From ed77e4e57beee0c9c8b0c4c75626c41ebfc5b0c4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 9 Nov 2006 00:33:43 +0000
Subject: [PATCH] r19644: Merge up to current lorikeet-heimdal, incling adding gsskrb5_set_default_realm(), which should fix mimir's issues.

Andrew Bartlett
(This used to be commit 8117e76d2adee163925a29df872015ff5021a1d3)
---
 source4/auth/gensec/gensec_gssapi.c | 18 ++++
 source4/heimdal/lib/asn1/der_put.c | 3 -
 .../heimdal/lib/gssapi/gssapi/gssapi_krb5.h | 6 +-
 source4/heimdal/lib/gssapi/krb5/copy_ccache.c | 5 +-
 source4/heimdal/lib/gssapi/krb5/external.c | 9 +-
 .../lib/gssapi/krb5/set_sec_context_option.c | 23 ++++-
 source4/heimdal/lib/gssapi/mech/gss_krb5.c | 79 +++++++++++++----
 source4/heimdal/lib/krb5/context.c | 6 +-
 source4/heimdal/lib/krb5/get_for_creds.c | 88 ++++++++++---------
 source4/heimdal/lib/krb5/mk_req.c | 2 -
 source4/heimdal/lib/krb5/store_mem.c | 33 ++++++-
 11 files changed, 199 insertions(+), 73 deletions(-)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 9f796dc9d12..8e40973e4a1 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -198,13 +198,31 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) ret = gsskrb5_set_send_to_kdc(&send_to_kdc); if (ret) { DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n")); + talloc_free(gensec_gssapi_state); return NT_STATUS_INTERNAL_ERROR; } + if (lp_realm() && *lp_realm()) { + char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm()); + if (!upper_realm) { + DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm())); + talloc_free(gensec_gssapi_state); + return NT_STATUS_NO_MEMORY; + } + ret = gsskrb5_set_default_realm(upper_realm); + talloc_free(upper_realm); + if (ret) { + DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n")); + talloc_free(gensec_gssapi_state); + return NT_STATUS_INTERNAL_ERROR; + } + } + ret = smb_krb5_init_context(gensec_gssapi_state, &gensec_gssapi_state->smb_krb5_context); if (ret) { DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", error_message(ret))); + talloc_free(gensec_gssapi_state); return NT_STATUS_INTERNAL_ERROR; } return NT_STATUS_OK; diff --git a/source4/heimdal/lib/asn1/der_put.c b/source4/heimdal/lib/asn1/der_put.c index 2fe90df9a93..b006f233ca6 100644 --- a/source4/heimdal/lib/asn1/der_put.c +++ b/source4/heimdal/lib/asn1/der_put.c @@ -335,9 +335,6 @@ der_put_utctime (unsigned char *p, size_t len, return 0; } -/* This API is not what you might expect. p is a pointer to the *end* - * (last byte) of the buffer, of length len */ - int der_put_oid (unsigned char *p, size_t len, const heim_oid *data, size_t *size) diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h index 67a9a12bfe5..f06a9940084 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h 
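Review bot: The `if (ret)` after `gsskrb5_set_default_realm(upper_realm)` looks dead: the implementation added to source4/heimdal/lib/gssapi/mech/gss_krb5.c in this same patch discards each mechanism's status into `junk` and unconditionally returns GSS_S_COMPLETE, so a realm the mechanism could not apply (for example on allocation failure) is reported here as success and the context keeps whatever default realm the library already had. Either have gsskrb5_set_default_realm propagate the mechanism status, or keep the check and say why it is currently inert, e.g. `/* gsskrb5_set_default_realm() does not yet report mechanism failures; a wrong realm surfaces later as a KDC error */`. `lp_realm()` is also evaluated three times in the new block; one local would read better. gensec_gssapi_start begins before this hunk.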
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi_krb5.h,v 1.12 2006/11/05 00:06:09 lha Exp $ */ +/* $Id: gssapi_krb5.h,v 1.14 2006/11/08 23:01:01 lha Exp $ */ #ifndef GSSAPI_KRB5_H_ #define GSSAPI_KRB5_H_ @@ -64,6 +64,7 @@ extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X; extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X; extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X; extern gss_OID GSS_KRB5_SEND_TO_KDC_X; +extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X; /* Extensions inquire context */ extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X; extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X; @@ -129,6 +130,9 @@ struct gsskrb5_send_to_kdc { OM_uint32 gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *); +OM_uint32 +gsskrb5_set_default_realm(const char *); + OM_uint32 gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *); diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 99aa2ccb434..91d21a1aec4 100644 --- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: copy_ccache.c,v 1.15 2006/10/07 22:14:22 lha Exp $"); +RCSID("$Id: copy_ccache.c,v 1.16 2006/11/08 02:42:50 lha Exp $"); #if 0 OM_uint32 @@ -188,4 +188,3 @@ out: *minor_status = kret; return GSS_S_FAILURE; } - diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index ece03ddf57c..0681bd40386 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c 
@@ -34,7 +34,7 @@ #include "krb5/gsskrb5_locl.h" #include -RCSID("$Id: external.c,v 1.21 2006/11/07 21:05:03 lha Exp $"); +RCSID("$Id: external.c,v 1.22 2006/11/08 23:00:20 lha Exp $"); /* * The implementation must reserve static storage for a @@ -352,6 +352,13 @@ static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc; +/* 1.2.752.43.13.15 */ +static gss_OID_desc gss_krb5_set_default_realm_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")}; + +gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc; + + /* 1.2.752.43.14.1 */ static gss_OID_desc gss_sasl_digest_md5_mechanism_desc = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index fb098679b24..dc1495efc1b 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -36,7 +36,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: set_sec_context_option.c,v 1.7 2006/11/04 03:01:14 lha Exp $"); +RCSID("$Id: set_sec_context_option.c,v 1.8 2006/11/08 23:06:42 lha Exp $"); static OM_uint32 get_bool(OM_uint32 *minor_status, @@ -120,6 +120,27 @@ _gsskrb5_set_sec_context_option *minor_status = 0; return GSS_S_COMPLETE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) { + char *str; + + if (value == NULL || value->length == 0) { + *minor_status = 0; + return GSS_S_CALL_INACCESSIBLE_READ; + } + str = malloc(value->length + 1); + if (str) { + *minor_status = 0; + return GSS_S_UNAVAILABLE; + } + memcpy(str, value->value, value->length); + str[value->length] = '\0'; + + krb5_set_default_realm(_gsskrb5_context, str); + free(str); + + *minor_status = 0; + return GSS_S_COMPLETE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) { if (value == NULL || value->length == 0) { 
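Review bot: The allocation check in the new GSS_KRB5_SET_DEFAULT_REALM_X branch of _gsskrb5_set_sec_context_option is inverted: `if (str)` returns GSS_S_UNAVAILABLE when malloc succeeded, and when it failed the code falls through to `memcpy` into a NULL pointer. The return value of `krb5_set_default_realm` is also discarded, so an allocation failure inside libkrb5 leaves the previous default realm in place while the caller is told GSS_S_COMPLETE. The branch should test `str == NULL`, report ENOMEM as the minor status, and surface the krb5 error as GSS_S_FAILURE. The enclosing function starts before this hunk and continues past it.
```c
	} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
	char *str;
	krb5_error_code ret;
	/* … unchanged: NULL / empty value check … */
	str = malloc(value->length + 1);
	if (str == NULL) {
	    *minor_status = ENOMEM;
	    return GSS_S_FAILURE;
	}
	memcpy(str, value->value, value->length);
	str[value->length] = '\0';

	ret = krb5_set_default_realm(_gsskrb5_context, str);
	free(str);
	if (ret) {
	    *minor_status = ret;
	    return GSS_S_FAILURE;
	}

	*minor_status = 0;
	return GSS_S_COMPLETE;
```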
diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index fd66fb04f5b..34cdbeb3c1b 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,11 +27,11 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $"); +RCSID("$Id: gss_krb5.c,v 1.20 2006/11/08 23:11:03 lha Exp $"); #include #include -#include "krb5/gsskrb5_locl.h" + OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, @@ -416,6 +416,24 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) return GSS_S_COMPLETE; } +/* + * + */ + +OM_uint32 +gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, + gss_cred_id_t cred, + OM_uint32 num_enctypes, + krb5_enctype *enctypes) +{ + *minor_status = 0; + return GSS_S_COMPLETE; +} + +/* + * + */ + OM_uint32 gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) { @@ -443,6 +461,10 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) return (GSS_S_COMPLETE); } +/* + * + */ + OM_uint32 gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -450,11 +472,8 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, { gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; OM_uint32 maj_stat; - krb5_error_code ret; - OM_uint32 time32; if (context_handle == GSS_C_NO_CONTEXT) { - _gsskrb5_set_status("no context handle"); *minor_status = EINVAL; return GSS_S_FAILURE; } @@ -468,14 +487,12 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, return maj_stat; if (data_set == GSS_C_NO_BUFFER_SET) { - _gsskrb5_set_status("no buffers returned"); gss_release_buffer_set(minor_status, &data_set); *minor_status = EINVAL; return GSS_S_FAILURE; } if (data_set->count != 1) { - _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); gss_release_buffer_set(minor_status, &data_set); *minor_status = EINVAL; return GSS_S_FAILURE; 
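Review bot: `gss_krb5_set_allowable_enctypes` is added as a stub that returns GSS_S_COMPLETE without touching `cred` or `enctypes`, so a caller that restricts the enctype set (for instance to exclude weak types) is told the restriction took effect when nothing changed. Until it is implemented it should fail visibly, `*minor_status = 0; return GSS_S_UNAVAILABLE;`, or at minimum carry a comment such as `/* Not implemented: the enctype list is ignored; do not rely on this for enctype policy */` instead of the empty `/* * */` header it gets here.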
@@ -483,26 +500,26 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, if (data_set->elements[0].length != 4) { gss_release_buffer_set(minor_status, &data_set); - _gsskrb5_set_status("Error extracting authtime from security context: only got %d < 4 bytes", - data_set->elements[0].length); *minor_status = EINVAL; return GSS_S_FAILURE; } - ret = _gsskrb5_decode_om_uint32(data_set->elements[0].value, &time32); - if (ret) { - gss_release_buffer_set(minor_status, &data_set); - *minor_status = ret; - return GSS_S_FAILURE; + { + unsigned char *buf = data_set->elements[0].value; + *authtime = (buf[3] <<24) | (buf[2] << 16) | + (buf[1] << 8) | (buf[0] << 0); } - *authtime = time32; gss_release_buffer_set(minor_status, &data_set); - + *minor_status = 0; return GSS_S_COMPLETE; } +/* + * + */ + OM_uint32 gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -598,6 +615,10 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +/* + * + */ + static OM_uint32 gsskrb5_extract_key(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -668,6 +689,10 @@ out: return GSS_S_COMPLETE; } +/* + * + */ + OM_uint32 gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -700,3 +725,25 @@ gsskrb5_get_subkey(OM_uint32 *minor_status, GSS_KRB5_GET_SUBKEY_X, keyblock); } + +OM_uint32 +gsskrb5_set_default_realm(const char *realm) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + + _gss_load_mech(); + + buffer.value = rk_UNCONST(realm); + buffer.length = strlen(realm); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_DEFAULT_REALM_X, &buffer); + } + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c index a25bb807864..f3b0fad347a 100644 
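Review bot: In the inline decoder that replaces `_gsskrb5_decode_om_uint32`, `buf[3] << 24` promotes the `unsigned char` to `int` and shifts into the sign bit whenever that byte is 0x80 or above, which is undefined behaviour for a signed left shift; cast first, `*authtime = ((OM_uint32)buf[3] << 24) | ((OM_uint32)buf[2] << 16) | ((OM_uint32)buf[1] << 8) | buf[0];`. The `!= 4` length check just above guards the indexing, so that part is sound. The byte order is now hard-coded in this file; a comment such as `/* assumes the krb5 mech exports authtime as 4 little-endian bytes — confirm against its inquire handler */` would record the assumption, since the exporting side is not in this patch.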
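Review bot: `gsskrb5_set_default_realm` calls `strlen(realm)` with no NULL check and discards every mechanism's status into `junk`, always returning GSS_S_COMPLETE, so callers cannot tell whether any mechanism accepted the realm. Suggest `if (realm == NULL) return GSS_S_CALL_INACCESSIBLE_READ;` at the top and returning the first major status other than GSS_S_COMPLETE from the loop, treating GSS_S_UNAVAILABLE from a mechanism that does not know the OID as "not applicable". A header comment is also missing, e.g. `/* Push a default realm to every loaded mechanism that implements GSS_KRB5_SET_DEFAULT_REALM_X; the krb5 mech copies the string, so the caller may free it on return. */`.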
--- a/source4/heimdal/lib/krb5/context.c +++ b/source4/heimdal/lib/krb5/context.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include -RCSID("$Id: context.c,v 1.110 2006/11/04 03:27:47 lha Exp $"); +RCSID("$Id: context.c,v 1.111 2006/11/08 02:55:46 lha Exp $"); #define INIT_FIELD(C, T, E, D, F) \ (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ @@ -707,13 +707,13 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec) } time_t KRB5_LIB_FUNCTION -krb5_get_time_wrap (krb5_context context) +krb5_get_max_time_skew (krb5_context context) { return context->max_skew; } void KRB5_LIB_FUNCTION -krb5_set_time_wrap (krb5_context context, time_t t) +krb5_set_max_time_skew (krb5_context context, time_t t) { context->max_skew = t; } diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index 661d05663b7..6eebf1fa802 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -162,8 +162,7 @@ krb5_get_forwarded_creds (krb5_context context, { krb5_error_code ret; krb5_creds *out_creds; - krb5_addresses *paddrs = NULL; - krb5_addresses addrs; + krb5_addresses addrs, *paddrs; KRB_CRED cred; KrbCredInfo *krb_cred_info; EncKrbCredPart enc_krb_cred_part; 
@@ -172,53 +171,58 @@ krb5_get_forwarded_creds (krb5_context context, size_t buf_size; krb5_kdc_flags kdc_flags; krb5_crypto crypto; + struct addrinfo *ai; int save_errno; krb5_creds *ticket; char *realm; - krb5_boolean noaddr_ever; - - addrs.len = 0; - addrs.val = NULL; realm = in_creds->client->realm; - krb5_appdefault_boolean(context, NULL, realm, "no-addresses-ever", - TRUE, &noaddr_ever); - if (!noaddr_ever) { - struct addrinfo *ai; - paddrs = &addrs; - - /* - * If tickets are address-less, forward address-less tickets. - */ - - ret = _krb5_get_krbtgt (context, - ccache, - realm, - &ticket); - if(ret == 0) { - if (ticket->addresses.len == 0) - paddrs = NULL; - krb5_free_creds (context, ticket); - } - - if (paddrs != NULL) { - - ret = getaddrinfo (hostname, NULL, NULL, &ai); - if (ret) { - save_errno = errno; - krb5_set_error_string(context, "resolving %s: %s", - hostname, gai_strerror(ret)); - return krb5_eai_to_heim_errno(ret, save_errno); - } - - ret = add_addrs (context, &addrs, ai); - freeaddrinfo (ai); - if (ret) - return ret; - } + addrs.len = 0; + addrs.val = NULL; + paddrs = &addrs; + + { + krb5_boolean noaddr; + krb5_appdefault_boolean(context, NULL, realm, + "no-addresses", KRB5_ADDRESSLESS_DEFAULT, + &noaddr); + if (noaddr) + paddrs = NULL; } + + /* + * If tickets are address-less, forward address-less tickets. + */ + + if (paddrs) { + ret = _krb5_get_krbtgt (context, + ccache, + realm, + &ticket); + if(ret == 0) { + if (ticket->addresses.len == 0) + paddrs = NULL; + krb5_free_creds (context, ticket); + } + } + + if (paddrs != NULL) { + ret = getaddrinfo (hostname, NULL, NULL, &ai); + if (ret) { + save_errno = errno; + krb5_set_error_string(context, "resolving %s: %s", + hostname, gai_strerror(ret)); + return krb5_eai_to_heim_errno(ret, save_errno); + } + + ret = add_addrs (context, &addrs, ai); + freeaddrinfo (ai); + if (ret) + return ret; + } + kdc_flags.b = int2KDCOptions(flags); ret = krb5_get_kdc_cred (context, 
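Review bot: The appdefault consulted changes from `no-addresses-ever` (default TRUE) to `no-addresses` with KRB5_ADDRESSLESS_DEFAULT, so an existing krb5.conf that sets `no-addresses-ever` is silently ignored after this change, and if KRB5_ADDRESSLESS_DEFAULT is false (its value is not visible here) forwarded tickets start carrying the resolved host addresses by default. This reads as an upstream alignment, but the commit message does not mention the behavioural change; a comment at the lookup, e.g. `/* "no-addresses" supersedes the older "no-addresses-ever" appdefault; decided per client realm */`, would make it visible to operators. `struct addrinfo *ai` moved to function scope and is uninitialised, which is harmless because it is only read under `if (paddrs != NULL)` after getaddrinfo, but the old block-local declaration bounded its scope better. krb5_get_forwarded_creds continues beyond this hunk.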
diff --git a/source4/heimdal/lib/krb5/mk_req.c b/source4/heimdal/lib/krb5/mk_req.c index 44e5d9c2225..adc077e13fa 100644 --- a/source4/heimdal/lib/krb5/mk_req.c +++ b/source4/heimdal/lib/krb5/mk_req.c @@ -64,9 +64,7 @@ krb5_mk_req_exact(krb5_context context, if (auth_context && *auth_context && (*auth_context)->keytype) this_cred.session.keytype = (*auth_context)->keytype; - /* This is the network contact with the KDC */ ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred); - krb5_free_cred_contents(context, &this_cred); if (ret) return ret; diff --git a/source4/heimdal/lib/krb5/store_mem.c b/source4/heimdal/lib/krb5/store_mem.c index decf74adce0..d2b6d182522 100644 --- a/source4/heimdal/lib/krb5/store_mem.c +++ b/source4/heimdal/lib/krb5/store_mem.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store_mem.c,v 1.12 2004/05/25 21:44:17 lha Exp $"); +RCSID("$Id: store_mem.c,v 1.13 2006/11/07 23:02:53 lha Exp $"); typedef struct mem_storage{ unsigned char *base; @@ -64,6 +64,12 @@ mem_store(krb5_storage *sp, const void *data, size_t size) return size; } +static ssize_t +mem_no_store(krb5_storage *sp, const void *data, size_t size) +{ + return -1; +} + static off_t mem_seek(krb5_storage *sp, off_t offset, int whence) { @@ -117,3 +123,28 @@ krb5_storage_from_data(krb5_data *data) { return krb5_storage_from_mem(data->data, data->length); } + +krb5_storage * KRB5_LIB_FUNCTION +krb5_storage_from_readonly_mem(const void *buf, size_t len) +{ + krb5_storage *sp = malloc(sizeof(krb5_storage)); + mem_storage *s; + if(sp == NULL) + return NULL; + s = malloc(sizeof(*s)); + if(s == NULL) { + free(sp); + return NULL; + } + sp->data = s; + sp->flags = 0; + sp->eof_code = HEIM_ERR_EOF; + s->base = rk_UNCONST(buf); + s->size = len; + s->ptr = rk_UNCONST(buf); + sp->fetch = mem_fetch; + sp->store = mem_no_store; + sp->seek = mem_seek; + sp->free = NULL; + return sp; +} -- 2.34.1
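Review bot: `krb5_storage_from_readonly_mem` is undocumented and its const-safety is not obvious from the code: `rk_UNCONST(buf)` strips the qualifier and the only thing preventing a write through `s->base` is that `sp->store` is `mem_no_store`; a header comment should say so, e.g. `/* Storage over caller-owned memory that must outlive the storage; stores fail with -1 because the buffer may be genuinely read-only. */`. `mem_no_store` returns -1 without setting errno, so a caller that inspects errno after a failed krb5_store_* sees stale state; `errno = EPERM; return -1;` would be conventional, hedged because the other callbacks' error reporting in this file is outside the hunk. `sp->flags = 0` should agree with whatever `krb5_storage_from_mem` sets, which is also not visible here.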