diff options
Diffstat (limited to 'source4/heimdal')
19 files changed, 508 insertions, 224 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 19287b31cc..84c16190f9 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.223 2006/10/17 02:16:29 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.224 2006/11/04 17:05:28 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -1063,13 +1063,14 @@ _kdc_as_rep(krb5_context context, free_PA_ENC_TS_ENC(&p); if (abs(kdc_time - p.patimestamp) > context->max_skew) { char client_time[100]; - + krb5_format_time(context, p.patimestamp, client_time, sizeof(client_time), TRUE); - ret = KRB5KRB_AP_ERR_SKEW; - kdc_log(context, config, 0, - "Too large time skew, client time %s is out by %u > %u seconds -- %s", + ret = KRB5KRB_AP_ERR_SKEW; + kdc_log(context, config, 0, + "Too large time skew, " + "client time %s is out by %u > %u seconds -- %s", client_time, (unsigned)abs(kdc_time - p.patimestamp), context->max_skew, diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index e3d77c0621..1a300cce3e 100755 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.73 2006/11/07 17:24:57 lha Exp $"); #ifdef PKINIT @@ -528,8 +528,10 @@ _kdc_pk_rd_padata(krb5_context context, &eContent, &signer_certs); if (ret) { - kdc_log(context, config, 0, - "PK-INIT failed to verify signature %d", ret); + char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret); + krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d", + s, ret); + free(s); goto out; } @@ -1376,6 +1378,36 @@ _kdc_pk_initialize(krb5_context context, return ret; } + { + hx509_query *q; + hx509_cert cert; + + ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + if (ret) { + krb5_warnx(context, "PKINIT: out of memory"); + return ENOMEM; + } + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); + + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, + &cert); + hx509_query_free(kdc_identity->hx509ctx, q); + if (ret == 0) { + if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert, + oid_id_pkkdcekuoid(), 0)) + krb5_warnx(context, "WARNING Found KDC certificate " + "is missing the PK-INIT KDC EKU, this is bad for " + "interoperability."); + hx509_cert_free(cert); + } else + krb5_warnx(context, "PKINIT: failed to find a signing " + "certifiate with a public key"); + } + ret = krb5_config_get_bool_default(context, NULL, FALSE, diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h index 8c025c8366..67a9a12bfe 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi_krb5.h,v 1.10 2006/10/20 22:04:03 lha Exp $ */ +/* $Id: gssapi_krb5.h,v 1.12 2006/11/05 00:06:09 lha Exp $ */ #ifndef GSSAPI_KRB5_H_ #define GSSAPI_KRB5_H_ diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index e42bb11b85..6ac80461c3 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: accept_sec_context.c,v 1.64 2006/10/25 04:19:45 lha Exp $"); +RCSID("$Id: accept_sec_context.c,v 1.65 2006/11/07 14:52:05 lha Exp $"); HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab _gsskrb5_keytab; @@ -264,9 +264,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, OM_uint32 ret = GSS_S_COMPLETE; krb5_data indata; krb5_flags ap_options; - krb5_ticket *ticket = NULL; krb5_keytab keytab = NULL; - krb5_keyblock *keyblock = NULL; int is_cfx = 0; const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle; @@ -298,34 +296,65 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, /* * We need to check the ticket and create the AP-REP packet */ - kret = krb5_rd_req_return_keyblock(_gsskrb5_context, - &ctx->auth_context, - &indata, - (acceptor_cred == NULL) ? NULL : acceptor_cred->principal, - keytab, - &ap_options, - &ticket, - &keyblock); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - _gsskrb5_set_error_string (); - return ret; + + { + krb5_rd_req_in_ctx in = NULL; + krb5_rd_req_out_ctx out = NULL; + + kret = krb5_rd_req_in_ctx_alloc(_gsskrb5_context, &in); + if (kret == 0) + kret = krb5_rd_req_in_set_keytab(_gsskrb5_context, in, keytab); + if (kret) { + if (in) + krb5_rd_req_in_ctx_free(_gsskrb5_context, in); + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + + kret = krb5_rd_req_ctx(_gsskrb5_context, + &ctx->auth_context, + &indata, + (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal, + in, &out); + krb5_rd_req_in_ctx_free(_gsskrb5_context, in); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + + /* + * We need to remember some data on the context_handle. + */ + kret = krb5_rd_req_out_get_ap_req_options(_gsskrb5_context, out, + &ap_options); + if (kret == 0) + kret = krb5_rd_req_out_get_ticket(_gsskrb5_context, out, + &ctx->ticket); + if (kret == 0) + kret = krb5_rd_req_out_get_keyblock(_gsskrb5_context, out, + &ctx->service_keyblock); + ctx->lifetime = ctx->ticket->ticket.endtime; + + krb5_rd_req_out_ctx_free(_gsskrb5_context, out); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } } - /* - * We need to remember some data on the context_handle. - */ - ctx->ticket = ticket; - ctx->service_keyblock = keyblock; - ctx->lifetime = ticket->ticket.endtime; /* * We need to copy the principal names to the context and the * calling layer. */ kret = krb5_copy_principal(_gsskrb5_context, - ticket->client, + ctx->ticket->client, &ctx->source); if (kret) { ret = GSS_S_FAILURE; @@ -333,7 +362,9 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, _gsskrb5_set_error_string (); } - kret = krb5_copy_principal(_gsskrb5_context, ticket->server, &ctx->target); + kret = krb5_copy_principal(_gsskrb5_context, + ctx->ticket->server, + &ctx->target); if (kret) { ret = GSS_S_FAILURE; *minor_status = kret; @@ -351,7 +382,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, if (src_name != NULL) { kret = krb5_copy_principal (_gsskrb5_context, - ticket->client, + ctx->ticket->client, (gsskrb5_name*)src_name); if (kret) { ret = GSS_S_FAILURE; @@ -471,7 +502,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, /* Remember the flags */ - ctx->lifetime = ticket->ticket.endtime; + ctx->lifetime = ctx->ticket->ticket.endtime; ctx->more_flags |= OPEN; if (mech_type) diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index 82851f5a78..2c43ed8b32 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: arcfour.c,v 1.29 2006/10/07 22:14:05 lha Exp $"); +RCSID("$Id: arcfour.c,v 1.30 2006/11/07 19:05:16 lha Exp $"); /* * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt @@ -355,17 +355,16 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, if (conf_state) *conf_state = 0; - if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { - datalen = input_message_buffer->length + 1 /* padding */; - - len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE; - _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - } else { - datalen = input_message_buffer->length; + datalen = input_message_buffer->length; + if (IS_DCE_STYLE(context_handle)) { len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); total_len += datalen; + } else { + datalen += 1; /* padding */ + len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE; + _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); } output_message_buffer->length = total_len; @@ -418,9 +417,8 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; memcpy(p, input_message_buffer->value, input_message_buffer->length); - if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { - p[input_message_buffer->length] = 1; /* PADDING */ - } + if (!IS_DCE_STYLE(context_handle)) + p[input_message_buffer->length] = 1; /* padding */ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, p0 + 16, 8, /* SGN_CKSUM */ @@ -518,13 +516,13 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, p0 = input_message_buffer->value; - if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { - len = input_message_buffer->length; - } else { + if (IS_DCE_STYLE(context_handle)) { len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE; if (input_message_buffer->length < len) return GSS_S_BAD_MECH; + } else { + len = input_message_buffer->length; } omret = _gssapi_verify_mech_header(&p0, @@ -635,7 +633,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, } memset(k6_data, 0, sizeof(k6_data)); - if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { + if (!IS_DCE_STYLE(context_handle)) { ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); if (ret) { _gsskrb5_release_buffer(minor_status, output_message_buffer); @@ -688,7 +686,7 @@ max_wrap_length_arcfour(const gsskrb5_ctx ctx, * - we only need to encapsulate the WRAP token * However, since this is a fixed since, we just */ - if (ctx->flags & GSS_C_DCE_STYLE) { + if (IS_DCE_STYLE(ctx)) { size_t len, total_len; len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index 7419bc2fe8..ece03ddf57 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -34,7 +34,7 @@ #include "krb5/gsskrb5_locl.h" #include <gssapi_mech.h> -RCSID("$Id: external.c,v 1.18 2006/10/20 21:50:24 lha Exp $"); +RCSID("$Id: external.c,v 1.21 2006/11/07 21:05:03 lha Exp $"); /* * The implementation must reserve static storage for a @@ -340,12 +340,18 @@ static gss_OID_desc gss_krb5_get_authtime_x_desc = gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc; -/* 1.2.752.43.13.14 */ +/* 1.2.752.43.13.13 */ static gss_OID_desc gss_krb5_get_service_keyblock_x_desc = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc; +/* 1.2.752.43.13.14 */ +static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")}; + +gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc; + /* 1.2.752.43.14.1 */ static gss_OID_desc gss_sasl_digest_md5_mechanism_desc = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h index 4d814032c3..ea7a561b5b 100644 --- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gsskrb5_locl.h,v 1.6 2006/10/07 22:14:49 lha Exp $ */ +/* $Id: gsskrb5_locl.h,v 1.7 2006/11/07 17:57:43 lha Exp $ */ #ifndef GSSKRB5_LOCL_H #define GSSKRB5_LOCL_H @@ -56,6 +56,7 @@ struct gss_msg_order; typedef struct { struct krb5_auth_context_data *auth_context; krb5_principal source, target; +#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0) OM_uint32 flags; enum { LOCAL = 1, OPEN = 2, COMPAT_OLD_DES3 = 4, diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index 00f2543833..7a97b6262c 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: init_sec_context.c,v 1.72 2006/10/24 23:03:19 lha Exp $"); +RCSID("$Id: init_sec_context.c,v 1.73 2006/11/07 17:40:01 lha Exp $"); /* * copy the addresses from `input_chan_bindings' (if any) to @@ -549,18 +549,18 @@ failure: static OM_uint32 repl_mutual - (OM_uint32 * minor_status, - gsskrb5_ctx ctx, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) +(OM_uint32 * minor_status, + gsskrb5_ctx ctx, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) { OM_uint32 ret; krb5_error_code kret; @@ -574,7 +574,7 @@ repl_mutual if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; - if (req_flags & GSS_C_DCE_STYLE) { + if (ctx->flags & GSS_C_DCE_STYLE) { /* There is no OID wrapping. */ indata.length = input_token->length; indata.data = input_token->value; @@ -619,8 +619,8 @@ repl_mutual *minor_status = 0; if (time_rec) { ret = _gsskrb5_lifetime_left(minor_status, - ctx->lifetime, - time_rec); + ctx->lifetime, + time_rec); } else { ret = GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c index 0b46cc5495..ee4210d74a 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -32,7 +32,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: inquire_sec_context_by_oid.c,v 1.8 2006/10/24 15:55:28 lha Exp $"); +RCSID("$Id: inquire_sec_context_by_oid.c,v 1.11 2006/11/07 14:34:35 lha Exp $"); static int oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix) @@ -149,6 +149,11 @@ static OM_uint32 inquire_sec_context_get_subkey HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); if (ret) goto out; + if (key == NULL) { + _gsskrb5_set_status("have no subkey of type %d", keytype); + ret = EINVAL; + goto out; + } ret = krb5_store_keyblock(sp, *key); krb5_free_keyblock (_gsskrb5_context, key); @@ -400,6 +405,7 @@ get_authtime(OM_uint32 *minor_status, { gss_buffer_desc value; + unsigned char buf[4]; OM_uint32 authtime; HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); @@ -414,14 +420,9 @@ get_authtime(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - value.length = 4; - value.value = malloc(value.length); - if (!value.value) { - _gsskrb5_clear_status(); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - _gsskrb5_encode_om_uint32(authtime, value.value); + _gsskrb5_encode_om_uint32(authtime, buf); + value.length = sizeof(buf); + value.value = buf; return gss_add_buffer_set_member(minor_status, &value, diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 67f5e8e722..fb098679b2 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -36,7 +36,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: set_sec_context_option.c,v 1.6 2006/10/20 18:58:22 lha Exp $"); +RCSID("$Id: set_sec_context_option.c,v 1.7 2006/11/04 03:01:14 lha Exp $"); static OM_uint32 get_bool(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index 8514137999..ebbc975b8a 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -103,7 +103,6 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx, krb5_keyblock **key) _gsskrb5_set_status("No token key available"); return GSS_KRB5_S_KG_NO_SUBKEY; } - _gsskrb5_clear_status(); return 0; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index c6ea3cecb7..fd66fb04f5 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,12 +27,11 @@ */ #include "mech_locl.h" -#include "krb5/gsskrb5_locl.h" -RCSID("$Id: gss_krb5.c,v 1.13 2006/10/20 22:05:02 lha Exp $"); +RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $"); #include <krb5.h> #include <roken.h> - +#include "krb5/gsskrb5_locl.h" OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, @@ -264,7 +263,10 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, krb5_storage *sp = NULL; uint32_t num; - if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT || version != 1) { + if (context_handle == NULL + || *context_handle == GSS_C_NO_CONTEXT + || version != 1) + { ret = EINVAL; return GSS_S_FAILURE; } @@ -509,9 +511,8 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, { gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; OM_uint32 maj_stat; - gss_OID_desc authz_oid_flat; - heim_oid authz_oid; - heim_oid new_authz_oid; + gss_OID_desc oid_flat; + heim_oid baseoid, oid; size_t size; if (context_handle == GSS_C_NO_CONTEXT) { @@ -523,57 +524,55 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements, GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length, - &authz_oid, NULL) != 0) { + &baseoid, NULL) != 0) { *minor_status = EINVAL; return GSS_S_FAILURE; } - new_authz_oid.length = authz_oid.length + 1; - new_authz_oid.components = malloc(new_authz_oid.length * sizeof(*new_authz_oid.components)); - if (!new_authz_oid.components) { - free(authz_oid.components); + oid.length = baseoid.length + 1; + oid.components = calloc(oid.length, sizeof(*oid.components)); + if (oid.components == NULL) { + der_free_oid(&baseoid); *minor_status = ENOMEM; return GSS_S_FAILURE; } - memcpy(new_authz_oid.components, authz_oid.components, - authz_oid.length * sizeof(*authz_oid.components)); + memcpy(oid.components, baseoid.components, + baseoid.length * sizeof(*baseoid.components)); - free(authz_oid.components); + der_free_oid(&baseoid); - new_authz_oid.components[new_authz_oid.length - 1] = ad_type; - - authz_oid_flat.length = der_length_oid(&new_authz_oid); - authz_oid_flat.elements = malloc(authz_oid_flat.length); - - if (!authz_oid_flat.elements) { - free(new_authz_oid.components); + oid.components[oid.length - 1] = ad_type; + oid_flat.length = der_length_oid(&oid); + oid_flat.elements = malloc(oid_flat.length); + if (oid_flat.elements == NULL) { + free(oid.components); *minor_status = ENOMEM; return GSS_S_FAILURE; } - if (der_put_oid((unsigned char *)authz_oid_flat.elements + authz_oid_flat.length - 1, - authz_oid_flat.length, - &new_authz_oid, &size) != 0) { - free(new_authz_oid.components); + if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1, + oid_flat.length, &oid, &size) != 0) { + free(oid.components); *minor_status = EINVAL; return GSS_S_FAILURE; } + if (oid_flat.length != size) + abort(); - free(new_authz_oid.components); + free(oid.components); /* FINALLY, we have the OID */ - maj_stat = - gss_inquire_sec_context_by_oid (minor_status, - context_handle, - &authz_oid_flat, - &data_set); + maj_stat = gss_inquire_sec_context_by_oid (minor_status, + context_handle, + &oid_flat, + &data_set); - free(authz_oid_flat.elements); + free(oid_flat.elements); if (maj_stat) return maj_stat; @@ -608,20 +607,20 @@ gsskrb5_extract_key(OM_uint32 *minor_status, krb5_error_code ret; gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; OM_uint32 major_status; + krb5_context context = NULL; krb5_storage *sp = NULL; - ret = _gsskrb5_init(); + if (context_handle == GSS_C_NO_CONTEXT) { + ret = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_init_context(&context); if(ret) { *minor_status = ret; return GSS_S_FAILURE; } - if (context_handle == GSS_C_NO_CONTEXT) { - _gsskrb5_set_status("no context handle"); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - major_status = gss_inquire_sec_context_by_oid (minor_status, context_handle, @@ -630,15 +629,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status, if (major_status) return major_status; - if (data_set == GSS_C_NO_BUFFER_SET) { - _gsskrb5_set_status("no buffers returned"); - gss_release_buffer_set(minor_status, &data_set); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - if (data_set->count != 1) { - _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { gss_release_buffer_set(minor_status, &data_set); *minor_status = EINVAL; return GSS_S_FAILURE; @@ -663,16 +654,17 @@ out: gss_release_buffer_set(minor_status, &data_set); if (sp) krb5_storage_free(sp); - if (ret) { - _gsskrb5_set_error_string(); - if (keyblock) { - krb5_free_keyblock(_gsskrb5_context, *keyblock); - } + if (ret && keyblock) { + krb5_free_keyblock(context, *keyblock); + *keyblock = NULL; + } + if (context) + krb5_free_context(context); - *minor_status = ret; + *minor_status = ret; + if (ret) return GSS_S_FAILURE; - } - *minor_status = 0; + return GSS_S_COMPLETE; } @@ -705,6 +697,6 @@ gsskrb5_get_subkey(OM_uint32 *minor_status, { return gsskrb5_extract_key(minor_status, context_handle, - GSS_KRB5_GET_ACCEPTOR_SUBKEY_X, + GSS_KRB5_GET_SUBKEY_X, keyblock); } diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h index 571bce5569..255e07d056 100644 --- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h +++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -/* $Id: spnego_locl.h,v 1.11 2006/10/12 06:28:06 lha Exp $ */ +/* $Id: spnego_locl.h,v 1.12 2006/11/07 19:53:40 lha Exp $ */ #ifndef SPNEGO_LOCL_H #define SPNEGO_LOCL_H @@ -69,6 +69,8 @@ #include "spnego_asn1.h" #include <der.h> +#include <roken.h> + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) typedef struct { diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c index f7b3ffbf9e..a25bb80786 100644 --- a/source4/heimdal/lib/krb5/context.c +++ b/source4/heimdal/lib/krb5/context.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <com_err.h> -RCSID("$Id: context.c,v 1.108 2006/10/20 22:26:10 lha Exp $"); +RCSID("$Id: context.c,v 1.110 2006/11/04 03:27:47 lha Exp $"); #define INIT_FIELD(C, T, E, D, F) \ (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ @@ -181,7 +181,7 @@ init_context_from_config_file(krb5_context context) INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); INIT_FIELD(context, int, large_msg_size, 6000, "large_message_size"); - INIT_FIELD(context, bool, dns_canonicalize_hostname, TRUE, "dns_canonize_hostname"); + INIT_FIELD(context, bool, dns_canonicalize_hostname, TRUE, "dns_canonicalize_hostname"); context->default_cc_name = NULL; return 0; } @@ -691,7 +691,7 @@ krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag) } krb5_boolean KRB5_LIB_FUNCTION -krb5_get_dns_canonize_hostname (krb5_context context) +krb5_get_dns_canonicalize_hostname (krb5_context context) { return context->dns_canonicalize_hostname; } @@ -705,3 +705,15 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec) *usec = context->kdc_usec_offset; return 0; } + +time_t KRB5_LIB_FUNCTION +krb5_get_time_wrap (krb5_context context) +{ + return context->max_skew; +} + +void KRB5_LIB_FUNCTION +krb5_set_time_wrap (krb5_context context, time_t t) +{ + context->max_skew = t; +} diff --git a/source4/heimdal/lib/krb5/expand_hostname.c b/source4/heimdal/lib/krb5/expand_hostname.c index 4d0692bcfa..46e784f561 100644 --- a/source4/heimdal/lib/krb5/expand_hostname.c +++ b/source4/heimdal/lib/krb5/expand_hostname.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: expand_hostname.c,v 1.13 2006/10/17 09:16:32 lha Exp $"); +RCSID("$Id: expand_hostname.c,v 1.14 2006/11/04 03:34:57 lha Exp $"); static krb5_error_code copy_hostname(krb5_context context, diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index 968b6079b7..0bf184a530 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -399,6 +399,11 @@ _krb5_put_int ( size_t /*size*/); krb5_error_code KRB5_LIB_FUNCTION +_krb5_rd_req_out_ctx_alloc ( + krb5_context /*context*/, + krb5_rd_req_out_ctx */*ctx*/); + +krb5_error_code KRB5_LIB_FUNCTION _krb5_s4u2self_to_checksumdata ( krb5_context /*context*/, const PA_S4U2Self */*self*/, diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index 2010e25f5a..104f10bdf2 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -1866,7 +1866,7 @@ krb5_get_default_realms ( krb5_realm **/*realms*/); krb5_boolean KRB5_LIB_FUNCTION -krb5_get_dns_canonize_hostname (krb5_context /*context*/); +krb5_get_dns_canonicalize_hostname (krb5_context /*context*/); const char* KRB5_LIB_FUNCTION krb5_get_err_text ( @@ -2177,6 +2177,9 @@ krb5_get_server_rcache ( const krb5_data */*piece*/, krb5_rcache */*id*/); +time_t KRB5_LIB_FUNCTION +krb5_get_time_wrap (krb5_context /*context*/); + krb5_boolean KRB5_LIB_FUNCTION krb5_get_use_admin_kdc (krb5_context /*context*/); @@ -2865,15 +2868,58 @@ krb5_rd_req ( krb5_ticket **/*ticket*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_rd_req_return_keyblock ( +krb5_rd_req_ctx ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, const krb5_data */*inbuf*/, krb5_const_principal /*server*/, - krb5_keytab /*keytab*/, - krb5_flags */*ap_req_options*/, - krb5_ticket **/*ticket*/, - krb5_keyblock **/*return_keyblock*/); + krb5_rd_req_in_ctx /*inctx*/, + krb5_rd_req_out_ctx */*outctx*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_alloc ( + krb5_context /*context*/, + krb5_rd_req_in_ctx */*ctx*/); + +void KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_free ( + krb5_context /*context*/, + krb5_rd_req_in_ctx /*ctx*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keyblock ( + krb5_context /*context*/, + krb5_rd_req_in_ctx /*in*/, + krb5_keyblock */*keyblock*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keytab ( + krb5_context /*context*/, + krb5_rd_req_in_ctx /*in*/, + krb5_keytab /*keytab*/); + +void KRB5_LIB_FUNCTION +krb5_rd_req_out_ctx_free ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*ctx*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ap_req_options ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*out*/, + krb5_flags */*ap_req_options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_keyblock ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*out*/, + krb5_keyblock **/*keyblock*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ticket ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*out*/, + krb5_ticket **/*ticket*/); krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req_with_keyblock ( @@ -3152,6 +3198,11 @@ krb5_set_send_to_kdc_func ( void */*data*/); void KRB5_LIB_FUNCTION +krb5_set_time_wrap ( + krb5_context /*context*/, + time_t /*t*/); + +void KRB5_LIB_FUNCTION krb5_set_use_admin_kdc ( krb5_context /*context*/, krb5_boolean /*flag*/); diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 4b5058094b..f5c8b069de 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.253 2006/10/20 18:12:06 lha Exp $ */ +/* $Id: krb5.h,v 1.254 2006/11/07 00:17:42 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -78,6 +78,9 @@ typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt; struct krb5_digest; typedef struct krb5_digest *krb5_digest; +typedef struct krb5_rd_req_in_ctx *krb5_rd_req_in_ctx; +typedef struct krb5_rd_req_out_ctx *krb5_rd_req_out_ctx; + typedef CKSUMTYPE krb5_cksumtype; typedef Checksum krb5_checksum; diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index c424a73a34..3352334f65 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.66 2006/10/06 17:04:29 lha Exp $"); +RCSID("$Id: rd_req.c,v 1.68 2006/11/07 17:11:31 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -506,6 +506,151 @@ krb5_verify_ap_req2(krb5_context context, return ret; } +/* + * + */ + +struct krb5_rd_req_in_ctx { + krb5_keytab keytab; + krb5_keyblock *keyblock; +}; + +struct krb5_rd_req_out_ctx { + krb5_keyblock *keyblock; + krb5_flags ap_req_options; + krb5_ticket *ticket; +}; + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx) +{ + *ctx = calloc(1, sizeof(**ctx)); + if (*ctx == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keytab(krb5_context context, + krb5_rd_req_in_ctx in, + krb5_keytab keytab) +{ + in->keytab = keytab; /* XXX should make copy */ + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keyblock(krb5_context context, + krb5_rd_req_in_ctx in, + krb5_keyblock *keyblock) +{ + in->keyblock = keyblock; /* XXX should make copy */ + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ap_req_options(krb5_context context, + krb5_rd_req_out_ctx out, + krb5_flags *ap_req_options) +{ + *ap_req_options = out->ap_req_options; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ticket(krb5_context context, + krb5_rd_req_out_ctx out, + krb5_ticket **ticket) +{ + return krb5_copy_ticket(context, out->ticket, ticket); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_keyblock(krb5_context context, + krb5_rd_req_out_ctx out, + krb5_keyblock **keyblock) +{ + return krb5_copy_keyblock(context, out->keyblock, keyblock); +} + +void KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx) +{ + free(ctx); +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_rd_req_out_ctx_alloc(krb5_context context, krb5_rd_req_out_ctx *ctx) +{ + *ctx = calloc(1, sizeof(**ctx)); + if (*ctx == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx) +{ + krb5_free_keyblock(context, ctx->keyblock); + free(ctx); +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req(krb5_context context, + krb5_auth_context *auth_context, + const krb5_data *inbuf, + krb5_const_principal server, + krb5_keytab keytab, + krb5_flags *ap_req_options, + krb5_ticket **ticket) +{ + krb5_error_code ret; + krb5_rd_req_in_ctx in; + krb5_rd_req_out_ctx out; + + ret = krb5_rd_req_in_ctx_alloc(context, &in); + if (ret) + return ret; + + ret = krb5_rd_req_in_set_keytab(context, in, keytab); + if (ret) { + krb5_rd_req_in_ctx_free(context, in); + return ret; + } + + ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); + krb5_rd_req_in_ctx_free(context, in); + if (ret) + return ret; + + if (ap_req_options) + *ap_req_options = out->ap_req_options; + if (ticket) { + ret = krb5_copy_ticket(context, out->ticket, ticket); + if (ret) + goto out; + } + +out: + krb5_rd_req_out_ctx_free(context, out); + return ret; +} + +/* + * + */ krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req_with_keyblock(krb5_context context, @@ -517,31 +662,41 @@ krb5_rd_req_with_keyblock(krb5_context context, krb5_ticket **ticket) { krb5_error_code ret; - krb5_ap_req ap_req; + krb5_rd_req_in_ctx in; + krb5_rd_req_out_ctx out; - if (*auth_context == NULL) { - ret = krb5_auth_con_init(context, auth_context); - if (ret) - return ret; + ret = krb5_rd_req_in_ctx_alloc(context, &in); + if (ret) + return ret; + + ret = krb5_rd_req_in_set_keyblock(context, in, keyblock); + if (ret) { + krb5_rd_req_in_ctx_free(context, in); + return ret; } - ret = krb5_decode_ap_req(context, inbuf, &ap_req); - if(ret) + ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); + krb5_rd_req_in_ctx_free(context, in); + if (ret) return ret; - ret = krb5_verify_ap_req(context, - auth_context, - &ap_req, - server, - keyblock, - 0, - ap_req_options, - ticket); + if (ap_req_options) + *ap_req_options = out->ap_req_options; + if (ticket) { + ret = krb5_copy_ticket(context, out->ticket, ticket); + if (ret) + goto out; + } - free_AP_REQ(&ap_req); +out: + krb5_rd_req_out_ctx_free(context, out); return ret; } +/* + * + */ + static krb5_error_code get_key_from_keytab(krb5_context context, krb5_auth_context *auth_context, @@ -582,39 +737,44 @@ out: return ret; } +/* + * + */ + krb5_error_code KRB5_LIB_FUNCTION -krb5_rd_req_return_keyblock(krb5_context context, - krb5_auth_context *auth_context, - const krb5_data *inbuf, - krb5_const_principal server, - krb5_keytab keytab, - krb5_flags *ap_req_options, - krb5_ticket **ticket, - krb5_keyblock **return_keyblock) +krb5_rd_req_ctx(krb5_context context, + krb5_auth_context *auth_context, + const krb5_data *inbuf, + krb5_const_principal server, + krb5_rd_req_in_ctx inctx, + krb5_rd_req_out_ctx *outctx) { krb5_error_code ret; krb5_ap_req ap_req; - krb5_keyblock *keyblock = NULL; krb5_principal service = NULL; + krb5_rd_req_out_ctx o = NULL; - if (return_keyblock) - *return_keyblock = NULL; + ret = _krb5_rd_req_out_ctx_alloc(context, &o); + if (ret) + goto out; if (*auth_context == NULL) { ret = krb5_auth_con_init(context, auth_context); if (ret) - return ret; + goto out; } ret = krb5_decode_ap_req(context, inbuf, &ap_req); if(ret) - return ret; + goto out; if(server == NULL){ - _krb5_principalname2krb5_principal(context, - &service, - ap_req.ticket.sname, - ap_req.ticket.realm); + ret = _krb5_principalname2krb5_principal(context, + &service, + ap_req.ticket.sname, + ap_req.ticket.realm); + if (ret) + goto out; server = service; } if (ap_req.ap_options.use_session_key && @@ -625,61 +785,51 @@ krb5_rd_req_return_keyblock(krb5_context context, goto out; } - if((*auth_context)->keyblock == NULL){ + if((*auth_context)->keyblock){ + ret = krb5_copy_keyblock(context, + (*auth_context)->keyblock, + &o->keyblock); + if (ret) + goto out; + } else if(inctx->keyblock){ + ret = krb5_copy_keyblock(context, + inctx->keyblock, + &o->keyblock); + if (ret) + goto out; + } else { + krb5_keytab keytab = NULL; + + if (inctx && inctx->keytab) + keytab = inctx->keytab; + ret = get_key_from_keytab(context, auth_context, &ap_req, server, keytab, - &keyblock); + &o->keyblock); if(ret) goto out; - } else { - ret = krb5_copy_keyblock(context, - (*auth_context)->keyblock, - &keyblock); - if (ret) - goto out; } ret = krb5_verify_ap_req(context, auth_context, &ap_req, server, - keyblock, + o->keyblock, 0, - ap_req_options, - ticket); - - if (ret == 0 && return_keyblock) - *return_keyblock = keyblock; - else - krb5_free_keyblock(context, keyblock); + &o->ap_req_options, + &o->ticket); out: + if (ret || outctx == NULL) { + krb5_rd_req_out_ctx_free(context, o); + } else + *outctx = o; + free_AP_REQ(&ap_req); if(service) krb5_free_principal(context, service); return ret; } - -krb5_error_code KRB5_LIB_FUNCTION -krb5_rd_req(krb5_context context, - krb5_auth_context *auth_context, - const krb5_data *inbuf, - krb5_const_principal server, - krb5_keytab keytab, - krb5_flags *ap_req_options, - krb5_ticket **ticket) -{ - return krb5_rd_req_return_keyblock(context, - auth_context, - inbuf, - server, - keytab, - ap_req_options, - ticket, - NULL); - -} - |