summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/gssapi/krb5
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/lib/gssapi/krb5')
-rw-r--r--source4/heimdal/lib/gssapi/krb5/accept_sec_context.c83
-rw-r--r--source4/heimdal/lib/gssapi/krb5/arcfour.c30
-rw-r--r--source4/heimdal/lib/gssapi/krb5/external.c10
-rw-r--r--source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h3
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init_sec_context.c32
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c19
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/wrap.c1
8 files changed, 108 insertions, 72 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index e42bb11b85..6ac80461c3 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: accept_sec_context.c,v 1.64 2006/10/25 04:19:45 lha Exp $");
+RCSID("$Id: accept_sec_context.c,v 1.65 2006/11/07 14:52:05 lha Exp $");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
@@ -264,9 +264,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
OM_uint32 ret = GSS_S_COMPLETE;
krb5_data indata;
krb5_flags ap_options;
- krb5_ticket *ticket = NULL;
krb5_keytab keytab = NULL;
- krb5_keyblock *keyblock = NULL;
int is_cfx = 0;
const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle;
@@ -298,34 +296,65 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
/*
* We need to check the ticket and create the AP-REP packet
*/
- kret = krb5_rd_req_return_keyblock(_gsskrb5_context,
- &ctx->auth_context,
- &indata,
- (acceptor_cred == NULL) ? NULL : acceptor_cred->principal,
- keytab,
- &ap_options,
- &ticket,
- &keyblock);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- _gsskrb5_set_error_string ();
- return ret;
+
+ {
+ krb5_rd_req_in_ctx in = NULL;
+ krb5_rd_req_out_ctx out = NULL;
+
+ kret = krb5_rd_req_in_ctx_alloc(_gsskrb5_context, &in);
+ if (kret == 0)
+ kret = krb5_rd_req_in_set_keytab(_gsskrb5_context, in, keytab);
+ if (kret) {
+ if (in)
+ krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ _gsskrb5_set_error_string ();
+ return ret;
+ }
+
+ kret = krb5_rd_req_ctx(_gsskrb5_context,
+ &ctx->auth_context,
+ &indata,
+ (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
+ in, &out);
+ krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ _gsskrb5_set_error_string ();
+ return ret;
+ }
+
+ /*
+ * We need to remember some data on the context_handle.
+ */
+ kret = krb5_rd_req_out_get_ap_req_options(_gsskrb5_context, out,
+ &ap_options);
+ if (kret == 0)
+ kret = krb5_rd_req_out_get_ticket(_gsskrb5_context, out,
+ &ctx->ticket);
+ if (kret == 0)
+ kret = krb5_rd_req_out_get_keyblock(_gsskrb5_context, out,
+ &ctx->service_keyblock);
+ ctx->lifetime = ctx->ticket->ticket.endtime;
+
+ krb5_rd_req_out_ctx_free(_gsskrb5_context, out);
+ if (kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ _gsskrb5_set_error_string ();
+ return ret;
+ }
}
- /*
- * We need to remember some data on the context_handle.
- */
- ctx->ticket = ticket;
- ctx->service_keyblock = keyblock;
- ctx->lifetime = ticket->ticket.endtime;
/*
* We need to copy the principal names to the context and the
* calling layer.
*/
kret = krb5_copy_principal(_gsskrb5_context,
- ticket->client,
+ ctx->ticket->client,
&ctx->source);
if (kret) {
ret = GSS_S_FAILURE;
@@ -333,7 +362,9 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
_gsskrb5_set_error_string ();
}
- kret = krb5_copy_principal(_gsskrb5_context, ticket->server, &ctx->target);
+ kret = krb5_copy_principal(_gsskrb5_context,
+ ctx->ticket->server,
+ &ctx->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
@@ -351,7 +382,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if (src_name != NULL) {
kret = krb5_copy_principal (_gsskrb5_context,
- ticket->client,
+ ctx->ticket->client,
(gsskrb5_name*)src_name);
if (kret) {
ret = GSS_S_FAILURE;
@@ -471,7 +502,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
/* Remember the flags */
- ctx->lifetime = ticket->ticket.endtime;
+ ctx->lifetime = ctx->ticket->ticket.endtime;
ctx->more_flags |= OPEN;
if (mech_type)
diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
index 82851f5a78..2c43ed8b32 100644
--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: arcfour.c,v 1.29 2006/10/07 22:14:05 lha Exp $");
+RCSID("$Id: arcfour.c,v 1.30 2006/11/07 19:05:16 lha Exp $");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -355,17 +355,16 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if (conf_state)
*conf_state = 0;
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
- datalen = input_message_buffer->length + 1 /* padding */;
-
- len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
- _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
- } else {
- datalen = input_message_buffer->length;
+ datalen = input_message_buffer->length;
+ if (IS_DCE_STYLE(context_handle)) {
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
total_len += datalen;
+ } else {
+ datalen += 1; /* padding */
+ len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+ _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
}
output_message_buffer->length = total_len;
@@ -418,9 +417,8 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
memcpy(p, input_message_buffer->value, input_message_buffer->length);
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
- p[input_message_buffer->length] = 1; /* PADDING */
- }
+ if (!IS_DCE_STYLE(context_handle))
+ p[input_message_buffer->length] = 1; /* padding */
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
p0 + 16, 8, /* SGN_CKSUM */
@@ -518,13 +516,13 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
p0 = input_message_buffer->value;
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
- len = input_message_buffer->length;
- } else {
+ if (IS_DCE_STYLE(context_handle)) {
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
+ } else {
+ len = input_message_buffer->length;
}
omret = _gssapi_verify_mech_header(&p0,
@@ -635,7 +633,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
}
memset(k6_data, 0, sizeof(k6_data));
- if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
+ if (!IS_DCE_STYLE(context_handle)) {
ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
if (ret) {
_gsskrb5_release_buffer(minor_status, output_message_buffer);
@@ -688,7 +686,7 @@ max_wrap_length_arcfour(const gsskrb5_ctx ctx,
* - we only need to encapsulate the WRAP token
* However, since this is a fixed since, we just
*/
- if (ctx->flags & GSS_C_DCE_STYLE) {
+ if (IS_DCE_STYLE(ctx)) {
size_t len, total_len;
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index 7419bc2fe8..ece03ddf57 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
-RCSID("$Id: external.c,v 1.18 2006/10/20 21:50:24 lha Exp $");
+RCSID("$Id: external.c,v 1.21 2006/11/07 21:05:03 lha Exp $");
/*
* The implementation must reserve static storage for a
@@ -340,12 +340,18 @@ static gss_OID_desc gss_krb5_get_authtime_x_desc =
gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
-/* 1.2.752.43.13.14 */
+/* 1.2.752.43.13.13 */
static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
+/* 1.2.752.43.13.14 */
+static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
+
+gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
+
/* 1.2.752.43.14.1 */
static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
index 4d814032c3..ea7a561b5b 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gsskrb5_locl.h,v 1.6 2006/10/07 22:14:49 lha Exp $ */
+/* $Id: gsskrb5_locl.h,v 1.7 2006/11/07 17:57:43 lha Exp $ */
#ifndef GSSKRB5_LOCL_H
#define GSSKRB5_LOCL_H
@@ -56,6 +56,7 @@ struct gss_msg_order;
typedef struct {
struct krb5_auth_context_data *auth_context;
krb5_principal source, target;
+#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
OM_uint32 flags;
enum { LOCAL = 1, OPEN = 2,
COMPAT_OLD_DES3 = 4,
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index 00f2543833..7a97b6262c 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.72 2006/10/24 23:03:19 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.73 2006/11/07 17:40:01 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -549,18 +549,18 @@ failure:
static OM_uint32
repl_mutual
- (OM_uint32 * minor_status,
- gsskrb5_ctx ctx,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec
- )
+(OM_uint32 * minor_status,
+ gsskrb5_ctx ctx,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+ )
{
OM_uint32 ret;
krb5_error_code kret;
@@ -574,7 +574,7 @@ repl_mutual
if (actual_mech_type)
*actual_mech_type = GSS_KRB5_MECHANISM;
- if (req_flags & GSS_C_DCE_STYLE) {
+ if (ctx->flags & GSS_C_DCE_STYLE) {
/* There is no OID wrapping. */
indata.length = input_token->length;
indata.data = input_token->value;
@@ -619,8 +619,8 @@ repl_mutual
*minor_status = 0;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
- ctx->lifetime,
- time_rec);
+ ctx->lifetime,
+ time_rec);
} else {
ret = GSS_S_COMPLETE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
index 0b46cc5495..ee4210d74a 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: inquire_sec_context_by_oid.c,v 1.8 2006/10/24 15:55:28 lha Exp $");
+RCSID("$Id: inquire_sec_context_by_oid.c,v 1.11 2006/11/07 14:34:35 lha Exp $");
static int
oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
@@ -149,6 +149,11 @@ static OM_uint32 inquire_sec_context_get_subkey
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret)
goto out;
+ if (key == NULL) {
+ _gsskrb5_set_status("have no subkey of type %d", keytype);
+ ret = EINVAL;
+ goto out;
+ }
ret = krb5_store_keyblock(sp, *key);
krb5_free_keyblock (_gsskrb5_context, key);
@@ -400,6 +405,7 @@ get_authtime(OM_uint32 *minor_status,
{
gss_buffer_desc value;
+ unsigned char buf[4];
OM_uint32 authtime;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -414,14 +420,9 @@ get_authtime(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- value.length = 4;
- value.value = malloc(value.length);
- if (!value.value) {
- _gsskrb5_clear_status();
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- _gsskrb5_encode_om_uint32(authtime, value.value);
+ _gsskrb5_encode_om_uint32(authtime, buf);
+ value.length = sizeof(buf);
+ value.value = buf;
return gss_add_buffer_set_member(minor_status,
&value,
diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
index 67f5e8e722..fb098679b2 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
@@ -36,7 +36,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: set_sec_context_option.c,v 1.6 2006/10/20 18:58:22 lha Exp $");
+RCSID("$Id: set_sec_context_option.c,v 1.7 2006/11/04 03:01:14 lha Exp $");
static OM_uint32
get_bool(OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c
index 8514137999..ebbc975b8a 100644
--- a/source4/heimdal/lib/gssapi/krb5/wrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/wrap.c
@@ -103,7 +103,6 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5_set_status("No token key available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
- _gsskrb5_clear_status();
return 0;
}
generated by cgit (git 2.34.1) at 2024-07-28 15:40:51 +0000