summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c18
-rw-r--r--source4/heimdal/lib/asn1/der_put.c3
-rw-r--r--source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h6
-rw-r--r--source4/heimdal/lib/gssapi/krb5/copy_ccache.c5
-rw-r--r--source4/heimdal/lib/gssapi/krb5/external.c9
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c23
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_krb5.c79
-rw-r--r--source4/heimdal/lib/krb5/context.c6
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c88
-rw-r--r--source4/heimdal/lib/krb5/mk_req.c2
-rw-r--r--source4/heimdal/lib/krb5/store_mem.c33
11 files changed, 199 insertions, 73 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 9f796dc9d1..8e40973e4a 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -198,13 +198,31 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+ talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
+ if (lp_realm() && *lp_realm()) {
+ char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm());
+ if (!upper_realm) {
+ DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
+ talloc_free(gensec_gssapi_state);
+ return NT_STATUS_NO_MEMORY;
+ }
+ ret = gsskrb5_set_default_realm(upper_realm);
+ talloc_free(upper_realm);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
+ talloc_free(gensec_gssapi_state);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+
ret = smb_krb5_init_context(gensec_gssapi_state,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
error_message(ret)));
+ talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
return NT_STATUS_OK;
diff --git a/source4/heimdal/lib/asn1/der_put.c b/source4/heimdal/lib/asn1/der_put.c
index 2fe90df9a9..b006f233ca 100644
--- a/source4/heimdal/lib/asn1/der_put.c
+++ b/source4/heimdal/lib/asn1/der_put.c
@@ -335,9 +335,6 @@ der_put_utctime (unsigned char *p, size_t len,
return 0;
}
-/* This API is not what you might expect. p is a pointer to the *end*
- * (last byte) of the buffer, of length len */
-
int
der_put_oid (unsigned char *p, size_t len,
const heim_oid *data, size_t *size)
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
index 67a9a12bfe..f06a994008 100644
--- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
+++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi_krb5.h,v 1.12 2006/11/05 00:06:09 lha Exp $ */
+/* $Id: gssapi_krb5.h,v 1.14 2006/11/08 23:01:01 lha Exp $ */
#ifndef GSSAPI_KRB5_H_
#define GSSAPI_KRB5_H_
@@ -64,6 +64,7 @@ extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
+extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
/* Extensions inquire context */
extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
@@ -130,6 +131,9 @@ OM_uint32
gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *);
OM_uint32
+gsskrb5_set_default_realm(const char *);
+
+OM_uint32
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *);
struct EncryptionKey;
diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
index 99aa2ccb43..91d21a1aec 100644
--- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
+++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: copy_ccache.c,v 1.15 2006/10/07 22:14:22 lha Exp $");
+RCSID("$Id: copy_ccache.c,v 1.16 2006/11/08 02:42:50 lha Exp $");
#if 0
OM_uint32
@@ -188,4 +188,3 @@ out:
*minor_status = kret;
return GSS_S_FAILURE;
}
-
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index ece03ddf57..0681bd4038 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
-RCSID("$Id: external.c,v 1.21 2006/11/07 21:05:03 lha Exp $");
+RCSID("$Id: external.c,v 1.22 2006/11/08 23:00:20 lha Exp $");
/*
* The implementation must reserve static storage for a
@@ -352,6 +352,13 @@ static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
+/* 1.2.752.43.13.15 */
+static gss_OID_desc gss_krb5_set_default_realm_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
+
+gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc;
+
+
/* 1.2.752.43.14.1 */
static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
index fb098679b2..dc1495efc1 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
@@ -36,7 +36,7 @@
#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: set_sec_context_option.c,v 1.7 2006/11/04 03:01:14 lha Exp $");
+RCSID("$Id: set_sec_context_option.c,v 1.8 2006/11/08 23:06:42 lha Exp $");
static OM_uint32
get_bool(OM_uint32 *minor_status,
@@ -120,6 +120,27 @@ _gsskrb5_set_sec_context_option
*minor_status = 0;
return GSS_S_COMPLETE;
+ } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
+ char *str;
+
+ if (value == NULL || value->length == 0) {
+ *minor_status = 0;
+ return GSS_S_CALL_INACCESSIBLE_READ;
+ }
+ str = malloc(value->length + 1);
+ if (str) {
+ *minor_status = 0;
+ return GSS_S_UNAVAILABLE;
+ }
+ memcpy(str, value->value, value->length);
+ str[value->length] = '\0';
+
+ krb5_set_default_realm(_gsskrb5_context, str);
+ free(str);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
if (value == NULL || value->length == 0) {
diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
index fd66fb04f5..34cdbeb3c1 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
@@ -27,11 +27,11 @@
*/
#include "mech_locl.h"
-RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $");
+RCSID("$Id: gss_krb5.c,v 1.20 2006/11/08 23:11:03 lha Exp $");
#include <krb5.h>
#include <roken.h>
-#include "krb5/gsskrb5_locl.h"
+
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
@@ -416,6 +416,24 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c)
return GSS_S_COMPLETE;
}
+/*
+ *
+ */
+
+OM_uint32
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ OM_uint32 num_enctypes,
+ krb5_enctype *enctypes)
+{
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
OM_uint32
gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
{
@@ -443,6 +461,10 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
return (GSS_S_COMPLETE);
}
+/*
+ *
+ */
+
OM_uint32
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@@ -450,11 +472,8 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
{
gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
OM_uint32 maj_stat;
- krb5_error_code ret;
- OM_uint32 time32;
if (context_handle == GSS_C_NO_CONTEXT) {
- _gsskrb5_set_status("no context handle");
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
@@ -468,14 +487,12 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
return maj_stat;
if (data_set == GSS_C_NO_BUFFER_SET) {
- _gsskrb5_set_status("no buffers returned");
gss_release_buffer_set(minor_status, &data_set);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (data_set->count != 1) {
- _gsskrb5_set_status("%d != 1 buffers returned", data_set->count);
gss_release_buffer_set(minor_status, &data_set);
*minor_status = EINVAL;
return GSS_S_FAILURE;
@@ -483,26 +500,26 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
if (data_set->elements[0].length != 4) {
gss_release_buffer_set(minor_status, &data_set);
- _gsskrb5_set_status("Error extracting authtime from security context: only got %d < 4 bytes",
- data_set->elements[0].length);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
- ret = _gsskrb5_decode_om_uint32(data_set->elements[0].value, &time32);
- if (ret) {
- gss_release_buffer_set(minor_status, &data_set);
- *minor_status = ret;
- return GSS_S_FAILURE;
+ {
+ unsigned char *buf = data_set->elements[0].value;
+ *authtime = (buf[3] <<24) | (buf[2] << 16) |
+ (buf[1] << 8) | (buf[0] << 0);
}
- *authtime = time32;
gss_release_buffer_set(minor_status, &data_set);
-
+
*minor_status = 0;
return GSS_S_COMPLETE;
}
+/*
+ *
+ */
+
OM_uint32
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@@ -598,6 +615,10 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
+/*
+ *
+ */
+
static OM_uint32
gsskrb5_extract_key(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@@ -668,6 +689,10 @@ out:
return GSS_S_COMPLETE;
}
+/*
+ *
+ */
+
OM_uint32
gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@@ -700,3 +725,25 @@ gsskrb5_get_subkey(OM_uint32 *minor_status,
GSS_KRB5_GET_SUBKEY_X,
keyblock);
}
+
+OM_uint32
+gsskrb5_set_default_realm(const char *realm)
+{
+ struct _gss_mech_switch *m;
+ gss_buffer_desc buffer;
+ OM_uint32 junk;
+
+ _gss_load_mech();
+
+ buffer.value = rk_UNCONST(realm);
+ buffer.length = strlen(realm);
+
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ if (m->gm_mech.gm_set_sec_context_option == NULL)
+ continue;
+ m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_SET_DEFAULT_REALM_X, &buffer);
+ }
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index a25bb80786..f3b0fad347 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <com_err.h>
-RCSID("$Id: context.c,v 1.110 2006/11/04 03:27:47 lha Exp $");
+RCSID("$Id: context.c,v 1.111 2006/11/08 02:55:46 lha Exp $");
#define INIT_FIELD(C, T, E, D, F) \
(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
@@ -707,13 +707,13 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
}
time_t KRB5_LIB_FUNCTION
-krb5_get_time_wrap (krb5_context context)
+krb5_get_max_time_skew (krb5_context context)
{
return context->max_skew;
}
void KRB5_LIB_FUNCTION
-krb5_set_time_wrap (krb5_context context, time_t t)
+krb5_set_max_time_skew (krb5_context context, time_t t)
{
context->max_skew = t;
}
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index 661d05663b..6eebf1fa80 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -162,8 +162,7 @@ krb5_get_forwarded_creds (krb5_context context,
{
krb5_error_code ret;
krb5_creds *out_creds;
- krb5_addresses *paddrs = NULL;
- krb5_addresses addrs;
+ krb5_addresses addrs, *paddrs;
KRB_CRED cred;
KrbCredInfo *krb_cred_info;
EncKrbCredPart enc_krb_cred_part;
@@ -172,53 +171,58 @@ krb5_get_forwarded_creds (krb5_context context,
size_t buf_size;
krb5_kdc_flags kdc_flags;
krb5_crypto crypto;
+ struct addrinfo *ai;
int save_errno;
krb5_creds *ticket;
char *realm;
- krb5_boolean noaddr_ever;
-
- addrs.len = 0;
- addrs.val = NULL;
realm = in_creds->client->realm;
- krb5_appdefault_boolean(context, NULL, realm, "no-addresses-ever",
- TRUE, &noaddr_ever);
- if (!noaddr_ever) {
- struct addrinfo *ai;
- paddrs = &addrs;
-
- /*
- * If tickets are address-less, forward address-less tickets.
- */
-
- ret = _krb5_get_krbtgt (context,
- ccache,
- realm,
- &ticket);
- if(ret == 0) {
- if (ticket->addresses.len == 0)
- paddrs = NULL;
- krb5_free_creds (context, ticket);
- }
-
- if (paddrs != NULL) {
-
- ret = getaddrinfo (hostname, NULL, NULL, &ai);
- if (ret) {
- save_errno = errno;
- krb5_set_error_string(context, "resolving %s: %s",
- hostname, gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
- }
-
- ret = add_addrs (context, &addrs, ai);
- freeaddrinfo (ai);
- if (ret)
- return ret;
- }
+ addrs.len = 0;
+ addrs.val = NULL;
+ paddrs = &addrs;
+
+ {
+ krb5_boolean noaddr;
+ krb5_appdefault_boolean(context, NULL, realm,
+ "no-addresses", KRB5_ADDRESSLESS_DEFAULT,
+ &noaddr);
+ if (noaddr)
+ paddrs = NULL;
}
+
+ /*
+ * If tickets are address-less, forward address-less tickets.
+ */
+
+ if (paddrs) {
+ ret = _krb5_get_krbtgt (context,
+ ccache,
+ realm,
+ &ticket);
+ if(ret == 0) {
+ if (ticket->addresses.len == 0)
+ paddrs = NULL;
+ krb5_free_creds (context, ticket);
+ }
+ }
+
+ if (paddrs != NULL) {
+ ret = getaddrinfo (hostname, NULL, NULL, &ai);
+ if (ret) {
+ save_errno = errno;
+ krb5_set_error_string(context, "resolving %s: %s",
+ hostname, gai_strerror(ret));
+ return krb5_eai_to_heim_errno(ret, save_errno);
+ }
+
+ ret = add_addrs (context, &addrs, ai);
+ freeaddrinfo (ai);
+ if (ret)
+ return ret;
+ }
+
kdc_flags.b = int2KDCOptions(flags);
ret = krb5_get_kdc_cred (context,
diff --git a/source4/heimdal/lib/krb5/mk_req.c b/source4/heimdal/lib/krb5/mk_req.c
index 44e5d9c222..adc077e13f 100644
--- a/source4/heimdal/lib/krb5/mk_req.c
+++ b/source4/heimdal/lib/krb5/mk_req.c
@@ -64,9 +64,7 @@ krb5_mk_req_exact(krb5_context context,
if (auth_context && *auth_context && (*auth_context)->keytype)
this_cred.session.keytype = (*auth_context)->keytype;
- /* This is the network contact with the KDC */
ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
-
krb5_free_cred_contents(context, &this_cred);
if (ret)
return ret;
diff --git a/source4/heimdal/lib/krb5/store_mem.c b/source4/heimdal/lib/krb5/store_mem.c
index decf74adce..d2b6d18252 100644
--- a/source4/heimdal/lib/krb5/store_mem.c
+++ b/source4/heimdal/lib/krb5/store_mem.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
-RCSID("$Id: store_mem.c,v 1.12 2004/05/25 21:44:17 lha Exp $");
+RCSID("$Id: store_mem.c,v 1.13 2006/11/07 23:02:53 lha Exp $");
typedef struct mem_storage{
unsigned char *base;
@@ -64,6 +64,12 @@ mem_store(krb5_storage *sp, const void *data, size_t size)
return size;
}
+static ssize_t
+mem_no_store(krb5_storage *sp, const void *data, size_t size)
+{
+ return -1;
+}
+
static off_t
mem_seek(krb5_storage *sp, off_t offset, int whence)
{
@@ -117,3 +123,28 @@ krb5_storage_from_data(krb5_data *data)
{
return krb5_storage_from_mem(data->data, data->length);
}
+
+krb5_storage * KRB5_LIB_FUNCTION
+krb5_storage_from_readonly_mem(const void *buf, size_t len)
+{
+ krb5_storage *sp = malloc(sizeof(krb5_storage));
+ mem_storage *s;
+ if(sp == NULL)
+ return NULL;
+ s = malloc(sizeof(*s));
+ if(s == NULL) {
+ free(sp);
+ return NULL;
+ }
+ sp->data = s;
+ sp->flags = 0;
+ sp->eof_code = HEIM_ERR_EOF;
+ s->base = rk_UNCONST(buf);
+ s->size = len;
+ s->ptr = rk_UNCONST(buf);
+ sp->fetch = mem_fetch;
+ sp->store = mem_no_store;
+ sp->seek = mem_seek;
+ sp->free = NULL;
+ return sp;
+}