From 3c1e780ec7e16dc6667402bbc65708bf9a5c062f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Nov 2006 06:59:56 +0000 Subject: r19604: This is a massive commit, and I appologise in advance for it's size. This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks. This is such a big change because Heimdal reorganised it's internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases. In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behavour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code). This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge. Andrew Bartlett (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 710 +++++++++++++++++++++++++++++ 1 file changed, 710 insertions(+) create mode 100644 source4/heimdal/lib/gssapi/mech/gss_krb5.c (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c new file mode 100644 index 0000000000..c6ea3cecb7 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -0,0 +1,710 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_krb5.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +#include "krb5/gsskrb5_locl.h" +RCSID("$Id: gss_krb5.c,v 1.13 2006/10/20 22:05:02 lha Exp $"); + +#include +#include + + +OM_uint32 +gss_krb5_copy_ccache(OM_uint32 *minor_status, + gss_cred_id_t cred, + krb5_ccache out) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + krb5_context context; + krb5_error_code kret; + krb5_ccache id; + OM_uint32 ret; + char *str; + + ret = gss_inquire_cred_by_oid(minor_status, + cred, + GSS_KRB5_COPY_CCACHE_X, + &data_set); + if (ret) + return ret; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + kret = krb5_init_context(&context); + if (kret) { + *minor_status = kret; + gss_release_buffer_set(minor_status, &data_set); + return GSS_S_FAILURE; + } + + kret = asprintf(&str, "%.*s", (int)data_set->elements[0].length, + (char *)data_set->elements[0].value); + gss_release_buffer_set(minor_status, &data_set); + if (kret == -1) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + kret = krb5_cc_resolve(context, str, &id); + free(str); + if (kret) { + *minor_status = kret; + return GSS_S_FAILURE; + } + + kret = krb5_cc_copy_cache(context, id, out); + krb5_cc_close(context, id); + krb5_free_context(context); + if (kret) { + *minor_status = kret; + return GSS_S_FAILURE; + } + + return ret; +} + +OM_uint32 +gss_krb5_import_cred(OM_uint32 *minor_status, + krb5_ccache id, + krb5_principal keytab_principal, + krb5_keytab keytab, + gss_cred_id_t *cred) +{ + gss_buffer_desc buffer; + OM_uint32 major_status; + krb5_context context; + krb5_error_code ret; + krb5_storage *sp; + krb5_data data; + char *str; + + *cred = GSS_C_NO_CREDENTIAL; + + ret = krb5_init_context(&context); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + sp = krb5_storage_emem(); + if (sp == NULL) { + *minor_status = ENOMEM; + major_status = GSS_S_FAILURE; + goto out; + } + + if (id) { + ret = krb5_cc_get_full_name(context, id, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + ret = krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + if (keytab_principal) { + ret = krb5_unparse_name(context, keytab_principal, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + + if (keytab) { + ret = krb5_kt_get_full_name(context, keytab, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + krb5_storage_to_data(sp, &data); + + buffer.value = data.data; + buffer.length = data.length; + + major_status = gss_set_cred_option(minor_status, + cred, + GSS_KRB5_IMPORT_CRED_X, + &buffer); + krb5_data_free(&data); +out: + if (sp) + krb5_storage_free(sp); + krb5_free_context(context); + return major_status; +} + +OM_uint32 +gsskrb5_register_acceptor_identity(const char *identity) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + + _gss_load_mech(); + + buffer.value = rk_UNCONST(identity); + buffer.length = strlen(identity); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + +OM_uint32 +gsskrb5_set_dns_canonicalize(int flag) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + char b = (flag != 0); + + _gss_load_mech(); + + buffer.value = &b; + buffer.length = sizeof(b); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_DNS_CANONICALIZE_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + + + +static krb5_error_code +set_key(krb5_keyblock *keyblock, gss_krb5_lucid_key_t *key) +{ + key->type = keyblock->keytype; + key->length = keyblock->keyvalue.length; + key->data = malloc(key->length); + if (key->data == NULL && key->length != 0) + return ENOMEM; + memcpy(key->data, keyblock->keyvalue.data, key->length); + return 0; +} + +static void +free_key(gss_krb5_lucid_key_t *key) +{ + memset(key->data, 0, key->length); + free(key->data); + memset(key, 0, sizeof(*key)); +} + + +OM_uint32 +gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **rctx) +{ + krb5_context context = NULL; + krb5_error_code ret; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 major_status; + gss_krb5_lucid_context_v1_t *ctx = NULL; + krb5_storage *sp = NULL; + uint32_t num; + + if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT || version != 1) { + ret = EINVAL; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + *context_handle, + GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_init_context(&context); + if (ret) + goto out; + + ctx = calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + ret = ENOMEM; + goto out; + } + + sp = krb5_storage_from_mem(data_set->elements[0].value, + data_set->elements[0].length); + if (sp == NULL) { + ret = ENOMEM; + goto out; + } + + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + if (num != 1) { + ret = EINVAL; + goto out; + } + ctx->version = 1; + /* initiator */ + ret = krb5_ret_uint32(sp, &ctx->initiate); + if (ret) goto out; + /* endtime */ + ret = krb5_ret_uint32(sp, &ctx->endtime); + if (ret) goto out; + /* send_seq */ + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->send_seq = ((uint64_t)num) << 32; + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->send_seq |= num; + /* recv_seq */ + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->recv_seq = ((uint64_t)num) << 32; + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->recv_seq |= num; + /* protocol */ + ret = krb5_ret_uint32(sp, &ctx->protocol); + if (ret) goto out; + if (ctx->protocol == 0) { + krb5_keyblock key; + + /* sign_alg */ + ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.sign_alg); + if (ret) goto out; + /* seal_alg */ + ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.seal_alg); + if (ret) goto out; + /* ctx_key */ + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->rfc1964_kd.ctx_key); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + } else if (ctx->protocol == 1) { + krb5_keyblock key; + + /* acceptor_subkey */ + ret = krb5_ret_uint32(sp, &ctx->cfx_kd.have_acceptor_subkey); + if (ret) goto out; + /* ctx_key */ + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->cfx_kd.ctx_key); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + /* acceptor_subkey */ + if (ctx->cfx_kd.have_acceptor_subkey) { + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->cfx_kd.acceptor_subkey); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + } + } else { + ret = EINVAL; + goto out; + } + + *rctx = ctx; + +out: + gss_release_buffer_set(minor_status, &data_set); + if (sp) + krb5_storage_free(sp); + if (context) + krb5_free_context(context); + + if (ret) { + if (ctx) + gss_krb5_free_lucid_sec_context(NULL, ctx); + + *minor_status = ret; + return GSS_S_FAILURE; + } + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) +{ + gss_krb5_lucid_context_v1_t *ctx = c; + + if (ctx->version != 1) { + if (minor_status) + *minor_status = 0; + return GSS_S_FAILURE; + } + + if (ctx->protocol == 0) { + free_key(&ctx->rfc1964_kd.ctx_key); + } else if (ctx->protocol == 1) { + free_key(&ctx->cfx_kd.ctx_key); + if (ctx->cfx_kd.have_acceptor_subkey) + free_key(&ctx->cfx_kd.acceptor_subkey); + } + free(ctx); + if (minor_status) + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + + _gss_load_mech(); + + if (c) { + buffer.value = c; + buffer.length = sizeof(*c); + } else { + buffer.value = NULL; + buffer.length = 0; + } + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SEND_TO_KDC_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + +OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + time_t *authtime) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 maj_stat; + krb5_error_code ret; + OM_uint32 time32; + + if (context_handle == GSS_C_NO_CONTEXT) { + _gsskrb5_set_status("no context handle"); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + maj_stat = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + GSS_KRB5_GET_AUTHTIME_X, + &data_set); + if (maj_stat) + return maj_stat; + + if (data_set == GSS_C_NO_BUFFER_SET) { + _gsskrb5_set_status("no buffers returned"); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->count != 1) { + _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->elements[0].length != 4) { + gss_release_buffer_set(minor_status, &data_set); + _gsskrb5_set_status("Error extracting authtime from security context: only got %d < 4 bytes", + data_set->elements[0].length); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ret = _gsskrb5_decode_om_uint32(data_set->elements[0].value, &time32); + if (ret) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = ret; + return GSS_S_FAILURE; + } + *authtime = time32; + + gss_release_buffer_set(minor_status, &data_set); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int ad_type, + gss_buffer_t ad_data) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 maj_stat; + gss_OID_desc authz_oid_flat; + heim_oid authz_oid; + heim_oid new_authz_oid; + size_t size; + + if (context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + /* All this to append an integer to an oid... */ + + if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length, + &authz_oid, NULL) != 0) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + new_authz_oid.length = authz_oid.length + 1; + new_authz_oid.components = malloc(new_authz_oid.length * sizeof(*new_authz_oid.components)); + if (!new_authz_oid.components) { + free(authz_oid.components); + + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + memcpy(new_authz_oid.components, authz_oid.components, + authz_oid.length * sizeof(*authz_oid.components)); + + free(authz_oid.components); + + new_authz_oid.components[new_authz_oid.length - 1] = ad_type; + + authz_oid_flat.length = der_length_oid(&new_authz_oid); + authz_oid_flat.elements = malloc(authz_oid_flat.length); + + if (!authz_oid_flat.elements) { + free(new_authz_oid.components); + + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + if (der_put_oid((unsigned char *)authz_oid_flat.elements + authz_oid_flat.length - 1, + authz_oid_flat.length, + &new_authz_oid, &size) != 0) { + free(new_authz_oid.components); + + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + free(new_authz_oid.components); + + /* FINALLY, we have the OID */ + + maj_stat = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + &authz_oid_flat, + &data_set); + + free(authz_oid_flat.elements); + + if (maj_stat) + return maj_stat; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ad_data->value = malloc(data_set->elements[0].length); + if (ad_data->value == NULL) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ad_data->length = data_set->elements[0].length; + memcpy(ad_data->value, data_set->elements[0].value, ad_data->length); + gss_release_buffer_set(minor_status, &data_set); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +static OM_uint32 +gsskrb5_extract_key(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + const gss_OID oid, + krb5_keyblock **keyblock) +{ + krb5_error_code ret; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 major_status; + krb5_storage *sp = NULL; + + ret = _gsskrb5_init(); + if(ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + if (context_handle == GSS_C_NO_CONTEXT) { + _gsskrb5_set_status("no context handle"); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + oid, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET) { + _gsskrb5_set_status("no buffers returned"); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->count != 1) { + _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + sp = krb5_storage_from_mem(data_set->elements[0].value, + data_set->elements[0].length); + if (sp == NULL) { + ret = ENOMEM; + goto out; + } + + *keyblock = calloc(1, sizeof(**keyblock)); + if (keyblock == NULL) { + ret = ENOMEM; + goto out; + } + + ret = krb5_ret_keyblock(sp, *keyblock); + +out: + gss_release_buffer_set(minor_status, &data_set); + if (sp) + krb5_storage_free(sp); + if (ret) { + _gsskrb5_set_error_string(); + if (keyblock) { + krb5_free_keyblock(_gsskrb5_context, *keyblock); + } + + *minor_status = ret; + return GSS_S_FAILURE; + } + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_SERVICE_KEYBLOCK_X, + keyblock); +} + +OM_uint32 +gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_INITIATOR_SUBKEY_X, + keyblock); +} + +OM_uint32 +gsskrb5_get_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_ACCEPTOR_SUBKEY_X, + keyblock); +} -- cgit From f722b0743811a4a5caf5288fa901cc8f683b9ffd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 8 Nov 2006 01:48:35 +0000 Subject: r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 108 +++++++++++++---------------- 1 file changed, 50 insertions(+), 58 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index c6ea3cecb7..fd66fb04f5 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,12 +27,11 @@ */ #include "mech_locl.h" -#include "krb5/gsskrb5_locl.h" -RCSID("$Id: gss_krb5.c,v 1.13 2006/10/20 22:05:02 lha Exp $"); +RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $"); #include #include - +#include "krb5/gsskrb5_locl.h" OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, @@ -264,7 +263,10 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, krb5_storage *sp = NULL; uint32_t num; - if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT || version != 1) { + if (context_handle == NULL + || *context_handle == GSS_C_NO_CONTEXT + || version != 1) + { ret = EINVAL; return GSS_S_FAILURE; } @@ -509,9 +511,8 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, { gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; OM_uint32 maj_stat; - gss_OID_desc authz_oid_flat; - heim_oid authz_oid; - heim_oid new_authz_oid; + gss_OID_desc oid_flat; + heim_oid baseoid, oid; size_t size; if (context_handle == GSS_C_NO_CONTEXT) { @@ -523,57 +524,55 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements, GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length, - &authz_oid, NULL) != 0) { + &baseoid, NULL) != 0) { *minor_status = EINVAL; return GSS_S_FAILURE; } - new_authz_oid.length = authz_oid.length + 1; - new_authz_oid.components = malloc(new_authz_oid.length * sizeof(*new_authz_oid.components)); - if (!new_authz_oid.components) { - free(authz_oid.components); + oid.length = baseoid.length + 1; + oid.components = calloc(oid.length, sizeof(*oid.components)); + if (oid.components == NULL) { + der_free_oid(&baseoid); *minor_status = ENOMEM; return GSS_S_FAILURE; } - memcpy(new_authz_oid.components, authz_oid.components, - authz_oid.length * sizeof(*authz_oid.components)); + memcpy(oid.components, baseoid.components, + baseoid.length * sizeof(*baseoid.components)); - free(authz_oid.components); + der_free_oid(&baseoid); - new_authz_oid.components[new_authz_oid.length - 1] = ad_type; - - authz_oid_flat.length = der_length_oid(&new_authz_oid); - authz_oid_flat.elements = malloc(authz_oid_flat.length); - - if (!authz_oid_flat.elements) { - free(new_authz_oid.components); + oid.components[oid.length - 1] = ad_type; + oid_flat.length = der_length_oid(&oid); + oid_flat.elements = malloc(oid_flat.length); + if (oid_flat.elements == NULL) { + free(oid.components); *minor_status = ENOMEM; return GSS_S_FAILURE; } - if (der_put_oid((unsigned char *)authz_oid_flat.elements + authz_oid_flat.length - 1, - authz_oid_flat.length, - &new_authz_oid, &size) != 0) { - free(new_authz_oid.components); + if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1, + oid_flat.length, &oid, &size) != 0) { + free(oid.components); *minor_status = EINVAL; return GSS_S_FAILURE; } + if (oid_flat.length != size) + abort(); - free(new_authz_oid.components); + free(oid.components); /* FINALLY, we have the OID */ - maj_stat = - gss_inquire_sec_context_by_oid (minor_status, - context_handle, - &authz_oid_flat, - &data_set); + maj_stat = gss_inquire_sec_context_by_oid (minor_status, + context_handle, + &oid_flat, + &data_set); - free(authz_oid_flat.elements); + free(oid_flat.elements); if (maj_stat) return maj_stat; @@ -608,20 +607,20 @@ gsskrb5_extract_key(OM_uint32 *minor_status, krb5_error_code ret; gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; OM_uint32 major_status; + krb5_context context = NULL; krb5_storage *sp = NULL; - ret = _gsskrb5_init(); + if (context_handle == GSS_C_NO_CONTEXT) { + ret = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_init_context(&context); if(ret) { *minor_status = ret; return GSS_S_FAILURE; } - if (context_handle == GSS_C_NO_CONTEXT) { - _gsskrb5_set_status("no context handle"); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - major_status = gss_inquire_sec_context_by_oid (minor_status, context_handle, @@ -630,15 +629,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status, if (major_status) return major_status; - if (data_set == GSS_C_NO_BUFFER_SET) { - _gsskrb5_set_status("no buffers returned"); - gss_release_buffer_set(minor_status, &data_set); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - if (data_set->count != 1) { - _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { gss_release_buffer_set(minor_status, &data_set); *minor_status = EINVAL; return GSS_S_FAILURE; @@ -663,16 +654,17 @@ out: gss_release_buffer_set(minor_status, &data_set); if (sp) krb5_storage_free(sp); - if (ret) { - _gsskrb5_set_error_string(); - if (keyblock) { - krb5_free_keyblock(_gsskrb5_context, *keyblock); - } + if (ret && keyblock) { + krb5_free_keyblock(context, *keyblock); + *keyblock = NULL; + } + if (context) + krb5_free_context(context); - *minor_status = ret; + *minor_status = ret; + if (ret) return GSS_S_FAILURE; - } - *minor_status = 0; + return GSS_S_COMPLETE; } @@ -705,6 +697,6 @@ gsskrb5_get_subkey(OM_uint32 *minor_status, { return gsskrb5_extract_key(minor_status, context_handle, - GSS_KRB5_GET_ACCEPTOR_SUBKEY_X, + GSS_KRB5_GET_SUBKEY_X, keyblock); } -- cgit From ed77e4e57beee0c9c8b0c4c75626c41ebfc5b0c4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 9 Nov 2006 00:33:43 +0000 Subject: r19644: Merge up to current lorikeet-heimdal, incling adding gsskrb5_set_default_realm(), which should fix mimir's issues. Andrew Bartlett (This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 79 ++++++++++++++++++++++++------ 1 file changed, 63 insertions(+), 16 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index fd66fb04f5..34cdbeb3c1 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,11 +27,11 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $"); +RCSID("$Id: gss_krb5.c,v 1.20 2006/11/08 23:11:03 lha Exp $"); #include #include -#include "krb5/gsskrb5_locl.h" + OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, @@ -416,6 +416,24 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) return GSS_S_COMPLETE; } +/* + * + */ + +OM_uint32 +gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, + gss_cred_id_t cred, + OM_uint32 num_enctypes, + krb5_enctype *enctypes) +{ + *minor_status = 0; + return GSS_S_COMPLETE; +} + +/* + * + */ + OM_uint32 gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) { @@ -443,6 +461,10 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) return (GSS_S_COMPLETE); } +/* + * + */ + OM_uint32 gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -450,11 +472,8 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, { gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; OM_uint32 maj_stat; - krb5_error_code ret; - OM_uint32 time32; if (context_handle == GSS_C_NO_CONTEXT) { - _gsskrb5_set_status("no context handle"); *minor_status = EINVAL; return GSS_S_FAILURE; } @@ -468,14 +487,12 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, return maj_stat; if (data_set == GSS_C_NO_BUFFER_SET) { - _gsskrb5_set_status("no buffers returned"); gss_release_buffer_set(minor_status, &data_set); *minor_status = EINVAL; return GSS_S_FAILURE; } if (data_set->count != 1) { - _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); gss_release_buffer_set(minor_status, &data_set); *minor_status = EINVAL; return GSS_S_FAILURE; @@ -483,26 +500,26 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, if (data_set->elements[0].length != 4) { gss_release_buffer_set(minor_status, &data_set); - _gsskrb5_set_status("Error extracting authtime from security context: only got %d < 4 bytes", - data_set->elements[0].length); *minor_status = EINVAL; return GSS_S_FAILURE; } - ret = _gsskrb5_decode_om_uint32(data_set->elements[0].value, &time32); - if (ret) { - gss_release_buffer_set(minor_status, &data_set); - *minor_status = ret; - return GSS_S_FAILURE; + { + unsigned char *buf = data_set->elements[0].value; + *authtime = (buf[3] <<24) | (buf[2] << 16) | + (buf[1] << 8) | (buf[0] << 0); } - *authtime = time32; gss_release_buffer_set(minor_status, &data_set); - + *minor_status = 0; return GSS_S_COMPLETE; } +/* + * + */ + OM_uint32 gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -598,6 +615,10 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +/* + * + */ + static OM_uint32 gsskrb5_extract_key(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -668,6 +689,10 @@ out: return GSS_S_COMPLETE; } +/* + * + */ + OM_uint32 gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -700,3 +725,25 @@ gsskrb5_get_subkey(OM_uint32 *minor_status, GSS_KRB5_GET_SUBKEY_X, keyblock); } + +OM_uint32 +gsskrb5_set_default_realm(const char *realm) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + + _gss_load_mech(); + + buffer.value = rk_UNCONST(realm); + buffer.length = strlen(realm); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_DEFAULT_REALM_X, &buffer); + } + + return (GSS_S_COMPLETE); +} -- cgit From 5a6288f45891be30bd8e22978f61faf487214de6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 13 Nov 2006 03:19:59 +0000 Subject: r19681: Update to current lorikeet-heimdal. I'm looking at using the realm lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO implementation. Andrew Bartlett (This used to be commit 05421f45ed7811697ea491e26c9d991a7faa1a64) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 38 ++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 5 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 34cdbeb3c1..76a2c2b637 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c,v 1.20 2006/11/08 23:11:03 lha Exp $"); +RCSID("$Id: gss_krb5.c,v 1.21 2006/11/10 00:57:27 lha Exp $"); #include #include @@ -421,13 +421,41 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) */ OM_uint32 -gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, +gss_krb5_set_allowable_enctypes(OM_uint32 *min_status, gss_cred_id_t cred, OM_uint32 num_enctypes, - krb5_enctype *enctypes) + int32_t *enctypes) { - *minor_status = 0; - return GSS_S_COMPLETE; + OM_uint32 maj_status; + gss_buffer_desc buffer; + krb5_storage *sp; + krb5_data data; + + sp = krb5_storage_emem(); + if (sp == NULL) { + *min_status = ENOMEM; + maj_status = GSS_S_FAILURE; + goto out; + } + + while(*enctypes) { + krb5_store_int32(sp, *enctypes); + enctypes++; + } + + krb5_storage_to_data(sp, &data); + + buffer.value = data.data; + buffer.length = data.length; + + maj_status = gss_set_cred_option(min_status, + &cred, + GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, + &buffer); +out: + if (sp) + krb5_storage_free(sp); + return maj_status; } /* -- cgit From 91adebe749beb0dc23cacaea316cb2b724776aad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 13 Jun 2007 05:44:24 +0000 Subject: r23456: Update Samba4 to current lorikeet-heimdal. Andrew Bartlett (This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 67 ++++++++++++++++++++++++++---- 1 file changed, 58 insertions(+), 9 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 76a2c2b637..2500928baf 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c,v 1.21 2006/11/10 00:57:27 lha Exp $"); +RCSID("$Id: gss_krb5.c 20383 2007-04-18 08:49:53Z lha $"); #include #include @@ -164,7 +164,12 @@ gss_krb5_import_cred(OM_uint32 *minor_status, goto out; } - krb5_storage_to_data(sp, &data); + ret = krb5_storage_to_data(sp, &data); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } buffer.value = data.data; buffer.length = data.length; @@ -421,37 +426,49 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) */ OM_uint32 -gss_krb5_set_allowable_enctypes(OM_uint32 *min_status, +gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_cred_id_t cred, OM_uint32 num_enctypes, int32_t *enctypes) { + krb5_error_code ret; OM_uint32 maj_status; gss_buffer_desc buffer; krb5_storage *sp; krb5_data data; + int i; sp = krb5_storage_emem(); if (sp == NULL) { - *min_status = ENOMEM; + *minor_status = ENOMEM; maj_status = GSS_S_FAILURE; goto out; } - while(*enctypes) { - krb5_store_int32(sp, *enctypes); - enctypes++; + for (i = 0; i < num_enctypes; i++) { + ret = krb5_store_int32(sp, enctypes[i]); + if (ret) { + *minor_status = ret; + maj_status = GSS_S_FAILURE; + goto out; + } } - krb5_storage_to_data(sp, &data); + ret = krb5_storage_to_data(sp, &data); + if (ret) { + *minor_status = ret; + maj_status = GSS_S_FAILURE; + goto out; + } buffer.value = data.data; buffer.length = data.length; - maj_status = gss_set_cred_option(min_status, + maj_status = gss_set_cred_option(minor_status, &cred, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, &buffer); + krb5_data_free(&data); out: if (sp) krb5_storage_free(sp); @@ -489,6 +506,38 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) return (GSS_S_COMPLETE); } +/* + * + */ + +OM_uint32 +gss_krb5_ccache_name(OM_uint32 *minor_status, + const char *name, + const char **out_name) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + + _gss_load_mech(); + + if (out_name) + *out_name = NULL; + + buffer.value = rk_UNCONST(name); + buffer.length = strlen(name); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_CCACHE_NAME_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + + /* * */ -- cgit From ec0035c9b8e0690f3bc21f3de089c39eae660916 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 3 Jul 2007 08:00:08 +0000 Subject: r23678: Update to current lorikeet-heimdal (-r 767), which should fix the panics on hosts without /dev/random. Andrew Bartlett (This used to be commit 14a4ddb131993fec72316f7e8e371638749e6f1f) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 2500928baf..9e77f42982 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c 20383 2007-04-18 08:49:53Z lha $"); +RCSID("$Id: gss_krb5.c 21123 2007-06-18 20:05:26Z lha $"); #include #include @@ -650,7 +650,7 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1, oid_flat.length, &oid, &size) != 0) { free(oid.components); - + free(oid_flat.elements); *minor_status = EINVAL; return GSS_S_FAILURE; } -- cgit From 9e6b0c28712ee77ce878809c8576826a3ba08d95 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 19 Mar 2008 10:17:42 +1100 Subject: Merge lorikeet-heimdal -r 787 into Samba4 tree. Andrew Bartlett (This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 43 ++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 9e77f42982..03081cb70f 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c 21123 2007-06-18 20:05:26Z lha $"); +RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $"); #include #include @@ -253,7 +253,6 @@ free_key(gss_krb5_lucid_key_t *key) memset(key, 0, sizeof(*key)); } - OM_uint32 gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, @@ -824,3 +823,43 @@ gsskrb5_set_default_realm(const char *realm) return (GSS_S_COMPLETE); } + +OM_uint32 +gss_krb5_get_tkt_flags(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + OM_uint32 *tkt_flags) +{ + + OM_uint32 major_status; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + + if (context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + GSS_KRB5_GET_TKT_FLAGS_X, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET || + data_set->count != 1 || + data_set->elements[0].length < 4) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + { + const u_char *p = data_set->elements[0].value; + *tkt_flags = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); + } + + gss_release_buffer_set(minor_status, &data_set); + return GSS_S_COMPLETE; +} + -- cgit From a925f039ee382df0f3be434108416bab0d17e8c0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 1 Aug 2008 07:08:51 +0200 Subject: heimdal: update to lorikeet-heimdal rev 801 metze (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 91 ++++++++++++++++++++++++------ 1 file changed, 74 insertions(+), 17 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 03081cb70f..d6b89e3e23 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,13 +27,13 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $"); +RCSID("$Id: gss_krb5.c 23420 2008-07-26 18:37:48Z lha $"); #include #include -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_copy_ccache(OM_uint32 *minor_status, gss_cred_id_t cred, krb5_ccache out) @@ -91,7 +91,7 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status, return ret; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_import_cred(OM_uint32 *minor_status, krb5_ccache id, krb5_principal keytab_principal, @@ -186,7 +186,7 @@ out: return major_status; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_register_acceptor_identity(const char *identity) { struct _gss_mech_switch *m; @@ -208,7 +208,14 @@ gsskrb5_register_acceptor_identity(const char *identity) return (GSS_S_COMPLETE); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION +krb5_gss_register_acceptor_identity(const char *identity) +{ + return gsskrb5_register_acceptor_identity(identity); +} + + +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_dns_canonicalize(int flag) { struct _gss_mech_switch *m; @@ -253,7 +260,7 @@ free_key(gss_krb5_lucid_key_t *key) memset(key, 0, sizeof(*key)); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, OM_uint32 version, @@ -396,7 +403,7 @@ out: return GSS_S_COMPLETE; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) { gss_krb5_lucid_context_v1_t *ctx = c; @@ -424,7 +431,7 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_cred_id_t cred, OM_uint32 num_enctypes, @@ -478,7 +485,7 @@ out: * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) { struct _gss_mech_switch *m; @@ -509,7 +516,7 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_ccache_name(OM_uint32 *minor_status, const char *name, const char **out_name) @@ -541,7 +548,7 @@ gss_krb5_ccache_name(OM_uint32 *minor_status, * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, time_t *authtime) @@ -596,7 +603,7 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int ad_type, @@ -769,7 +776,7 @@ out: * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, gss_ctx_id_t context_handle, krb5_keyblock **keyblock) @@ -780,7 +787,7 @@ gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, keyblock); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, gss_ctx_id_t context_handle, krb5_keyblock **keyblock) @@ -791,7 +798,7 @@ gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, keyblock); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_get_subkey(OM_uint32 *minor_status, gss_ctx_id_t context_handle, krb5_keyblock **keyblock) @@ -802,7 +809,7 @@ gsskrb5_get_subkey(OM_uint32 *minor_status, keyblock); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_default_realm(const char *realm) { struct _gss_mech_switch *m; @@ -824,7 +831,7 @@ gsskrb5_set_default_realm(const char *realm) return (GSS_S_COMPLETE); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_get_tkt_flags(OM_uint32 *minor_status, gss_ctx_id_t context_handle, OM_uint32 *tkt_flags) @@ -863,3 +870,53 @@ gss_krb5_get_tkt_flags(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +OM_uint32 GSSAPI_LIB_FUNCTION +gsskrb5_set_time_offset(int offset) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + int32_t o = offset; + + _gss_load_mech(); + + buffer.value = &o; + buffer.length = sizeof(o); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_TIME_OFFSET_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + +OM_uint32 GSSAPI_LIB_FUNCTION +gsskrb5_get_time_offset(int *offset) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 maj_stat, junk; + int32_t o; + + _gss_load_mech(); + + buffer.value = &o; + buffer.length = sizeof(o); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + maj_stat = m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_GET_TIME_OFFSET_X, &buffer); + + if (maj_stat == GSS_S_COMPLETE) { + *offset = o; + return maj_stat; + } + } + + return (GSS_S_UNAVAILABLE); +} -- cgit From 243321b4bbe273cf3a9105ca132caa2b53e2f263 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Aug 2008 19:35:52 +0200 Subject: heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patches This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo. metze (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53) --- source4/heimdal/lib/gssapi/mech/gss_krb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/heimdal/lib/gssapi/mech/gss_krb5.c') diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index d6b89e3e23..e224dffe05 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c 23420 2008-07-26 18:37:48Z lha $"); +RCSID("$Id$"); #include #include @@ -52,7 +52,7 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status, if (ret) return ret; - if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count < 1) { gss_release_buffer_set(minor_status, &data_set); *minor_status = EINVAL; return GSS_S_FAILURE; -- cgit