From 6913dddf644525f4bdadfb740b5bff41abe030b2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 Dec 2005 22:18:34 +0000 Subject: r12000: Update to current lorikeet-heimdal, including in particular support for referencing an existing in-MEMORY keytab (required for the new way we push that to GSSAPI). Andrew Bartlett (This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954) --- source4/heimdal/lib/krb5/cache.c | 5 ++- source4/heimdal/lib/krb5/keytab_memory.c | 66 ++++++++++++++++++++++++++++++-- source4/heimdal/lib/krb5/krb5-protos.h | 18 +++++++++ source4/heimdal/lib/krb5/krb5.h | 2 +- source4/heimdal/lib/krb5/rd_req.c | 23 +++++++++-- 5 files changed, 105 insertions(+), 9 deletions(-) (limited to 'source4/heimdal/lib/krb5') diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c index 25dc2cb8c0..0c821cb11d 100644 --- a/source4/heimdal/lib/krb5/cache.c +++ b/source4/heimdal/lib/krb5/cache.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: cache.c,v 1.74 2005/11/01 09:36:41 lha Exp $"); +RCSID("$Id: cache.c,v 1.76 2005/11/29 09:10:47 lha Exp $"); /* * Add a new ccache type with operations `ops', overwriting any @@ -701,6 +701,9 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix) char *p, *p1; int i; + if (prefix[0] == '/') + return &krb5_fcc_ops; + p = strdup(prefix); if (p == NULL) { krb5_set_error_string(context, "malloc - out of memory"); diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c index 1d866fa11e..afa8f433ac 100644 --- a/source4/heimdal/lib/krb5/keytab_memory.c +++ b/source4/heimdal/lib/krb5/keytab_memory.c 
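Review bot: The early return added to krb5_cc_get_prefix_ops carries no comment explaining why a leading '/' selects `krb5_fcc_ops`, and it runs before the lookup of registered ccache types that follows. A one-line comment such as `/* a bare absolute path is shorthand for a FILE: ccache */` above the `if` would record the intent. If ccache names can reach this function from configuration or the environment, any value beginning with a slash is now handed to the file backend as a path; the callers are not visible here, so it is worth confirming that is acceptable. The function body continues outside the hunk.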
@@ -33,26 +33,64 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_memory.c,v 1.6 2005/05/18 04:44:40 lha Exp $"); +RCSID("$Id: keytab_memory.c,v 1.7 2005/12/01 12:40:22 lha Exp $"); /* memory operations -------------------------------------------- */ struct mkt_data { krb5_keytab_entry *entries; int num_entries; + char *name; + int refcount; + struct mkt_data *next; }; +/* this mutex protects mkt_head, ->refcount, and ->next + * content is not protected (name is static and need no protection) + */ +static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER; +static struct mkt_data *mkt_head; + + static krb5_error_code mkt_resolve(krb5_context context, const char *name, krb5_keytab id) { struct mkt_data *d; - d = malloc(sizeof(*d)); + + HEIMDAL_MUTEX_lock(&mkt_mutex); + + for (d = mkt_head; d != NULL; d = d->next) + if (strcmp(d->name, name) == 0) + break; + if (d) { + if (d->refcount < 1) + krb5_abortx(context, "Double close on memory keytab, " + "refcount < 1 %d", d->refcount); + d->refcount++; + id->data = d; + HEIMDAL_MUTEX_unlock(&mkt_mutex); + return 0; + } + + d = calloc(1, sizeof(*d)); if(d == NULL) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + d->name = strdup(name); + if (d->name == NULL) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + free(d); krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } d->entries = NULL; d->num_entries = 0; + d->refcount = 1; + d->next = mkt_head; + mkt_head = d; + HEIMDAL_MUTEX_unlock(&mkt_mutex); id->data = d; return 0; } 
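Review bot: Now that mkt_resolve returns the same `struct mkt_data` to every caller that resolves a given name, `entries` and `num_entries` are shared between handles, yet the comment above `mkt_mutex` states that content is not protected. If the add, remove and iterate operations (outside this hunk) reallocate or walk `entries` without a lock, two threads holding handles to the same MEMORY keytab can race on the array that stores the keys. Either take `mkt_mutex` or a per-keytab mutex in those operations, or state the contract in the comment, e.g. `/* entries/num_entries are shared by all handles with the same name; callers must serialize access */`. Separately, the `refcount < 1` abort inside the lookup appears unreachable for a listed node, because mkt_close unlinks the node under the same mutex when the count reaches zero.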
@@ -60,8 +98,27 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id) static krb5_error_code mkt_close(krb5_context context, krb5_keytab id) { - struct mkt_data *d = id->data; + struct mkt_data *d = id->data, **dp; int i; + + HEIMDAL_MUTEX_lock(&mkt_mutex); + if (d->refcount < 1) + krb5_abortx(context, + "krb5 internal error, memory keytab refcount < 1 on close"); + + if (--d->refcount > 0) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + return 0; + } + for (dp = &mkt_head; *dp != NULL; dp = &(*dp)->next) { + if (*dp == d) { + *dp = d->next; + break; + } + } + HEIMDAL_MUTEX_unlock(&mkt_mutex); + + free(d->name); for(i = 0; i < d->num_entries; i++) krb5_kt_free_entry(context, &d->entries[i]); free(d->entries); @@ -75,7 +132,8 @@ mkt_get_name(krb5_context context, char *name, size_t namesize) { - strlcpy(name, "", namesize); + struct mkt_data *d = id->data; + strlcpy(name, d->name, namesize); return 0; } diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index 33e35ca60e..301b8853e4 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -20,6 +20,24 @@ extern "C" { #endif #endif +void +initialize_heim_error_table (void); + +void +initialize_heim_error_table_r (struct et_list **/*list*/); + +void +initialize_k524_error_table (void); + +void +initialize_k524_error_table_r (struct et_list **/*list*/); + +void +initialize_krb5_error_table (void); + +void +initialize_krb5_error_table_r (struct et_list **/*list*/); + krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc ( krb5_context /*context*/, diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index fe9a0e5e7a..adee4708e6 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.239 2005/10/12 12:39:28 lha Exp $ */ +/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ 
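Review bot: The `d->refcount < 1` check at the top of mkt_close cannot be relied on to catch a double close. Once the count reaches zero the node is unlinked and its members are freed (the struct itself presumably too, after this hunk), so a stale handle would be reading freed memory when it gets here. A handle closed twice while another handle is still open is not detected at all; it simply consumes the other holder's reference and the keytab is torn down under it. A comment at the check would record this, e.g. `/* best-effort sanity check; does not detect a double close while other references exist */`. The function continues outside the hunk.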
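Review bot: mkt_get_name ignores the return value of `strlcpy`, so a name longer than `namesize` is truncated and still reported as success. That matters more after this commit, because mkt_resolve now uses the name as the key for a shared keytab, so a truncated name resolved again would refer to a different (new, empty) keytab. Consider `if (strlcpy(name, d->name, namesize) >= namesize) return KRB5_CONFIG_NOTENUFSPACE;`, or whichever error the other keytab backends return for a short buffer.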
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 582b71db03..313c14f6e6 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $"); +RCSID("$Id: rd_req.c,v 1.61 2005/11/29 18:22:51 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -136,7 +136,11 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) int num_realms; krb5_error_code ret; - /* Windows w2k and w2k3 uses this */ + /* + * Windows 2000 and 2003 uses this inside their TGT so its normaly + * not seen by others, however, samba4 joined with a Windows AD as + * a Domain Controller gets exposed to this. + */ if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) return 0; @@ -417,6 +421,19 @@ krb5_verify_ap_req2(krb5_context context, goto out; } + /* check timestamp in authenticator */ + { + krb5_timestamp now; + + krb5_timeofday (context, &now); + + if (abs(ac->authenticator->ctime - now) > context->max_skew) { + ret = KRB5KRB_AP_ERR_SKEW; + krb5_clear_error_string (context); + goto out; + } + } + if (ac->authenticator->seq_number) krb5_auth_con_setremoteseqnumber(context, ac, *ac->authenticator->seq_number); -- cgit
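Review bot: The skew check added to krb5_verify_ap_req2 passes `ac->authenticator->ctime - now` to `abs()`, which takes an `int`. If `krb5_timestamp` is wider than `int` on the build platform (its typedef is not visible here), the difference is narrowed first, so a very large offset can wrap to a small value and be accepted, and `abs(INT_MIN)` is undefined. Comparing in the timestamp's own type avoids both problems: `if (ac->authenticator->ctime - now > context->max_skew || now - ac->authenticator->ctime > context->max_skew) {`. The function continues outside the hunk.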