author | Andrew Bartlett <abartlet@samba.org> | 2006-11-07 06:59:56 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:25:03 -0500 |
commit | 3c1e780ec7e16dc6667402bbc65708bf9a5c062f (patch) | |
tree | 2102bb577ea9f00751b8c869b0a5c756fc2ae8e5 /source4/heimdal/lib/hdb | |
parent | 8b91594e0936bbaedf5430406fcf8df3ea406c10 (diff) | |
r19604: This is a massive commit, and I apologise in advance for its size.
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised its internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches Windows behaviour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
Diffstat (limited to 'source4/heimdal/lib/hdb')
-rw-r--r-- | source4/heimdal/lib/hdb/db.c | 12 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/ext.c | 36 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb-protos.h | 10 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.asn1 | 17 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.c | 9 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.h | 10 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/keys.c | 5 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/keytab.c | 38 |
8 files changed, 93 insertions, 44 deletions
diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c
index 4b4e6e673d..0bbf6f2210 100644
--- a/source4/heimdal/lib/hdb/db.c
+++ b/source4/heimdal/lib/hdb/db.c
@@ -33,7 +33,7 @@
 #include "hdb_locl.h"
-RCSID("$Id: db.c,v 1.35 2005/12/13 11:52:55 lha Exp $");
+RCSID("$Id: db.c,v 1.36 2006/09/12 18:12:37 lha Exp $");
 #if HAVE_DB1
@@ -47,7 +47,7 @@ static krb5_error_code
 DB_close(krb5_context context, HDB *db)
 {
     DB *d = (DB*)db->hdb_db;
-    d->close(d);
+    (*d->close)(d);
     return 0;
 }
@@ -95,7 +95,7 @@ DB_seq(krb5_context context, HDB *db,
     code = db->hdb_lock(context, db, HDB_RLOCK);
     if(code == -1)
         return HDB_ERR_DB_INUSE;
-    code = d->seq(d, &key, &value, flag);
+    code = (*d->seq)(d, &key, &value, flag);
     db->hdb_unlock(context, db); /* XXX check value */
     if(code == -1)
         return errno;
@@ -172,7 +172,7 @@ DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
     code = db->hdb_lock(context, db, HDB_RLOCK);
     if(code)
         return code;
-    code = d->get(d, &k, &v, 0);
+    code = (*d->get)(d, &k, &v, 0);
     db->hdb_unlock(context, db);
     if(code < 0)
         return errno;
@@ -198,7 +198,7 @@ DB__put(krb5_context context, HDB *db, int replace,
     code = db->hdb_lock(context, db, HDB_WLOCK);
     if(code)
         return code;
-    code = d->put(d, &k, &v, replace ? 0 : R_NOOVERWRITE);
+    code = (*d->put)(d, &k, &v, replace ? 0 : R_NOOVERWRITE);
     db->hdb_unlock(context, db);
     if(code < 0)
         return errno;
@@ -218,7 +218,7 @@ DB__del(krb5_context context, HDB *db, krb5_data key)
     code = db->hdb_lock(context, db, HDB_WLOCK);
     if(code)
         return code;
-    code = d->del(d, &k, 0);
+    code = (*d->del)(d, &k, 0);
     db->hdb_unlock(context, db);
     if(code == 1)
         return HDB_ERR_NOENTRY;
diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c
index a8995e4138..141c63a8ac 100644
--- a/source4/heimdal/lib/hdb/ext.c
+++ b/source4/heimdal/lib/hdb/ext.c
@@ -34,7 +34,7 @@
 #include "hdb_locl.h"
 #include <der.h>
-RCSID("$Id: ext.c,v 1.2 2006/04/25 10:20:22 lha Exp $");
+RCSID("$Id: ext.c,v 1.6 2006/10/14 10:13:03 lha Exp $");
 krb5_error_code
 hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
@@ -220,6 +220,20 @@ hdb_entry_get_pkinit_acl(const hdb_entry *entry, const HDB_Ext_PKINIT_acl **a)
 }
 krb5_error_code
+hdb_entry_get_pkinit_hash(const hdb_entry *entry, const HDB_Ext_PKINIT_hash **a)
+{
+    const HDB_extension *ext;
+    ext = hdb_find_extension(entry, choice_HDB_extension_data_pkinit_cert_hash);
+    if (ext)
+        *a = &ext->data.u.pkinit_cert_hash;
+    else
+        *a = NULL;
+    return 0;
+}
+
+krb5_error_code
 hdb_entry_get_pw_change_time(const hdb_entry *entry, time_t *t)
 {
     const HDB_extension *ext;
@@ -278,7 +292,7 @@ hdb_entry_get_password(krb5_context context, HDB *db,
                                  ext->data.u.password.password.length,
                                  &pw);
     } else {
-        ret = copy_octet_string(&ext->data.u.password.password, &pw);
+        ret = der_copy_octet_string(&ext->data.u.password.password, &pw);
     }
     if (ret) {
         krb5_clear_error_string(context);
@@ -293,7 +307,7 @@ hdb_entry_get_password(krb5_context context, HDB *db,
     *p = strdup(str);
-    free_octet_string(&pw);
+    der_free_octet_string(&pw);
     if (*p == NULL) {
         krb5_set_error_string(context, "malloc: out of memory");
         return ENOMEM;
@@ -364,3 +378,19 @@ hdb_entry_clear_password(krb5_context context, hdb_entry *entry)
     return hdb_clear_extension(context, entry,
                                choice_HDB_extension_data_password);
 }
+
+krb5_error_code
+hdb_entry_get_ConstrainedDelegACL(const hdb_entry *entry,
+                                  const HDB_Ext_Constrained_delegation_acl **a)
+{
+    const HDB_extension *ext;
+
+    ext = hdb_find_extension(entry,
+                             choice_HDB_extension_data_allowed_to_delegate_to);
+    if (ext)
+        *a = &ext->data.u.allowed_to_delegate_to;
+    else
+        *a = NULL;
+
+    return 0;
+}
diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h
index 3cc7d2131a..de0545a037 100644
--- a/source4/heimdal/lib/hdb/hdb-protos.h
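Review bot: hdb_entry_get_pkinit_hash always returns 0, so the only signal that the entry carries no pkinit-cert-hash extension is `*a == NULL`; the same holds for hdb_entry_get_ConstrainedDelegACL in the @@ -364 hunk of this file, and neither function says so. A short header comment on each, such as `/* Always returns 0; *a is NULL when the extension is absent, otherwise points into entry and must not outlive it */`, would keep callers from treating the return code as the presence check. The aliasing is visible in the `*a = &ext->data.u.pkinit_cert_hash` line; how long the entry itself lives is presumably the caller's concern, so the lifetime wording should be checked against the ownership rules used elsewhere in this file.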
+++ b/source4/heimdal/lib/hdb/hdb-protos.h
@@ -71,6 +71,11 @@ hdb_entry_clear_password (
         krb5_context /*context*/,
         hdb_entry */*entry*/);
+krb5_error_code
+hdb_entry_get_ConstrainedDelegACL (
+        const hdb_entry */*entry*/,
+        const HDB_Ext_Constrained_delegation_acl **/*a*/);
+
 int
 hdb_entry_get_password (
         krb5_context /*context*/,
@@ -84,6 +89,11 @@ hdb_entry_get_pkinit_acl (
         const HDB_Ext_PKINIT_acl **/*a*/);
 krb5_error_code
+hdb_entry_get_pkinit_hash (
+        const hdb_entry */*entry*/,
+        const HDB_Ext_PKINIT_hash **/*a*/);
+
+krb5_error_code
 hdb_entry_get_pw_change_time (
         const hdb_entry */*entry*/,
         time_t */*t*/);
diff --git a/source4/heimdal/lib/hdb/hdb.asn1 b/source4/heimdal/lib/hdb/hdb.asn1
index c8a1a34b4f..c8c276ff6e 100644
--- a/source4/heimdal/lib/hdb/hdb.asn1
+++ b/source4/heimdal/lib/hdb/hdb.asn1
@@ -1,4 +1,4 @@
--- $Id: hdb.asn1,v 1.13 2005/08/11 13:15:44 lha Exp $
+-- $Id: hdb.asn1,v 1.17 2006/08/24 10:45:19 lha Exp $
 HDB DEFINITIONS ::=
 BEGIN
@@ -41,7 +41,10 @@ HDBFlags ::= BIT STRING {
         require-hwauth(10),         -- must use hwauth
         ok-as-delegate(11),         -- as in TicketFlags
         user-to-user(12),           -- may use user-to-user auth
-        immutable(13)               -- may not be deleted
+        immutable(13),              -- may not be deleted
+        trusted-for-delegation(14), -- Trusted to print forwardabled tickets
+        allow-kerberos4(15),        -- Allow Kerberos 4 requests
+        allow-digest(16)            -- Allow digest requests
 }
 GENERATION ::= SEQUENCE {
@@ -52,10 +55,14 @@ GENERATION ::= SEQUENCE {
 HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
         subject[0] UTF8String,
-        issuer[1] UTF8String
+        issuer[1] UTF8String OPTIONAL,
+        anchor[2] UTF8String OPTIONAL
 }
-HDB-Ext-PKINIT-certificate ::= SEQUENCE OF OCTET STRING
+HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
+        digest-type[0] OBJECT IDENTIFIER,
+        digest[1] OCTET STRING
+}
 HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
@@ -80,7 +87,7 @@ HDB-extension ::= SEQUENCE {
                                 -- be rejected
         data[1] CHOICE {
                 pkinit-acl[0]             HDB-Ext-PKINIT-acl,
-                pkinit-cert[1]            HDB-Ext-PKINIT-certificate,
+                pkinit-cert-hash[1]       HDB-Ext-PKINIT-hash,
                 allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl,
                 -- referral-info[3]       HDB-Ext-Referrals,
                 lm-owf[4]                 HDB-Ext-Lan-Manager-OWF,
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index 555a0d53f6..d1fa4ffd6a 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -33,7 +33,7 @@
 #include "hdb_locl.h"
-RCSID("$Id: hdb.c,v 1.61 2006/04/24 20:57:58 lha Exp $");
+RCSID("$Id: hdb.c,v 1.62 2006/10/06 16:47:22 lha Exp $");
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
@@ -58,6 +58,9 @@ static struct hdb_method methods[] = {
 #ifdef _SAMBA_BUILD_
     {"ldb:", hdb_ldb_create},
 #endif
+#ifdef HAVE_LDB /* Used for integrated samba build */
+    {"ldb:", hdb_ldb_create},
+#endif
     {NULL, NULL}
 };
@@ -262,7 +265,7 @@ find_dynamic_method (krb5_context context,
     if (prefix == NULL)
         krb5_errx(context, 1, "out of memory");
-    if (asprintf(&path, HDBDIR "/hdb_%s.so", prefix) == -1)
+    if (asprintf(&path, LIBDIR "/hdb_%s.so", prefix) == -1)
         krb5_errx(context, 1, "out of memory");
 #ifndef RTLD_NOW
@@ -398,6 +401,6 @@ hdb_create(krb5_context context, HDB **db, const char *filename)
         h = find_dynamic_method (context, filename, &residual);
 #endif
     if (h == NULL)
-        krb5_errx(context, 1, "No database support! (hdb_create(%s))", filename);
+        krb5_errx(context, 1, "No database support for %s", filename);
     return (*h->create)(context, db, residual);
 }
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index d14eea7ddc..69c91d12ad 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
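Review bot: The CHOICE tag [1] in HDB-extension is reused for a type with a different encoding: `pkinit-cert-hash[1] HDB-Ext-PKINIT-hash` (a SEQUENCE OF SEQUENCE, defined in the earlier @@ -52 hunk) replaces `pkinit-cert[1] HDB-Ext-PKINIT-certificate` (a SEQUENCE OF OCTET STRING), so an entry stored under the old definition will presumably no longer decode, and nothing in the module records that. Either allocate a fresh tag and leave [1] reserved, or add a comment beside the line, e.g. `-- [1] formerly HDB-Ext-PKINIT-certificate; old encodings are not accepted`, so the next person extending the CHOICE knows the history. The "be rejected" comment above the CHOICE, which governs unknown extensions, is outside the hunk and does not cover this case.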
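Review bot: In the @@ -58 hunk of hdb.c, a build with both `_SAMBA_BUILD_` and `HAVE_LDB` defined now gets two identical `{"ldb:", hdb_ldb_create}` rows in methods[], because the new `#ifdef HAVE_LDB` block is appended after the existing `#ifdef _SAMBA_BUILD_` block rather than merged with it. A single row under `#if defined(_SAMBA_BUILD_) || defined(HAVE_LDB)` expresses the same intent without the duplicate; since both rows name the same function this is a tidiness issue rather than a behavioural one, assuming the lookup takes the first match. The `/* Used for integrated samba build */` comment would then describe the combined guard.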
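Review bot: In the @@ -262 hunk of hdb.c, the dlopen path is built as `LIBDIR "/hdb_%s.so"` with `prefix` interpolated, and the change only moves the directory; whether prefix can contain a path separator is decided where it is derived, earlier in find_dynamic_method and outside the hunk. If prefix comes from the caller-supplied database name, a '/' in it would make the load resolve outside LIBDIR, so either a rejection of such prefixes before the asprintf or a comment stating where that is already enforced, e.g. `/* prefix is the text before the first ':' and is checked for '/' above */`, is worth adding. The function's body starts and ends outside the hunk.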
@@ -66,17 +66,17 @@ typedef struct hdb_entry_ex {
                                        struct hdb_entry_ex *,
                                        METHOD_DATA* pa_data_seq,
                                        time_t authtime,
-                                       EncryptionKey *tgtkey,
-                                       EncryptionKey *sessionkey,
+                                       const EncryptionKey *tgtkey,
+                                       const EncryptionKey *sessionkey,
                                        AuthorizationData **out);
     krb5_error_code (*authz_data_tgs_req)(krb5_context,
                                           struct hdb_entry_ex *,
                                           krb5_principal client,
                                           AuthorizationData *in,
                                           time_t authtime,
-                                          EncryptionKey *tgtkey,
-                                          EncryptionKey *servicekey,
-                                          EncryptionKey *sessionkey,
+                                          const EncryptionKey *tgtkey,
+                                          const EncryptionKey *servicekey,
+                                          const EncryptionKey *sessionkey,
                                           AuthorizationData **out);
 } hdb_entry_ex;
diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c
index d7c2f2c89b..8d4810f5c9 100644
--- a/source4/heimdal/lib/hdb/keys.c
+++ b/source4/heimdal/lib/hdb/keys.c
@@ -33,7 +33,7 @@
 #include "hdb_locl.h"
-RCSID("$Id: keys.c,v 1.5 2006/04/25 08:09:38 lha Exp $");
+RCSID("$Id: keys.c,v 1.6 2006/10/22 09:40:12 lha Exp $");
 /*
  * free all the memory used by (len, keys)
@@ -334,6 +334,9 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
     *ret_key_set = key_set;
 out:
+    if (ktypes != default_keytypes)
+        krb5_config_free_strings(ktypes);
+
     if (ret) {
         krb5_warn(context, ret, "failed to parse the [kadmin]default_keys values");
diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c
index c87b8eca2c..8f473a68a4 100644
--- a/source4/heimdal/lib/hdb/keytab.c
+++ b/source4/heimdal/lib/hdb/keytab.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -35,7 +35,7 @@
 /* keytab backend for HDB databases */
-RCSID("$Id: keytab.c,v 1.11 2006/04/27 11:01:30 lha Exp $");
+RCSID("$Id: keytab.c,v 1.16 2006/10/09 12:36:40 lha Exp $");
 struct hdb_data {
     char *dbname;
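Review bot: In the @@ -334 hunk of keys.c, the cleanup added under `out:` calls krb5_config_free_strings(ktypes) whenever `ktypes != default_keytypes`, which is only safe if every `goto out` and the fall-through reach the label with ktypes already set to default_keytypes, NULL, or a list the config lookup allocated; the earlier part of hdb_generate_key_set where ktypes is assigned is outside the hunk, so that should be confirmed. A one-line comment above the check, `/* ktypes is either the static default list or was allocated by the config lookup */`, would record the invariant the free depends on.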
@@ -59,7 +59,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
         return ENOMEM;
     }
     db = name;
-    mkey = strrchr(name, ':');
+    mkey = strchr(name, ':');
     if(mkey == NULL || mkey[1] == '\0') {
         if(*name == '\0')
             d->dbname = NULL;
@@ -201,6 +201,8 @@ hdb_get_entry(krb5_context context,
     const char *dbname = d->dbname;
     const char *mkey = d->mkey;
+    memset(&ent, 0, sizeof(ent));
+
     if (dbname == NULL)
         find_db (context, &dbname, &mkey, principal);
@@ -218,26 +220,21 @@ hdb_get_entry(krb5_context context,
         (*db->hdb_destroy)(context, db);
         return ret;
     }
-    ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT|HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &ent);
-
+    ret = (*db->hdb_fetch)(context, db, principal,
+                           HDB_F_DECRYPT|
+                           HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+                           &ent);
 
-    /* Shutdown the hdb on error */
     if(ret == HDB_ERR_NOENTRY) {
-        (*db->hdb_close)(context, db);
-        (*db->hdb_destroy)(context, db);
-        return KRB5_KT_NOTFOUND;
-    } else if (ret) {
-        (*db->hdb_close)(context, db);
-        (*db->hdb_destroy)(context, db);
-        return ret;
-    }
+        ret = KRB5_KT_NOTFOUND;
+        goto out;
+    }else if(ret)
+        goto out;
+
     if(kvno && ent.entry.kvno != kvno) {
-        /* The order here matters, we must free these in this order
-         * due to hdb-ldb and Samba4's talloc */
         hdb_free_entry(context, &ent);
-        (*db->hdb_close)(context, db);
-        (*db->hdb_destroy)(context, db);
-        return KRB5_KT_NOTFOUND;
+        ret = KRB5_KT_NOTFOUND;
+        goto out;
     }
     if(enctype == 0)
         if(ent.entry.keys.len > 0)
@@ -254,9 +251,8 @@ hdb_get_entry(krb5_context context,
                 break;
         }
     }
-    /* The order here matters, we must free these in this order
-     * due to hdb-ldb and Samba4's talloc */
     hdb_free_entry(context, &ent);
+out:
     (*db->hdb_close)(context, db);
     (*db->hdb_destroy)(context, db);
     return ret;
|
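Review bot: In the @@ -59 hunk of keytab.c, replacing `mkey = strrchr(name, ':')` with `strchr` changes which ':' splits the residual into the dbname and mkey parts: it is now the first one, so a dbname that itself contains a ':' can no longer be expressed, and the commit message does not say why. If that is intended, a comment on the line such as `/* residual is dbname[:mkey]; dbname may not contain ':' */` would document the new rule; if not, the strrchr form should stay. hdb_resolve's body starts and ends outside the hunk, so how the two halves are later used has not been checked here.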
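Review bot: In the @@ -218 and @@ -254 hunks of keytab.c, both `/* The order here matters, we must free these in this order due to hdb-ldb and Samba4's talloc */` comments are dropped, yet the constraint they describe still governs the new `out:` label: hdb_free_entry must run before hdb_close and hdb_destroy, which the kvno-mismatch path and the fall-through still do. Keeping one such comment directly above `out:` preserves that knowledge for the next edit to this function. `}else if(ret)` should also read `} else if (ret)` to match the surrounding style.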