diff options
-rw-r--r-- | source3/configure.in | 1 | ||||
-rw-r--r-- | source3/librpc/crypto/gse.c | 35 | ||||
-rw-r--r-- | source3/wscript | 2 | ||||
-rw-r--r-- | source4/heimdal_build/wscript_configure | 1 |
4 files changed, 34 insertions, 5 deletions
diff --git a/source3/configure.in b/source3/configure.in index 883f0b1df0..a463aa910d 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3870,6 +3870,7 @@ if test x"$with_ads_support" != x"no"; then AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS) # MIT krb5 1.8 does not expose this call (yet) AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>]) diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 42e9c942a9..22b940a1f3 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -85,6 +85,24 @@ struct gse_context { bool authenticated; }; +#ifndef HAVE_GSS_OID_EQUAL + +static bool gss_oid_equal(const gss_OID o1, const gss_OID o2) +{ + if (o1 == o2) { + return true; + } + if ((o1 == NULL && o2 != NULL) || (o1 != NULL && o2 == NULL)) { + return false; + } + if (o1->length != o2->length) { + return false; + } + return memcmp(o1->elements, o2->elements, o1->length) == false; +} + +#endif + /* free non talloc dependent contexts */ static int gse_context_destructor(void *ptr) { @@ -125,10 +143,19 @@ static int gse_context_destructor(void *ptr) gss_maj = gss_release_cred(&gss_min, &gse_ctx->delegated_creds); } - if (gse_ctx->ret_mech) { - gss_maj = gss_release_oid(&gss_min, - &gse_ctx->ret_mech); - } + + /* MIT and Heimdal differ as to if you can call + * gss_release_oid() on this OID, generated by + * gss_{accept,init}_sec_context(). However, as long as the + * oid is gss_mech_krb5 (which it always is at the moment), + * then this is a moot point, as both declare this particular + * OID static, and so no memory is lost. This assert is in + * place to ensure that the programmer who wishes to extend + * this code to EAP or other GSS mechanisms determines an + * implementation-dependent way of releasing any dynamically + * allocated OID */ + SMB_ASSERT(gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5)); + return 0; } diff --git a/source3/wscript b/source3/wscript index 6081ac9d4d..cdafc1683a 100644 --- a/source3/wscript +++ b/source3/wscript @@ -632,7 +632,7 @@ msg.msg_acctrightslen = sizeof(fd); if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \ conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'): have_gssapi=True - conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute', 'gssapi gssapi_krb5 krb5') + conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal', 'gssapi gssapi_krb5 krb5') conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') conf.CHECK_FUNCS(''' krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure index f711fe7f28..f96c683baf 100644 --- a/source4/heimdal_build/wscript_configure +++ b/source4/heimdal_build/wscript_configure @@ -82,6 +82,7 @@ conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1) conf.define('HAVE_GSS_DISPLAY_STATUS', 1) conf.define('HAVE_GSS_WRAP_IOV', 1) conf.define('HAVE_GSS_KRB5_IMPORT_CRED', 1) +conf.define('HAVE_GSS_OID_EQUAL', 1) conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1) conf.define('HAVE_LIBGSSAPI', 1) conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1) |