;
+ }
+ case 1:
+ ret = krb5_ret_string(sp, &str);
+ krb5_storage_free(sp);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = krb5_cc_resolve(context, str, &id);
+ krb5_xfree(str);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+ break;
+
+ default:
+ krb5_storage_free(sp);
+ *minor_status = 0;
+ return GSS_S_NO_CRED;
+ }
+
+ handle = calloc(1, sizeof(*handle));
+ if (handle == NULL) {
+ krb5_cc_close(context, id);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ handle->usage = GSS_C_INITIATE;
+ krb5_cc_get_principal(context, id, &handle->principal);
+ handle->ccache = id;
+ handle->cred_flags = flags;
+
+ return GSS_S_COMPLETE;
+}
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index df23776a63..fc835bd845 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -470,7 +470,10 @@ static gssapi_mech_interface_desc krb5_mech = {
_gsskrb5_pseudo_random,
_gk_wrap_iov,
_gk_unwrap_iov,
- _gk_wrap_iov_length
+ _gk_wrap_iov_length,
+ _gsskrb5_store_cred,
+ _gsskrb5_export_cred,
+ _gsskrb5_import_cred
};
gssapi_mech_interface
diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c
index d488ce754b..f1aca93ffd 100644
--- a/source4/heimdal/lib/gssapi/krb5/import_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/import_name.c
@@ -83,9 +83,10 @@ import_krb5_name (OM_uint32 *minor_status,
OM_uint32
_gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
- int use_dns, gss_name_t name, krb5_principal *out)
+ int use_dns, krb5_const_principal sourcename, gss_name_t targetname,
+ krb5_principal *out)
{
- krb5_principal p = (krb5_principal)name;
+ krb5_principal p = (krb5_principal)targetname;
krb5_error_code ret;
char *hostname = NULL, *service;
@@ -96,8 +97,11 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
ret = krb5_copy_principal(context, p, out);
} else if (!use_dns) {
ret = krb5_copy_principal(context, p, out);
- if (ret == 0)
- krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
+ if (ret)
+ goto out;
+ krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
+ if (sourcename)
+ ret = krb5_principal_set_realm(context, *out, sourcename->realm);
} else {
if (p->name.name_string.len == 0)
return GSS_S_BAD_NAME;
@@ -113,6 +117,7 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
out);
}
+ out:
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index 35ab9dd88d..b269d06798 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -191,7 +191,7 @@ gsskrb5_get_creds(
}
ret = _gsskrb5_canon_name(minor_status, context, use_dns,
- target_name, &ctx->target);
+ ctx->source, target_name, &ctx->target);
if (ret)
return ret;
diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
index 15d7632e4c..ee29bf8c66 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
@@ -119,8 +119,8 @@ import_cred(OM_uint32 *minor_status,
free(str);
str = NULL;
- major_stat = _gsskrb5_import_cred(minor_status, id, keytab_principal,
- keytab, cred_handle);
+ major_stat = _gsskrb5_krb5_import_cred(minor_status, id, keytab_principal,
+ keytab, cred_handle);
out:
if (id)
krb5_cc_close(context, id);
diff --git a/source4/heimdal/lib/gssapi/krb5/store_cred.c b/source4/heimdal/lib/gssapi/krb5/store_cred.c
new file mode 100644
index 0000000000..675a1d8e95
--- /dev/null
+++ b/source4/heimdal/lib/gssapi/krb5/store_cred.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gsskrb5_locl.h"
+
+OM_uint32
+_gsskrb5_store_cred(OM_uint32 *minor_status,
+ gss_cred_id_t input_cred_handle,
+ gss_cred_usage_t cred_usage,
+ const gss_OID desired_mech,
+ OM_uint32 overwrite_cred,
+ OM_uint32 default_cred,
+ gss_OID_set *elements_stored,
+ gss_cred_usage_t *cred_usage_stored)
+{
+ krb5_context context;
+ krb5_error_code ret;
+ gsskrb5_cred cred;
+ krb5_ccache id;
+ int destroy = 0;
+
+ *minor_status = 0;
+
+ if (cred_usage != GSS_C_INITIATE) {
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return GSS_S_FAILURE;
+ }
+
+ if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0)
+ return GSS_S_BAD_MECH;
+
+ cred = (gsskrb5_cred)input_cred_handle;
+ if (cred == NULL)
+ return GSS_S_NO_CRED;
+
+ GSSAPI_KRB5_INIT (&context);
+
+ HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
+ if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
+ HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return(GSS_S_FAILURE);
+ }
+
+ if (cred->principal == NULL) {
+ HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+ *minor_status = GSS_KRB5_S_KG_TGT_MISSING;
+ return(GSS_S_FAILURE);
+ }
+
+ /* write out cred to credential cache */
+
+ ret = krb5_cc_cache_match(context, cred->principal, &id);
+ if (ret) {
+ ret = krb5_cc_new_unique(context, NULL, NULL, &id);
+ if (ret) {
+ HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+ *minor_status = ret;
+ return(GSS_S_FAILURE);
+ }
+ destroy = 1;
+ }
+
+ ret = krb5_cc_initialize(context, id, cred->principal);
+ if (ret == 0)
+ ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
+ if (ret) {
+ if (destroy)
+ krb5_cc_destroy(context, id);
+ else
+ krb5_cc_close(context, id);
+ HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+ *minor_status = ret;
+ return(GSS_S_FAILURE);
+ }
+
+ if (default_cred)
+ krb5_cc_switch(context, id);
+
+ krb5_cc_close(context, id);
+
+ HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}