sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

r19644: Merge up to current lorikeet-heimdal, incling adding

Browse Source 
gsskrb5_set_default_realm(), which should fix mimir's issues.

Andrew Bartlett
(This used to be commit 8117e76d2a)
This commit is contained in:
Andrew Bartlett 2006-11-09 00:33:43 +00:00 committed by Gerald (Jerry) Carter
parent a779d288a8
commit ed77e4e57b
11 changed files with 200 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
source4/auth/gensec/gensec_gssapi.c
View File

@ -198,13 +198,31 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
if (lp_realm() && *lp_realm()) {
char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm());
if (!upper_realm) {
DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
talloc_free(gensec_gssapi_state);
return NT_STATUS_NO_MEMORY;
}
ret = gsskrb5_set_default_realm(upper_realm);
talloc_free(upper_realm);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
}
ret = smb_krb5_init_context(gensec_gssapi_state,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
error_message(ret)));
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
return NT_STATUS_OK;

3
source4/heimdal/lib/asn1/der_put.c
View File

@ -335,9 +335,6 @@ der_put_utctime (unsigned char *p, size_t len,
return 0;
}
/* This API is not what you might expect. p is a pointer to the *end*
* (last byte) of the buffer, of length len */
int
der_put_oid (unsigned char *p, size_t len,
const heim_oid *data, size_t *size)

6
source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi_krb5.h,v 1.12 2006/11/05 00:06:09 lha Exp $ */
/* $Id: gssapi_krb5.h,v 1.14 2006/11/08 23:01:01 lha Exp $ */
#ifndef GSSAPI_KRB5_H_
#define GSSAPI_KRB5_H_
@ -64,6 +64,7 @@ extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
/* Extensions inquire context */
extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
@ -129,6 +130,9 @@ struct gsskrb5_send_to_kdc {
OM_uint32
gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *);
OM_uint32
gsskrb5_set_default_realm(const char *);
OM_uint32
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *);

5
source4/heimdal/lib/gssapi/krb5/copy_ccache.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
* Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: copy_ccache.c,v 1.15 2006/10/07 22:14:22 lha Exp $");
RCSID("$Id: copy_ccache.c,v 1.16 2006/11/08 02:42:50 lha Exp $");
#if 0
OM_uint32
@ -188,4 +188,3 @@ out:
*minor_status = kret;
return GSS_S_FAILURE;
}

9
source4/heimdal/lib/gssapi/krb5/external.c
View File

@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
RCSID("$Id: external.c,v 1.21 2006/11/07 21:05:03 lha Exp $");
RCSID("$Id: external.c,v 1.22 2006/11/08 23:00:20 lha Exp $");
/*
* The implementation must reserve static storage for a
@ -352,6 +352,13 @@ static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
/* 1.2.752.43.13.15 */
static gss_OID_desc gss_krb5_set_default_realm_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc;
/* 1.2.752.43.14.1 */
static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };

23
source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
View File

@ -36,7 +36,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: set_sec_context_option.c,v 1.7 2006/11/04 03:01:14 lha Exp $");
RCSID("$Id: set_sec_context_option.c,v 1.8 2006/11/08 23:06:42 lha Exp $");
static OM_uint32
get_bool(OM_uint32 *minor_status,
@ -120,6 +120,27 @@ _gsskrb5_set_sec_context_option
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
if (value == NULL || value->length == 0) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
str = malloc(value->length + 1);
if (str) {
*minor_status = 0;
return GSS_S_UNAVAILABLE;
}
memcpy(str, value->value, value->length);
str[value->length] = '\0';
krb5_set_default_realm(_gsskrb5_context, str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
if (value == NULL || value->length == 0) {

79
source4/heimdal/lib/gssapi/mech/gss_krb5.c
View File

@ -27,11 +27,11 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $");
RCSID("$Id: gss_krb5.c,v 1.20 2006/11/08 23:11:03 lha Exp $");
#include <krb5.h>
#include <roken.h>
#include "krb5/gsskrb5_locl.h"
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
@ -416,6 +416,24 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c)
return GSS_S_COMPLETE;
}
/*
*
*/
OM_uint32
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
gss_cred_id_t cred,
OM_uint32 num_enctypes,
krb5_enctype *enctypes)
{
*minor_status = 0;
return GSS_S_COMPLETE;
}
/*
*
*/
OM_uint32
gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
{
@ -443,6 +461,10 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
return (GSS_S_COMPLETE);
}
/*
*
*/
OM_uint32
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@ -450,11 +472,8 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
{
gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
OM_uint32 maj_stat;
krb5_error_code ret;
OM_uint32 time32;
if (context_handle == GSS_C_NO_CONTEXT) {
_gsskrb5_set_status("no context handle");
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
@ -468,14 +487,12 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
return maj_stat;
if (data_set == GSS_C_NO_BUFFER_SET) {
_gsskrb5_set_status("no buffers returned");
gss_release_buffer_set(minor_status, &data_set);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (data_set->count != 1) {
_gsskrb5_set_status("%d != 1 buffers returned", data_set->count);
gss_release_buffer_set(minor_status, &data_set);
*minor_status = EINVAL;
return GSS_S_FAILURE;
@ -483,26 +500,26 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
if (data_set->elements[0].length != 4) {
gss_release_buffer_set(minor_status, &data_set);
_gsskrb5_set_status("Error extracting authtime from security context: only got %d < 4 bytes",
data_set->elements[0].length);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = _gsskrb5_decode_om_uint32(data_set->elements[0].value, &time32);
if (ret) {
gss_release_buffer_set(minor_status, &data_set);
*minor_status = ret;
return GSS_S_FAILURE;
{
unsigned char *buf = data_set->elements[0].value;
*authtime = (buf[3] <<24) | (buf[2] << 16) |
(buf[1] << 8) | (buf[0] << 0);
}
*authtime = time32;
gss_release_buffer_set(minor_status, &data_set);
*minor_status = 0;
return GSS_S_COMPLETE;
}
/*
*
*/
OM_uint32
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@ -598,6 +615,10 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
/*
*
*/
static OM_uint32
gsskrb5_extract_key(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@ -668,6 +689,10 @@ out:
return GSS_S_COMPLETE;
}
/*
*
*/
OM_uint32
gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
@ -700,3 +725,25 @@ gsskrb5_get_subkey(OM_uint32 *minor_status,
GSS_KRB5_GET_SUBKEY_X,
keyblock);
}
OM_uint32
gsskrb5_set_default_realm(const char *realm)
{
struct _gss_mech_switch *m;
gss_buffer_desc buffer;
OM_uint32 junk;
_gss_load_mech();
buffer.value = rk_UNCONST(realm);
buffer.length = strlen(realm);
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_set_sec_context_option == NULL)
continue;
m->gm_mech.gm_set_sec_context_option(&junk, NULL,
GSS_KRB5_SET_DEFAULT_REALM_X, &buffer);
}
return (GSS_S_COMPLETE);
}

6
source4/heimdal/lib/krb5/context.c
View File

@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include <com_err.h>
RCSID("$Id: context.c,v 1.110 2006/11/04 03:27:47 lha Exp $");
RCSID("$Id: context.c,v 1.111 2006/11/08 02:55:46 lha Exp $");
#define INIT_FIELD(C, T, E, D, F) \
(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
@ -707,13 +707,13 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
}
time_t KRB5_LIB_FUNCTION
krb5_get_time_wrap (krb5_context context)
krb5_get_max_time_skew (krb5_context context)
{
return context->max_skew;
}
void KRB5_LIB_FUNCTION
krb5_set_time_wrap (krb5_context context, time_t t)
krb5_set_max_time_skew (krb5_context context, time_t t)
{
context->max_skew = t;
}

90
source4/heimdal/lib/krb5/get_for_creds.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -162,8 +162,7 @@ krb5_get_forwarded_creds (krb5_context context,
{
krb5_error_code ret;
krb5_creds *out_creds;
krb5_addresses *paddrs = NULL;
krb5_addresses addrs;
krb5_addresses addrs, *paddrs;
KRB_CRED cred;
KrbCredInfo *krb_cred_info;
EncKrbCredPart enc_krb_cred_part;
@ -172,53 +171,58 @@ krb5_get_forwarded_creds (krb5_context context,
size_t buf_size;
krb5_kdc_flags kdc_flags;
krb5_crypto crypto;
struct addrinfo *ai;
int save_errno;
krb5_creds *ticket;
char *realm;
krb5_boolean noaddr_ever;
addrs.len = 0;
addrs.val = NULL;
realm = in_creds->client->realm;
krb5_appdefault_boolean(context, NULL, realm, "no-addresses-ever",
TRUE, &noaddr_ever);
if (!noaddr_ever) {
struct addrinfo *ai;
paddrs = &addrs;
/*
* If tickets are address-less, forward address-less tickets.
*/
ret = _krb5_get_krbtgt (context,
ccache,
realm,
&ticket);
if(ret == 0) {
if (ticket->addresses.len == 0)
paddrs = NULL;
krb5_free_creds (context, ticket);
}
if (paddrs != NULL) {
ret = getaddrinfo (hostname, NULL, NULL, &ai);
if (ret) {
save_errno = errno;
krb5_set_error_string(context, "resolving %s: %s",
hostname, gai_strerror(ret));
return krb5_eai_to_heim_errno(ret, save_errno);
}
ret = add_addrs (context, &addrs, ai);
freeaddrinfo (ai);
if (ret)
return ret;
}
}
addrs.len = 0;
addrs.val = NULL;
paddrs = &addrs;
{
krb5_boolean noaddr;
krb5_appdefault_boolean(context, NULL, realm,
"no-addresses", KRB5_ADDRESSLESS_DEFAULT,
&noaddr);
if (noaddr)
paddrs = NULL;
}
/*
* If tickets are address-less, forward address-less tickets.
*/
if (paddrs) {
ret = _krb5_get_krbtgt (context,
ccache,
realm,
&ticket);
if(ret == 0) {
if (ticket->addresses.len == 0)
paddrs = NULL;
krb5_free_creds (context, ticket);
}
}
if (paddrs != NULL) {
ret = getaddrinfo (hostname, NULL, NULL, &ai);
if (ret) {
save_errno = errno;
krb5_set_error_string(context, "resolving %s: %s",
hostname, gai_strerror(ret));
return krb5_eai_to_heim_errno(ret, save_errno);
}
ret = add_addrs (context, &addrs, ai);
freeaddrinfo (ai);
if (ret)
return ret;
}
kdc_flags.b = int2KDCOptions(flags);
ret = krb5_get_kdc_cred (context,

2
source4/heimdal/lib/krb5/mk_req.c
View File

@ -64,9 +64,7 @@ krb5_mk_req_exact(krb5_context context,
if (auth_context && *auth_context && (*auth_context)->keytype)
this_cred.session.keytype = (*auth_context)->keytype;
/* This is the network contact with the KDC */
ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
krb5_free_cred_contents(context, &this_cred);
if (ret)
return ret;

33
source4/heimdal/lib/krb5/store_mem.c
View File

@ -34,7 +34,7 @@
#include "krb5_locl.h"
#include "store-int.h"
RCSID("$Id: store_mem.c,v 1.12 2004/05/25 21:44:17 lha Exp $");
RCSID("$Id: store_mem.c,v 1.13 2006/11/07 23:02:53 lha Exp $");
typedef struct mem_storage{
unsigned char *base;
@ -64,6 +64,12 @@ mem_store(krb5_storage *sp, const void *data, size_t size)
return size;
}
static ssize_t
mem_no_store(krb5_storage *sp, const void *data, size_t size)
{
return -1;
}
static off_t
mem_seek(krb5_storage *sp, off_t offset, int whence)
{
@ -117,3 +123,28 @@ krb5_storage_from_data(krb5_data *data)
{
return krb5_storage_from_mem(data->data, data->length);
}
krb5_storage * KRB5_LIB_FUNCTION
krb5_storage_from_readonly_mem(const void *buf, size_t len)
{
krb5_storage *sp = malloc(sizeof(krb5_storage));
mem_storage *s;
if(sp == NULL)
return NULL;
s = malloc(sizeof(*s));
if(s == NULL) {
free(sp);
return NULL;
}
sp->data = s;
sp->flags = 0;
sp->eof_code = HEIM_ERR_EOF;
s->base = rk_UNCONST(buf);
s->size = len;
s->ptr = rk_UNCONST(buf);
sp->fetch = mem_fetch;
sp->store = mem_no_store;
sp->seek = mem_seek;
sp->free = NULL;
return sp;
}