diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2011-12-20 16:13:59 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-12-22 10:37:50 -0500 |
commit | 768591607fc89d3a14fa00c9c8f78e83f3f6b565 (patch) | |
tree | f9c362e381a38c67631764b66156ef2d57169fe9 /src/util | |
parent | 85ecf49fdacd910f804caab1be7bf68d23702dc9 (diff) | |
download | sssd-768591607fc89d3a14fa00c9c8f78e83f3f6b565.tar.gz sssd-768591607fc89d3a14fa00c9c8f78e83f3f6b565.tar.bz2 sssd-768591607fc89d3a14fa00c9c8f78e83f3f6b565.zip |
Add compatibility layer for Heimdal Kerberos implementation
Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/sss_krb5.c | 70 | ||||
-rw-r--r-- | src/util/sss_krb5.h | 15 |
2 files changed, 73 insertions, 12 deletions
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index 3311ef54..fe76afc5 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -44,6 +44,8 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, int i = 0; errno_t ret; char *principal_string; + const char *realm_name; + int realm_len; /** * Priority of lookup: @@ -164,9 +166,11 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, } if (_realm) { + sss_krb5_princ_realm(krb_ctx, client_princ, + &realm_name, + &realm_len); *_realm = talloc_asprintf(mem_ctx, "%.*s", - krb5_princ_realm(ctx, client_princ)->length, - krb5_princ_realm(ctx, client_princ)->data); + realm_len, realm_name); if (!*_realm) { DEBUG(1, ("talloc_asprintf failed")); if (_principal) talloc_zfree(*_principal); @@ -322,7 +326,7 @@ int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name, found = true; } free(kt_principal); - krberr = krb5_free_keytab_entry_contents(context, &entry); + krberr = sss_krb5_free_keytab_entry_contents(context, &entry); if (krberr) { /* This should never happen. The API docs for this function * specify only success for this function @@ -378,18 +382,19 @@ static bool match_principal(krb5_context ctx, const char *pattern_primary, const char *pattern_realm) { - krb5_data *realm_data; char *primary = NULL; char *primary_str = NULL; int primary_str_len = 0; int tmp_len; int len_diff; + const char *realm_name; + int realm_len; int mode = MODE_NORMAL; TALLOC_CTX *tmp_ctx; bool ret = false; - realm_data = krb5_princ_realm(ctx, principal); + sss_krb5_princ_realm(ctx, principal, &realm_name, &realm_len); tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { @@ -425,8 +430,8 @@ static bool match_principal(krb5_context ctx, } } - if (!pattern_realm || (realm_data->length == strlen(pattern_realm) && - strncmp(realm_data->data, pattern_realm, realm_data->length) == 0)) { + if (!pattern_realm || (realm_len == strlen(pattern_realm) && + strncmp(realm_name, pattern_realm, realm_len) == 0)) { DEBUG(7, ("Principal matched to the sample (%s@%s).\n", pattern_primary, pattern_realm)); ret = true; @@ -466,7 +471,7 @@ krb5_error_code find_principal_in_keytab(krb5_context ctx, break; } - kerr = krb5_free_keytab_entry_contents(ctx, &entry); + kerr = sss_krb5_free_keytab_entry_contents(ctx, &entry); if (kerr != 0) { DEBUG(1, ("Failed to free keytab entry.\n")); } @@ -504,7 +509,7 @@ krb5_error_code find_principal_in_keytab(krb5_context ctx, kerr = 0; done: - kerr_d = krb5_free_keytab_entry_contents(ctx, &entry); + kerr_d = sss_krb5_free_keytab_entry_contents(ctx, &entry); if (kerr_d != 0) { DEBUG(1, ("Failed to free keytab entry.\n")); } @@ -917,9 +922,50 @@ cleanup: void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, int canonicalize) { -#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE - return krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize); + /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal + * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of + * arguments. We should use a better configure check in the future. + */ +#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES) + krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize); #else - DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not avaliable!\n")); + DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not available!\n")); #endif } + +#ifdef HAVE_KRB5_PRINCIPAL_GET_REALM +void sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ, + const char **realm, int *len) +{ + *realm = krb5_principal_get_realm(context, princ); + *len = strlen(*realm); +} +#else +void sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ, + const char **realm, int *len) +{ + const krb5_data *data; + + data = krb5_princ_realm(context, princ); + if (data) { + *realm = data->data; + *len = data->length; + } +} +#endif + +#ifdef HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS +krb5_error_code +sss_krb5_free_keytab_entry_contents(krb5_context context, + krb5_keytab_entry *entry) +{ + return krb5_free_keytab_entry_contents(context, entry); +} +#else +krb5_error_code +sss_krb5_free_keytab_entry_contents(krb5_context context, + krb5_keytab_entry *entry) +{ + return krb5_kt_free_entry(context, entry); +} +#endif diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h index 039b79af..52e6c5d4 100644 --- a/src/util/sss_krb5.h +++ b/src/util/sss_krb5.h @@ -115,4 +115,19 @@ sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, int canonicalize); +/* === Compatibility routines for the Heimdal Kerberos implementation === */ + +void sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ, + const char **realm, int *len); + +krb5_error_code +sss_krb5_free_keytab_entry_contents(krb5_context context, + krb5_keytab_entry *entry); + +#ifdef HAVE_KRB5_TICKET_TIMES +typedef krb5_ticket_times sss_krb5_ticket_times; +#elif HAVE_KRB5_TIMES +typedef krb5_times sss_krb5_ticket_times; +#endif + #endif /* __SSS_KRB5_H__ */ |