From 82c8cd1732ebf89ec144e28b9ff26d8a2260a3e4 Mon Sep 17 00:00:00 2001 From: Benjamin Franzke Date: Wed, 16 Oct 2013 15:25:27 +0200 Subject: heimdal: Fix sss_krb5_get_init_creds_opt_set_canonicalize Heimdal and MIT Kerberos have a different number of arguments for that function. Add a configure compile check and use the appropriate form. --- src/external/krb5.m4 | 18 ++++++++++++++++++ src/providers/krb5/krb5_child.c | 11 ++++++----- src/providers/ldap/ldap_child.c | 3 ++- src/util/sss_krb5.c | 13 +++++++------ src/util/sss_krb5.h | 3 ++- 5 files changed, 35 insertions(+), 13 deletions(-) diff --git a/src/external/krb5.m4 b/src/external/krb5.m4 index a29056d3..54c5883e 100644 --- a/src/external/krb5.m4 +++ b/src/external/krb5.m4 @@ -69,6 +69,24 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \ krb5_cc_get_full_name \ krb5_free_string \ krb5_xfree]) + +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H + #include + #else + #include + #endif + ]], + [[ krb5_get_init_creds_opt_set_canonicalize(NULL, 0); ]])], + [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [2], [number of arguments])]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H + #include + #else + #include + #endif + ]], + [[ krb5_get_init_creds_opt_set_canonicalize(NULL, NULL, 0); ]])], + [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [3], [number of arguments])]) + CFLAGS=$SAVE_CFLAGS LIBS=$SAVE_LIBS diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 2593cab0..fe0e1d6c 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c 
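Review bot: The two AC_COMPILE_IFELSE probes added to src/external/krb5.m4 run independently and both define KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS, so the result depends on exactly one of them compiling. If a toolchain accepts both call forms (for instance when no prototype is visible and an implicit declaration is only a warning), the later definition would presumably win by ordering alone; if it accepts neither, the macro stays undefined with no configure output. Consider running the three-argument probe only in the action-if-false branch of the two-argument one, and wrapping the pair in `AC_MSG_CHECKING([number of arguments of krb5_get_init_creds_opt_set_canonicalize])` and a matching `AC_MSG_RESULT`, so config.log records which form was picked. The description `[number of arguments]` would also be clearer if it named the function it refers to.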
@@ -77,7 +77,7 @@ static krb5_error_code get_changepw_options(krb5_context ctx, return kerr; } - sss_krb5_get_init_creds_opt_set_canonicalize(options, 0); + sss_krb5_get_init_creds_opt_set_canonicalize(ctx, options, 0); krb5_get_init_creds_opt_set_forwardable(options, 0); krb5_get_init_creds_opt_set_proxiable(options, 0); krb5_get_init_creds_opt_set_renew_life(options, 0); @@ -844,7 +844,8 @@ done: } -static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts) +static void krb5_set_canonicalize(krb5_context ctx, + krb5_get_init_creds_opt *opts) { int canonicalize = 0; char *tmp_str; @@ -855,7 +856,7 @@ static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts) } DEBUG(SSSDBG_CONF_SETTINGS, ("%s is set to [%s]\n", SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set")); - sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize); + sss_krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize); } static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx, @@ -873,7 +874,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx, krb5_get_init_creds_opt_set_address_list(&options, NULL); krb5_get_init_creds_opt_set_forwardable(&options, 0); krb5_get_init_creds_opt_set_proxiable(&options, 0); - krb5_set_canonicalize(&options); + krb5_set_canonicalize(ctx, &options); kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL, &options); @@ -1901,7 +1902,7 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline) } if (!offline) { - krb5_set_canonicalize(kr->options); + krb5_set_canonicalize(kr->ctx, kr->options); use_fast_str = getenv(SSSD_KRB5_USE_FAST); if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) { diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c index d6435b93..16f724bc 100644 --- a/src/providers/ldap/ldap_child.c +++ b/src/providers/ldap/ldap_child.c 
@@ -310,7 +310,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, DEBUG(SSSDBG_CONF_SETTINGS, ("Will canonicalize principals\n")); canonicalize = 1; } - sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); + sss_krb5_get_init_creds_opt_set_canonicalize(context, + &options, canonicalize); krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, keytab, 0, NULL, &options); diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index 5f3177a9..a954d10a 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -811,15 +811,16 @@ cleanup: #endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */ } -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx, + krb5_get_init_creds_opt *opts, int canonicalize) { - /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal - * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of - * arguments. We should use a better configure check in the future. - */ -#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES) +#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \ + KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 2 krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize); +#elif defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \ + KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 3 + (void) krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize); #else DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not available!\n")); #endif diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h index 2481dc12..c7b9a69f 100644 --- a/src/util/sss_krb5.h +++ b/src/util/sss_krb5.h 
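Review bot: In sss_krb5_get_init_creds_opt_set_canonicalize (src/util/sss_krb5.c) the three-argument branch casts the library call's result to `(void)`, so a failure to apply the setting is silent. The callers in krb5_child.c and ldap_child.c then go on to krb5_get_init_creds_keytab with a canonicalization state that may not match the configured one. Since the wrapper returns void, at least log the error: `krb5_error_code kerr = krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);` followed by `if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, ("Setting canonicalization failed [%d]\n", kerr)); }`. Two call sites pass `&options`, which suggests an options structure not obtained from the library's allocator, so it is worth confirming that the three-argument form accepts that. `ctx` is unused in the two-argument and fallback branches, and the function's closing brace lies outside the hunk.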
@@ -138,7 +138,8 @@ krb5_error_code sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, int flags, char **name); -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx, + krb5_get_init_creds_opt *opts, int canonicalize); enum sss_krb5_cc_type { -- cgit
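Review bot: The prototype in src/util/sss_krb5.h gains a `ctx` parameter without any comment, and nothing at the declaration tells a caller that the wrapper may do nothing at all. A short comment above it would cover both points, for example `/* Set the canonicalize flag on opts. ctx is used only when the library's function takes three arguments; if the library lacks the function, only a debug message is logged. */`. Both statements follow from the sss_krb5.c change in this same commit.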