From a925f039ee382df0f3be434108416bab0d17e8c0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 1 Aug 2008 07:08:51 +0200 Subject: heimdal: update to lorikeet-heimdal rev 801 metze (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b) --- .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 75 +++++- .../heimdal/lib/gssapi/krb5/delete_sec_context.c | 4 +- source4/heimdal/lib/gssapi/krb5/display_status.c | 4 +- source4/heimdal/lib/gssapi/krb5/external.c | 177 +++++++++----- source4/heimdal/lib/gssapi/krb5/get_mic.c | 6 +- source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h | 11 +- .../heimdal/lib/gssapi/krb5/import_sec_context.c | 8 +- source4/heimdal/lib/gssapi/krb5/init_sec_context.c | 272 +++++++++++++++------ source4/heimdal/lib/gssapi/krb5/set_cred_option.c | 2 +- .../lib/gssapi/krb5/set_sec_context_option.c | 61 ++++- source4/heimdal/lib/gssapi/krb5/unwrap.c | 8 +- source4/heimdal/lib/gssapi/krb5/verify_mic.c | 6 +- source4/heimdal/lib/gssapi/krb5/wrap.c | 14 +- 13 files changed, 473 insertions(+), 175 deletions(-) (limited to 'source4/heimdal/lib/gssapi/krb5') diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index 73b93ceba4..8dbd087da6 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $"); +RCSID("$Id: accept_sec_context.c 23433 2008-07-26 18:44:26Z lha $"); HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab _gsskrb5_keytab; @@ -250,6 +250,62 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status, return GSS_S_COMPLETE; } +static OM_uint32 +send_error_token(OM_uint32 *minor_status, + krb5_context context, + krb5_error_code kret, + krb5_principal server, + krb5_data *indata, + gss_buffer_t output_token) +{ + krb5_principal ap_req_server = NULL; + krb5_error_code ret; + krb5_data outbuf; + + /* build server from request if the acceptor had not selected one */ + if (server == NULL) { + AP_REQ ap_req; + + ret = krb5_decode_ap_req(context, indata, &ap_req); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + ret = _krb5_principalname2krb5_principal(context, + &ap_req_server, + ap_req.ticket.sname, + ap_req.ticket.realm); + free_AP_REQ(&ap_req); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + server = ap_req_server; + } + + ret = krb5_mk_error(context, kret, NULL, NULL, NULL, + server, NULL, NULL, &outbuf); + if (ap_req_server) + krb5_free_principal(context, ap_req_server); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + ret = _gsskrb5_encapsulate(minor_status, + &outbuf, + output_token, + "\x03\x00", + GSS_KRB5_MECHANISM); + krb5_data_free (&outbuf); + if (ret) + return ret; + + *minor_status = 0; + return GSS_S_CONTINUE_NEEDED; +} + + static OM_uint32 gsskrb5_acceptor_start(OM_uint32 * minor_status, gsskrb5_ctx ctx, @@ -304,6 +360,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, { krb5_rd_req_in_ctx in = NULL; krb5_rd_req_out_ctx out = NULL; + krb5_principal server = NULL; + + if (acceptor_cred) + server = acceptor_cred->principal; kret = krb5_rd_req_in_ctx_alloc(context, &in); if (kret == 0) @@ -319,17 +379,20 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, kret = krb5_rd_req_ctx(context, &ctx->auth_context, &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal, + server, in, &out); krb5_rd_req_in_ctx_free(context, in); if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; + /* + * No reply in non-MUTUAL mode, but we don't know that its + * non-MUTUAL mode yet, thats inside the 8003 checksum. + */ + return send_error_token(minor_status, context, kret, + server, &indata, output_token); } /* - * We need to remember some data on the context_handle. + * we need to remember some data on the context_handle. */ kret = krb5_rd_req_out_get_ap_req_options(context, out, &ap_options); diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c index abad986550..9c618ac6a6 100644 --- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: delete_sec_context.c 23420 2008-07-26 18:37:48Z lha $"); OM_uint32 _gsskrb5_delete_sec_context(OM_uint32 * minor_status, @@ -61,6 +61,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status, HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_free (context, ctx->auth_context); + if (ctx->kcred) + krb5_free_creds(context, ctx->kcred); if(ctx->source) krb5_free_principal (context, ctx->source); if(ctx->target) diff --git a/source4/heimdal/lib/gssapi/krb5/display_status.c b/source4/heimdal/lib/gssapi/krb5/display_status.c index c0192522a7..f932261ffa 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_status.c +++ b/source4/heimdal/lib/gssapi/krb5/display_status.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: display_status.c 23316 2008-06-23 04:32:32Z lha $"); static const char * calling_error(OM_uint32 v) @@ -135,7 +135,7 @@ _gsskrb5_set_status (const char *fmt, ...) vasprintf(&str, fmt, args); va_end(args); if (str) { - krb5_set_error_string(context, str); + krb5_set_error_message(context, 0, str); free(str); } } diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index 03fe61dc57..2ee018708a 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -34,7 +34,7 @@ #include "krb5/gsskrb5_locl.h" #include -RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $"); +RCSID("$Id: external.c 23420 2008-07-26 18:37:48Z lha $"); /* * The implementation must reserve static storage for a @@ -49,9 +49,10 @@ RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $"); */ static gss_OID_desc gss_c_nt_user_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")}; -gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_USER_NAME = + &gss_c_nt_user_name_oid_desc; /* * The implementation must reserve static storage for a @@ -66,9 +67,10 @@ gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; */ static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")}; -gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_MACHINE_UID_NAME = + &gss_c_nt_machine_uid_name_oid_desc; /* * The implementation must reserve static storage for a @@ -83,9 +85,10 @@ gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; */ static gss_OID_desc gss_c_nt_string_uid_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")}; -gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_STRING_UID_NAME = + &gss_c_nt_string_uid_name_oid_desc; /* * The implementation must reserve static storage for a @@ -106,9 +109,10 @@ gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; */ static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")}; + {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")}; -gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE_X = + &gss_c_nt_hostbased_service_x_oid_desc; /* * The implementation must reserve static storage for a @@ -122,9 +126,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc; * to point to that gss_OID_desc. */ static gss_OID_desc gss_c_nt_hostbased_service_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")}; -gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE = + &gss_c_nt_hostbased_service_oid_desc; /* * The implementation must reserve static storage for a @@ -138,9 +143,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc; */ static gss_OID_desc gss_c_nt_anonymous_oid_desc = -{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")}; + {6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")}; -gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_ANONYMOUS = + &gss_c_nt_anonymous_oid_desc; /* * The implementation must reserve static storage for a @@ -154,9 +160,10 @@ gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc; */ static gss_OID_desc gss_c_nt_export_name_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") }; + {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") }; -gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_EXPORT_NAME = + &gss_c_nt_export_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -166,9 +173,10 @@ gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc; */ static gss_OID_desc gss_krb5_nt_principal_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") }; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") }; -gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_PRINCIPAL_NAME = + &gss_krb5_nt_principal_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -177,7 +185,8 @@ gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc; * type is "GSS_KRB5_NT_USER_NAME". */ -gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_USER_NAME = + &gss_c_nt_user_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -186,7 +195,8 @@ gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */ -gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_MACHINE_UID_NAME = + &gss_c_nt_machine_uid_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -195,7 +205,8 @@ gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ -gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_STRING_UID_NAME = + &gss_c_nt_string_uid_name_oid_desc; /* * To support ongoing experimentation, testing, and evolution of the @@ -217,14 +228,15 @@ gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; #if 0 /* This is the old OID */ static gss_OID_desc gss_krb5_mechanism_oid_desc = -{5, rk_UNCONST("\x2b\x05\x01\x05\x02")}; + {5, rk_UNCONST("\x2b\x05\x01\x05\x02")}; #endif static gss_OID_desc gss_krb5_mechanism_oid_desc = -{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; -gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_MECHANISM = + &gss_krb5_mechanism_oid_desc; /* * draft-ietf-cat-iakerb-09, IAKERB: @@ -240,23 +252,26 @@ gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; */ static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc = -{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")}; + {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")}; -gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_PROXY_MECHANISM = + &gss_iakerb_proxy_mechanism_oid_desc; static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc = -{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") }; + {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") }; -gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_MIN_MSG_MECHANISM = + &gss_iakerb_min_msg_mechanism_oid_desc; /* * */ static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc = -{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; + {9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; -gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_PEER_HAS_UPDATED_SPNEGO = + &gss_c_peer_has_updated_spnego_oid_desc; /* * 1.2.752.43.13 Heimdal GSS-API Extentions @@ -264,111 +279,143 @@ gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; /* 1.2.752.43.13.1 */ static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")}; -gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COPY_CCACHE_X = + &gss_krb5_copy_ccache_x_oid_desc; /* 1.2.752.43.13.2 */ static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")}; -gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TKT_FLAGS_X = + &gss_krb5_get_tkt_flags_x_oid_desc; /* 1.2.752.43.13.3 */ static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")}; -gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = + &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; /* 1.2.752.43.13.4 */ static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")}; -gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COMPAT_DES3_MIC_X = + &gss_krb5_compat_des3_mic_x_oid_desc; /* 1.2.752.43.13.5 */ static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; -gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = + &gss_krb5_register_acceptor_identity_x_desc; /* 1.2.752.43.13.6 */ static gss_OID_desc gss_krb5_export_lucid_context_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")}; -gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_X = + &gss_krb5_export_lucid_context_x_desc; /* 1.2.752.43.13.6.1 */ static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc = -{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")}; + {7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")}; -gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = + &gss_krb5_export_lucid_context_v1_x_desc; /* 1.2.752.43.13.7 */ static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")}; -gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DNS_CANONICALIZE_X = + &gss_krb5_set_dns_canonicalize_x_desc; /* 1.2.752.43.13.8 */ static gss_OID_desc gss_krb5_get_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")}; -gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SUBKEY_X = + &gss_krb5_get_subkey_x_desc; /* 1.2.752.43.13.9 */ static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")}; -gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_INITIATOR_SUBKEY_X = + &gss_krb5_get_initiator_subkey_x_desc; /* 1.2.752.43.13.10 */ static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")}; -gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = + &gss_krb5_get_acceptor_subkey_x_desc; /* 1.2.752.43.13.11 */ static gss_OID_desc gss_krb5_send_to_kdc_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")}; -gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SEND_TO_KDC_X = + &gss_krb5_send_to_kdc_x_desc; /* 1.2.752.43.13.12 */ static gss_OID_desc gss_krb5_get_authtime_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")}; -gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_AUTHTIME_X = + &gss_krb5_get_authtime_x_desc; /* 1.2.752.43.13.13 */ static gss_OID_desc gss_krb5_get_service_keyblock_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; -gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SERVICE_KEYBLOCK_X = + &gss_krb5_get_service_keyblock_x_desc; /* 1.2.752.43.13.14 */ static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")}; -gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = + &gss_krb5_set_allowable_enctypes_x_desc; /* 1.2.752.43.13.15 */ static gss_OID_desc gss_krb5_set_default_realm_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")}; -gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DEFAULT_REALM_X = + &gss_krb5_set_default_realm_x_desc; /* 1.2.752.43.13.16 */ static gss_OID_desc gss_krb5_ccache_name_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")}; -gss_OID GSS_KRB5_CCACHE_NAME_X = &gss_krb5_ccache_name_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_CCACHE_NAME_X = + &gss_krb5_ccache_name_x_desc; + +/* 1.2.752.43.13.17 */ +static gss_OID_desc gss_krb5_set_time_offset_x_desc = + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")}; + +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_TIME_OFFSET_X = + &gss_krb5_set_time_offset_x_desc; + +/* 1.2.752.43.13.18 */ +static gss_OID_desc gss_krb5_get_time_offset_x_desc = + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")}; + +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TIME_OFFSET_X = + &gss_krb5_get_time_offset_x_desc; /* 1.2.752.43.14.1 */ static gss_OID_desc gss_sasl_digest_md5_mechanism_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; -gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_SASL_DIGEST_MD5_MECHANISM = + &gss_sasl_digest_md5_mechanism_desc; /* * Context for krb5 calls. diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c index 133481ffe1..f689e624a8 100644 --- a/source4/heimdal/lib/gssapi/krb5/get_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: get_mic.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: get_mic.c 23112 2008-04-27 18:51:26Z lha $"); static OM_uint32 mic_des @@ -88,7 +88,7 @@ mic_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); memcpy (p - 8, hash, 8); /* SGN_CKSUM */ @@ -108,7 +108,7 @@ mic_des (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h index 3e8c1b8fa6..d9af44f960 100644 --- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gsskrb5_locl.h 22655 2008-02-26 12:40:35Z lha $ */ +/* $Id: gsskrb5_locl.h 23435 2008-07-26 20:49:35Z lha $ */ #ifndef GSSKRB5_LOCL_H #define GSSKRB5_LOCL_H @@ -62,11 +62,14 @@ typedef struct { enum { LOCAL = 1, OPEN = 2, COMPAT_OLD_DES3 = 4, COMPAT_OLD_DES3_SELECTED = 8, - ACCEPTOR_SUBKEY = 16 + ACCEPTOR_SUBKEY = 16, + RETRIED = 32, + CLOSE_CCACHE = 64 } more_flags; enum gss_ctx_id_t_state { /* initiator states */ INITIATOR_START, + INITIATOR_RESTART, INITIATOR_WAIT_FOR_MUTAL, INITIATOR_READY, /* acceptor states */ @@ -74,6 +77,8 @@ typedef struct { ACCEPTOR_WAIT_FOR_DCESTYLE, ACCEPTOR_READY } state; + krb5_creds *kcred; + krb5_ccache ccache; struct krb5_ticket *ticket; OM_uint32 lifetime; HEIMDAL_MUTEX ctx_id_mutex; diff --git a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c index 3300036a81..5fd8c94104 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: import_sec_context.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: import_sec_context.c 22997 2008-04-15 19:36:25Z lha $"); OM_uint32 _gsskrb5_import_sec_context ( @@ -52,8 +52,7 @@ _gsskrb5_import_sec_context ( krb5_data data; gss_buffer_desc buffer; krb5_keyblock keyblock; - int32_t tmp; - int32_t flags; + int32_t flags, tmp; gsskrb5_ctx ctx; gss_name_t name; @@ -96,8 +95,9 @@ _gsskrb5_import_sec_context ( /* retrieve the auth context */ ac = ctx->auth_context; - if (krb5_ret_uint32 (sp, &ac->flags) != 0) + if (krb5_ret_int32 (sp, &tmp) != 0) goto failure; + ac->flags = tmp; if (flags & SC_LOCAL_ADDRESS) { if (krb5_ret_address (sp, localp = &local) != 0) goto failure; diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index c455a5dc8b..c9b9e15588 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: init_sec_context.c 22671 2008-03-09 23:57:54Z lha $"); +RCSID("$Id: init_sec_context.c 23422 2008-07-26 18:38:29Z lha $"); /* * copy the addresses from `input_chan_bindings' (if any) to @@ -121,6 +121,8 @@ _gsskrb5_create_ctx( ctx->auth_context = NULL; ctx->source = NULL; ctx->target = NULL; + ctx->kcred = NULL; + ctx->ccache = NULL; ctx->state = state; ctx->flags = 0; ctx->more_flags = 0; @@ -134,9 +136,7 @@ _gsskrb5_create_ctx( kret = krb5_auth_con_init (context, &ctx->auth_context); if (kret) { *minor_status = kret; - HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); - return GSS_S_FAILURE; } @@ -232,27 +232,32 @@ gsskrb5_initiator_ready( gsskrb5_ctx ctx, krb5_context context) { - OM_uint32 ret; - int32_t seq_number; - int is_cfx = 0; - OM_uint32 flags = ctx->flags; - - krb5_auth_getremoteseqnumber (context, - ctx->auth_context, - &seq_number); - - _gsskrb5i_is_cfx(ctx, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &ctx->order, - _gssapi_msg_order_f(flags), - seq_number, 0, is_cfx); - if (ret) return ret; + OM_uint32 ret; + int32_t seq_number; + int is_cfx = 0; + OM_uint32 flags = ctx->flags; + + krb5_free_creds(context, ctx->kcred); + ctx->kcred = NULL; - ctx->state = INITIATOR_READY; - ctx->more_flags |= OPEN; + if (ctx->more_flags & CLOSE_CCACHE) + krb5_cc_close(context, ctx->ccache); + ctx->ccache = NULL; - return GSS_S_COMPLETE; + krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number); + + _gsskrb5i_is_cfx(ctx, &is_cfx); + + ret = _gssapi_msg_order_create(minor_status, + &ctx->order, + _gssapi_msg_order_f(flags), + seq_number, 0, is_cfx); + if (ret) return ret; + + ctx->state = INITIATOR_READY; + ctx->more_flags |= OPEN; + + return GSS_S_COMPLETE; } /* @@ -333,7 +338,6 @@ init_auth const gss_OID mech_type, OM_uint32 req_flags, OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, const gss_buffer_t input_token, gss_OID * actual_mech_type, gss_buffer_t output_token, @@ -343,14 +347,7 @@ init_auth { OM_uint32 ret = GSS_S_FAILURE; krb5_error_code kret; - krb5_flags ap_options; - krb5_creds *kcred = NULL; krb5_data outbuf; - krb5_ccache ccache = NULL; - uint32_t flags; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; krb5_data fwd_data; OM_uint32 lifetime_rec; @@ -363,16 +360,17 @@ init_auth *actual_mech_type = GSS_KRB5_MECHANISM; if (cred == NULL) { - kret = krb5_cc_default (context, &ccache); + kret = krb5_cc_default (context, &ctx->ccache); if (kret) { *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } + ctx->more_flags |= CLOSE_CCACHE; } else - ccache = cred->ccache; + ctx->ccache = cred->ccache; - kret = krb5_cc_get_principal (context, ccache, &ctx->source); + kret = krb5_cc_get_principal (context, ctx->ccache, &ctx->source); if (kret) { *minor_status = kret; ret = GSS_S_FAILURE; @@ -407,16 +405,16 @@ init_auth ret = gsskrb5_get_creds(minor_status, context, - ccache, + ctx->ccache, ctx, ctx->target, time_req, time_rec, - &kcred); + &ctx->kcred); if (ret) goto failure; - ctx->lifetime = kcred->times.endtime; + ctx->lifetime = ctx->kcred->times.endtime; ret = _gsskrb5_lifetime_left(minor_status, context, @@ -434,17 +432,59 @@ init_auth krb5_auth_con_setkey(context, ctx->auth_context, - &kcred->session); + &ctx->kcred->session); kret = krb5_auth_con_generatelocalsubkey(context, ctx->auth_context, - &kcred->session); + &ctx->kcred->session); if(kret) { *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - + + return GSS_S_COMPLETE; + +failure: + if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE)) + krb5_cc_close(context, ctx->ccache); + ctx->ccache = NULL; + + return ret; + +} + +static OM_uint32 +init_auth_restart +(OM_uint32 * minor_status, + gsskrb5_cred cred, + gsskrb5_ctx ctx, + krb5_context context, + OM_uint32 req_flags, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + OM_uint32 ret = GSS_S_FAILURE; + krb5_error_code kret; + krb5_flags ap_options; + krb5_data outbuf; + uint32_t flags; + krb5_data authenticator; + Checksum cksum; + krb5_enctype enctype; + krb5_data fwd_data, timedata; + int32_t offset = 0, oldoffset; + + krb5_data_zero(&outbuf); + krb5_data_zero(&fwd_data); + + *minor_status = 0; + /* * If the credential doesn't have ok-as-delegate, check what local * policy say about ok-as-delegate, default is FALSE that makes @@ -452,12 +492,24 @@ init_auth * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the * KDC doesn't set ok-as-delegate. */ - if (!kcred->flags.b.ok_as_delegate) { - krb5_boolean delegate; + if (!ctx->kcred->flags.b.ok_as_delegate) { + krb5_boolean delegate, realm_setting; + krb5_data data; - krb5_appdefault_boolean(context, - "gssapi", name->realm, - "ok-as-delegate", FALSE, &delegate); + realm_setting = FALSE; + + ret = krb5_cc_get_config(context, ctx->ccache, NULL, + "realm-config", &data); + if (ret == 0) { + /* XXX 1 is use ok-as-delegate */ + if (data.length > 0 && (((unsigned char *)data.data)[0]) & 1) + realm_setting = TRUE; + krb5_data_free(&data); + } + + krb5_appdefault_boolean(context, "gssapi", ctx->target->realm, + "ok-as-delegate", realm_setting, + &delegate); if (delegate) req_flags &= ~GSS_C_DELEG_FLAG; } @@ -467,7 +519,8 @@ init_auth if (req_flags & GSS_C_DELEG_FLAG) do_delegation (context, ctx->auth_context, - ccache, kcred, name, &fwd_data, &flags); + ctx->ccache, ctx->kcred, ctx->target, + &fwd_data, &flags); if (req_flags & GSS_C_MUTUAL_FLAG) { flags |= GSS_C_MUTUAL_FLAG; @@ -518,16 +571,33 @@ init_auth enctype = ctx->auth_context->keyblock->keytype; + ret = krb5_cc_get_config(context, ctx->ccache, ctx->target, + "time-offset", &timedata); + if (ret == 0) { + if (timedata.length == 4) { + const u_char *p = timedata.data; + offset = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0); + } + krb5_data_free(&timedata); + } + + if (offset) { + krb5_get_kdc_sec_offset (context, &oldoffset, NULL); + krb5_set_kdc_sec_offset (context, offset, -1); + } + kret = krb5_build_authenticator (context, ctx->auth_context, enctype, - kcred, + ctx->kcred, &cksum, NULL, &authenticator, KRB5_KU_AP_REQ_AUTH); if (kret) { + if (offset) + krb5_set_kdc_sec_offset (context, oldoffset, -1); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; @@ -535,11 +605,12 @@ init_auth kret = krb5_build_ap_req (context, enctype, - kcred, + ctx->kcred, ap_options, authenticator, &outbuf); - + if (offset) + krb5_set_kdc_sec_offset (context, oldoffset, -1); if (kret) { *minor_status = kret; ret = GSS_S_FAILURE; @@ -552,16 +623,12 @@ init_auth } else { ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); + krb5_data_free (&outbuf); if (ret) goto failure; - - krb5_data_free (&outbuf); } - krb5_free_creds(context, kcred); free_Checksum(&cksum); - if (cred == NULL) - krb5_cc_close(context, ccache); if (flags & GSS_C_MUTUAL_FLAG) { ctx->state = INITIATOR_WAIT_FOR_MUTAL; @@ -570,15 +637,14 @@ init_auth return gsskrb5_initiator_ready(minor_status, ctx, context); failure: - if(kcred) - krb5_free_creds(context, kcred); - if (ccache && cred == NULL) - krb5_cc_close(context, ccache); + if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE)) + krb5_cc_close(context, ctx->ccache); + ctx->ccache = NULL; return ret; - } + static OM_uint32 repl_mutual (OM_uint32 * minor_status, @@ -617,8 +683,46 @@ repl_mutual &indata, "\x02\x00", GSS_KRB5_MECHANISM); - if (ret) { - /* XXX - Handle AP_ERROR */ + if (ret == GSS_S_DEFECTIVE_TOKEN) { + /* check if there is an error token sent instead */ + ret = _gsskrb5_decapsulate (minor_status, + input_token, + &indata, + "\x03\x00", + GSS_KRB5_MECHANISM); + if (ret == GSS_S_COMPLETE) { + KRB_ERROR error; + + kret = krb5_rd_error(context, &indata, &error); + if (kret == 0) { + kret = krb5_error_from_rd_error(context, &error, NULL); + + /* save the time skrew for this host */ + if (kret == KRB5KRB_AP_ERR_SKEW) { + krb5_data timedata; + unsigned char p[4]; + int32_t t = error.stime - time(NULL); + + p[0] = (t >> 24) & 0xFF; + p[1] = (t >> 16) & 0xFF; + p[2] = (t >> 8) & 0xFF; + p[3] = (t >> 0) & 0xFF; + + timedata.data = p; + timedata.length = sizeof(p); + + krb5_cc_set_config(context, ctx->ccache, ctx->target, + "time-offset", &timedata); + + if ((ctx->more_flags & RETRIED) == 0) + ctx->state = INITIATOR_RESTART; + ctx->more_flags |= RETRIED; + } + free_KRB_ERROR (&error); + } + *minor_status = kret; + return GSS_S_FAILURE; + } return ret; } } @@ -661,30 +765,31 @@ repl_mutual *ret_flags = ctx->flags; if (req_flags & GSS_C_DCE_STYLE) { - int32_t con_flags; + int32_t local_seq, remote_seq; krb5_data outbuf; - /* Do don't do sequence number for the mk-rep */ - krb5_auth_con_removeflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - &con_flags); + /* + * So DCE_STYLE is strange. The client echos the seq number + * that the server used in the server's mk_rep in its own + * mk_rep(). After when done, it resets to it's own seq number + * for the gss_wrap calls. + */ - kret = krb5_mk_rep(context, - ctx->auth_context, - &outbuf); + krb5_auth_getremoteseqnumber(context, ctx->auth_context, &remote_seq); + krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &local_seq); + krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, remote_seq); + + kret = krb5_mk_rep(context, ctx->auth_context, &outbuf); if (kret) { *minor_status = kret; return GSS_S_FAILURE; } + /* reset local seq number */ + krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); + output_token->length = outbuf.length; output_token->value = outbuf.data; - - krb5_auth_con_removeflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); } return gsskrb5_initiator_ready(minor_status, ctx, context); @@ -768,6 +873,7 @@ OM_uint32 _gsskrb5_init_sec_context HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + again: switch (ctx->state) { case INITIATOR_START: ret = init_auth(minor_status, @@ -778,12 +884,26 @@ OM_uint32 _gsskrb5_init_sec_context mech_type, req_flags, time_req, - input_chan_bindings, input_token, actual_mech_type, output_token, ret_flags, time_rec); + if (ret != GSS_S_COMPLETE) + break; + /* FALL THOUGH */ + case INITIATOR_RESTART: + ret = init_auth_restart(minor_status, + cred, + ctx, + context, + req_flags, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); break; case INITIATOR_WAIT_FOR_MUTAL: ret = repl_mutual(minor_status, @@ -798,6 +918,8 @@ OM_uint32 _gsskrb5_init_sec_context output_token, ret_flags, time_rec); + if (ctx->state == INITIATOR_RESTART) + goto again; break; case INITIATOR_READY: /* diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index 85b50d0322..8c554fb8e0 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -32,7 +32,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: set_cred_option.c 22655 2008-02-26 12:40:35Z lha $"); +RCSID("$Id: set_cred_option.c 23331 2008-06-27 12:01:48Z lha $"); /* 1.2.752.43.13.17 */ static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc = diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 50441a11ad..fd76838af5 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -36,7 +36,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: set_sec_context_option.c 20384 2007-04-18 08:51:06Z lha $"); +RCSID("$Id: set_sec_context_option.c 23420 2008-07-26 18:37:48Z lha $"); static OM_uint32 get_bool(OM_uint32 *minor_status, @@ -70,6 +70,36 @@ get_string(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +static OM_uint32 +get_int32(OM_uint32 *minor_status, + const gss_buffer_t value, + OM_uint32 *ret) +{ + *minor_status = 0; + if (value == NULL || value->length == 0) + *ret = 0; + else if (value->length == sizeof(*ret)) + memcpy(ret, value->value, sizeof(*ret)); + else + return GSS_S_UNAVAILABLE; + + return GSS_S_COMPLETE; +} + +static OM_uint32 +set_int32(OM_uint32 *minor_status, + const gss_buffer_t value, + OM_uint32 set) +{ + *minor_status = 0; + if (value->length == sizeof(set)) + memcpy(value->value, &set, sizeof(set)); + else + return GSS_S_UNAVAILABLE; + + return GSS_S_COMPLETE; +} + OM_uint32 _gsskrb5_set_sec_context_option (OM_uint32 *minor_status, @@ -185,6 +215,35 @@ _gsskrb5_set_sec_context_option return GSS_S_FAILURE; return GSS_S_COMPLETE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) { + OM_uint32 offset; + time_t t; + + maj_stat = get_int32(minor_status, value, &offset); + if (maj_stat != GSS_S_COMPLETE) + return maj_stat; + + t = time(NULL) + offset; + + krb5_set_real_time(context, t, 0); + + *minor_status = 0; + return GSS_S_COMPLETE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) { + krb5_timestamp sec; + int32_t usec; + time_t t; + + t = time(NULL); + + krb5_us_timeofday (context, &sec, &usec); + + maj_stat = set_int32(minor_status, value, sec - t); + if (maj_stat != GSS_S_COMPLETE) + return maj_stat; + + *minor_status = 0; + return GSS_S_COMPLETE; } *minor_status = EINVAL; diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index d0a33d86fb..eec4078a70 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: unwrap.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: unwrap.c 23112 2008-04-27 18:51:26Z lha $"); static OM_uint32 unwrap_des @@ -93,7 +93,7 @@ unwrap_des for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); memset (&zero, 0, sizeof(zero)); DES_cbc_encrypt ((void *)p, (void *)p, @@ -119,7 +119,7 @@ unwrap_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); if (memcmp (p - 8, hash, 8) != 0) @@ -130,7 +130,7 @@ unwrap_des HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); p -= 16; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)hash, DES_DECRYPT); diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 52381afcc2..560c14bc89 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: verify_mic.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: verify_mic.c 23112 2008-04-27 18:51:26Z lha $"); static OM_uint32 verify_mic_des @@ -83,7 +83,7 @@ verify_mic_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); if (memcmp (p - 8, hash, 8) != 0) { @@ -97,7 +97,7 @@ verify_mic_des HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); p -= 16; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)hash, DES_DECRYPT); diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index d41379870a..6d00f2adcf 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: wrap.c 19035 2006-11-14 09:49:56Z lha $"); +RCSID("$Id: wrap.c 23316 2008-06-23 04:32:32Z lha $"); /* * Return initiator subkey, or if that doesn't exists, the subkey. @@ -61,7 +61,7 @@ _gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx, ctx->auth_context, key); if (ret == 0 && *key == NULL) { - krb5_set_error_string(context, "No initiator subkey available"); + krb5_set_error_message(context, 0, "No initiator subkey available"); return GSS_KRB5_S_KG_NO_SUBKEY; } return ret; @@ -85,7 +85,7 @@ _gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx, key); } if (ret == 0 && *key == NULL) { - krb5_set_error_string(context, "No acceptor subkey available"); + krb5_set_error_message(context, 0, "No acceptor subkey available"); return GSS_KRB5_S_KG_NO_SUBKEY; } return ret; @@ -106,7 +106,7 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx, _gsskrb5i_get_initiator_subkey(ctx, context, key); } if (*key == NULL) { - krb5_set_error_string(context, "No token key available"); + krb5_set_error_message(context, 0, "No token key available"); return GSS_KRB5_S_KG_NO_SUBKEY; } return 0; @@ -259,7 +259,7 @@ wrap_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); memcpy (p - 8, hash, 8); @@ -279,7 +279,7 @@ wrap_des (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); @@ -296,7 +296,7 @@ wrap_des for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); memset (&zero, 0, sizeof(zero)); DES_cbc_encrypt ((void *)p, (void *)p, -- cgit