From 1874c564db100600945c257b97d235757156dc24 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 13 Sep 2007 15:59:46 +0000 Subject: r25133: Fix sasl wrapping (for ldap sign&seal). The gss_import_name() broke as we switched from the internal MIT OID "gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE* bug") to pass the string principal directly. Jerry, Jeremy, neither I could figure out the need of passing in a krb5_principal at all nor could I reproduce the crash you were seeing. I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6, 1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1. Guenther (This used to be commit cb2dc715e33467c8b588161e816e72a948f6860c) --- source3/libads/sasl.c | 51 +++++---------------------------------------------- 1 file changed, 5 insertions(+), 46 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index a92bef7ecf..c4b383e026 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -607,9 +607,7 @@ failed: #ifdef HAVE_KRB5 struct ads_service_principal { - krb5_context ctx; char *string; - krb5_principal principal; #ifdef HAVE_GSSAPI gss_name_t name; #endif @@ -625,14 +623,6 @@ static void ads_free_service_principal(struct ads_service_principal *p) gss_release_name(&minor_status, &p->name); } #endif - if (p->principal) { - krb5_free_principal(p->ctx, p->principal); - } - - if (p->ctx) { - krb5_free_context(p->ctx); - } - ZERO_STRUCTP(p); } @@ -641,15 +631,10 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, struct ads_service_principal *p) { ADS_STATUS status; - krb5_enctype enc_types[] = { -#ifdef ENCTYPE_ARCFOUR_HMAC - ENCTYPE_ARCFOUR_HMAC, -#endif - ENCTYPE_DES_CBC_MD5, - ENCTYPE_NULL}; #ifdef HAVE_GSSAPI gss_buffer_desc input_name; - gss_OID_desc nt_principal = + /* GSS_KRB5_NT_PRINCIPAL_NAME */ + gss_OID_desc nt_principal = {10, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")}; uint32 minor_status; int gss_rc; @@ -678,35 +663,9 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, } } - initialize_krb5_error_table(); - status = ADS_ERROR_KRB5(krb5_init_context(&p->ctx)); - if (!ADS_ERR_OK(status)) { - ads_free_service_principal(p); - return status; - } - status = ADS_ERROR_KRB5(krb5_set_default_tgs_ktypes(p->ctx, enc_types)); - if (!ADS_ERR_OK(status)) { - ads_free_service_principal(p); - return status; - } - status = ADS_ERROR_KRB5(smb_krb5_parse_name(p->ctx, p->string, &p->principal)); - if (!ADS_ERR_OK(status)) { - ads_free_service_principal(p); - return status; - } - #ifdef HAVE_GSSAPI - /* - * The MIT libraries have a *HORRIBLE* bug - input_value.value needs - * to point to the *address* of the krb5_principal, and the gss libraries - * to a shallow copy of the krb5_principal pointer - so we need to keep - * the krb5_principal around until we do the gss_release_name. MIT *SUCKS* ! - * Just one more way in which MIT engineers screwed me over.... JRA. - * - * That's the reason for principal not beeing a local var in this function - */ - input_name.value = &p->principal; - input_name.length = sizeof(p->principal); + input_name.value = p->string; + input_name.length = strlen(p->string); gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name); if (gss_rc) { @@ -715,7 +674,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, } #endif - return status; + return ADS_SUCCESS; } /* -- cgit