Diffstat (limited to 'source4/heimdal/lib')
-rw-r--r-- | source4/heimdal/lib/gssapi/accept_sec_context.c | 667 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/copy_ccache.c | 19 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi.h | 4 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/init_sec_context.c | 18 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-protos.h | 13 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_rep.c | 146 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_req.c | 20 | ||||
-rw-r--r-- | source4/heimdal/lib/roken/roken-common.h | 31 |
8 files changed, 495 insertions, 423 deletions
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c index 2ba2415112..7412d84eb0 100644 --- a/source4/heimdal/lib/gssapi/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/accept_sec_context.c 
@@ -274,215 +274,224 @@ gsskrb5_acceptor_ready( return GSS_S_COMPLETE; } - static OM_uint32 -gsskrb5_acceptor_start( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) +gsskrb5_acceptor_start + (OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle + ) { - krb5_error_code kret; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data indata; - krb5_flags ap_options; - OM_uint32 flags; - krb5_ticket *ticket = NULL; - krb5_keytab keytab = NULL; - krb5_keyblock *keyblock = NULL; - int no_wrap = 0; - - /* - * TODO: check the channel_bindings - */ - - /* - * We need a sequence number - */ - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); - - /* - * We need remove the decapsulate only when GSS_C_DCE_STYLE isn't in use - */ - ret = gssapi_krb5_decapsulate(minor_status, - input_token,&indata, - "\x01\x00", - GSS_KRB5_MECHANISM); - if (ret) { - /* No OID wrapping apparently available. 
*/ - no_wrap = 1; - indata.length = input_token->length; - indata.data = input_token->value; - } + krb5_error_code kret; + OM_uint32 ret = GSS_S_COMPLETE; + krb5_data indata; + krb5_flags ap_options; + OM_uint32 flags; + krb5_ticket *ticket = NULL; + krb5_keytab keytab = NULL; + krb5_keyblock *keyblock = NULL; + krb5_data fwd_data; + int is_cfx = 0; + + krb5_data_zero (&fwd_data); + + /* + * We may, or may not, have an escapsulation. + */ + ret = gssapi_krb5_decapsulate (minor_status, + input_token_buffer, + &indata, + "\x01\x00", + GSS_KRB5_MECHANISM); - /* - * We need to get our keytab - */ - if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gssapi_krb5_keytab != NULL) { - keytab = gssapi_krb5_keytab; - } - } else { - keytab = acceptor_cred_handle->keytab; - } + if (ret) { + /* No OID wrapping apparently available. */ + indata.length = input_token_buffer->length; + indata.data = input_token_buffer->value; + } - /* - * We need to check the ticket and create the AP-REP packet - */ - kret = krb5_rd_req_return_keyblock(gssapi_krb5_context, - &(*context_handle)->auth_context, - &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred_handle->principal, - keytab, - &ap_options, - &ticket, - &keyblock); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; + /* + * We need to get our keytab + */ + if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { + if (gssapi_krb5_keytab != NULL) { + keytab = gssapi_krb5_keytab; } + } else if (acceptor_cred_handle->keytab != NULL) { + keytab = acceptor_cred_handle->keytab; + } + + /* + * We need to check the ticket and create the AP-REP packet + */ + kret = krb5_rd_req_return_keyblock(gssapi_krb5_context, + &(*context_handle)->auth_context, + &indata, + (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? 
NULL : acceptor_cred_handle->principal, + keytab, + &ap_options, + &ticket, + &keyblock); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + return ret; + } + + /* + * We need to remember some data on the context_handle + */ + (*context_handle)->ticket = ticket; + (*context_handle)->service_keyblock = keyblock; + (*context_handle)->lifetime = ticket->ticket.endtime; + + /* + * We need to copy the principal names to the context and the calling layer + */ + kret = krb5_copy_principal(gssapi_krb5_context, + ticket->client, + &(*context_handle)->source); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + } - /* - * We need to remember some data on the context_handle - */ - (*context_handle)->ticket = ticket; - (*context_handle)->service_keyblock = keyblock; - (*context_handle)->lifetime = ticket->ticket.endtime; - - /* - * We need to copy the principal names to the context and the calling layer - */ - kret = krb5_copy_principal(gssapi_krb5_context, - ticket->client, - &(*context_handle)->source); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } + kret = krb5_copy_principal (gssapi_krb5_context, + ticket->server, + &(*context_handle)->target); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + return ret; + } + + /* + * We need to setup some compat stuff, this assumes that context_handle->target is already set + */ + ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); + if (ret) { + return ret; + } - kret = krb5_copy_principal(gssapi_krb5_context, - ticket->server, - &(*context_handle)->target); + if (src_name != NULL) { + kret = krb5_copy_principal (gssapi_krb5_context, + ticket->client, + src_name); if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; + ret = GSS_S_FAILURE; + *minor_status = kret; + 
gssapi_krb5_set_error_string (); + return ret; } + } - /* - * We need to setup some compat stuff, this assumes that context_handle->target is already set - */ - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) return ret; - - /* - * We need to get the flags out of the 8003 checksum - */ - { - krb5_authenticator authenticator; - - kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, + /* + * We need to get the flags out of the 8003 checksum + */ + { + krb5_authenticator authenticator; + + kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, (*context_handle)->auth_context, &authenticator); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - - ret = gssapi_krb5_verify_8003_checksum(minor_status, - input_chan_bindings, - authenticator->cksum, - &flags, - &(*context_handle)->fwd_data); - krb5_free_authenticator(gssapi_krb5_context, &authenticator); - if (ret) return ret; - } - - /* And remember them for later */ - (*context_handle)->flags = flags; - - if(flags & GSS_C_MUTUAL_FLAG) { - int is_cfx = 0; - krb5_data outbuf; - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { - kret = krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); - (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; - } - - kret = krb5_mk_rep(gssapi_krb5_context, - (*context_handle)->auth_context, - &outbuf); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - - if (!(flags & GSS_C_DCE_STYLE)) { - ret = gssapi_krb5_encapsulate(minor_status, - &outbuf, - output_token, - "\x02\x00", - GSS_KRB5_MECHANISM); - krb5_data_free (&outbuf); - if (ret) return ret; - } else { - output_token->length = outbuf.length; - output_token->value = outbuf.data; - } + if(kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + gssapi_krb5_set_error_string (); + return ret; } 
- /* - * We need to set the return value for the calling layer - */ - if (ret_flags) *ret_flags = flags; - - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - if (ret) return ret; - } + ret = gssapi_krb5_verify_8003_checksum(minor_status, + input_chan_bindings, + authenticator->cksum, + &flags, + &fwd_data); + krb5_free_authenticator(gssapi_krb5_context, &authenticator); + if (ret) + if (ret) return ret; + } + + if(flags & GSS_C_MUTUAL_FLAG) { + krb5_data outbuf; + + gsskrb5_is_cfx(*context_handle, &is_cfx); + + if (is_cfx != 0 + || (ap_options & AP_OPTS_USE_SUBKEY)) { + kret = krb5_auth_con_addflags(gssapi_krb5_context, + (*context_handle)->auth_context, + KRB5_AUTH_CONTEXT_USE_SUBKEY, + NULL); + (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; + } + + kret = krb5_mk_rep(gssapi_krb5_context, + (*context_handle)->auth_context, + &outbuf); + if (kret) { + *minor_status = kret; + gssapi_krb5_set_error_string (); + return GSS_S_FAILURE; + } + + if (!(flags & GSS_C_DCE_STYLE)) { + ret = gssapi_krb5_encapsulate(minor_status, + &outbuf, + output_token, + "\x02\x00", + GSS_KRB5_MECHANISM); + krb5_data_free (&outbuf); + if (ret) return ret; + } else { + output_token->length = outbuf.length; + output_token->value = outbuf.data; + } + } + + /* + * We need to send the flags back to the caller + */ + flags |= GSS_C_TRANS_FLAG; - if (src_name) { - kret = krb5_copy_principal(gssapi_krb5_context, - (*context_handle)->source, - src_name); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - } + if (ret_flags) + *ret_flags = flags; + + /* And remember them for later */ + + (*context_handle)->lifetime = ticket->ticket.endtime; + (*context_handle)->flags = flags; + (*context_handle)->more_flags |= OPEN; + + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + if (ret) + if 
(ret) return ret; + } - /* - * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client - */ - if (flags & GSS_C_DCE_STYLE) { - (*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE; - return GSS_S_CONTINUE_NEEDED; - } + /* + * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client + */ + if (flags & GSS_C_DCE_STYLE) { + (*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE; + return GSS_S_CONTINUE_NEEDED; + } - return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); + return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); } static OM_uint32 @@ -490,7 +499,7 @@ gsskrb5_acceptor_wait_for_dcestyle( OM_uint32 * minor_status, gss_ctx_id_t * context_handle, const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token, + const gss_buffer_t input_token_buffer, const gss_channel_bindings_t input_chan_bindings, gss_name_t * src_name, gss_OID * mech_type, @@ -506,8 +515,8 @@ gsskrb5_acceptor_wait_for_dcestyle( OM_uint32 l_seq_number; /* We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP */ - inbuf.length = input_token->length; - inbuf.data = input_token->value; + inbuf.length = input_token_buffer->length; + inbuf.data = input_token_buffer->value; /* * We need to remeber the old remote seq_number, then check if the client has replied with our local seq_number, 
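Review bot: The failure branch after the first krb5_copy_principal in gsskrb5_acceptor_start (ticket->client into (*context_handle)->source) sets ret and *minor_status but no longer returns, so execution falls through to the ticket->server copy and to _gss_DES3_get_mic_compat, both of which overwrite ret and hide the error while source is left unset; add `return ret;` inside that block, as the server-copy branch directly below it does. In the same hunk the forwarded-credential data from gssapi_krb5_verify_8003_checksum now lands in the local `fwd_data` rather than (*context_handle)->fwd_data, and nothing in the hunk stores or frees it, so delegated credentials appear to be dropped and the buffer leaked at return unless gsskrb5_acceptor_ready obtains them from somewhere else outside this hunk. The doubled guards `if (ret) if (ret) return ret;` after the checksum verification and in the time_rec branch should collapse to `if (ret) return ret;`.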
@@ -547,18 +556,41 @@ gsskrb5_acceptor_wait_for_dcestyle( */ { krb5_ap_rep_enc_part *repl; + int32_t auth_flags; + + kret = krb5_auth_con_removeflags(gssapi_krb5_context, + (*context_handle)->auth_context, + KRB5_AUTH_CONTEXT_DO_TIME, &auth_flags); + if (kret) { /* Can't happen */ + gssapi_krb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } - kret = _krb5_rd_rep_type(gssapi_krb5_context, - (*context_handle)->auth_context, - &inbuf, - &repl, - TRUE); + kret = krb5_rd_rep(gssapi_krb5_context, + (*context_handle)->auth_context, + &inbuf, + &repl); if (kret) { gssapi_krb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } + + /* Because the inbuf above is a final leg from client + * to server, we don't have a use for a 'reply' + * here */ krb5_free_ap_rep_enc_part(gssapi_krb5_context, repl); + + /* Do no harm, put the flags back */ + kret = krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + auth_flags); + if (kret) { /* Can't happen */ + gssapi_krb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } } /* We need to check the liftime */ @@ -598,7 +630,7 @@ gsskrb5_acceptor_wait_for_dcestyle( */ { OM_uint32 tmp_r_seq_number; - OM_uint32 l_seq_number; + OM_uint32 tmp_l_seq_number; kret = krb5_auth_getremoteseqnumber(gssapi_krb5_context, (*context_handle)->auth_context, @@ -611,7 +643,7 @@ gsskrb5_acceptor_wait_for_dcestyle( kret = krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, (*context_handle)->auth_context, - &l_seq_number); + &tmp_l_seq_number); if (kret) { gssapi_krb5_set_error_string (); *minor_status = kret; @@ -621,7 +653,7 @@ gsskrb5_acceptor_wait_for_dcestyle( /* * Here we check if the client has responsed with our local seq_number, */ - if (tmp_r_seq_number != l_seq_number) { + if (tmp_r_seq_number != tmp_l_seq_number) { return GSS_S_UNSEQ_TOKEN; } } 
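Review bot: The krb5_rd_rep failure path in gsskrb5_acceptor_wait_for_dcestyle returns before the "put the flags back" krb5_auth_con_setflags call, so on a bad final AP-REP the auth context keeps KRB5_AUTH_CONTEXT_DO_TIME cleared even though the caller still holds that context (gsskrb5_accept_sec_context only deletes contexts it created in the same call). Restore auth_flags before that return as well, or route both exits through one cleanup path. The reason for clearing DO_TIME around the call is also undocumented; assuming the intent is to skip krb5_rd_rep's ctime/cusec comparison because this AP-REP carries the client's timestamps, a comment such as `/* Skip krb5_rd_rep's timestamp check for this leg; the seq-number comparison below binds the reply */` would save the next reader a trip through rd_rep.c. The body of gsskrb5_acceptor_wait_for_dcestyle continues outside the hunk.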
@@ -645,73 +677,102 @@ gsskrb5_acceptor_wait_for_dcestyle( } static OM_uint32 -gsskrb5_accept_sec_context( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) +gsskrb5_accept_sec_context + (OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle + ) { - OM_uint32 ret; - - if (*context_handle == GSS_C_NO_CONTEXT) { - ret = _gsskrb5_create_ctx(minor_status, - context_handle, - input_chan_bindings, - ACCEPTOR_START); - if (ret) return ret; - } + OM_uint32 ret = GSS_S_COMPLETE; + krb5_data fwd_data; + gss_ctx_id_t local_context; - if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; + GSSAPI_KRB5_INIT(); - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); + krb5_data_zero (&fwd_data); + output_token->length = 0; + output_token->value = NULL; + + if (src_name != NULL) + *src_name = NULL; + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (*context_handle == GSS_C_NO_CONTEXT) { + ret = _gsskrb5_create_ctx(minor_status, + &local_context, + input_chan_bindings, + ACCEPTOR_START); + if (ret) return ret; + } else { + local_context = *context_handle; + } + + /* + * TODO: check the channel_bindings + * (above just sets them to krb5 layer) + */ - switch ((*context_handle)->state) { - case ACCEPTOR_START: - ret = gsskrb5_acceptor_start(minor_status, - context_handle, - acceptor_cred_handle, - input_token, - input_chan_bindings, - src_name, - 
actual_mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_WAIT_FOR_DCESTYLE: - ret = gsskrb5_acceptor_wait_for_dcestyle(minor_status, - context_handle, - acceptor_cred_handle, - input_token, - input_chan_bindings, - src_name, - actual_mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_READY: - /* this function should not be called after it has returned GSS_S_COMPLETE */ - ret = GSS_S_BAD_STATUS; - break; - default: - /* TODO: is this correct here? --metze */ - ret = GSS_S_BAD_STATUS; - break; + HEIMDAL_MUTEX_lock(&(local_context)->ctx_id_mutex); + + switch ((local_context)->state) { + case ACCEPTOR_START: + ret = gsskrb5_acceptor_start(minor_status, + &local_context, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + break; + case ACCEPTOR_WAIT_FOR_DCESTYLE: + ret = gsskrb5_acceptor_wait_for_dcestyle(minor_status, + &local_context, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + break; + case ACCEPTOR_READY: + /* this function should not be called after it has returned GSS_S_COMPLETE */ + ret = GSS_S_BAD_STATUS; + break; + default: + /* TODO: is this correct here? --metze */ + ret = GSS_S_BAD_STATUS; + break; + } + + HEIMDAL_MUTEX_unlock(&(local_context)->ctx_id_mutex); + + if (*context_handle == GSS_C_NO_CONTEXT) { + if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { + *context_handle = local_context; + } else { + gss_delete_sec_context(minor_status, + &local_context, + NULL); } + } - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - - return ret; + return ret; } static OM_uint32 
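Review bot: On the failure path for a freshly created context, `gss_delete_sec_context(minor_status, &local_context, NULL)` receives the caller's minor_status and will most likely overwrite the Kerberos error code that gsskrb5_acceptor_start just stored there with its own value; pass a scratch variable instead, e.g. `OM_uint32 junk; gss_delete_sec_context(&junk, &local_context, NULL);`. The local `fwd_data` in gsskrb5_accept_sec_context is declared and zeroed but never used and can be dropped. `*src_name = NULL` would read better as `*src_name = GSS_C_NO_NAME;`, matching the line this commit removes from gss_accept_sec_context.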
@@ -1065,53 +1126,45 @@ gss_accept_sec_context gss_cred_id_t * delegated_cred_handle ) { + OM_uint32 ret; ssize_t mech_len; const u_char *p; *minor_status = 0; - if (src_name) *src_name = GSS_C_NO_NAME; - if (mech_type) *mech_type = GSS_C_NO_OID; - - output_token->length = 0; - output_token->value = NULL; - - if (ret_flags) *ret_flags = 0; - if (time_rec) *time_rec = 0; - if (delegated_cred_handle) *delegated_cred_handle = NULL; - - mech_len = gssapi_krb5_get_mech(input_token_buffer->value, - input_token_buffer->length, - &p); - - /* This could be 'dce style' kerberos, where the OID is missing :-( */ - if ((mech_len < 0) || (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_len) == 0)) { - return gsskrb5_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - } else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_len) == 0) { - return spnego_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - } - + mech_len = gssapi_krb5_get_mech (input_token_buffer->value, + input_token_buffer->length, + &p); + + /* This could be 'dce style' kerberos, where the OID is missing :-( */ + if ((mech_len < 0) || ((mech_len == GSS_KRB5_MECHANISM->length) + && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_len) == 0)) + ret = gsskrb5_accept_sec_context(minor_status, + context_handle, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + else if (mech_len == GSS_SPNEGO_MECHANISM->length + && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_len) == 0) + ret = 
spnego_accept_sec_context(minor_status, + context_handle, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + else return GSS_S_BAD_MECH; + + return ret; } diff --git a/source4/heimdal/lib/gssapi/copy_ccache.c b/source4/heimdal/lib/gssapi/copy_ccache.c index 4f2b3f4895..828ca64156 100644 --- a/source4/heimdal/lib/gssapi/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/copy_ccache.c @@ -105,6 +105,25 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + time_t *authtime) +{ + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + if (context_handle->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + *authtime = context_handle->ticket->ticket.authtime; + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + OM_uint32 gss_krb5_copy_service_keyblock (OM_uint32 *minor_status, gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index 5712581d3f..4ee988b020 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h @@ -809,6 +809,10 @@ gsskrb5_extract_authz_data_from_sec_context int /*ad_type*/, gss_buffer_t /*ad_data*/); OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + time_t *authtime); +OM_uint32 gsskrb5_get_initiator_subkey (OM_uint32 * /*minor_status*/, const gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c index 6a80934e46..5c6c6a0f8e 100644 --- a/source4/heimdal/lib/gssapi/init_sec_context.c 
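Review bot: The initialisation of `*ret_flags`, `*time_rec`, `*delegated_cred_handle` and output_token removed from gss_accept_sec_context is only partly replaced: gsskrb5_accept_sec_context resets output_token, src_name and mech_type, but ret_flags, time_rec and delegated_cred_handle are now written only on the success path, so a caller that inspects them after a GSS_S_FAILURE (for instance to free *delegated_cred_handle) sees indeterminate values. The spnego_accept_sec_context path gets none of these resets unless it performs them itself, which this hunk does not show. Restoring `if (ret_flags) *ret_flags = 0;`, `if (time_rec) *time_rec = 0;` and `if (delegated_cred_handle) *delegated_cred_handle = NULL;` ahead of the dispatch keeps every output defined on every return path.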
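Review bot: gsskrb5_extract_authtime_from_sec_context locks `context_handle->ctx_id_mutex` without first rejecting GSS_C_NO_CONTEXT, so a caller passing no context dereferences NULL before any status is set; a guard `if (context_handle == GSS_C_NO_CONTEXT) { *minor_status = EINVAL; return GSS_S_FAILURE; }` ahead of the lock keeps it consistent with the ticket == NULL branch. The new public entry point also has no header comment; a short one stating that it returns the authtime of the ticket accepted on this context and fails with EINVAL when the context holds no ticket would serve the prototype added in gssapi.h as well.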
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c @@ -147,6 +147,15 @@ _gsskrb5_create_ctx( return GSS_S_BAD_BINDINGS; } + /* + * We need a sequence number + */ + + krb5_auth_con_addflags(gssapi_krb5_context, + (*context_handle)->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE, + NULL); + return GSS_S_COMPLETE; } @@ -388,15 +397,6 @@ gsskrb5_initiator_start ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); if (ret) return ret; - /* - * We need a sequence number - */ - - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); - /* We need the key and a random local subkey */ { kret = krb5_auth_con_setkey(gssapi_krb5_context, diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index cc619314a3..97f286b83e 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -2378,6 +2378,12 @@ krb5_parse_name ( krb5_principal */*principal*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_parse_name_mustrealm ( + krb5_context /*context*/, + const char */*name*/, + krb5_principal */*principal*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_name_norealm ( krb5_context /*context*/, const char */*name*/, @@ -3436,13 +3442,6 @@ krb5_write_safe_message ( krb5_error_code KRB5_LIB_FUNCTION krb5_xfree (void */*ptr*/); -krb5_error_code -parse_name ( - krb5_context /*context*/, - const char */*name*/, - krb5_boolean /*short_form*/, - krb5_principal */*principal*/); - #ifdef __cplusplus } #endif diff --git a/source4/heimdal/lib/krb5/rd_rep.c b/source4/heimdal/lib/krb5/rd_rep.c index a92eea5c04..53138d9f45 100644 --- a/source4/heimdal/lib/krb5/rd_rep.c +++ b/source4/heimdal/lib/krb5/rd_rep.c 
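Review bot: The krb5_auth_con_addflags call moved into _gsskrb5_create_ctx still discards its return value, and every context (initiator and acceptor alike) now depends on KRB5_AUTH_CONTEXT_DO_SEQUENCE actually being set; if the call can report an error, check it and fail context creation, e.g. `kret = krb5_auth_con_addflags(...); if (kret) { *minor_status = kret; return GSS_S_FAILURE; }`, rather than continuing silently without sequence numbers. Only the tail of _gsskrb5_create_ctx is visible in the hunk, so whether a `kret` local already exists there cannot be told from here.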
@@ -36,94 +36,80 @@ RCSID("$Id: rd_rep.c,v 1.25 2005/06/17 07:49:33 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION -_krb5_rd_rep_type(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *inbuf, - krb5_ap_rep_enc_part **repl, - krb5_boolean dce_style_response) +krb5_rd_rep(krb5_context context, + krb5_auth_context auth_context, + const krb5_data *inbuf, + krb5_ap_rep_enc_part **repl) { - krb5_error_code ret; - AP_REP ap_rep; - size_t len; - krb5_data data; - krb5_crypto crypto; + krb5_error_code ret; + AP_REP ap_rep; + size_t len; + krb5_data data; + krb5_crypto crypto; - krb5_data_zero (&data); - ret = 0; + krb5_data_zero (&data); + ret = 0; - ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len); - if (ret) - return ret; - if (ap_rep.pvno != 5) { - ret = KRB5KRB_AP_ERR_BADVERSION; - krb5_clear_error_string (context); - goto out; - } - if (ap_rep.msg_type != krb_ap_rep) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string (context); - goto out; - } + ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len); + if (ret) + return ret; + if (ap_rep.pvno != 5) { + ret = KRB5KRB_AP_ERR_BADVERSION; + krb5_clear_error_string (context); + goto out; + } + if (ap_rep.msg_type != krb_ap_rep) { + ret = KRB5KRB_AP_ERR_MSG_TYPE; + krb5_clear_error_string (context); + goto out; + } - ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); - if (ret) - goto out; - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_AP_REQ_ENC_PART, - &ap_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - if (ret) - goto out; + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + if (ret) + goto out; + ret = krb5_decrypt_EncryptedData (context, + crypto, + KRB5_KU_AP_REQ_ENC_PART, + &ap_rep.enc_part, + &data); + krb5_crypto_destroy(context, crypto); + if (ret) + goto out; - *repl = malloc(sizeof(**repl)); - if (*repl == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of 
memory"); - goto out; - } - ret = krb5_decode_EncAPRepPart(context, - data.data, - data.length, - *repl, - &len); - if (ret) - return ret; - - if (!dce_style_response) { - if ((*repl)->ctime != auth_context->authenticator->ctime || - (*repl)->cusec != auth_context->authenticator->cusec) { - ret = KRB5KRB_AP_ERR_MUT_FAIL; - krb5_set_error_string (context, "Mutual authentication failed: Timestamps mismatch"); - goto out; - } - } - if ((*repl)->seq_number) - krb5_auth_con_setremoteseqnumber(context, auth_context, - *((*repl)->seq_number)); - if ((*repl)->subkey) - krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey); + *repl = malloc(sizeof(**repl)); + if (*repl == NULL) { + ret = ENOMEM; + krb5_set_error_string (context, "malloc: out of memory"); + goto out; + } + ret = krb5_decode_EncAPRepPart(context, + data.data, + data.length, + *repl, + &len); + if (ret) + return ret; + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + if ((*repl)->ctime != auth_context->authenticator->ctime || + (*repl)->cusec != auth_context->authenticator->cusec) { + ret = KRB5KRB_AP_ERR_MUT_FAIL; + krb5_clear_error_string (context); + goto out; + } + } + if ((*repl)->seq_number) + krb5_auth_con_setremoteseqnumber(context, auth_context, + *((*repl)->seq_number)); + if ((*repl)->subkey) + krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey); -out: - krb5_data_free (&data); - free_AP_REP (&ap_rep); - return ret; + out: + krb5_data_free (&data); + free_AP_REP (&ap_rep); + return ret; } -krb5_error_code KRB5_LIB_FUNCTION -krb5_rd_rep(krb5_context context, - krb5_auth_context auth_context, - const krb5_data *inbuf, - krb5_ap_rep_enc_part **repl) -{ - return _krb5_rd_rep_type(context, - auth_context, - inbuf, - repl, - FALSE); -} - void KRB5_LIB_FUNCTION krb5_free_ap_rep_enc_part (krb5_context context, krb5_ap_rep_enc_part *val) diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 30ad08bd82..66172c10fb 100644 
--- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.57 2005/01/08 20:41:17 lha Exp $"); +RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -136,6 +136,10 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) int num_realms; krb5_error_code ret; + /* Windows w2k and w2k3 uses this */ + if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) + return 0; + if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) return KRB5KDC_ERR_TRTYPE_NOSUPP; @@ -561,6 +565,7 @@ krb5_rd_req_return_keyblock(krb5_context context, krb5_error_code ret; krb5_ap_req ap_req; krb5_principal service = NULL; + krb5_keyblock *local_keyblock; if (*auth_context == NULL) { ret = krb5_auth_con_init(context, auth_context); @@ -592,13 +597,13 @@ krb5_rd_req_return_keyblock(krb5_context context, &ap_req, server, keytab, - keyblock); + &local_keyblock); if(ret) goto out; } else { ret = krb5_copy_keyblock(context, (*auth_context)->keyblock, - keyblock); + &local_keyblock); if (ret) goto out; } @@ -607,17 +612,20 @@ krb5_rd_req_return_keyblock(krb5_context context, auth_context, &ap_req, server, - *keyblock, + local_keyblock, 0, ap_req_options, ticket); + if (ret) { + krb5_free_keyblock(context, local_keyblock); + } else { + *keyblock = local_keyblock; + } out: free_AP_REQ(&ap_req); if(service) krb5_free_principal(context, service); - if (ret) - krb5_free_keyblock(context, *keyblock); return ret; } diff --git a/source4/heimdal/lib/roken/roken-common.h b/source4/heimdal/lib/roken/roken-common.h index d85d55f433..c4ba2edb7c 100644 --- a/source4/heimdal/lib/roken/roken-common.h +++ b/source4/heimdal/lib/roken/roken-common.h 
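Review bot: The early return added to check_transited is safe only because both conditions hold at once — tr_type 0 and an empty contents — meaning there are no transited realms to validate, but the comment names the producer and not the reason, which matters for a check that otherwise rejects unknown tr_type values. Suggest `/* Empty transited field (tr_type 0, no contents): no realms to check. Windows 2000/2003 KDCs emit this. */`. In krb5_rd_req_return_keyblock, `krb5_keyblock *local_keyblock = NULL;` would make the later free/assign block obviously safe and avoid a maybe-uninitialised warning, although no path in the hunk reads it before it is set.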
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: roken-common.h,v 1.61 2005/07/07 05:03:30 lha Exp $ */ +/* $Id: roken-common.h,v 1.62 2005/09/01 18:47:35 lha Exp $ */ #ifndef __ROKEN_COMMON_H__ #define __ROKEN_COMMON_H__ @@ -312,43 +312,46 @@ ewrite (int fd, const void *buf, size_t nbytes); struct hostent; const char * ROKEN_LIB_FUNCTION -hostent_find_fqdn (const struct hostent *he); +hostent_find_fqdn (const struct hostent *); void ROKEN_LIB_FUNCTION -esetenv(const char *var, const char *val, int rewrite); +esetenv(const char *, const char *, int); void ROKEN_LIB_FUNCTION -socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port); +socket_set_address_and_port (struct sockaddr *, const void *, int); size_t ROKEN_LIB_FUNCTION -socket_addr_size (const struct sockaddr *sa); +socket_addr_size (const struct sockaddr *); void ROKEN_LIB_FUNCTION -socket_set_any (struct sockaddr *sa, int af); +socket_set_any (struct sockaddr *, int); size_t ROKEN_LIB_FUNCTION -socket_sockaddr_size (const struct sockaddr *sa); +socket_sockaddr_size (const struct sockaddr *); void * ROKEN_LIB_FUNCTION -socket_get_address (struct sockaddr *sa); +socket_get_address (struct sockaddr *); int ROKEN_LIB_FUNCTION -socket_get_port (const struct sockaddr *sa); +socket_get_port (const struct sockaddr *); void ROKEN_LIB_FUNCTION -socket_set_port (struct sockaddr *sa, int port); +socket_set_port (struct sockaddr *, int); void ROKEN_LIB_FUNCTION -socket_set_portrange (int sock, int restr, int af); +socket_set_portrange (int, int, int); void ROKEN_LIB_FUNCTION -socket_set_debug (int sock); +socket_set_debug (int); void ROKEN_LIB_FUNCTION -socket_set_tos (int sock, int tos); +socket_set_tos (int, int); void ROKEN_LIB_FUNCTION -socket_set_reuseaddr (int sock, int val); +socket_set_reuseaddr (int, int); + +void ROKEN_LIB_FUNCTION +socket_set_ipv6only (int, int); char ** ROKEN_LIB_FUNCTION vstrcollect(va_list *ap); |
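Review bot: The prototypes in roken-common.h lose their parameter names (`socket_set_portrange (int, int, int);` and the like), which leaves the two-int and three-int signatures indistinguishable at the declaration site; keeping names in prototypes, `socket_set_portrange (int sock, int restr, int af);`, costs nothing and documents the call. The new `socket_set_ipv6only (int, int);` would benefit the same way, e.g. `socket_set_ipv6only (int sock, int val);`.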