diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-09-07 21:52:50 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:36:33 -0500 |
commit | 1f2f470889d63a2a81ee3f2d8bdff782ac8d0e28 (patch) | |
tree | 8766af7915448b3e015ca6a0796e3020f11d8456 /source4/heimdal/lib | |
parent | db400b4a58d834cca165f1fc6ad84e9f5ace280f (diff) | |
download | samba-1f2f470889d63a2a81ee3f2d8bdff782ac8d0e28.tar.gz samba-1f2f470889d63a2a81ee3f2d8bdff782ac8d0e28.tar.bz2 samba-1f2f470889d63a2a81ee3f2d8bdff782ac8d0e28.zip |
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
Diffstat (limited to 'source4/heimdal/lib')
-rw-r--r-- | source4/heimdal/lib/gssapi/accept_sec_context.c | 667 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/copy_ccache.c | 19 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi.h | 4 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/init_sec_context.c | 18 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-protos.h | 13 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_rep.c | 146 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_req.c | 20 | ||||
-rw-r--r-- | source4/heimdal/lib/roken/roken-common.h | 31 |
8 files changed, 495 insertions, 423 deletions
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c index 2ba2415112..7412d84eb0 100644 --- a/source4/heimdal/lib/gssapi/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/accept_sec_context.c @@ -274,215 +274,224 @@ gsskrb5_acceptor_ready( return GSS_S_COMPLETE; } - static OM_uint32 -gsskrb5_acceptor_start( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) +gsskrb5_acceptor_start + (OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle + ) { - krb5_error_code kret; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data indata; - krb5_flags ap_options; - OM_uint32 flags; - krb5_ticket *ticket = NULL; - krb5_keytab keytab = NULL; - krb5_keyblock *keyblock = NULL; - int no_wrap = 0; - - /* - * TODO: check the channel_bindings - */ - - /* - * We need a sequence number - */ - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); - - /* - * We need remove the decapsulate only when GSS_C_DCE_STYLE isn't in use - */ - ret = gssapi_krb5_decapsulate(minor_status, - input_token,&indata, - "\x01\x00", - GSS_KRB5_MECHANISM); - if (ret) { - /* No OID wrapping apparently available. */ - no_wrap = 1; - indata.length = input_token->length; - indata.data = input_token->value; - } + krb5_error_code kret; + OM_uint32 ret = GSS_S_COMPLETE; + krb5_data indata; + krb5_flags ap_options; + OM_uint32 flags; + krb5_ticket *ticket = NULL; + krb5_keytab keytab = NULL; + krb5_keyblock *keyblock = NULL; + krb5_data fwd_data; + int is_cfx = 0; + + krb5_data_zero (&fwd_data); + + /* + * We may, or may not, have an escapsulation. + */ + ret = gssapi_krb5_decapsulate (minor_status, + input_token_buffer, + &indata, + "\x01\x00", + GSS_KRB5_MECHANISM); - /* - * We need to get our keytab - */ - if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gssapi_krb5_keytab != NULL) { - keytab = gssapi_krb5_keytab; - } - } else { - keytab = acceptor_cred_handle->keytab; - } + if (ret) { + /* No OID wrapping apparently available. */ + indata.length = input_token_buffer->length; + indata.data = input_token_buffer->value; + } - /* - * We need to check the ticket and create the AP-REP packet - */ - kret = krb5_rd_req_return_keyblock(gssapi_krb5_context, - &(*context_handle)->auth_context, - &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred_handle->principal, - keytab, - &ap_options, - &ticket, - &keyblock); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; + /* + * We need to get our keytab + */ + if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { + if (gssapi_krb5_keytab != NULL) { + keytab = gssapi_krb5_keytab; } + } else if (acceptor_cred_handle->keytab != NULL) { + keytab = acceptor_cred_handle->keytab; + } + + /* + * We need to check the ticket and create the AP-REP packet + */ + kret = krb5_rd_req_return_keyblock(gssapi_krb5_context, + &(*context_handle)->auth_context, + &indata, + (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred_handle->principal, + keytab, + &ap_options, + &ticket, + &keyblock); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + return ret; + } + + /* + * We need to remember some data on the context_handle + */ + (*context_handle)->ticket = ticket; + (*context_handle)->service_keyblock = keyblock; + (*context_handle)->lifetime = ticket->ticket.endtime; + + /* + * We need to copy the principal names to the context and the calling layer + */ + kret = krb5_copy_principal(gssapi_krb5_context, + ticket->client, + &(*context_handle)->source); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + } - /* - * We need to remember some data on the context_handle - */ - (*context_handle)->ticket = ticket; - (*context_handle)->service_keyblock = keyblock; - (*context_handle)->lifetime = ticket->ticket.endtime; - - /* - * We need to copy the principal names to the context and the calling layer - */ - kret = krb5_copy_principal(gssapi_krb5_context, - ticket->client, - &(*context_handle)->source); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } + kret = krb5_copy_principal (gssapi_krb5_context, + ticket->server, + &(*context_handle)->target); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + return ret; + } + + /* + * We need to setup some compat stuff, this assumes that context_handle->target is already set + */ + ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); + if (ret) { + return ret; + } - kret = krb5_copy_principal(gssapi_krb5_context, - ticket->server, - &(*context_handle)->target); + if (src_name != NULL) { + kret = krb5_copy_principal (gssapi_krb5_context, + ticket->client, + src_name); if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + return ret; } + } - /* - * We need to setup some compat stuff, this assumes that context_handle->target is already set - */ - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) return ret; - - /* - * We need to get the flags out of the 8003 checksum - */ - { - krb5_authenticator authenticator; - - kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, + /* + * We need to get the flags out of the 8003 checksum + */ + { + krb5_authenticator authenticator; + + kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, (*context_handle)->auth_context, &authenticator); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - - ret = gssapi_krb5_verify_8003_checksum(minor_status, - input_chan_bindings, - authenticator->cksum, - &flags, - &(*context_handle)->fwd_data); - krb5_free_authenticator(gssapi_krb5_context, &authenticator); - if (ret) return ret; - } - - /* And remember them for later */ - (*context_handle)->flags = flags; - - if(flags & GSS_C_MUTUAL_FLAG) { - int is_cfx = 0; - krb5_data outbuf; - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { - kret = krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); - (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; - } - - kret = krb5_mk_rep(gssapi_krb5_context, - (*context_handle)->auth_context, - &outbuf); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - - if (!(flags & GSS_C_DCE_STYLE)) { - ret = gssapi_krb5_encapsulate(minor_status, - &outbuf, - output_token, - "\x02\x00", - GSS_KRB5_MECHANISM); - krb5_data_free (&outbuf); - if (ret) return ret; - } else { - output_token->length = outbuf.length; - output_token->value = outbuf.data; - } + if(kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + return ret; } - /* - * We need to set the return value for the calling layer - */ - if (ret_flags) *ret_flags = flags; - - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - if (ret) return ret; - } + ret = gssapi_krb5_verify_8003_checksum(minor_status, + input_chan_bindings, + authenticator->cksum, + &flags, + &fwd_data); + krb5_free_authenticator(gssapi_krb5_context, &authenticator); + if (ret) + if (ret) return ret; + } + + if(flags & GSS_C_MUTUAL_FLAG) { + krb5_data outbuf; + + gsskrb5_is_cfx(*context_handle, &is_cfx); + + if (is_cfx != 0 + || (ap_options & AP_OPTS_USE_SUBKEY)) { + kret = krb5_auth_con_addflags(gssapi_krb5_context, + (*context_handle)->auth_context, + KRB5_AUTH_CONTEXT_USE_SUBKEY, + NULL); + (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; + } + + kret = krb5_mk_rep(gssapi_krb5_context, + (*context_handle)->auth_context, + &outbuf); + if (kret) { + *minor_status = kret; + gssapi_krb5_set_error_string (); + return GSS_S_FAILURE; + } + + if (!(flags & GSS_C_DCE_STYLE)) { + ret = gssapi_krb5_encapsulate(minor_status, + &outbuf, + output_token, + "\x02\x00", + GSS_KRB5_MECHANISM); + krb5_data_free (&outbuf); + if (ret) return ret; + } else { + output_token->length = outbuf.length; + output_token->value = outbuf.data; + } + } + + /* + * We need to send the flags back to the caller + */ + flags |= GSS_C_TRANS_FLAG; - if (src_name) { - kret = krb5_copy_principal(gssapi_krb5_context, - (*context_handle)->source, - src_name); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - } + if (ret_flags) + *ret_flags = flags; + + /* And remember them for later */ + + (*context_handle)->lifetime = ticket->ticket.endtime; + (*context_handle)->flags = flags; + (*context_handle)->more_flags |= OPEN; + + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + if (ret) + if (ret) return ret; + } - /* - * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client - */ - if (flags & GSS_C_DCE_STYLE) { - (*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE; - return GSS_S_CONTINUE_NEEDED; - } + /* + * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client + */ + if (flags & GSS_C_DCE_STYLE) { + (*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE; + return GSS_S_CONTINUE_NEEDED; + } - return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); + return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); } static OM_uint32 @@ -490,7 +499,7 @@ gsskrb5_acceptor_wait_for_dcestyle( OM_uint32 * minor_status, gss_ctx_id_t * context_handle, const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token, + const gss_buffer_t input_token_buffer, const gss_channel_bindings_t input_chan_bindings, gss_name_t * src_name, gss_OID * mech_type, @@ -506,8 +515,8 @@ gsskrb5_acceptor_wait_for_dcestyle( OM_uint32 l_seq_number; /* We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP */ - inbuf.length = input_token->length; - inbuf.data = input_token->value; + inbuf.length = input_token_buffer->length; + inbuf.data = input_token_buffer->value; /* * We need to remeber the old remote seq_number, then check if the client has replied with our local seq_number, @@ -547,18 +556,41 @@ gsskrb5_acceptor_wait_for_dcestyle( */ { krb5_ap_rep_enc_part *repl; + int32_t auth_flags; + + kret = krb5_auth_con_removeflags(gssapi_krb5_context, + (*context_handle)->auth_context, + KRB5_AUTH_CONTEXT_DO_TIME, &auth_flags); + if (kret) { /* Can't happen */ + gssapi_krb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } - kret = _krb5_rd_rep_type(gssapi_krb5_context, - (*context_handle)->auth_context, - &inbuf, - &repl, - TRUE); + kret = krb5_rd_rep(gssapi_krb5_context, + (*context_handle)->auth_context, + &inbuf, + &repl); if (kret) { gssapi_krb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } + + /* Because the inbuf above is a final leg from client + * to server, we don't have a use for a 'reply' + * here */ krb5_free_ap_rep_enc_part(gssapi_krb5_context, repl); + + /* Do no harm, put the flags back */ + kret = krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + auth_flags); + if (kret) { /* Can't happen */ + gssapi_krb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } } /* We need to check the liftime */ @@ -598,7 +630,7 @@ gsskrb5_acceptor_wait_for_dcestyle( */ { OM_uint32 tmp_r_seq_number; - OM_uint32 l_seq_number; + OM_uint32 tmp_l_seq_number; kret = krb5_auth_getremoteseqnumber(gssapi_krb5_context, (*context_handle)->auth_context, @@ -611,7 +643,7 @@ gsskrb5_acceptor_wait_for_dcestyle( kret = krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, (*context_handle)->auth_context, - &l_seq_number); + &tmp_l_seq_number); if (kret) { gssapi_krb5_set_error_string (); *minor_status = kret; @@ -621,7 +653,7 @@ gsskrb5_acceptor_wait_for_dcestyle( /* * Here we check if the client has responsed with our local seq_number, */ - if (tmp_r_seq_number != l_seq_number) { + if (tmp_r_seq_number != tmp_l_seq_number) { return GSS_S_UNSEQ_TOKEN; } } @@ -645,73 +677,102 @@ gsskrb5_acceptor_wait_for_dcestyle( } static OM_uint32 -gsskrb5_accept_sec_context( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) +gsskrb5_accept_sec_context + (OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle + ) { - OM_uint32 ret; - - if (*context_handle == GSS_C_NO_CONTEXT) { - ret = _gsskrb5_create_ctx(minor_status, - context_handle, - input_chan_bindings, - ACCEPTOR_START); - if (ret) return ret; - } + OM_uint32 ret = GSS_S_COMPLETE; + krb5_data fwd_data; + gss_ctx_id_t local_context; - if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; + GSSAPI_KRB5_INIT(); - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); + krb5_data_zero (&fwd_data); + output_token->length = 0; + output_token->value = NULL; + + if (src_name != NULL) + *src_name = NULL; + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (*context_handle == GSS_C_NO_CONTEXT) { + ret = _gsskrb5_create_ctx(minor_status, + &local_context, + input_chan_bindings, + ACCEPTOR_START); + if (ret) return ret; + } else { + local_context = *context_handle; + } + + /* + * TODO: check the channel_bindings + * (above just sets them to krb5 layer) + */ - switch ((*context_handle)->state) { - case ACCEPTOR_START: - ret = gsskrb5_acceptor_start(minor_status, - context_handle, - acceptor_cred_handle, - input_token, - input_chan_bindings, - src_name, - actual_mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_WAIT_FOR_DCESTYLE: - ret = gsskrb5_acceptor_wait_for_dcestyle(minor_status, - context_handle, - acceptor_cred_handle, - input_token, - input_chan_bindings, - src_name, - actual_mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_READY: - /* this function should not be called after it has returned GSS_S_COMPLETE */ - ret = GSS_S_BAD_STATUS; - break; - default: - /* TODO: is this correct here? --metze */ - ret = GSS_S_BAD_STATUS; - break; + HEIMDAL_MUTEX_lock(&(local_context)->ctx_id_mutex); + + switch ((local_context)->state) { + case ACCEPTOR_START: + ret = gsskrb5_acceptor_start(minor_status, + &local_context, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + break; + case ACCEPTOR_WAIT_FOR_DCESTYLE: + ret = gsskrb5_acceptor_wait_for_dcestyle(minor_status, + &local_context, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + break; + case ACCEPTOR_READY: + /* this function should not be called after it has returned GSS_S_COMPLETE */ + ret = GSS_S_BAD_STATUS; + break; + default: + /* TODO: is this correct here? --metze */ + ret = GSS_S_BAD_STATUS; + break; + } + + HEIMDAL_MUTEX_unlock(&(local_context)->ctx_id_mutex); + + if (*context_handle == GSS_C_NO_CONTEXT) { + if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { + *context_handle = local_context; + } else { + gss_delete_sec_context(minor_status, + &local_context, + NULL); } + } - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - - return ret; + return ret; } static OM_uint32 @@ -1065,53 +1126,45 @@ gss_accept_sec_context gss_cred_id_t * delegated_cred_handle ) { + OM_uint32 ret; ssize_t mech_len; const u_char *p; *minor_status = 0; - if (src_name) *src_name = GSS_C_NO_NAME; - if (mech_type) *mech_type = GSS_C_NO_OID; - - output_token->length = 0; - output_token->value = NULL; - - if (ret_flags) *ret_flags = 0; - if (time_rec) *time_rec = 0; - if (delegated_cred_handle) *delegated_cred_handle = NULL; - - mech_len = gssapi_krb5_get_mech(input_token_buffer->value, - input_token_buffer->length, - &p); - - /* This could be 'dce style' kerberos, where the OID is missing :-( */ - if ((mech_len < 0) || (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_len) == 0)) { - return gsskrb5_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - } else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_len) == 0) { - return spnego_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - } - + mech_len = gssapi_krb5_get_mech (input_token_buffer->value, + input_token_buffer->length, + &p); + + /* This could be 'dce style' kerberos, where the OID is missing :-( */ + if ((mech_len < 0) || ((mech_len == GSS_KRB5_MECHANISM->length) + && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_len) == 0)) + ret = gsskrb5_accept_sec_context(minor_status, + context_handle, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + else if (mech_len == GSS_SPNEGO_MECHANISM->length + && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_len) == 0) + ret = spnego_accept_sec_context(minor_status, + context_handle, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + else return GSS_S_BAD_MECH; + + return ret; } diff --git a/source4/heimdal/lib/gssapi/copy_ccache.c b/source4/heimdal/lib/gssapi/copy_ccache.c index 4f2b3f4895..828ca64156 100644 --- a/source4/heimdal/lib/gssapi/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/copy_ccache.c @@ -105,6 +105,25 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + time_t *authtime) +{ + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + if (context_handle->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + *authtime = context_handle->ticket->ticket.authtime; + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + OM_uint32 gss_krb5_copy_service_keyblock (OM_uint32 *minor_status, gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index 5712581d3f..4ee988b020 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h @@ -809,6 +809,10 @@ gsskrb5_extract_authz_data_from_sec_context int /*ad_type*/, gss_buffer_t /*ad_data*/); OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + time_t *authtime); +OM_uint32 gsskrb5_get_initiator_subkey (OM_uint32 * /*minor_status*/, const gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c index 6a80934e46..5c6c6a0f8e 100644 --- a/source4/heimdal/lib/gssapi/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/init_sec_context.c @@ -147,6 +147,15 @@ _gsskrb5_create_ctx( return GSS_S_BAD_BINDINGS; } + /* + * We need a sequence number + */ + + krb5_auth_con_addflags(gssapi_krb5_context, + (*context_handle)->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE, + NULL); + return GSS_S_COMPLETE; } @@ -388,15 +397,6 @@ gsskrb5_initiator_start ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); if (ret) return ret; - /* - * We need a sequence number - */ - - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); - /* We need the key and a random local subkey */ { kret = krb5_auth_con_setkey(gssapi_krb5_context, diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index cc619314a3..97f286b83e 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -2378,6 +2378,12 @@ krb5_parse_name ( krb5_principal */*principal*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_parse_name_mustrealm ( + krb5_context /*context*/, + const char */*name*/, + krb5_principal */*principal*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_name_norealm ( krb5_context /*context*/, const char */*name*/, @@ -3436,13 +3442,6 @@ krb5_write_safe_message ( krb5_error_code KRB5_LIB_FUNCTION krb5_xfree (void */*ptr*/); -krb5_error_code -parse_name ( - krb5_context /*context*/, - const char */*name*/, - krb5_boolean /*short_form*/, - krb5_principal */*principal*/); - #ifdef __cplusplus } #endif diff --git a/source4/heimdal/lib/krb5/rd_rep.c b/source4/heimdal/lib/krb5/rd_rep.c index a92eea5c04..53138d9f45 100644 --- a/source4/heimdal/lib/krb5/rd_rep.c +++ b/source4/heimdal/lib/krb5/rd_rep.c @@ -36,94 +36,80 @@ RCSID("$Id: rd_rep.c,v 1.25 2005/06/17 07:49:33 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION -_krb5_rd_rep_type(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *inbuf, - krb5_ap_rep_enc_part **repl, - krb5_boolean dce_style_response) +krb5_rd_rep(krb5_context context, + krb5_auth_context auth_context, + const krb5_data *inbuf, + krb5_ap_rep_enc_part **repl) { - krb5_error_code ret; - AP_REP ap_rep; - size_t len; - krb5_data data; - krb5_crypto crypto; + krb5_error_code ret; + AP_REP ap_rep; + size_t len; + krb5_data data; + krb5_crypto crypto; - krb5_data_zero (&data); - ret = 0; + krb5_data_zero (&data); + ret = 0; - ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len); - if (ret) - return ret; - if (ap_rep.pvno != 5) { - ret = KRB5KRB_AP_ERR_BADVERSION; - krb5_clear_error_string (context); - goto out; - } - if (ap_rep.msg_type != krb_ap_rep) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string (context); - goto out; - } + ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len); + if (ret) + return ret; + if (ap_rep.pvno != 5) { + ret = KRB5KRB_AP_ERR_BADVERSION; + krb5_clear_error_string (context); + goto out; + } + if (ap_rep.msg_type != krb_ap_rep) { + ret = KRB5KRB_AP_ERR_MSG_TYPE; + krb5_clear_error_string (context); + goto out; + } - ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); - if (ret) - goto out; - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_AP_REQ_ENC_PART, - &ap_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - if (ret) - goto out; + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + if (ret) + goto out; + ret = krb5_decrypt_EncryptedData (context, + crypto, + KRB5_KU_AP_REQ_ENC_PART, + &ap_rep.enc_part, + &data); + krb5_crypto_destroy(context, crypto); + if (ret) + goto out; - *repl = malloc(sizeof(**repl)); - if (*repl == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto out; - } - ret = krb5_decode_EncAPRepPart(context, - data.data, - data.length, - *repl, - &len); - if (ret) - return ret; - - if (!dce_style_response) { - if ((*repl)->ctime != auth_context->authenticator->ctime || - (*repl)->cusec != auth_context->authenticator->cusec) { - ret = KRB5KRB_AP_ERR_MUT_FAIL; - krb5_set_error_string (context, "Mutual authentication failed: Timestamps mismatch"); - goto out; - } - } - if ((*repl)->seq_number) - krb5_auth_con_setremoteseqnumber(context, auth_context, - *((*repl)->seq_number)); - if ((*repl)->subkey) - krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey); + *repl = malloc(sizeof(**repl)); + if (*repl == NULL) { + ret = ENOMEM; + krb5_set_error_string (context, "malloc: out of memory"); + goto out; + } + ret = krb5_decode_EncAPRepPart(context, + data.data, + data.length, + *repl, + &len); + if (ret) + return ret; + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + if ((*repl)->ctime != auth_context->authenticator->ctime || + (*repl)->cusec != auth_context->authenticator->cusec) { + ret = KRB5KRB_AP_ERR_MUT_FAIL; + krb5_clear_error_string (context); + goto out; + } + } + if ((*repl)->seq_number) + krb5_auth_con_setremoteseqnumber(context, auth_context, + *((*repl)->seq_number)); + if ((*repl)->subkey) + krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey); -out: - krb5_data_free (&data); - free_AP_REP (&ap_rep); - return ret; + out: + krb5_data_free (&data); + free_AP_REP (&ap_rep); + return ret; } -krb5_error_code KRB5_LIB_FUNCTION -krb5_rd_rep(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *inbuf, - krb5_ap_rep_enc_part **repl) -{ - return _krb5_rd_rep_type(context, - auth_context, - inbuf, - repl, - FALSE); -} - void KRB5_LIB_FUNCTION krb5_free_ap_rep_enc_part (krb5_context context, krb5_ap_rep_enc_part *val) diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 30ad08bd82..66172c10fb 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.57 2005/01/08 20:41:17 lha Exp $"); +RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -136,6 +136,10 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) int num_realms; krb5_error_code ret; + /* Windows w2k and w2k3 uses this */ + if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) + return 0; + if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) return KRB5KDC_ERR_TRTYPE_NOSUPP; @@ -561,6 +565,7 @@ krb5_rd_req_return_keyblock(krb5_context context, krb5_error_code ret; krb5_ap_req ap_req; krb5_principal service = NULL; + krb5_keyblock *local_keyblock; if (*auth_context == NULL) { ret = krb5_auth_con_init(context, auth_context); @@ -592,13 +597,13 @@ krb5_rd_req_return_keyblock(krb5_context context, &ap_req, server, keytab, - keyblock); + &local_keyblock); if(ret) goto out; } else { ret = krb5_copy_keyblock(context, (*auth_context)->keyblock, - keyblock); + &local_keyblock); if (ret) goto out; } @@ -607,17 +612,20 @@ krb5_rd_req_return_keyblock(krb5_context context, auth_context, &ap_req, server, - *keyblock, + local_keyblock, 0, ap_req_options, ticket); + if (ret) { + krb5_free_keyblock(context, local_keyblock); + } else { + *keyblock = local_keyblock; + } out: free_AP_REQ(&ap_req); if(service) krb5_free_principal(context, service); - if (ret) - krb5_free_keyblock(context, *keyblock); return ret; } diff --git a/source4/heimdal/lib/roken/roken-common.h b/source4/heimdal/lib/roken/roken-common.h index d85d55f433..c4ba2edb7c 100644 --- a/source4/heimdal/lib/roken/roken-common.h +++ b/source4/heimdal/lib/roken/roken-common.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: roken-common.h,v 1.61 2005/07/07 05:03:30 lha Exp $ */ +/* $Id: roken-common.h,v 1.62 2005/09/01 18:47:35 lha Exp $ */ #ifndef __ROKEN_COMMON_H__ #define __ROKEN_COMMON_H__ @@ -312,43 +312,46 @@ ewrite (int fd, const void *buf, size_t nbytes); struct hostent; const char * ROKEN_LIB_FUNCTION -hostent_find_fqdn (const struct hostent *he); +hostent_find_fqdn (const struct hostent *); void ROKEN_LIB_FUNCTION -esetenv(const char *var, const char *val, int rewrite); +esetenv(const char *, const char *, int); void ROKEN_LIB_FUNCTION -socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port); +socket_set_address_and_port (struct sockaddr *, const void *, int); size_t ROKEN_LIB_FUNCTION -socket_addr_size (const struct sockaddr *sa); +socket_addr_size (const struct sockaddr *); void ROKEN_LIB_FUNCTION -socket_set_any (struct sockaddr *sa, int af); +socket_set_any (struct sockaddr *, int); size_t ROKEN_LIB_FUNCTION -socket_sockaddr_size (const struct sockaddr *sa); +socket_sockaddr_size (const struct sockaddr *); void * ROKEN_LIB_FUNCTION -socket_get_address (struct sockaddr *sa); +socket_get_address (struct sockaddr *); int ROKEN_LIB_FUNCTION -socket_get_port (const struct sockaddr *sa); +socket_get_port (const struct sockaddr *); void ROKEN_LIB_FUNCTION -socket_set_port (struct sockaddr *sa, int port); +socket_set_port (struct sockaddr *, int); void ROKEN_LIB_FUNCTION -socket_set_portrange (int sock, int restr, int af); +socket_set_portrange (int, int, int); void ROKEN_LIB_FUNCTION -socket_set_debug (int sock); +socket_set_debug (int); void ROKEN_LIB_FUNCTION -socket_set_tos (int sock, int tos); +socket_set_tos (int, int); void ROKEN_LIB_FUNCTION -socket_set_reuseaddr (int sock, int val); +socket_set_reuseaddr (int, int); + +void ROKEN_LIB_FUNCTION +socket_set_ipv6only (int, int); char ** ROKEN_LIB_FUNCTION vstrcollect(va_list *ap); |