Diffstat (limited to 'source4/heimdal')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 25 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/accept_sec_context.c | 106 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/acquire_cred.c | 50 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/arcfour.c | 8 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/copy_ccache.c | 123 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi.h | 21 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi_locl.h | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/init_sec_context.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/release_cred.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/db.c | 6 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb-protos.h | 4 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/ndbm.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/cache.c | 37 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/get_for_creds.c | 22 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/keytab.c | 36 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-private.h | 17 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-protos.h | 12 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_cred.c | 2 |
18 files changed, 258 insertions, 219 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 565c7478f9..6f6203a92c 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.177 2005/06/15 11:34:53 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.198 2005/11/28 20:33:57 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -666,8 +666,7 @@ _kdc_check_flags(krb5_context context, starttime_str, sizeof(starttime_str), TRUE); kdc_log(context, config, 0, "Client not yet valid until %s -- %s", - starttime_str, - client_name); + starttime_str, client_name); return KRB5KDC_ERR_CLIENT_NOTYET; } @@ -676,7 +675,8 @@ _kdc_check_flags(krb5_context context, krb5_format_time(context, *client->valid_end, endtime_str, sizeof(endtime_str), TRUE); kdc_log(context, config, 0, - "Client expired at %s -- %s", endtime_str, client_name); + "Client expired at %s -- %s", + endtime_str, client_name); return KRB5KDC_ERR_NAME_EXP; } @@ -686,7 +686,8 @@ _kdc_check_flags(krb5_context context, krb5_format_time(context, *client->pw_end, pwend_str, sizeof(pwend_str), TRUE); kdc_log(context, config, 0, - "Client's key has expired at %s -- %s", pwend_str, client_name); + "Client's key has expired at %s -- %s", + pwend_str, client_name); return KRB5KDC_ERR_KEY_EXPIRED; } } @@ -717,7 +718,8 @@ _kdc_check_flags(krb5_context context, krb5_format_time(context, *server->valid_start, starttime_str, sizeof(starttime_str), TRUE); kdc_log(context, config, 0, - "Server not yet valid until %s -- %s", server_name); + "Server not yet valid until %s -- %s", + starttime_str, server_name); return KRB5KDC_ERR_SERVICE_NOTYET; } 
@@ -1099,11 +1101,12 @@ _kdc_as_rep(krb5_context context, pa->padata_value.data = NULL; #endif - /* RFC4120 requires: - - If the client only knows about old enctypes, then send both info replies - (we send 'info' first in the list). - - If the client is 'modern', because it knows about 'new' enc types, then - only send the 'info2' reply. + /* + * RFC4120 requires: + * - If the client only knows about old enctypes, then send + * both info replies (we send 'info' first in the list). + * - If the client is 'modern', because it knows about 'new' + * enctype types, then only send the 'info2' reply. */ /* XXX check ret */ if (only_older_enctype_p(req)) diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c index 5d43cdcb43..9ca60a6cdd 100644 --- a/source4/heimdal/lib/gssapi/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/accept_sec_context.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: accept_sec_context.c,v 1.53 2005/05/29 15:12:41 lha Exp $"); +RCSID("$Id: accept_sec_context.c,v 1.55 2005/11/25 15:57:35 lha Exp $"); HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab gssapi_krb5_keytab; 
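Review bot: The rewrapped comment introduces a redundancy, `'new' enctype types`, where the old text read `'new' enc types`; the rest of the comment uses `enctypes`, so the line should read ` * - If the client is 'modern', because it knows about 'new' enctypes, then only send the 'info2' reply.` The `/* XXX check ret */` marker survives the rewrap, which suggests the `only_older_enctype_p(req)` branch that follows still ignores an error return; if that is deliberate, a one-line comment saying why would be worth more than the XXX. That branch body and the rest of `_kdc_as_rep` lie outside the hunk, so this cannot be confirmed here.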
@@ -125,66 +125,24 @@ gsskrb5_accept_delegated_token krb5_principal principal = (*context_handle)->source; krb5_ccache ccache = NULL; krb5_error_code kret; - int32_t ac_flags, ret; - gss_cred_id_t handle = NULL; + int32_t ac_flags, ret = GSS_S_COMPLETE; - if (delegated_cred_handle == NULL) { - /* XXX Create a new delegated_cred_handle? */ - - ret = 0; + *minor_status = 0; + /* XXX Create a new delegated_cred_handle? */ + if (delegated_cred_handle == NULL) kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - } else { - - *delegated_cred_handle = NULL; - - handle = calloc(1, sizeof(*handle)); - if (handle == NULL) { - ret = GSS_S_FAILURE; - *minor_status = ENOMEM; - krb5_set_error_string(gssapi_krb5_context, "out of memory"); - gssapi_krb5_set_error_string(); - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - if ((ret = gss_duplicate_name(minor_status, principal, - &handle->principal)) != 0) { - *flags &= ~GSS_C_DELEG_FLAG; - ret = 0; - goto end_fwd; - } - kret = krb5_cc_gen_new (gssapi_krb5_context, - &krb5_mcc_ops, - &handle->ccache); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - ret = 0; - goto end_fwd; - } - ccache = handle->ccache; - - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } + else + kret = krb5_cc_gen_new (gssapi_krb5_context, &krb5_mcc_ops, &ccache); + if (kret) { + *flags &= ~GSS_C_DELEG_FLAG; + goto out; } kret = krb5_cc_initialize(gssapi_krb5_context, ccache, principal); if (kret) { *flags &= ~GSS_C_DELEG_FLAG; - ret = 0; - goto end_fwd; + goto out; } krb5_auth_con_removeflags(gssapi_krb5_context, 
@@ -204,29 +162,29 @@ gsskrb5_accept_delegated_token *flags &= ~GSS_C_DELEG_FLAG; ret = GSS_S_FAILURE; *minor_status = kret; - goto end_fwd; + goto out; } - end_fwd: - /* if there was some kind of failure, clean up internal structures */ - if ((*flags & GSS_C_DELEG_FLAG) == 0) { - if (handle) { - if (handle->principal) - gss_release_name(minor_status, &handle->principal); - if (handle->mechanisms) - gss_release_oid_set(NULL, &handle->mechanisms); - if (handle->ccache) - krb5_cc_destroy(gssapi_krb5_context, handle->ccache); - free(handle); - handle = NULL; - } + + if (delegated_cred_handle) { + ret = gss_krb5_import_cred(minor_status, + ccache, + NULL, + NULL, + delegated_cred_handle); + if (ret != GSS_S_COMPLETE) + goto out; + + (*delegated_cred_handle)->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; + ccache = NULL; } - if (delegated_cred_handle == NULL) { - if (ccache) + +out: + if (ccache) { + if (delegated_cred_handle == NULL) krb5_cc_close(gssapi_krb5_context, ccache); + else + krb5_cc_destroy(gssapi_krb5_context, ccache); } - if (handle) - *delegated_cred_handle = handle; - return ret; } @@ -1054,7 +1012,7 @@ spnego_accept_sec_context if(len > data.length - taglen) return ASN1_OVERRUN; - ret = decode_NegTokenInit((const char *)data.data + taglen, len, + ret = decode_NegTokenInit((const unsigned char *)data.data + taglen, len, &ni, &ni_len); if (ret) return GSS_S_DEFECTIVE_TOKEN; @@ -1065,7 +1023,7 @@ spnego_accept_sec_context } for (i = 0; !found && i < ni.mechTypes->len; ++i) { - char mechbuf[17]; + unsigned char mechbuf[17]; size_t mech_len; ret = der_put_oid (mechbuf + sizeof(mechbuf) - 1, diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/acquire_cred.c index d67b400920..44dbef3c48 100644 --- a/source4/heimdal/lib/gssapi/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/acquire_cred.c 
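Review bot: The new code no longer initialises `*delegated_cred_handle` before its first failure exit: the removed block set `*delegated_cred_handle = NULL;` up front, whereas now the `goto out` paths after `krb5_cc_gen_new` and `krb5_cc_initialize` return GSS_S_COMPLETE with the caller's output pointer untouched and `*minor_status` 0, so a caller that did not pre-clear it reads an indeterminate handle. Restore the initialisation right after `*minor_status = 0;` — `if (delegated_cred_handle) *delegated_cred_handle = NULL;`. Those two paths also discard `kret` entirely; the only signal left to the caller is the cleared GSS_C_DELEG_FLAG, which is the pre-existing contract but deserves a comment such as `/* delegation failure is not fatal: drop the flag and continue without it */`. Note also that with `delegated_cred_handle == NULL` the code calls `krb5_cc_initialize` on the process default ccache with the client principal, replacing whatever credentials the acceptor had there; that behaviour predates this change but is surprising enough to document. This function continues into the next hunk.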
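Review bot: On `gss_krb5_import_cred` failure the new code jumps to `out` without clearing the delegation flag, so the caller is told delegation succeeded (`GSS_C_DELEG_FLAG` still set) while `*delegated_cred_handle` holds nothing usable; every other failure exit in this function clears it, so add `*flags &= ~GSS_C_DELEG_FLAG;` before that `goto out;`. The success path then sets `ccache = NULL` without closing it: `gss_krb5_import_cred` resolves its own handle from the full name (see the `krb5_cc_get_full_name` / `krb5_cc_resolve` pair in copy_ccache.c below), so the krb5_ccache returned by `krb5_cc_gen_new` is dropped with neither `krb5_cc_close` nor `krb5_cc_destroy`; it should be `krb5_cc_close(gssapi_krb5_context, ccache); ccache = NULL;`, which for a by-name MEMORY cache presumably only drops this reference and leaves the credential's own handle to destroy the cache on release. The `out:` block otherwise correctly destroys the temporary cache on failure and only closes the default one.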
@@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: acquire_cred.c,v 1.24 2005/10/26 11:25:16 lha Exp $"); +RCSID("$Id: acquire_cred.c,v 1.25 2005/11/02 08:56:25 lha Exp $"); OM_uint32 _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, @@ -106,7 +106,6 @@ get_keytab(krb5_context context, krb5_keytab *keytab) static OM_uint32 acquire_initiator_cred (OM_uint32 * minor_status, krb5_context context, - krb5_keytab keytab, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, @@ -122,7 +121,7 @@ static OM_uint32 acquire_initiator_cred krb5_get_init_creds_opt *opt; krb5_ccache ccache; krb5_error_code kret; - krb5_boolean made_keytab = FALSE; + krb5_keytab keytab; ccache = NULL; def_princ = NULL; @@ -214,7 +213,7 @@ end: krb5_free_cred_contents(context, &cred); if (def_princ != NULL) krb5_free_principal(context, def_princ); - if (made_keytab) + if (keytab != NULL) krb5_kt_close(context, keytab); if (ret != GSS_S_COMPLETE) { if (ccache != NULL) @@ -230,7 +229,6 @@ end: static OM_uint32 acquire_acceptor_cred (OM_uint32 * minor_status, krb5_context context, - krb5_keytab keytab, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, @@ -244,21 +242,14 @@ static OM_uint32 acquire_acceptor_cred kret = 0; ret = GSS_S_FAILURE; - if (keytab == NULL) { - kret = get_keytab(context, &handle->keytab); - if (kret) - goto end; - handle->made_keytab = TRUE; - } else { - handle->keytab = keytab; - handle->made_keytab = FALSE; - } + kret = get_keytab(context, &handle->keytab); + if (kret) + goto end; ret = GSS_S_COMPLETE; end: if (ret != GSS_S_COMPLETE) { - if (handle->made_keytab) - krb5_kt_close(context, handle->keytab); + krb5_kt_close(context, handle->keytab); if (kret != 0) { *minor_status = kret; gssapi_krb5_set_error_string (); 
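Review bot: `krb5_keytab keytab;` replaces the `made_keytab` flag with a test on the pointer itself at `end:`, but the declaration has no initialiser while the neighbouring `ccache = NULL; def_princ = NULL;` do; unless a `keytab = NULL;` follows outside the hunk, any `goto end` taken before the keytab is opened reads an indeterminate pointer and passes it to `krb5_kt_close`. Change the declaration to `krb5_keytab keytab = NULL;` (or add it to the run of NULL assignments). The body of `acquire_initiator_cred` between the two hunks, including where the keytab is opened, is outside the diff, so this cannot be confirmed from here.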
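Review bot: The `end:` cleanup of `acquire_acceptor_cred` now calls `krb5_kt_close(context, handle->keytab)` unconditionally on failure, but the only failure that can reach it is `get_keytab` itself failing, in which case `handle->keytab` is whatever get_keytab left there — possibly NULL or unset; the removed `made_keytab` guard prevented exactly this. Guard it and clear the field so a later `gss_release_cred` cannot close it twice: `if (handle->keytab != NULL) { krb5_kt_close(context, handle->keytab); handle->keytab = NULL; }`. Whether `get_keytab` NULLs `*keytab` on error, and whether `handle` arrives zeroed, is not visible in this diff.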
@@ -267,9 +258,8 @@ end: return (ret); } -OM_uint32 gsskrb5_acquire_cred +OM_uint32 gss_acquire_cred (OM_uint32 * minor_status, - struct krb5_keytab_data *keytab, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, @@ -328,7 +318,6 @@ OM_uint32 gsskrb5_acquire_cred } if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { ret = acquire_initiator_cred(minor_status, gssapi_krb5_context, - keytab, desired_name, time_req, desired_mechs, cred_usage, handle, actual_mechs, time_rec); @@ -341,7 +330,7 @@ OM_uint32 gsskrb5_acquire_cred } if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { ret = acquire_acceptor_cred(minor_status, gssapi_krb5_context, - keytab, time_req, + time_req, desired_mechs, cred_usage, handle, actual_mechs, time_rec); if (ret != GSS_S_COMPLETE) { @@ -381,24 +370,3 @@ OM_uint32 gsskrb5_acquire_cred return (GSS_S_COMPLETE); } -OM_uint32 gss_acquire_cred - (OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - return gsskrb5_acquire_cred(minor_status, - NULL, - desired_name, - time_req, - desired_mechs, - cred_usage, - output_cred_handle, - actual_mechs, - time_rec); -} diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/arcfour.c index 52bb2ecf1b..01c6c75ecc 100644 --- a/source4/heimdal/lib/gssapi/arcfour.c +++ b/source4/heimdal/lib/gssapi/arcfour.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: arcfour.c,v 1.17 2005/05/06 07:13:32 lha Exp $"); +RCSID("$Id: arcfour.c,v 1.18 2005/11/01 06:55:55 lha Exp $"); /* * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt 
@@ -105,7 +105,7 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key, static krb5_error_code arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, u_char *sgn_cksum, size_t sgn_cksum_sz, - const char *v1, size_t l1, + const u_char *v1, size_t l1, const void *v2, size_t l2, const void *v3, size_t l3) { @@ -256,7 +256,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, p = token_buffer->value; omret = gssapi_krb5_verify_header (&p, token_buffer->length, - type, + (u_char *)type, GSS_KRB5_MECHANISM); if (omret) return omret; diff --git a/source4/heimdal/lib/gssapi/copy_ccache.c b/source4/heimdal/lib/gssapi/copy_ccache.c index 0f2f155870..782b701e44 100644 --- a/source4/heimdal/lib/gssapi/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/copy_ccache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: copy_ccache.c,v 1.9 2005/10/31 16:02:08 lha Exp $"); +RCSID("$Id: copy_ccache.c,v 1.13 2005/11/28 23:05:44 lha Exp $"); OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, @@ -63,9 +63,11 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status, OM_uint32 -gss_krb5_import_ccache(OM_uint32 *minor_status, - krb5_ccache in, - gss_cred_id_t *cred) +gss_krb5_import_cred(OM_uint32 *minor_status, + krb5_ccache id, + krb5_principal keytab_principal, + krb5_keytab keytab, + gss_cred_id_t *cred) { krb5_error_code kret; gss_cred_id_t handle; 
@@ -83,57 +85,94 @@ gss_krb5_import_ccache(OM_uint32 *minor_status, } HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - handle->usage = GSS_C_INITIATE; + handle->usage = 0; - kret = krb5_cc_get_principal(gssapi_krb5_context, in, &handle->principal); - if (kret) { - free(handle); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } + if (id) { + char *str; - ret = _gssapi_krb5_ccache_lifetime(minor_status, - in, - handle->principal, - &handle->lifetime); - if (ret != GSS_S_COMPLETE) { - krb5_free_principal(gssapi_krb5_context, handle->principal); - free(handle); - return ret; - } + handle->usage |= GSS_C_INITIATE; - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret != GSS_S_COMPLETE) { - krb5_free_principal(gssapi_krb5_context, handle->principal); - free(handle); - *minor_status = kret; - return GSS_S_FAILURE; + kret = krb5_cc_get_principal(gssapi_krb5_context, id, + &handle->principal); + if (kret) { + free(handle); + gssapi_krb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + if (keytab_principal) { + krb5_boolean match; + + match = krb5_principal_compare(gssapi_krb5_context, + handle->principal, + keytab_principal); + if (match == FALSE) { + krb5_free_principal(gssapi_krb5_context, handle->principal); + free(handle); + gssapi_krb5_clear_status (); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + } + + ret = _gssapi_krb5_ccache_lifetime(minor_status, + id, + handle->principal, + &handle->lifetime); + if (ret != GSS_S_COMPLETE) { + krb5_free_principal(gssapi_krb5_context, handle->principal); + free(handle); + return ret; + } + + + kret = krb5_cc_get_full_name(gssapi_krb5_context, id, &str); + if (kret) + goto out; + + kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache); + free(str); + if (kret) + goto out; } - { - const char *type, *name; + + 
if (keytab) { char *str; - type = krb5_cc_get_type(gssapi_krb5_context, in); - name = krb5_cc_get_name(gssapi_krb5_context, in); - - if (asprintf(&str, "%s:%s", type, name) == -1) { - krb5_set_error_string(gssapi_krb5_context, - "malloc - out of memory"); - kret = ENOMEM; - goto out; + handle->usage |= GSS_C_ACCEPT; + + if (keytab_principal && handle->principal == NULL) { + kret = krb5_copy_principal(gssapi_krb5_context, + keytab_principal, + &handle->principal); + if (kret) + goto out; } - kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache); + kret = krb5_kt_get_full_name(gssapi_krb5_context, keytab, &str); + if (kret) + goto out; + + kret = krb5_kt_resolve(gssapi_krb5_context, str, &handle->keytab); free(str); if (kret) goto out; } + + if (id || keytab) { + ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + if (ret == GSS_S_COMPLETE) + ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); + if (ret != GSS_S_COMPLETE) { + kret = *minor_status; + goto out; + } + } + *minor_status = 0; *cred = handle; return GSS_S_COMPLETE; diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index 64a31d1eee..20700dc826 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h @@ -775,18 +775,6 @@ OM_uint32 gss_unseal * kerberos mechanism specific functions */ -OM_uint32 gsskrb5_acquire_cred - (OM_uint32 * minor_status, - struct krb5_keytab_data *keytab, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ); - OM_uint32 gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, const char * /*name */, 
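Review bot: With both `id` and `keytab` NULL, `gss_krb5_import_cred` still returns GSS_S_COMPLETE and hands back a credential whose `usage` is 0, `principal` is NULL and `mechanisms` is never created (the oid set is only built under `if (id || keytab)`), which later consumers of the handle are unlikely to expect. Reject that combination up front, right after `handle->usage = 0;`: destroy the mutex, free the handle, set `*minor_status = EINVAL;` and return GSS_S_FAILURE — four lines mirroring the `keytab_principal` mismatch path. That mismatch path and the `krb5_cc_get_principal` failure path call `free(handle)` without `HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex)` although the mutex is initialised just above the hunk; the `goto out` exits presumably do the full teardown, so routing these two through `out` with `kret` set would remove the duplication. The function's start and its `out:` label lie outside the hunk.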
@@ -805,10 +793,11 @@ OM_uint32 gss_krb5_copy_service_keyblock gss_ctx_id_t context_handle, struct EncryptionKey **out); -OM_uint32 -gss_krb5_import_ccache(OM_uint32 */*minor*/, - struct krb5_ccache_data * /*in*/, - gss_cred_id_t */*out*/); +OM_uint32 gss_krb5_import_cred(OM_uint32 *minor_status, + struct krb5_ccache_data * /* id */, + struct Principal * /* keytab_principal */, + struct krb5_keytab_data * /* keytab */, + gss_cred_id_t */* cred */); OM_uint32 gss_krb5_get_tkt_flags (OM_uint32 */*minor*/, diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h index ae291d15a9..b9bea7db2e 100644 --- a/source4/heimdal/lib/gssapi/gssapi_locl.h +++ b/source4/heimdal/lib/gssapi/gssapi_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi_locl.h,v 1.42 2005/10/26 11:23:48 lha Exp $ */ +/* $Id: gssapi_locl.h,v 1.43 2005/11/02 08:51:17 lha Exp $ */ #ifndef GSSAPI_LOCL_H #define GSSAPI_LOCL_H diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c index e7e8f5153e..61c020b800 100644 --- a/source4/heimdal/lib/gssapi/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/init_sec_context.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: init_sec_context.c,v 1.60 2005/10/12 07:25:18 lha Exp $"); +RCSID("$Id: init_sec_context.c,v 1.61 2005/11/02 11:52:49 lha Exp $"); /* * copy the addresses from `input_chan_bindings' (if any) to diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/release_cred.c index ddd80c144b..cca3dfe379 100644 --- a/source4/heimdal/lib/gssapi/release_cred.c +++ b/source4/heimdal/lib/gssapi/release_cred.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: release_cred.c,v 1.10 2003/10/07 00:51:46 lha Exp $"); +RCSID("$Id: release_cred.c,v 1.11 2005/11/02 08:57:35 lha Exp $"); OM_uint32 gss_release_cred (OM_uint32 * minor_status, 
diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c index d7a4cf35ee..b9f1ab47e1 100644 --- a/source4/heimdal/lib/hdb/db.c +++ b/source4/heimdal/lib/hdb/db.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: db.c,v 1.32 2005/06/23 13:34:17 lha Exp $"); +RCSID("$Id: db.c,v 1.33 2005/11/28 23:30:51 lha Exp $"); #if HAVE_DB1 @@ -270,7 +270,7 @@ krb5_error_code hdb_db_create(krb5_context context, HDB **db, const char *filename) { - *db = malloc(sizeof(**db)); + *db = calloc(1, sizeof(**db)); if (*db == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h index 7557b46bff..f7e0c54b7c 100644 --- a/source4/heimdal/lib/hdb/hdb-protos.h +++ b/source4/heimdal/lib/hdb/hdb-protos.h @@ -120,7 +120,9 @@ hdb_free_entry ( hdb_entry */*ent*/); void -hdb_free_entry_ex(krb5_context context, hdb_entry_ex *ent); +hdb_free_entry_ex ( + krb5_context /*context*/, + hdb_entry_ex */*ent*/); void hdb_free_key (Key */*key*/); diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c index 588ff80728..dfd5bfa8f1 100644 --- a/source4/heimdal/lib/hdb/ndbm.c +++ b/source4/heimdal/lib/hdb/ndbm.c @@ -339,6 +339,8 @@ hdb_ndbm_create(krb5_context context, HDB **db, return ENOMEM; } + memset(*db, '\0', sizeof(**db)); + (*db)->hdb_db = NULL; (*db)->hdb_name = strdup(filename); if ((*db)->hdb_name == NULL) { diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c index ec956409a7..25dc2cb8c0 100644 --- a/source4/heimdal/lib/krb5/cache.c +++ b/source4/heimdal/lib/krb5/cache.c 
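Review bot: The sibling `hdb_db_create` in this same commit switched to `calloc(1, sizeof(**db))`, while `hdb_ndbm_create` keeps its `malloc` and adds a `memset(*db, '\0', sizeof(**db));` afterwards; the two creators should use the same idiom, and replacing the allocation (just above the hunk, before the `return ENOMEM`) with calloc would also make the following `(*db)->hdb_db = NULL;` redundant. If the allocation cannot be touched here, `memset(*db, 0, sizeof(**db));` reads better than the character literal.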
@@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: cache.c,v 1.73 2005/10/19 17:30:40 lha Exp $"); +RCSID("$Id: cache.c,v 1.74 2005/11/01 09:36:41 lha Exp $"); /* * Add a new ccache type with operations `ops', overwriting any @@ -223,6 +223,41 @@ krb5_cc_get_type(krb5_context context, } /* + * Return the complete resolvable name the ccache `id' in `str´. + * `str` should be freed with free(3). + * Returns 0 or an error (and then *str is set to NULL). + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_get_full_name(krb5_context context, + krb5_ccache id, + char **str) +{ + const char *type, *name; + + *str = NULL; + + type = krb5_cc_get_type(context, id); + if (type == NULL) { + krb5_set_error_string(context, "cache have no name of type"); + return KRB5_CC_UNKNOWN_TYPE; + } + + name = krb5_cc_get_name(context, id); + if (name == NULL) { + krb5_set_error_string(context, "cache of type %s have no name", type); + return KRB5_CC_BADNAME; + } + + if (asprintf(str, "%s:%s", type, name) == -1) { + krb5_set_error_string(context, "malloc - out of memory"); + *str = NULL; + return ENOMEM; + } + return 0; +} + +/* * Return krb5_cc_ops of a the ccache `id'. */ diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index 7bc8942f66..be5c1db47d 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_for_creds.c,v 1.45 2005/06/15 02:44:36 lha Exp $"); +RCSID("$Id: get_for_creds.c,v 1.46 2005/11/28 20:43:02 lha Exp $"); static krb5_error_code add_addrs(krb5_context context, 
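Review bot: The two error strings in the new `krb5_cc_get_full_name` are ungrammatical and the first is misleading: `"cache have no name of type"` is emitted when the type is missing, not the name, so `"cache has no type name"` and `"cache of type %s has no name"` would read correctly to whoever sees them through a gss minor status. The header comment also mixes backtick and acute-accent quoting in `` `str´ ``, whereas the surrounding comments (e.g. `` `id' `` on the next line) use the backtick/apostrophe pair. The contract itself — `*str` NULL on every error, caller frees with free(3) — is stated and honoured by the code.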
@@ -385,17 +385,13 @@ krb5_get_forwarded_creds (krb5_context context, cred.enc_part.cipher.data = buf; cred.enc_part.cipher.length = buf_size; } else { - /* - * RFC4120 claims we should use the session key, but Heimdal - * before 0.8 used the remote subkey if it was send in the - * auth_context. - * - * Lorikeet-Heimdal is interested in windows compatiblity - * more than Heimdal compatability, so we must choose the - * session key, and break forwarding credentials to older - * Heimdal servers. - */ - + /* + * Here older versions then 0.7.2 of Heimdal used the local or + * remote subkey. That is wrong, the session key should be + * used. Heimdal 0.7.2 and newer have code to try both in the + * receiving end. + */ + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); if (ret) { free(buf); diff --git a/source4/heimdal/lib/krb5/keytab.c b/source4/heimdal/lib/krb5/keytab.c index 23f6685049..43fc21c1d1 100644 --- a/source4/heimdal/lib/krb5/keytab.c +++ b/source4/heimdal/lib/krb5/keytab.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab.c,v 1.62 2005/07/06 01:14:42 lha Exp $"); +RCSID("$Id: keytab.c,v 1.63 2005/11/25 21:46:40 lha Exp $"); /* * Register a new keytab in `ops' 
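Review bot: The replacement comment drops the one piece of information the old one carried for this tree — that this Heimdal copy deliberately uses the session key for Windows interoperability and knowingly breaks forwarding to pre-0.7.2 Heimdal acceptors — and it has a typo (`older versions then 0.7.2` → `than`). Suggest keeping a sentence of the local rationale, e.g. ` * The session key is used here as RFC 4120 requires and as Windows expects; Heimdal 0.7.2 and newer accept either the session key or a subkey on the receiving end.` The code below the comment is unchanged, and the enclosing `krb5_get_forwarded_creds` runs past the hunk.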
@@ -240,6 +240,40 @@ krb5_kt_get_name(krb5_context context, } /* + * Retrieve the full name of the keytab `keytab' and store the name in + * `str'. `str' needs to be freed by the caller using free(3). + * Returns 0 or an error. On error, *str is set to NULL. + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_kt_get_full_name(krb5_context context, + krb5_keytab keytab, + char **str) +{ + char type[KRB5_KT_PREFIX_MAX_LEN]; + char name[MAXPATHLEN]; + krb5_error_code ret; + + *str = NULL; + + ret = krb5_kt_get_type(context, keytab, type, sizeof(type)); + if (ret) + return ret; + + ret = krb5_kt_get_name(context, keytab, name, sizeof(name)); + if (ret) + return ret; + + if (asprintf(str, "%s:%s", type, name) == -1) { + krb5_set_error_string(context, "malloc - out of memory"); + *str = NULL; + return ENOMEM; + } + + return 0; +} + +/* * Finish using the keytab in `id'. All resources will be released, * even on errors. Return 0 or an error. */ diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index 2645c29fe7..3602c89ec6 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -77,6 +77,15 @@ _krb5_extract_ticket ( krb5_decrypt_proc /*decrypt_proc*/, krb5_const_pointer /*decryptarg*/); +int +_krb5_find_type_in_ad ( + krb5_context /*context*/, + int /*type*/, + krb5_data */*data*/, + krb5_boolean */*found*/, + krb5_keyblock */*sessionkey*/, + const AuthorizationData */*ad*/); + void _krb5_free_krbhst_info (krb5_krbhst_info */*hi*/); @@ -399,12 +408,4 @@ _krb5_xunlock ( krb5_context /*context*/, int /*fd*/); -int -_krb5_find_type_in_ad(krb5_context context, - int type, - krb5_data *data, - int *found, - krb5_keyblock *sessionkey, - const AuthorizationData *ad); - #endif /* __krb5_private_h__ */ diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index a46f8b8f8f..33e35ca60e 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h 
+++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -607,6 +607,12 @@ krb5_cc_gen_new ( const krb5_cc_ops */*ops*/, krb5_ccache */*id*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_get_full_name ( + krb5_context /*context*/, + krb5_ccache /*id*/, + char **/*str*/); + const char* KRB5_LIB_FUNCTION krb5_cc_get_name ( krb5_context /*context*/, @@ -2186,6 +2192,12 @@ krb5_kt_get_entry ( krb5_keytab_entry */*entry*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_kt_get_full_name ( + krb5_context /*context*/, + krb5_keytab /*keytab*/, + char **/*str*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_name ( krb5_context /*context*/, krb5_keytab /*keytab*/, diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c index 07f142267c..d62adadf26 100644 --- a/source4/heimdal/lib/krb5/rd_cred.c +++ b/source4/heimdal/lib/krb5/rd_cred.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_cred.c,v 1.25 2005/09/23 03:37:57 lha Exp $"); +RCSID("$Id: rd_cred.c,v 1.26 2005/11/02 08:36:42 lha Exp $"); static krb5_error_code compare_addrs(krb5_context context, |