authorAndrew Bartlett <abartlet@samba.org>2008-03-19 10:17:42 +1100
committerAndrew Bartlett <abartlet@samba.org>2008-03-19 10:17:42 +1100
commit9e6b0c28712ee77ce878809c8576826a3ba08d95 (patch)
tree1a325e474fbc22b1a1cadaf53a3af2c36e8d5ad2 /source4/heimdal/lib/gssapi
parent3530099cf226d591b687715b63b144d243e52083 (diff)
downloadsamba-9e6b0c28712ee77ce878809c8576826a3ba08d95.tar.gz
samba-9e6b0c28712ee77ce878809c8576826a3ba08d95.tar.bz2
samba-9e6b0c28712ee77ce878809c8576826a3ba08d95.zip
Merge lorikeet-heimdal -r 787 into Samba4 tree.
Andrew Bartlett (This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
Diffstat (limited to 'source4/heimdal/lib/gssapi')
-rw-r--r--source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h3
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_mech.h2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/acquire_cred.c74
-rw-r--r--source4/heimdal/lib/gssapi/krb5/external.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h3
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init_sec_context.c54
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_cred_option.c39
-rw-r--r--source4/heimdal/lib/gssapi/mech/context.c18
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c6
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_krb5.c43
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_mech_switch.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c4
-rw-r--r--source4/heimdal/lib/gssapi/spnego/accept_sec_context.c27
-rw-r--r--source4/heimdal/lib/gssapi/spnego/compat.c3
-rw-r--r--source4/heimdal/lib/gssapi/spnego/context_stubs.c70
-rw-r--r--source4/heimdal/lib/gssapi/spnego/external.c4
-rw-r--r--source4/heimdal/lib/gssapi/spnego/init_sec_context.c11
-rw-r--r--source4/heimdal/lib/gssapi/spnego/spnego-private.h9
19 files changed, 254 insertions, 124 deletions
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
index cca529fe26..2223f4f22f 100644
--- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
+++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi_krb5.h 20385 2007-04-18 08:51:32Z lha $ */
+/* $Id: gssapi_krb5.h 22655 2008-02-26 12:40:35Z lha $ */
#ifndef GSSAPI_KRB5_H_
#define GSSAPI_KRB5_H_
@@ -80,6 +80,7 @@ extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
/* Extensions creds */
extern gss_OID GSS_KRB5_IMPORT_CRED_X;
extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
+extern gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
/*
* kerberos mechanism specific functions
diff --git a/source4/heimdal/lib/gssapi/gssapi_mech.h b/source4/heimdal/lib/gssapi/gssapi_mech.h
index 403990ad47..b360de13fc 100644
--- a/source4/heimdal/lib/gssapi/gssapi_mech.h
+++ b/source4/heimdal/lib/gssapi/gssapi_mech.h
@@ -356,4 +356,6 @@ gssapi_mech_interface __gss_spnego_initialize(void);
gssapi_mech_interface __gss_krb5_initialize(void);
gssapi_mech_interface __gss_ntlm_initialize(void);
+void gss_mg_collect_error(gss_OID, OM_uint32, OM_uint32);
+
#endif /* GSSAPI_MECH_H */
diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
index d5c70636bc..051446c19b 100644
--- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: acquire_cred.c 21221 2007-06-20 08:42:10Z lha $");
+RCSID("$Id: acquire_cred.c 22596 2008-02-18 18:05:55Z lha $");
OM_uint32
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
@@ -128,9 +128,12 @@ static OM_uint32 acquire_initiator_cred
ret = GSS_S_FAILURE;
memset(&cred, 0, sizeof(cred));
- /* If we have a preferred principal, lets try to find it in all
- * caches, otherwise, fall back to default cache. Ignore
- * errors. */
+ /*
+ * If we have a preferred principal, lets try to find it in all
+ * caches, otherwise, fall back to default cache, ignore all
+ * errors while searching.
+ */
+
if (handle->principal)
kret = krb5_cc_cache_match (context,
handle->principal,
@@ -142,32 +145,30 @@ static OM_uint32 acquire_initiator_cred
if (kret)
goto end;
}
- kret = krb5_cc_get_principal(context, ccache,
- &def_princ);
+ kret = krb5_cc_get_principal(context, ccache, &def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
- krb5_cc_destroy(context, ccache);
- ccache = NULL;
+ krb5_cc_close(context, ccache);
+ def_princ = NULL;
kret = 0;
} else if (handle->principal == NULL) {
- kret = krb5_copy_principal(context, def_princ,
- &handle->principal);
+ kret = krb5_copy_principal(context, def_princ, &handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
- krb5_principal_compare(context, handle->principal,
- def_princ) == FALSE) {
- /* Before failing, lets check the keytab */
+ krb5_principal_compare(context, handle->principal,
+ def_princ) == FALSE) {
krb5_free_principal(context, def_princ);
def_princ = NULL;
+ krb5_cc_close(context, ccache);
+ ccache = NULL;
}
if (def_princ == NULL) {
/* We have no existing credentials cache,
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
- kret = krb5_get_default_principal(context,
- &handle->principal);
+ kret = krb5_get_default_principal(context, &handle->principal);
if (kret)
goto end;
}
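Review bot: The `krb5_copy_principal` failure path now leaks the opened ccache: on the `if (kret) goto end;` right after it, `ccache` is still open, and the `end:` hunk further down (the one that removes the `krb5_cc_close` block) no longer closes it. A local cleanup keeps the close-at-point style this commit adopts elsewhere, `if (kret) { krb5_cc_close(context, ccache); goto end; }`. The `krb5_cc_close` in the get_principal failure branch also leaves `ccache` pointing at a closed cache, unlike the mismatch branch below it which resets the pointer; adding `ccache = NULL;` there keeps the two branches consistent. acquire_initiator_cred starts before this hunk and continues after it.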
@@ -182,16 +183,19 @@ static OM_uint32 acquire_initiator_cred
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
- kret = krb5_cc_gen_new(context, &krb5_mcc_ops,
- &ccache);
+ kret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(context, ccache, cred.client);
- if (kret)
+ if (kret) {
+ krb5_cc_destroy(context, ccache);
goto end;
+ }
kret = krb5_cc_store_cred(context, ccache, &cred);
- if (kret)
+ if (kret) {
+ krb5_cc_destroy(context, ccache);
goto end;
+ }
handle->lifetime = cred.times.endtime;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} else {
@@ -201,8 +205,10 @@ static OM_uint32 acquire_initiator_cred
ccache,
handle->principal,
&handle->lifetime);
- if (ret != GSS_S_COMPLETE)
+ if (ret != GSS_S_COMPLETE) {
+ krb5_cc_close(context, ccache);
goto end;
+ }
kret = 0;
}
@@ -216,13 +222,8 @@ end:
krb5_free_principal(context, def_princ);
if (keytab != NULL)
krb5_kt_close(context, keytab);
- if (ret != GSS_S_COMPLETE) {
- if (ccache != NULL)
- krb5_cc_close(context, ccache);
- if (kret != 0) {
- *minor_status = kret;
- }
- }
+ if (ret != GSS_S_COMPLETE && kret != 0)
+ *minor_status = kret;
return (ret);
}
@@ -257,8 +258,23 @@ static OM_uint32 acquire_acceptor_cred
goto end;
krb5_kt_free_entry(context, &entry);
ret = GSS_S_COMPLETE;
- }
-
+ } else {
+ /*
+ * Check if there is at least one entry in the keytab before
+ * declaring it as an useful keytab.
+ */
+ krb5_keytab_entry tmp;
+ krb5_kt_cursor c;
+
+ kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
+ if (kret)
+ goto end;
+ if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
+ krb5_kt_free_entry(context, &tmp);
+ ret = GSS_S_COMPLETE; /* ok found one entry */
+ }
+ krb5_kt_end_seq_get (context, handle->keytab, &c);
+ }
end:
if (ret != GSS_S_COMPLETE) {
if (handle->keytab != NULL)
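Review bot: The return value of `krb5_kt_next_entry` is discarded, so when the keytab turns out to be empty `ret` stays a failure while `kret` is still 0 from `krb5_kt_start_seq_get`; if this function's `end:` block reports `kret` as the minor status the way the initiator variant in this file does, the caller gets no Kerberos error code for an empty keytab. Capturing it, `kret = krb5_kt_next_entry(context, handle->keytab, &tmp, &c); if (kret == 0) {`, preserves the diagnostic. The return of `krb5_kt_end_seq_get` is also ignored, which is probably fine for a read-only cursor but deserves a one-line comment. The `end:` block of acquire_acceptor_cred continues outside the hunk.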
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index d4c1bc4db2..03fe61dc57 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
-RCSID("$Id: external.c 20386 2007-04-18 08:52:08Z lha $");
+RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
/*
* The implementation must reserve static storage for a
@@ -374,8 +374,6 @@ gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
* Context for krb5 calls.
*/
-krb5_context context;
-
/*
*
*/
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h
index c2239f1346..64a0dd36b1 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h
@@ -413,7 +413,7 @@ _gsskrb5_init (krb5_context */*context*/);
OM_uint32
_gsskrb5_init_sec_context (
OM_uint32 * /*minor_status*/,
- const gss_cred_id_t /*initiator_cred_handle*/,
+ const gss_cred_id_t /*cred_handle*/,
gss_ctx_id_t * /*context_handle*/,
const gss_name_t /*target_name*/,
const gss_OID /*mech_type*/,
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
index 6ffb607035..3e8c1b8fa6 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gsskrb5_locl.h 20324 2007-04-12 16:46:01Z lha $ */
+/* $Id: gsskrb5_locl.h 22655 2008-02-26 12:40:35Z lha $ */
#ifndef GSSKRB5_LOCL_H
#define GSSKRB5_LOCL_H
@@ -86,6 +86,7 @@ typedef struct {
krb5_principal principal;
int cred_flags;
#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
+#define GSS_CF_NO_CI_FLAGS 2
struct krb5_keytab_data *keytab;
OM_uint32 lifetime;
gss_cred_usage_t usage;
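Review bot: `GSS_CF_NO_CI_FLAGS` is added without a comment saying what it changes; in init_sec_context.c this commit uses it to stop the initiator from setting GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG on a new context, which a reader cannot guess from the name. A one-line comment next to the define would do: `/* don't assert GSS_C_CONF_FLAG/GSS_C_INTEG_FLAG on contexts built from this cred */`. A matching comment on `GSS_CF_DESTROY_CRED_ON_RELEASE` would help too, since both are bit values or'ed into `cred_flags`.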
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index 4d1ae0daa9..d4482a54b2 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: init_sec_context.c 20326 2007-04-12 16:49:57Z lha $");
+RCSID("$Id: init_sec_context.c 22671 2008-03-09 23:57:54Z lha $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -326,7 +326,7 @@ do_delegation (krb5_context context,
static OM_uint32
init_auth
(OM_uint32 * minor_status,
- gsskrb5_cred initiator_cred_handle,
+ gsskrb5_cred cred,
gsskrb5_ctx ctx,
krb5_context context,
krb5_const_principal name,
@@ -344,7 +344,7 @@ init_auth
OM_uint32 ret = GSS_S_FAILURE;
krb5_error_code kret;
krb5_flags ap_options;
- krb5_creds *cred = NULL;
+ krb5_creds *kcred = NULL;
krb5_data outbuf;
krb5_ccache ccache = NULL;
uint32_t flags;
@@ -362,7 +362,7 @@ init_auth
if (actual_mech_type)
*actual_mech_type = GSS_KRB5_MECHANISM;
- if (initiator_cred_handle == NULL) {
+ if (cred == NULL) {
kret = krb5_cc_default (context, &ccache);
if (kret) {
*minor_status = kret;
@@ -370,7 +370,7 @@ init_auth
goto failure;
}
} else
- ccache = initiator_cred_handle->ccache;
+ ccache = cred->ccache;
kret = krb5_cc_get_principal (context, ccache, &ctx->source);
if (kret) {
@@ -400,8 +400,8 @@ init_auth
{
krb5_enctype *enctypes = NULL;
- if (initiator_cred_handle && initiator_cred_handle->enctypes)
- enctypes = initiator_cred_handle->enctypes;
+ if (cred && cred->enctypes)
+ enctypes = cred->enctypes;
krb5_set_default_in_tkt_etypes(context, enctypes);
}
@@ -412,11 +412,11 @@ init_auth
ctx->target,
time_req,
time_rec,
- &cred);
+ &kcred);
if (ret)
goto failure;
- ctx->lifetime = cred->times.endtime;
+ ctx->lifetime = kcred->times.endtime;
ret = _gsskrb5_lifetime_left(minor_status,
context,
@@ -434,11 +434,11 @@ init_auth
krb5_auth_con_setkey(context,
ctx->auth_context,
- &cred->session);
+ &kcred->session);
kret = krb5_auth_con_generatelocalsubkey(context,
ctx->auth_context,
- &cred->session);
+ &kcred->session);
if(kret) {
*minor_status = kret;
ret = GSS_S_FAILURE;
@@ -449,10 +449,10 @@ init_auth
* If the credential doesn't have ok-as-delegate, check what local
* policy say about ok-as-delegate, default is FALSE that makes
* code ignore the KDC setting and follow what the application
- * requested. If its TRUE, strip of the GSS_C_DELEG_FLAG if the
+ * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
* KDC doesn't set ok-as-delegate.
*/
- if (!cred->flags.b.ok_as_delegate) {
+ if (!kcred->flags.b.ok_as_delegate) {
krb5_boolean delegate;
krb5_appdefault_boolean(context,
@@ -467,7 +467,7 @@ init_auth
if (req_flags & GSS_C_DELEG_FLAG)
do_delegation (context,
ctx->auth_context,
- ccache, cred, name, &fwd_data, &flags);
+ ccache, kcred, name, &fwd_data, &flags);
if (req_flags & GSS_C_MUTUAL_FLAG) {
flags |= GSS_C_MUTUAL_FLAG;
@@ -490,8 +490,10 @@ init_auth
if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
flags |= GSS_C_EXTENDED_ERROR_FLAG;
- flags |= GSS_C_CONF_FLAG;
- flags |= GSS_C_INTEG_FLAG;
+ if (cred == NULL || !(cred->cred_flags & GSS_CF_NO_CI_FLAGS)) {
+ flags |= GSS_C_CONF_FLAG;
+ flags |= GSS_C_INTEG_FLAG;
+ }
flags |= GSS_C_TRANS_FLAG;
if (ret_flags)
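Review bot: The new conditional changes what the initiator asserts about the context but carries no explanation of when or why confidentiality and integrity are dropped; a reader has to find set_cred_option.c to learn that GSS_KRB5_CRED_NO_CI_FLAGS_X sets the bit. A comment above the block, such as `/* GSS_KRB5_CRED_NO_CI_FLAGS_X on the cred asks us not to assert GSS_C_CONF_FLAG/GSS_C_INTEG_FLAG for this context */`, would capture that. Whether wrap/MIC behaviour is otherwise unaffected is not visible from this hunk and is worth stating in the same comment if it is the case. init_auth continues outside the hunk.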
@@ -513,7 +515,7 @@ init_auth
kret = krb5_build_authenticator (context,
ctx->auth_context,
enctype,
- cred,
+ kcred,
&cksum,
NULL,
&authenticator,
@@ -527,7 +529,7 @@ init_auth
kret = krb5_build_ap_req (context,
enctype,
- cred,
+ kcred,
ap_options,
authenticator,
&outbuf);
@@ -544,9 +546,9 @@ init_auth
goto failure;
krb5_data_free (&outbuf);
- krb5_free_creds(context, cred);
+ krb5_free_creds(context, kcred);
free_Checksum(&cksum);
- if (initiator_cred_handle == NULL)
+ if (cred == NULL)
krb5_cc_close(context, ccache);
if (flags & GSS_C_MUTUAL_FLAG) {
@@ -556,9 +558,9 @@ init_auth
return gsskrb5_initiator_ready(minor_status, ctx, context);
failure:
- if(cred)
- krb5_free_creds(context, cred);
- if (ccache && initiator_cred_handle == NULL)
+ if(kcred)
+ krb5_free_creds(context, kcred);
+ if (ccache && cred == NULL)
krb5_cc_close(context, ccache);
return ret;
@@ -682,7 +684,7 @@ repl_mutual
OM_uint32 _gsskrb5_init_sec_context
(OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ const gss_cred_id_t cred_handle,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
@@ -697,7 +699,7 @@ OM_uint32 _gsskrb5_init_sec_context
)
{
krb5_context context;
- gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
+ gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
krb5_const_principal name = (krb5_const_principal)target_name;
gsskrb5_ctx ctx;
OM_uint32 ret;
diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
index d0ca1c4d95..242dfa87b4 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
@@ -32,13 +32,22 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: set_cred_option.c 20325 2007-04-12 16:49:17Z lha $");
+RCSID("$Id: set_cred_option.c 22655 2008-02-26 12:40:35Z lha $");
+/* 1.2.752.43.13.17 */
+static gss_OID_desc gss_krb5_ccache_name_x_oid_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")};
+
+gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &gss_krb5_ccache_name_x_oid_desc;
+
+/* 1.2.752.43.13.18 */
static gss_OID_desc gss_krb5_import_cred_x_oid_desc =
-{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")};
gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;
+
+
static OM_uint32
import_cred(OM_uint32 *minor_status,
krb5_context context,
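Review bot: The descriptor for `GSS_KRB5_CRED_NO_CI_FLAGS_X` is named `gss_krb5_ccache_name_x_oid_desc`, which names a different option and reads like a copy-paste leftover. `static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc =` and `gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &gss_krb5_cred_no_ci_flags_x_oid_desc;` follow the pattern used for the import-cred OID directly below. The two extra blank lines before `import_cred` are a nit.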
@@ -201,6 +210,27 @@ out:
return major_stat;
}
+static OM_uint32
+no_ci_flags(OM_uint32 *minor_status,
+ krb5_context context,
+ gss_cred_id_t *cred_handle,
+ const gss_buffer_t value)
+{
+ gsskrb5_cred cred;
+
+ if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = 0;
+ return GSS_S_FAILURE;
+ }
+
+ cred = (gsskrb5_cred)*cred_handle;
+ cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+
+}
+
OM_uint32
_gsskrb5_set_cred_option
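Review bot: `no_ci_flags` reports `*minor_status = 0` on the missing-credential failure, while the dispatcher in this file uses `*minor_status = EINVAL` for an unknown option; a zero minor code next to GSS_S_FAILURE gives the caller nothing to display. `*minor_status = EINVAL;` in that branch matches the file. The `context` and `value` parameters are unused, so the option takes no payload and the flag cannot be cleared once set — fine if intended, but worth a short comment on the function saying the option is set-only and ignores `value`. The blank line before the closing brace is a nit.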
@@ -224,6 +254,11 @@ _gsskrb5_set_cred_option
if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X))
return allowed_enctypes(minor_status, context, cred_handle, value);
+ if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
+ return no_ci_flags(minor_status, context, cred_handle, value);
+ }
+
+
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
diff --git a/source4/heimdal/lib/gssapi/mech/context.c b/source4/heimdal/lib/gssapi/mech/context.c
index e4517bee44..926630c42d 100644
--- a/source4/heimdal/lib/gssapi/mech/context.c
+++ b/source4/heimdal/lib/gssapi/mech/context.c
@@ -1,7 +1,7 @@
#include "mech/mech_locl.h"
#include "heim_threads.h"
-RCSID("$Id: context.c 21248 2007-06-21 00:45:13Z lha $");
+RCSID("$Id: context.c 22600 2008-02-21 12:46:24Z lha $");
struct mg_thread_ctx {
gss_OID mech;
@@ -107,6 +107,13 @@ _gss_mg_error(gssapi_mech_interface m, OM_uint32 maj, OM_uint32 min)
OM_uint32 message_content;
struct mg_thread_ctx *mg;
+ /*
+ * Mechs without gss_display_status() does
+ * gss_mg_collect_error() by themself.
+ */
+ if (m->gm_display_status == NULL)
+ return ;
+
mg = _gss_mechglue_thread();
if (mg == NULL)
return;
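Review bot: The new early return silently drops `maj`/`min` for a mech without `gm_display_status`, and the comment explaining why is hard to parse; `/* Mechs without gss_display_status() call gss_mg_collect_error() themselves, so there is nothing to collect here. */` states the contract plainly. `return ;` should be `return;`. _gss_mg_error continues outside the hunk.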
@@ -139,3 +146,12 @@ _gss_mg_error(gssapi_mech_interface m, OM_uint32 maj, OM_uint32 min)
mg->min_error.length = 0;
}
}
+
+void
+gss_mg_collect_error(gss_OID mech, OM_uint32 maj, OM_uint32 min)
+{
+ gssapi_mech_interface m = __gss_get_mechanism(mech);
+ if (m == NULL)
+ return;
+ _gss_mg_error(m, maj, min);
+}
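Review bot: `gss_mg_collect_error` is exported through gssapi_mech.h in this commit but has no comment describing its contract, namely that a mech whose interface lacks gm_display_status calls it to hand a (maj, min) pair to the mechglue error state and that an unknown mech OID is ignored. A short header comment above the definition saying that would help the spnego callers this commit adds. Whether `__gss_get_mechanism` tolerates GSS_C_NO_OID is not visible here, and some of the new callers pass OIDs that may be unset on error paths, so it is worth confirming or guarding with `if (mech == GSS_C_NO_OID) return;`.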
diff --git a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
index d1e243d8b8..a6b1ded5ca 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
@@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
-RCSID("$Id: gss_accept_sec_context.c 21237 2007-06-20 11:21:09Z lha $");
+RCSID("$Id: gss_accept_sec_context.c 22071 2007-11-14 20:04:50Z lha $");
static OM_uint32
parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
@@ -38,7 +38,7 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
/*
* Token must start with [APPLICATION 0] SEQUENCE.
- * But if it doesn't assume its DCE-STYLE Kerberos!
+ * But if it doesn't assume it is DCE-STYLE Kerberos!
*/
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
@@ -102,7 +102,7 @@ choose_mech(const gss_buffer_t input, gss_OID mech_oid)
OM_uint32 status;
/*
- * First try to parse the gssapi token header and see if its a
+ * First try to parse the gssapi token header and see if it's a
* correct header, use that in the first hand.
*/
diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
index 9e77f42982..03081cb70f 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
@@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
-RCSID("$Id: gss_krb5.c 21123 2007-06-18 20:05:26Z lha $");
+RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $");
#include <krb5.h>
#include <roken.h>
@@ -253,7 +253,6 @@ free_key(gss_krb5_lucid_key_t *key)
memset(key, 0, sizeof(*key));
}
-
OM_uint32
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
@@ -824,3 +823,43 @@ gsskrb5_set_default_realm(const char *realm)
return (GSS_S_COMPLETE);
}
+
+OM_uint32
+gss_krb5_get_tkt_flags(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ OM_uint32 *tkt_flags)
+{
+
+ OM_uint32 major_status;
+ gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+
+ if (context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ major_status =
+ gss_inquire_sec_context_by_oid (minor_status,
+ context_handle,
+ GSS_KRB5_GET_TKT_FLAGS_X,
+ &data_set);
+ if (major_status)
+ return major_status;
+
+ if (data_set == GSS_C_NO_BUFFER_SET ||
+ data_set->count != 1 ||
+ data_set->elements[0].length < 4) {
+ gss_release_buffer_set(minor_status, &data_set);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ const u_char *p = data_set->elements[0].value;
+ *tkt_flags = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+ }
+
+ gss_release_buffer_set(minor_status, &data_set);
+ return GSS_S_COMPLETE;
+}
+
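Review bot: `(p[3] << 24)` promotes the `u_char` to `int` and shifts into the sign bit whenever the top flag byte is 0x80 or more, which is undefined behaviour in C (a left shift whose result is not representable in int); the value is only converted to OM_uint32 afterwards. Widen before shifting: `*tkt_flags = (OM_uint32)p[0] | ((OM_uint32)p[1] << 8) | ((OM_uint32)p[2] << 16) | ((OM_uint32)p[3] << 24);`. `u_char` is a BSD typedef and `unsigned char` is the portable spelling; a NULL check on `tkt_flags` next to the context-handle check would also match the validation the rest of the function does.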
diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
index f1a18afb13..fe65ad1ae1 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
@@ -28,7 +28,7 @@
#include "mech_locl.h"
#include <heim_threads.h>
-RCSID("$Id: gss_mech_switch.c 21700 2007-07-26 19:08:34Z lha $");
+RCSID("$Id: gss_mech_switch.c 21698 2007-07-26 19:07:11Z lha $");
#ifndef _PATH_GSS_MECH
#define _PATH_GSS_MECH "/etc/gss/mech"
diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c
index 4372e62294..388cfdbf4c 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c
@@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
-RCSID("$Id: gss_release_oid_set.c 19963 2007-01-17 16:01:22Z lha $");
+RCSID("$Id: gss_release_oid_set.c 22144 2007-12-04 17:31:55Z lha $");
OM_uint32
gss_release_oid_set(OM_uint32 *minor_status,
@@ -35,7 +35,7 @@ gss_release_oid_set(OM_uint32 *minor_status,
{
*minor_status = 0;
- if (*set) {
+ if (set && *set) {
if ((*set)->elements)
free((*set)->elements);
free(*set);
diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
index 1afe26f1e3..df25b0f4bf 100644
--- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -33,7 +33,7 @@
#include "spnego/spnego_locl.h"
-RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
+RCSID("$Id: accept_sec_context.c 22600 2008-02-21 12:46:24Z lha $");
static OM_uint32
send_reject (OM_uint32 *minor_status,
@@ -540,7 +540,7 @@ acceptor_start
gss_cred_id_t *delegated_cred_handle
)
{
- OM_uint32 ret, junk, minor;
+ OM_uint32 ret, junk;
NegotiationToken nt;
size_t nt_len;
NegTokenInit *ni;
@@ -609,7 +609,7 @@ acceptor_start
/*
* First we try the opportunistic token if we have support for it,
* don't try to verify we have credential for the token,
- * gss_accept_sec_context will (hopefully) tell us that.
+ * gss_accept_sec_context() will (hopefully) tell us that.
* If that failes,
*/
@@ -633,12 +633,12 @@ acceptor_start
mech_cred = GSS_C_NO_CREDENTIAL;
if (ctx->mech_src_name != GSS_C_NO_NAME)
- gss_release_name(&minor, &ctx->mech_src_name);
+ gss_release_name(&junk, &ctx->mech_src_name);
if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
- _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
+ _gss_spnego_release_cred(&junk, &ctx->delegated_cred_id);
- ret = gss_accept_sec_context(&minor,
+ ret = gss_accept_sec_context(minor_status,
&ctx->negotiated_ctx_id,
mech_cred,
mech_input_token,
@@ -656,7 +656,7 @@ acceptor_start
ctx->open = 1;
if (mech_delegated_cred && delegated_cred_handle)
- ret = _gss_spnego_alloc_cred(minor_status,
+ ret = _gss_spnego_alloc_cred(&junk,
mech_delegated_cred,
delegated_cred_handle);
else
@@ -674,6 +674,8 @@ acceptor_start
goto out;
first_ok = 1;
+ } else {
+ gss_mg_collect_error(preferred_mech_type, ret, *minor_status);
}
}
@@ -681,7 +683,9 @@ acceptor_start
* If opportunistic token failed, lets try the other mechs.
*/
- if (!first_ok) {
+ if (!first_ok && ni->mechToken != NULL) {
+
+ preferred_mech_type = GSS_C_NO_OID;
/* Call glue layer to find first mech we support */
for (i = 1; i < ni->mechTypes.len; ++i) {
@@ -695,7 +699,7 @@ acceptor_start
if (preferred_mech_type == GSS_C_NO_OID) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegotiationToken(&nt);
- return GSS_S_BAD_MECH;
+ return ret;
}
ctx->preferred_mech_type = preferred_mech_type;
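Review bot: `return ret` replaces a fixed GSS_S_BAD_MECH and so relies on `ret` holding an error status whenever no mechanism was selected; on the visible lines it is last written by the select_mech loop that starts at the end of the previous hunk, and when that loop body never runs (`ni->mechTypes.len <= 1`) it carries whatever the opportunistic attempt left. If any path reaches here with GSS_S_COMPLETE the caller would see success with no negotiated context, so a cheap guard is `return GSS_ERROR(ret) ? ret : GSS_S_BAD_MECH;`. acceptor_start continues on both sides of the hunk.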
@@ -717,7 +721,7 @@ acceptor_start
out:
if (mech_output_token.value != NULL)
- gss_release_buffer(&minor, &mech_output_token);
+ gss_release_buffer(&junk, &mech_output_token);
if (mech_buf.value != NULL) {
free(mech_buf.value);
mech_buf.value = NULL;
@@ -754,7 +758,7 @@ out:
return ret;
}
- _gss_spnego_internal_delete_sec_context(&minor, context_handle,
+ _gss_spnego_internal_delete_sec_context(&junk, context_handle,
GSS_C_NO_BUFFER);
return ret;
@@ -877,6 +881,7 @@ acceptor_continue
}
if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
free_NegotiationToken(&nt);
+ gss_mg_collect_error(ctx->negotiated_mech_type, ret, minor);
send_reject (minor_status, output_token);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c
index bc7da9410e..287f4f760e 100644
--- a/source4/heimdal/lib/gssapi/spnego/compat.c
+++ b/source4/heimdal/lib/gssapi/spnego/compat.c
@@ -32,7 +32,7 @@
#include "spnego/spnego_locl.h"
-RCSID("$Id: compat.c 19415 2006-12-18 17:52:26Z lha $");
+RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $");
/*
* Apparently Microsoft got the OID wrong, and used
@@ -129,6 +129,7 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
gss_release_oid(&minor, &ctx->preferred_mech_type);
ctx->negotiated_mech_type = GSS_C_NO_OID;
+ gss_release_name(&minor, &ctx->target_name);
gss_release_name(&minor, &ctx->mech_src_name);
if (ctx->negotiated_ctx_id != GSS_C_NO_CONTEXT) {
diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c
index 3535c7bb35..0169017ee5 100644
--- a/source4/heimdal/lib/gssapi/spnego/context_stubs.c
+++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c
@@ -32,7 +32,7 @@
#include "spnego/spnego_locl.h"
-RCSID("$Id: context_stubs.c 21035 2007-06-09 15:32:47Z lha $");
+RCSID("$Id: context_stubs.c 22604 2008-02-21 21:12:48Z lha $");
static OM_uint32
spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
@@ -263,18 +263,6 @@ OM_uint32 _gss_spnego_unwrap
qop_state);
}
-OM_uint32 _gss_spnego_display_status
- (OM_uint32 * minor_status,
- OM_uint32 status_value,
- int status_type,
- const gss_OID mech_type,
- OM_uint32 * message_context,
- gss_buffer_t status_string
- )
-{
- return GSS_S_FAILURE;
-}
-
OM_uint32 _gss_spnego_compare_name
(OM_uint32 *minor_status,
const gss_name_t name1,
@@ -406,28 +394,58 @@ OM_uint32 _gss_spnego_inquire_context (
)
{
gssspnego_ctx ctx;
+ OM_uint32 maj_stat, junk;
+ gss_name_t src_mn, targ_mn;
*minor_status = 0;
- if (context_handle == GSS_C_NO_CONTEXT) {
+ if (context_handle == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
- }
ctx = (gssspnego_ctx)context_handle;
- if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+ if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
- }
- return gss_inquire_context(minor_status,
- ctx->negotiated_ctx_id,
- src_name,
- targ_name,
- lifetime_rec,
- mech_type,
- ctx_flags,
- locally_initiated,
- open_context);
+ maj_stat = gss_inquire_context(minor_status,
+ ctx->negotiated_ctx_id,
+ &src_mn,
+ &targ_mn,
+ lifetime_rec,
+ mech_type,
+ ctx_flags,
+ locally_initiated,
+ open_context);
+ if (maj_stat != GSS_S_COMPLETE)
+ return maj_stat;
+
+ if (src_name) {
+ spnego_name name = calloc(1, sizeof(*name));
+ if (name == NULL)
+ goto enomem;
+ name->mech = src_mn;
+ *src_name = (gss_name_t)name;
+ } else
+ gss_release_name(&junk, &src_mn);
+
+ if (targ_name) {
+ spnego_name name = calloc(1, sizeof(*name));
+ if (name == NULL) {
+ gss_release_name(minor_status, src_name);
+ goto enomem;
+ }
+ name->mech = targ_mn;
+ *targ_name = (gss_name_t)name;
+ } else
+ gss_release_name(&junk, &targ_mn);
+
+ return GSS_S_COMPLETE;
+
+enomem:
+ gss_release_name(&junk, &targ_mn);
+ gss_release_name(&junk, &src_mn);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
}
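Review bot: In the `targ_name` allocation-failure path the `src_name` wrapper has already taken ownership of `src_mn`, so `gss_release_name(minor_status, src_name)` followed by the `enomem:` label's `gss_release_name(&junk, &src_mn)` releases the same mechanism name twice if the spnego release_name frees `name->mech` (it is the only field the wrapper sets here, so that seems likely). Clearing the local once ownership moves, `name->mech = src_mn; src_mn = GSS_C_NO_NAME;`, and likewise `targ_mn = GSS_C_NO_NAME;` after the target wrapper, makes the `enomem:` releases no-ops for names that were handed over. `gss_release_name(minor_status, src_name)` is also reached when `src_name` is NULL (the caller did not ask for it), which only works if gss_release_name accepts a NULL pointer — worth confirming or guarding with `if (src_name)`.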
OM_uint32 _gss_spnego_wrap_size_limit (
diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c
index fbc231f3ae..6c9a03a3b0 100644
--- a/source4/heimdal/lib/gssapi/spnego/external.c
+++ b/source4/heimdal/lib/gssapi/spnego/external.c
@@ -33,7 +33,7 @@
#include "spnego/spnego_locl.h"
#include <gssapi_mech.h>
-RCSID("$Id: external.c 18336 2006-10-07 22:27:13Z lha $");
+RCSID("$Id: external.c 22600 2008-02-21 12:46:24Z lha $");
/*
* RFC2478, SPNEGO:
@@ -57,7 +57,7 @@ static gssapi_mech_interface_desc spnego_mech = {
_gss_spnego_verify_mic,
_gss_spnego_wrap,
_gss_spnego_unwrap,
- _gss_spnego_display_status,
+ NULL,
NULL,
_gss_spnego_compare_name,
_gss_spnego_display_name,
diff --git a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
index 7c74981e66..bee4895898 100644
--- a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
@@ -33,7 +33,7 @@
#include "spnego/spnego_locl.h"
-RCSID("$Id: init_sec_context.c 19411 2006-12-18 15:42:03Z lha $");
+RCSID("$Id: init_sec_context.c 22600 2008-02-21 12:46:24Z lha $");
/*
* Is target_name an sane target for `mech´.
@@ -59,8 +59,10 @@ initiator_approved(gss_name_t target_name, gss_OID mech)
&out,
NULL,
NULL);
- if (GSS_ERROR(maj_stat))
+ if (GSS_ERROR(maj_stat)) {
+ gss_mg_collect_error(mech, maj_stat, min_stat);
return GSS_S_BAD_MECH;
+ }
gss_release_buffer(&min_stat, &out);
gss_delete_sec_context(&min_stat, &ctx, NULL);
@@ -268,6 +270,7 @@ spnego_initial
if (GSS_ERROR(sub)) {
free_NegTokenInit(&ni);
*minor_status = minor;
+ gss_mg_collect_error(ctx->preferred_mech_type, sub, minor);
_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
return sub;
}
@@ -480,7 +483,8 @@ spnego_reply
return GSS_S_BAD_MECH;
}
- if (resp.responseToken != NULL ||
+ /* if a token (of non zero length), or no context, pass to underlaying mech */
+ if ((resp.responseToken != NULL && resp.responseToken->length) ||
ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
gss_buffer_desc mech_input_token;
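Review bot: The new comment has a typo, `underlaying` should be `underlying`, and reads better as `/* pass a non-empty token, or a missing context, on to the underlying mech */`. Since the condition now treats a zero-length responseToken like no token at all, a clause in that comment saying why an empty token is skipped would save the next reader from re-deriving it. spnego_reply continues outside the hunk.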
@@ -515,6 +519,7 @@ spnego_reply
if (GSS_ERROR(ret)) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegTokenResp(&resp);
+ gss_mg_collect_error(&mech, ret, minor);
*minor_status = minor;
return ret;
}
diff --git a/source4/heimdal/lib/gssapi/spnego/spnego-private.h b/source4/heimdal/lib/gssapi/spnego/spnego-private.h
index d80db0018a..69f4d8423d 100644
--- a/source4/heimdal/lib/gssapi/spnego/spnego-private.h
+++ b/source4/heimdal/lib/gssapi/spnego/spnego-private.h
@@ -91,15 +91,6 @@ _gss_spnego_display_name (
gss_OID * output_name_type );
OM_uint32
-_gss_spnego_display_status (
- OM_uint32 * /*minor_status*/,
- OM_uint32 /*status_value*/,
- int /*status_type*/,
- const gss_OID /*mech_type*/,
- OM_uint32 * /*message_context*/,
- gss_buffer_t status_string );
-
-OM_uint32
_gss_spnego_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,