diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/libads/kerberos.c | 28 | ||||
-rw-r--r-- | source3/libads/kerberos_keytab.c | 22 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 20 | ||||
-rw-r--r-- | source3/libads/krb5_setpw.c | 6 | ||||
-rw-r--r-- | source3/libads/sasl.c | 2 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 93 |
6 files changed, 120 insertions, 51 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index e5211813d3..960709a5f0 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -90,7 +90,7 @@ int kerberos_kinit_password_ext(const char *principal, return code; } - if ((code = krb5_parse_name(ctx, principal, &me))) { + if ((code = smb_krb5_parse_name(ctx, principal, &me))) { krb5_free_context(ctx); return code; } @@ -260,21 +260,21 @@ krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, char *unparsed_name = NULL, *salt_princ_s = NULL; krb5_principal ret_princ = NULL; - if (krb5_unparse_name(context, host_princ, &unparsed_name) != 0) { + if (smb_krb5_unparse_name(context, host_princ, &unparsed_name) != 0) { return (krb5_principal)NULL; } if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) { - krb5_free_unparsed_name(context, unparsed_name); + SAFE_FREE(unparsed_name); return (krb5_principal)NULL; } - if (krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) { - krb5_free_unparsed_name(context, unparsed_name); + if (smb_krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) { + SAFE_FREE(unparsed_name); SAFE_FREE(salt_princ_s); return (krb5_principal)NULL; } - krb5_free_unparsed_name(context, unparsed_name); + SAFE_FREE(unparsed_name); SAFE_FREE(salt_princ_s); return ret_princ; } @@ -308,11 +308,11 @@ BOOL kerberos_secrets_store_salting_principal(const char *service, asprintf(&princ_s, "%s@%s", service, lp_realm()); } - if (krb5_parse_name(context, princ_s, &princ) != 0) { + if (smb_krb5_parse_name(context, princ_s, &princ) != 0) { goto out; } - if (krb5_unparse_name(context, princ, &unparsed_name) != 0) { + if (smb_krb5_unparse_name(context, princ, &unparsed_name) != 0) { goto out; } @@ -331,10 +331,8 @@ BOOL kerberos_secrets_store_salting_principal(const char *service, SAFE_FREE(key); SAFE_FREE(princ_s); + SAFE_FREE(unparsed_name); - if (unparsed_name) { - krb5_free_unparsed_name(context, unparsed_name); - } if (context) { krb5_free_context(context); } @@ -396,8 +394,8 @@ static krb5_error_code get_service_ticket(krb5_context ctx, asprintf(&service_s, "%s@%s", service_principal, lp_realm()); } - if ((err = krb5_parse_name(ctx, service_s, &creds.server))) { - DEBUG(0,("get_service_ticket: krb5_parse_name %s failed: %s\n", + if ((err = smb_krb5_parse_name(ctx, service_s, &creds.server))) { + DEBUG(0,("get_service_ticket: smb_krb5_parse_name %s failed: %s\n", service_s, error_message(err))); goto out; } @@ -476,8 +474,8 @@ static BOOL verify_service_password(krb5_context ctx, asprintf(&salting_s, "%s@%s", salting_principal, lp_realm()); } - if ((err = krb5_parse_name(ctx, salting_s, &salting_kprinc))) { - DEBUG(0,("verify_service_password: krb5_parse_name %s failed: %s\n", + if ((err = smb_krb5_parse_name(ctx, salting_s, &salting_kprinc))) { + DEBUG(0,("verify_service_password: smb_krb5_parse_name %s failed: %s\n", salting_s, error_message(err))); goto out; } diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index f6ed107ee0..fc87b687d1 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -130,9 +130,9 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) /* Guess at how the KDC is salting keys for this principal. */ kerberos_derive_salting_principal(princ_s); - ret = krb5_parse_name(context, princ_s, &princ); + ret = smb_krb5_parse_name(context, princ_s, &princ); if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret))); + DEBUG(1,("ads_keytab_add_entry: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret))); goto out; } @@ -150,9 +150,10 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) { BOOL compare_name_ok = False; - ret = krb5_unparse_name(context, kt_entry.principal, &ktprinc); + ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc); if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_unparse_name failed (%s)\n", error_message(ret))); + DEBUG(1,("ads_keytab_add_entry: smb_krb5_unparse_name failed (%s)\n", + error_message(ret))); goto out; } @@ -176,8 +177,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) ktprinc, kt_entry.vno)); } - krb5_free_unparsed_name(context, ktprinc); - ktprinc = NULL; + SAFE_FREE(ktprinc); if (compare_name_ok) { if (kt_entry.vno == kvno - 1) { @@ -581,9 +581,9 @@ int ads_keytab_create_default(ADS_STRUCT *ads) char *p; /* This returns a malloc'ed string in ktprinc. */ - ret = krb5_unparse_name(context, kt_entry.principal, &ktprinc); + ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc); if (ret) { - DEBUG(1,("krb5_unparse_name failed (%s)\n", error_message(ret))); + DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret))); goto done; } /* @@ -606,12 +606,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads) break; } if (!strcmp(oldEntries[i], ktprinc)) { - krb5_free_unparsed_name(context, ktprinc); + SAFE_FREE(ktprinc); break; } } if (i == found) { - krb5_free_unparsed_name(context, ktprinc); + SAFE_FREE(ktprinc); } } smb_krb5_kt_free_entry(context, &kt_entry); @@ -620,7 +620,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) ret = 0; for (i = 0; oldEntries[i]; i++) { ret |= ads_keytab_add_entry(ads, oldEntries[i]); - krb5_free_unparsed_name(context, oldEntries[i]); + SAFE_FREE(oldEntries[i]); } krb5_kt_end_seq_get(context, keytab, &cursor); } diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 934c1131eb..fa957aa9c0 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -90,9 +90,10 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut if (ret != KRB5_KT_END && ret != ENOENT ) { while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) { - ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s); + ret = smb_krb5_unparse_name(context, kt_entry.principal, &entry_princ_s); if (ret) { - DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret))); + DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n", + error_message(ret))); goto out; } @@ -138,8 +139,7 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut } /* Free the name we parsed. */ - krb5_free_unparsed_name(context, entry_princ_s); - entry_princ_s = NULL; + SAFE_FREE(entry_princ_s); /* Free the entry we just read. */ smb_krb5_kt_free_entry(context, &kt_entry); @@ -165,9 +165,7 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut } } - if (entry_princ_s) { - krb5_free_unparsed_name(context, entry_princ_s); - } + SAFE_FREE(entry_princ_s); { krb5_keytab_entry zero_kt_entry; @@ -343,9 +341,9 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, asprintf(&host_princ_s, "%s$", global_myname()); strlower_m(host_princ_s); - ret = krb5_parse_name(context, host_princ_s, &host_princ); + ret = smb_krb5_parse_name(context, host_princ_s, &host_princ); if (ret) { - DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n", + DEBUG(1,("ads_verify_ticket: smb_krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret))); goto out; } @@ -459,8 +457,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, #endif #endif - if ((ret = krb5_unparse_name(context, client_principal, principal))) { - DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n", + if ((ret = smb_krb5_unparse_name(context, client_principal, principal))) { + DEBUG(3,("ads_verify_ticket: smb_krb5_unparse_name failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index 415c1e9229..254ca7b2a3 100644 --- a/source3/libads/krb5_setpw.c +++ b/source3/libads/krb5_setpw.c @@ -521,7 +521,7 @@ ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ, realm++; asprintf(&princ_name, "kadmin/changepw@%s", realm); - ret = krb5_parse_name(context, princ_name, &creds.server); + ret = smb_krb5_parse_name(context, princ_name, &creds.server); if (ret) { krb5_cc_close(context, ccache); krb5_free_context(context); @@ -531,7 +531,7 @@ ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ, free(princ_name); /* parse the principal we got as a function argument */ - ret = krb5_parse_name(context, princ, &principal); + ret = smb_krb5_parse_name(context, princ, &principal); if (ret) { krb5_cc_close(context, ccache); krb5_free_principal(context, creds.server); @@ -633,7 +633,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, return ADS_ERROR_KRB5(ret); } - if ((ret = krb5_parse_name(context, principal, + if ((ret = smb_krb5_parse_name(context, principal, &princ))) { krb5_free_context(context); DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret))); diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index d8d33a924f..a12af43eb3 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -304,7 +304,7 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) if (!ADS_ERR_OK(status)) { return status; } - status = ADS_ERROR_KRB5(krb5_parse_name(ctx, sname, &principal)); + status = ADS_ERROR_KRB5(smb_krb5_parse_name(ctx, sname, &principal)); if (!ADS_ERR_OK(status)) { return status; } diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4943f67b77..1f43b91e38 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -38,6 +38,78 @@ #define KRB5_KEY_DATA(k) ((k)->contents) #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ +/************************************************************** + Wrappers around kerberos string functions that convert from + utf8 -> unix charset and vica versa. +**************************************************************/ + +/************************************************************** + krb5_parse_name that takes a UNIX charset. +**************************************************************/ + +krb5_error_code smb_krb5_parse_name(krb5_context context, + const char *name, /* in unix charset */ + krb5_principal *principal) +{ + krb5_error_code ret; + char *utf8_name; + + if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { + return ENOMEM; + } + + ret = krb5_parse_name(context, utf8_name, principal); + SAFE_FREE(utf8_name); + return ret; +} + +#ifdef HAVE_KRB5_PARSE_NAME_NOREALM +/************************************************************** + krb5_parse_name_norealm that takes a UNIX charset. +**************************************************************/ + +static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, + const char *name, /* in unix charset */ + krb5_principal *principal) +{ + krb5_error_code ret; + char *utf8_name; + + if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { + return ENOMEM; + } + + ret = krb5_parse_name_norealm(context, utf8_name, principal); + SAFE_FREE(utf8_name); + return ret; +} +#endif + +/************************************************************** + krb5_parse_name that returns a UNIX charset name. Must + be freed with normal free() call. +**************************************************************/ + +krb5_error_code smb_krb5_unparse_name(krb5_context context, + krb5_const_principal principal, + char **unix_name) +{ + krb5_error_code ret; + char *utf8_name; + + ret = krb5_unparse_name(context, principal, &utf8_name); + if (ret) { + return ret; + } + + if (pull_utf8_allocate(unix_name, utf8_name)==-1) { + krb5_free_unparsed_name(context, utf8_name); + return ENOMEM; + } + krb5_free_unparsed_name(context, utf8_name); + return 0; +} + #ifndef HAVE_KRB5_SET_REAL_TIME /* * This function is not in the Heimdal mainline. @@ -459,7 +531,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, BOOL creds_ready = False; int i = 0, maxtries = 3; - retval = krb5_parse_name(context, principal, &server); + retval = smb_krb5_parse_name(context, principal, &server); if (retval) { DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal)); return retval; @@ -795,10 +867,11 @@ get_key_from_keytab(krb5_context context, } if ( DEBUGLEVEL >= 10 ) { - krb5_unparse_name(context, server, &name); - DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", - kvno, enctype, name)); - krb5_free_unparsed_name(context, name); + if (smb_krb5_unparse_name(context, server, &name) == 0) { + DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", + kvno, enctype, name)); + SAFE_FREE(name); + } } ret = krb5_kt_get_entry(context, @@ -943,7 +1016,7 @@ out: krb5_principal *principal) { #ifdef HAVE_KRB5_PARSE_NAME_NOREALM - return krb5_parse_name_norealm(context, name, principal); + return smb_krb5_parse_name_norealm_conv(context, name, principal); #endif /* we are cheating here because parse_name will in fact set the realm. @@ -951,7 +1024,7 @@ out: * ignores the realm anyway when calling * smb_krb5_principal_compare_any_realm later - Guenther */ - return krb5_parse_name(context, name, principal); + return smb_krb5_parse_name(context, name, principal); } BOOL smb_krb5_principal_compare_any_realm(krb5_context context, @@ -1022,7 +1095,7 @@ out: krb5_creds creds; if (client_string) { - ret = krb5_parse_name(context, client_string, &client); + ret = smb_krb5_parse_name(context, client_string, &client); if (ret) { goto done; } @@ -1063,7 +1136,7 @@ out: memset(&creds_in, 0, sizeof(creds_in)); if (client_string) { - ret = krb5_parse_name(context, client_string, &creds_in.client); + ret = smb_krb5_parse_name(context, client_string, &creds_in.client); if (ret) { goto done; } @@ -1075,7 +1148,7 @@ out: } if (service_string) { - ret = krb5_parse_name(context, service_string, &creds_in.server); + ret = smb_krb5_parse_name(context, service_string, &creds_in.server); if (ret) { goto done; } |