svn rev #22875: trunk/src/ clients/klist/ include/ include/krb5/ kdc/ lib/crypto/krb/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Fri Oct 9 14:29:36 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22875
Commit By: ghudson
Log Message:
ticket: 6572
subject: Implement GSS naming extensions and authdata verification
Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming
extensions and verification of authorization data.
Changed Files:
U trunk/src/clients/klist/klist.c
U trunk/src/configure.in
U trunk/src/include/k5-int.h
U trunk/src/include/kdb_ext.h
U trunk/src/include/krb5/authdata_plugin.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/kdc_authdata.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
A trunk/src/lib/crypto/krb/enc_provider/
A trunk/src/lib/crypto/krb/hash_provider/
U trunk/src/lib/crypto/openssl/sha1/shs.c
U trunk/src/lib/crypto/openssl/sha1/shs.h
U trunk/src/lib/gssapi/generic/gssapi_ext.h
U trunk/src/lib/gssapi/krb5/Makefile.in
U trunk/src/lib/gssapi/krb5/accept_sec_context.c
U trunk/src/lib/gssapi/krb5/acquire_cred.c
U trunk/src/lib/gssapi/krb5/add_cred.c
U trunk/src/lib/gssapi/krb5/compare_name.c
U trunk/src/lib/gssapi/krb5/delete_sec_context.c
U trunk/src/lib/gssapi/krb5/disp_name.c
U trunk/src/lib/gssapi/krb5/duplicate_name.c
U trunk/src/lib/gssapi/krb5/export_name.c
U trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
U trunk/src/lib/gssapi/krb5/gssapi_krb5.c
U trunk/src/lib/gssapi/krb5/import_name.c
U trunk/src/lib/gssapi/krb5/init_sec_context.c
U trunk/src/lib/gssapi/krb5/inq_context.c
U trunk/src/lib/gssapi/krb5/inq_cred.c
A trunk/src/lib/gssapi/krb5/naming_exts.c
U trunk/src/lib/gssapi/krb5/rel_cred.c
U trunk/src/lib/gssapi/krb5/rel_name.c
U trunk/src/lib/gssapi/krb5/s4u_gss_glue.c
U trunk/src/lib/gssapi/krb5/ser_sctx.c
U trunk/src/lib/gssapi/krb5/val_cred.c
U trunk/src/lib/gssapi/libgssapi_krb5.exports
U trunk/src/lib/gssapi/mechglue/Makefile.in
A trunk/src/lib/gssapi/mechglue/g_del_name_attr.c
U trunk/src/lib/gssapi/mechglue/g_dsp_name.c
A trunk/src/lib/gssapi/mechglue/g_dsp_name_ext.c
A trunk/src/lib/gssapi/mechglue/g_export_name_comp.c
A trunk/src/lib/gssapi/mechglue/g_get_name_attr.c
U trunk/src/lib/gssapi/mechglue/g_glue.c
U trunk/src/lib/gssapi/mechglue/g_imp_name.c
U trunk/src/lib/gssapi/mechglue/g_initialize.c
U trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c
U trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c
A trunk/src/lib/gssapi/mechglue/g_inq_name.c
A trunk/src/lib/gssapi/mechglue/g_map_name_to_any.c
A trunk/src/lib/gssapi/mechglue/g_rel_name_mapping.c
U trunk/src/lib/gssapi/mechglue/g_set_context_option.c
U trunk/src/lib/gssapi/mechglue/g_set_cred_option.c
A trunk/src/lib/gssapi/mechglue/g_set_name_attr.c
U trunk/src/lib/gssapi/mechglue/mglueP.h
U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U trunk/src/lib/gssapi/spnego/spnego_mech.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.h
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U trunk/src/lib/krb5/asn.1/krb5_decode.c
U trunk/src/lib/krb5/ccache/cc_file.c
U trunk/src/lib/krb5/ccache/ccfns.c
U trunk/src/lib/krb5/error_tables/kv5m_err.et
U trunk/src/lib/krb5/krb/Makefile.in
U trunk/src/lib/krb5/krb/auth_con.c
U trunk/src/lib/krb5/krb/auth_con.h
A trunk/src/lib/krb5/krb/authdata.c
A trunk/src/lib/krb5/krb/authdata.h
U trunk/src/lib/krb5/krb/copy_auth.c
U trunk/src/lib/krb5/krb/gc_frm_kdc.c
U trunk/src/lib/krb5/krb/int-proto.h
U trunk/src/lib/krb5/krb/kfree.c
U trunk/src/lib/krb5/krb/mk_req_ext.c
U trunk/src/lib/krb5/krb/pac.c
U trunk/src/lib/krb5/krb/rd_req.c
U trunk/src/lib/krb5/krb/rd_req_dec.c
U trunk/src/lib/krb5/krb/s4u_creds.c
U trunk/src/lib/krb5/krb/ser_actx.c
U trunk/src/lib/krb5/krb/t_authdata.c
U trunk/src/lib/krb5/libkrb5.exports
A trunk/src/plugins/authdata/greet_client/
A trunk/src/plugins/authdata/greet_server/
U trunk/src/tests/asn.1/krb5_decode_leak.c
U trunk/src/tests/asn.1/krb5_decode_test.c
U trunk/src/tests/asn.1/krb5_encode_test.c
U trunk/src/tests/asn.1/ktest.c
U trunk/src/tests/asn.1/ktest.h
U trunk/src/tests/asn.1/ktest_equal.c
U trunk/src/tests/asn.1/ktest_equal.h
U trunk/src/tests/asn.1/reference_encode.out
U trunk/src/tests/asn.1/trval_reference.out
U trunk/src/tests/gssapi/Makefile.in
A trunk/src/tests/gssapi/t_namingexts.c
U trunk/src/tests/gssapi/t_s4u.c
Modified: trunk/src/clients/klist/klist.c
===================================================================
--- trunk/src/clients/klist/klist.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/clients/klist/klist.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -57,6 +57,7 @@
int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
+int show_adtype = 0;
char *defname;
char *progname;
krb5_int32 now;
@@ -81,7 +82,7 @@
{
#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
- fprintf(stderr, "Usage: %s [-e] [-V] [[-c] [-f] [-s] [-a [-n]]] %s",
+ fprintf(stderr, "Usage: %s [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] %s",
progname, "[-k [-t] [-K]] [name]\n");
fprintf(stderr, "\t-c specifies credentials cache\n");
fprintf(stderr, "\t-k specifies keytab\n");
@@ -89,6 +90,7 @@
fprintf(stderr, "\t-e shows the encryption type\n");
fprintf(stderr, "\t-V shows the Kerberos version and exits\n");
fprintf(stderr, "\toptions for credential caches:\n");
+ fprintf(stderr, "\t\t-d shows the submitted authorization data types\n");
fprintf(stderr, "\t\t-f shows credentials flags\n");
fprintf(stderr, "\t\t-s sets exit status based on valid tgt existence\n");
fprintf(stderr, "\t\t-a displays the address list\n");
@@ -113,8 +115,11 @@
name = NULL;
mode = DEFAULT;
/* V=version so v can be used for verbose later if desired. */
- while ((c = getopt(argc, argv, "fetKsnack45V")) != -1) {
+ while ((c = getopt(argc, argv, "dfetKsnack45V")) != -1) {
switch (c) {
+ case 'd':
+ show_adtype = 1;
+ break;
case 'f':
show_flags = 1;
break;
@@ -570,6 +575,24 @@
krb5_free_ticket(kcontext, tkt);
}
+ if (show_adtype) {
+ int i;
+
+ if (cred->authdata != NULL) {
+ if (!extra_field)
+ fputs("\t",stdout);
+ else
+ fputs(", ",stdout);
+ printf("AD types: ");
+ for (i = 0; cred->authdata[i] != NULL; i++) {
+ if (i)
+ printf(", ");
+ printf("%d", cred->authdata[i]->ad_type);
+ }
+ extra_field++;
+ }
+ }
+
/* if any additional info was printed, extra_field is non-zero */
if (extra_field)
putchar('\n');
Modified: trunk/src/configure.in
===================================================================
--- trunk/src/configure.in 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/configure.in 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1098,6 +1098,8 @@
plugins/preauth/cksum_body plugins/preauth/encrypted_challenge
plugins/preauth/wpse
plugins/authdata/greet
+ plugins/authdata/greet_client
+ plugins/authdata/greet_server
clients clients/klist clients/kinit clients/kvno
clients/kdestroy clients/kpasswd clients/ksu
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/k5-int.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1035,6 +1035,11 @@
krb5_int32 nonce;
} krb5_fast_response;
+typedef struct _krb5_ad_kdcissued {
+ krb5_checksum ad_checksum;
+ krb5_principal i_principal;
+ krb5_authdata **elements;
+} krb5_ad_kdcissued;
typedef krb5_error_code (*krb5_preauth_obtain_proc)
(krb5_context,
@@ -1345,11 +1350,111 @@
(krb5_context, krb5_fast_finished *);
void KRB5_CALLCONV krb5_free_fast_response
(krb5_context, krb5_fast_response *);
+void KRB5_CALLCONV krb5_free_ad_kdcissued
+(krb5_context, krb5_ad_kdcissued *);
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
#include "com_err.h"
#include "k5-plugin.h"
+#include <krb5/authdata_plugin.h>
+
+struct _krb5_authdata_context {
+ krb5_magic magic;
+ int n_modules;
+ struct _krb5_authdata_context_module {
+ krb5_authdatatype ad_type;
+ void *plugin_context;
+ authdata_client_plugin_fini_proc client_fini;
+ krb5_flags flags;
+ krb5plugin_authdata_client_ftable_v0 *ftable;
+ authdata_client_request_init_proc client_req_init;
+ authdata_client_request_fini_proc client_req_fini;
+ const char *name;
+ void *request_context;
+ void **request_context_pp;
+ } *modules;
+ struct plugin_dir_handle plugins;
+};
+
+typedef struct _krb5_authdata_context *krb5_authdata_context;
+
+void KRB5_CALLCONV krb5int_free_data_list
+(krb5_context context, krb5_data *data);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_init
+(krb5_context kcontext, krb5_authdata_context *pcontext);
+
+void KRB5_CALLCONV
+krb5_authdata_context_free
+(krb5_context kcontext, krb5_authdata_context context);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_authdata
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_authdata ***pauthdata);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_get_attribute_types
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_data **attrs);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_get_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_set_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_delete_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_import_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ const krb5_data *attributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_data **pattributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean restrict_authenticated,
+ const char *module,
+ void **ptr);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_copy
+(krb5_context kcontext,
+ krb5_authdata_context src,
+ krb5_authdata_context *dst);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_free_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const char *module,
+ void *ptr);
+
+
struct _kdb5_dal_handle; /* private, in kdb5.h */
typedef struct _kdb5_dal_handle kdb5_dal_handle;
struct _kdb_log_context;
@@ -1669,6 +1774,9 @@
krb5_error_code encode_krb5_fast_response
(const krb5_fast_response *, krb5_data **);
+krb5_error_code encode_krb5_ad_kdcissued
+(const krb5_ad_kdcissued *, krb5_data **);
+
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
@@ -1844,6 +1952,9 @@
krb5_error_code decode_krb5_fast_response
(const krb5_data *, krb5_fast_response **);
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *, krb5_ad_kdcissued **);
+
struct _krb5_key_data; /* kdb.h */
struct ldap_seqof_key_data {
@@ -2686,6 +2797,7 @@
krb5_keytab,
krb5_flags *,
krb5_ticket **);
+
krb5_error_code KRB5_CALLCONV krb5_cc_register
(krb5_context,
const krb5_cc_ops *,
@@ -2730,6 +2842,18 @@
krb5_auth_context,
krb5_enctype *);
+krb5_error_code
+krb5_auth_con_get_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context);
+
+krb5_error_code
+krb5_auth_con_set_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context);
+
krb5_error_code KRB5_CALLCONV
krb5int_server_decrypt_ticket_keyblock
(krb5_context context,
Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/kdb_ext.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -97,6 +97,7 @@
krb5_keyblock *server_key; /* Key used to generate server signature */
krb5_timestamp authtime; /* Authtime of TGT */
krb5_authdata **auth_data; /* Authorization data from TGT */
+ krb5_keyblock *session_key; /* Reply session key */
} kdb_sign_auth_data_req;
typedef struct _kdb_sign_auth_data_rep {
Modified: trunk/src/include/krb5/authdata_plugin.h
===================================================================
--- trunk/src/include/krb5/authdata_plugin.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/krb5/authdata_plugin.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -7,7 +7,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -21,7 +21,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* AuthorizationData plugin definitions for Kerberos 5.
*/
@@ -68,7 +68,7 @@
* functions.
*/
/* extern krb5plugin_authdata_ftable_v0 authdata_server_0; */
-typedef struct krb5plugin_authdata_ftable_v0 {
+typedef struct krb5plugin_authdata_server_ftable_v0 {
/* Not-usually-visible name. */
char *name;
@@ -107,9 +107,11 @@
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v0;
+} krb5plugin_server_authdata_ftable_v0;
-typedef struct krb5plugin_authdata_ftable_v1 {
+typedef krb5plugin_server_authdata_ftable_v0 krb5plugin_authdata_ftable_v0;
+
+typedef struct krb5plugin_authdata_server_ftable_v1 {
/* Not-usually-visible name. */
char *name;
@@ -155,6 +157,173 @@
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v1;
+} krb5plugin_authdata_server_ftable_v1;
+typedef krb5plugin_authdata_server_ftable_v1 krb5plugin_authdata_ftable_v1;
+
+typedef krb5_error_code
+(*authdata_client_plugin_init_proc)(krb5_context context,
+ void **plugin_context);
+
+#define AD_USAGE_AS_REQ 0x01
+#define AD_USAGE_TGS_REQ 0x02
+#define AD_USAGE_AP_REQ 0x04
+#define AD_USAGE_KDC_ISSUED 0x08
+#define AD_USAGE_MASK 0x0F
+#define AD_INFORMATIONAL 0x10
+
+struct _krb5_authdata_context;
+
+typedef void
+(*authdata_client_plugin_flags_proc)(krb5_context kcontext,
+ void *plugin_context,
+ krb5_authdatatype ad_type,
+ krb5_flags *flags);
+
+typedef void
+(*authdata_client_plugin_fini_proc)(krb5_context kcontext,
+ void *plugin_context);
+
+typedef krb5_error_code
+(*authdata_client_request_init_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void **request_context);
+
+typedef void
+(*authdata_client_request_fini_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context);
+
+typedef krb5_error_code
+(*authdata_client_import_authdata_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ krb5_authdata **authdata,
+ krb5_boolean kdc_issued_flag,
+ krb5_const_principal issuer);
+
+typedef krb5_error_code
+(*authdata_client_export_authdata_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ krb5_flags usage,
+ krb5_authdata ***authdata);
+
+typedef krb5_error_code
+(*authdata_client_get_attribute_types_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ krb5_data **attrs);
+
+typedef krb5_error_code
+(*authdata_client_get_attribute_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more);
+
+typedef krb5_error_code
+(*authdata_client_set_attribute_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value);
+
+typedef krb5_error_code
+(*authdata_client_delete_attribute_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_data *attribute);
+
+typedef krb5_error_code
+(*authdata_client_export_internal_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean restrict_authenticated,
+ void **ptr);
+
+typedef void
+(*authdata_client_free_internal_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ void *ptr);
+
+typedef krb5_error_code
+(*authdata_client_verify_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *req);
+
+typedef krb5_error_code
+(*authdata_client_size_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ size_t *sizep);
+
+typedef krb5_error_code
+(*authdata_client_externalize_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain);
+
+typedef krb5_error_code
+(*authdata_client_internalize_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain);
+
+typedef krb5_error_code
+(*authdata_client_copy_proc)(krb5_context kcontext,
+ struct _krb5_authdata_context *context,
+ void *plugin_context,
+ void *request_context,
+ void *dst_plugin_context,
+ void *dst_request_context);
+
+typedef struct krb5plugin_authdata_client_ftable_v0 {
+ char *name;
+ krb5_authdatatype *ad_type_list;
+ authdata_client_plugin_init_proc init;
+ authdata_client_plugin_fini_proc fini;
+ authdata_client_plugin_flags_proc flags;
+ authdata_client_request_init_proc request_init;
+ authdata_client_request_fini_proc request_fini;
+ authdata_client_get_attribute_types_proc get_attribute_types;
+ authdata_client_get_attribute_proc get_attribute;
+ authdata_client_set_attribute_proc set_attribute;
+ authdata_client_delete_attribute_proc delete_attribute;
+ authdata_client_export_authdata_proc export_authdata;
+ authdata_client_import_authdata_proc import_authdata;
+ authdata_client_export_internal_proc export_internal;
+ authdata_client_free_internal_proc free_internal;
+ authdata_client_verify_proc verify;
+ authdata_client_size_proc size;
+ authdata_client_externalize_proc externalize;
+ authdata_client_internalize_proc internalize;
+ authdata_client_copy_proc copy; /* optional */
+} krb5plugin_authdata_client_ftable_v0;
+
#endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/krb5/krb5.hin 2009-10-09 18:29:34 UTC (rev 22875)
@@ -2575,6 +2575,22 @@
krb5_authdata ***container);
/*
+ * AD-KDCIssued
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_make_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+ krb5_authdata *const *authdata,
+ krb5_authdata ***ad_kdcissued);
+krb5_error_code KRB5_CALLCONV
+krb5_verify_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ const krb5_authdata *ad_kdcissued,
+ krb5_principal *issuer,
+ krb5_authdata ***authdata);
+
+/*
* Windows PAC
*/
struct krb5_pac_data;
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/do_tgs_req.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -699,6 +699,10 @@
else
enc_tkt_reply.client = header_enc_tkt->client;
+ enc_tkt_reply.session = &session_key;
+ enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
+ enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
+
errcode = handle_authdata(kdc_context,
c_flags,
(c_nprincs != 0) ? &client : NULL,
@@ -728,10 +732,6 @@
}
}
- enc_tkt_reply.session = &session_key;
- enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
- enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
-
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/kdc_authdata.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -158,11 +158,10 @@
}
/* Count the valid modules. */
- module_count = sizeof(static_authdata_systems)
- / sizeof(static_authdata_systems[0]);
+ module_count = 0;
if (authdata_plugins_ftables_v1 != NULL) {
- struct krb5plugin_authdata_ftable_v1 *ftable;
+ struct krb5plugin_authdata_server_ftable_v1 *ftable;
for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) {
ftable = authdata_plugins_ftables_v1[i];
@@ -172,7 +171,7 @@
}
if (authdata_plugins_ftables_v0 != NULL) {
- struct krb5plugin_authdata_ftable_v0 *ftable;
+ struct krb5plugin_authdata_server_ftable_v0 *ftable;
for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) {
ftable = authdata_plugins_ftables_v0[i];
@@ -181,6 +180,9 @@
}
}
+ module_count += sizeof(static_authdata_systems)
+ / sizeof(static_authdata_systems[0]);
+
/* Build the complete list of supported authdata options, and
* leave room for a terminator entry. */
authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems));
@@ -189,25 +191,11 @@
goto cleanup;
}
- /* Add the locally-supplied mechanisms to the dynamic list first. */
- for (i = 0, k = 0;
- i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]);
- i++) {
- authdata_systems[k] = static_authdata_systems[i];
- /* Try to initialize the authdata system. If it fails, we'll remove it
- * from the list of systems we'll be using. */
- server_init_proc = static_authdata_systems[i].init;
- if ((server_init_proc != NULL) &&
- ((*server_init_proc)(context, &authdata_systems[k].plugin_context) != 0)) {
- memset(&authdata_systems[k], 0, sizeof(authdata_systems[k]));
- continue;
- }
- k++;
- }
+ k = 0;
/* Add dynamically loaded V1 plugins */
if (authdata_plugins_ftables_v1 != NULL) {
- struct krb5plugin_authdata_ftable_v1 *ftable;
+ struct krb5plugin_authdata_server_ftable_v1 *ftable;
for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) {
krb5_error_code initerr;
@@ -245,7 +233,7 @@
/* Add dynamically loaded V0 plugins */
if (authdata_plugins_ftables_v0 != NULL) {
- struct krb5plugin_authdata_ftable_v0 *ftable;
+ struct krb5plugin_authdata_server_ftable_v0 *ftable;
for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) {
krb5_error_code initerr;
@@ -281,6 +269,22 @@
}
}
+ /* Add the locally-supplied mechanisms to the dynamic list first. */
+ for (i = 0;
+ i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]);
+ i++) {
+ authdata_systems[k] = static_authdata_systems[i];
+ /* Try to initialize the authdata system. If it fails, we'll remove it
+ * from the list of systems we'll be using. */
+ server_init_proc = static_authdata_systems[i].init;
+ if ((server_init_proc != NULL) &&
+ ((*server_init_proc)(context, &authdata_systems[k].plugin_context) != 0)) {
+ memset(&authdata_systems[k], 0, sizeof(authdata_systems[k]));
+ continue;
+ }
+ k++;
+ }
+
n_authdata_systems = k;
/* Add the end-of-list marker. */
authdata_systems[k].name = "[end]";
@@ -526,6 +530,7 @@
server_key, /* U2U or server key */
enc_tkt_reply->times.authtime,
tgs_req ? enc_tkt_request->authorization_data : NULL,
+ enc_tkt_reply->session,
&db_authdata,
&ad_entry,
&ad_nprincs);
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/kdc_util.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1739,6 +1739,7 @@
krb5_keyblock *server_key,
krb5_timestamp authtime,
krb5_authdata **tgs_authdata,
+ krb5_keyblock *session_key,
krb5_authdata ***ret_authdata,
krb5_db_entry *ad_entry,
int *ad_nprincs)
@@ -1765,6 +1766,7 @@
req.server_key = server_key;
req.authtime = authtime;
req.auth_data = tgs_authdata;
+ req.session_key = session_key;
rep.entry = ad_entry;
rep.nprincs = 0;
Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/kdc_util.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -238,6 +238,7 @@
krb5_keyblock *server_key,
krb5_timestamp authtime,
krb5_authdata **tgs_authdata,
+ krb5_keyblock *session_key,
krb5_authdata ***ret_authdata,
krb5_db_entry *ad_entry,
int *ad_nprincs);
Copied: trunk/src/lib/crypto/krb/enc_provider (from rev 22872, users/lhoward/authdata/src/lib/crypto/krb/enc_provider)
Copied: trunk/src/lib/crypto/krb/hash_provider (from rev 22872, users/lhoward/authdata/src/lib/crypto/krb/hash_provider)
Modified: trunk/src/lib/crypto/openssl/sha1/shs.c
===================================================================
--- trunk/src/lib/crypto/openssl/sha1/shs.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/crypto/openssl/sha1/shs.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -29,7 +29,7 @@
void shsFinal(SHS_INFO *shsInfo)
{
- EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen);
+ EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen);
EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx );
}
Modified: trunk/src/lib/crypto/openssl/sha1/shs.h
===================================================================
--- trunk/src/lib/crypto/openssl/sha1/shs.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/crypto/openssl/sha1/shs.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -22,7 +22,7 @@
/* The structure for storing SHS info */
typedef struct {
- EVP_MD_CTX ossl_sha1_ctx;
+ EVP_MD_CTX ossl_sha1_ctx;
unsigned char digestBuf[SHS_DIGESTSIZE]; /* output */
unsigned int digestLen; /* output */
} SHS_INFO;
Modified: trunk/src/lib/gssapi/generic/gssapi_ext.h
===================================================================
--- trunk/src/lib/gssapi/generic/gssapi_ext.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/generic/gssapi_ext.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -254,7 +254,6 @@
gss_iov_buffer_desc *, /* iov */
int); /* iov_count */
-
/*
* Protocol transition
*/
@@ -285,6 +284,80 @@
OM_uint32 *, /* initiator_time_rec */
OM_uint32 *); /* acceptor_time_rec */
+/*
+ * Naming extensions
+ */
+OM_uint32 KRB5_CALLCONV gss_display_name_ext
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_OID, /* display_as_name_type */
+ gss_buffer_t /* display_name */
+);
+
+OM_uint32 KRB5_CALLCONV gss_inquire_name
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ int *, /* name_is_MN */
+ gss_OID *, /* MN_mech */
+ gss_buffer_set_t * /* attrs */
+);
+
+OM_uint32 KRB5_CALLCONV gss_get_name_attribute
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t, /* attr */
+ int *, /* authenticated */
+ int *, /* complete */
+ gss_buffer_t, /* value */
+ gss_buffer_t, /* display_value */
+ int * /* more */
+);
+
+OM_uint32 KRB5_CALLCONV gss_set_name_attribute
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ int, /* complete */
+ gss_buffer_t, /* attr */
+ gss_buffer_t /* value */
+);
+
+OM_uint32 KRB5_CALLCONV gss_delete_name_attribute
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t /* attr */
+);
+
+OM_uint32 KRB5_CALLCONV gss_export_name_composite
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t /* exp_composite_name */
+);
+
+typedef struct gss_any *gss_any_t;
+
+OM_uint32 KRB5_CALLCONV gss_map_name_to_any
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ int, /* authenticated */
+ gss_buffer_t, /* type_id */
+ gss_any_t * /* output */
+);
+
+OM_uint32 KRB5_CALLCONV gss_release_any_name_mapping
+(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t, /* type_id */
+ gss_any_t * /* input */
+);
+
#ifdef __cplusplus
}
#endif
Modified: trunk/src/lib/gssapi/krb5/Makefile.in
===================================================================
--- trunk/src/lib/gssapi/krb5/Makefile.in 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/Makefile.in 2009-10-09 18:29:34 UTC (rev 22875)
@@ -69,6 +69,7 @@
$(srcdir)/k5unsealiov.c \
$(srcdir)/krb5_gss_glue.c \
$(srcdir)/lucid_context.c \
+ $(srcdir)/naming_exts.c \
$(srcdir)/process_context_token.c \
$(srcdir)/rel_cred.c \
$(srcdir)/rel_oid.c \
@@ -120,6 +121,7 @@
$(OUTPRE)k5unsealiov.$(OBJEXT) \
$(OUTPRE)krb5_gss_glue.$(OBJEXT) \
$(OUTPRE)lucid_context.$(OBJEXT) \
+ $(OUTPRE)naming_exts.$(OBJEXT) \
$(OUTPRE)process_context_token.$(OBJEXT) \
$(OUTPRE)rel_cred.$(OBJEXT) \
$(OUTPRE)rel_oid.$(OBJEXT) \
@@ -174,6 +176,7 @@
k5unsealiov.o \
krb5_gss_glue.o \
lucid_context.o \
+ naming_exts.o \
process_context_token.o \
rel_cred.o \
rel_oid.o \
Modified: trunk/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/accept_sec_context.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/accept_sec_context.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -243,7 +243,7 @@
/* copy the client principle into it... */
if ((retval =
- krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) {
+ kg_init_name(context, creds[0]->client, NULL, 0, &cred->name))) {
k5_mutex_destroy(&cred->lock);
retval = ENOMEM; /* out of memory? */
xfree(cred); /* clean up memory on failure */
@@ -252,7 +252,7 @@
}
cred->usage = GSS_C_INITIATE; /* we can't accept with this */
- /* cred->princ already set */
+ /* cred->name already set */
cred->prerfc_mech = 1; /* this cred will work with all three mechs */
cred->rfc_mech = 1;
cred->keytab = NULL; /* no keytab associated with this... */
@@ -307,7 +307,7 @@
krb5_error_code code;
krb5_gss_ctx_id_rec *ctx = 0;
krb5_timestamp now;
- krb5_principal name = NULL;
+ krb5_gss_name_t name = NULL;
krb5_ui_4 nonce = 0;
krb5_data ap_rep;
OM_uint32 major_status = GSS_S_FAILURE;
@@ -350,16 +350,11 @@
ctx->established = 1;
if (src_name) {
- if ((code = krb5_copy_principal(ctx->k5_context, ctx->there, &name))) {
+ if ((code = kg_duplicate_name(ctx->k5_context, ctx->there,
+ KG_INIT_NAME_INTERN, &name))) {
major_status = GSS_S_FAILURE;
goto fail;
}
- /* intern the src_name */
- if (! kg_save_name((gss_name_t) name)) {
- code = G_VALIDATE_FAILED;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
*src_name = (gss_name_t) name;
}
@@ -420,7 +415,7 @@
krb5_address addr, *paddr;
krb5_authenticator *authdat = 0;
krb5_checksum reqcksum;
- krb5_principal name = NULL;
+ krb5_gss_name_t name = NULL;
krb5_ui_4 gss_flags = 0;
int decode_req_message = 0;
krb5_gss_ctx_id_rec *ctx = NULL;
@@ -442,6 +437,7 @@
int no_encap = 0;
krb5_flags ap_req_options = 0;
krb5_enctype negotiated_etype;
+ krb5_authdata_context ad_context = NULL;
code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
if (code) {
@@ -587,8 +583,11 @@
goto fail;
}
- if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
- cred->keytab, &ap_req_options, &ticket))) {
+ if ((code = krb5_rd_req(context, &auth_context, &ap_req,
+ cred->name ? cred->name->princ : NULL,
+ cred->keytab,
+ &ap_req_options,
+ &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
@@ -865,15 +864,23 @@
major_status = GSS_S_FAILURE;
goto fail;
}
- if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
+ if ((code = kg_init_name(context, ticket->server, NULL, 0, &ctx->here))) {
major_status = GSS_S_FAILURE;
goto fail;
}
-
- if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) {
+ if ((code = krb5_auth_con_get_authdata_context(context, auth_context,
+ &ad_context))) {
major_status = GSS_S_FAILURE;
goto fail;
}
+ if ((code = kg_init_name(context, authdat->client,
+ ad_context, KG_INIT_NAME_NO_COPY, &ctx->there))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ /* Now owned by ctx->there */
+ authdat->client = NULL;
+ krb5_auth_con_set_authdata_context(context, auth_context, NULL);
if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
&ctx->subkey))) {
@@ -1092,16 +1099,11 @@
/* set the return arguments */
if (src_name) {
- if ((code = krb5_copy_principal(context, ctx->there, &name))) {
+ if ((code = kg_duplicate_name(context, ctx->there,
+ KG_INIT_NAME_INTERN, &name))) {
major_status = GSS_S_FAILURE;
goto fail;
}
- /* intern the src_name */
- if (! kg_save_name((gss_name_t) name)) {
- code = G_VALIDATE_FAILED;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
}
if (mech_type)
@@ -1163,15 +1165,14 @@
if (deleg_cred) { /* free memory associated with the deleg credential */
if (deleg_cred->ccache)
(void)krb5_cc_close(context, deleg_cred->ccache);
- if (deleg_cred->princ)
- krb5_free_principal(context, deleg_cred->princ);
+ if (deleg_cred->name)
+ kg_release_name(context, 0, &deleg_cred->name);
xfree(deleg_cred);
}
if (token.value)
xfree(token.value);
if (name) {
- (void) kg_delete_name((gss_name_t) name);
- krb5_free_principal(context, name);
+ (void) kg_release_name(context, 0, &name);
}
*minor_status = code;
@@ -1212,7 +1213,7 @@
krb_error_data.error = code;
(void) krb5_us_timeofday(context, &krb_error_data.stime,
&krb_error_data.susec);
- krb_error_data.server = cred->princ;
+ krb_error_data.server = cred->name ? cred->name->princ : NULL;
code = krb5_mk_error(context, &krb_error_data, &scratch);
if (code)
Modified: trunk/src/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/acquire_cred.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/acquire_cred.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -131,18 +131,18 @@
}
/* get credentials corresponding to a key in the krb5 keytab.
- If the default name is requested, return the name in output_princ.
- If output_princ is non-NULL, the caller will use or free it, regardless
+ If the default name is requested, return the name in output_name.
+ If output_name is non-NULL, the caller will use or free it, regardless
of the return value.
If successful, set the keytab-specific fields in cred
*/
static OM_uint32
-acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
+acquire_accept_cred(context, minor_status, desired_name, output_name, cred)
krb5_context context;
OM_uint32 *minor_status;
- gss_name_t desired_name;
- krb5_principal *output_princ;
+ krb5_gss_name_t desired_name;
+ krb5_gss_name_t *output_name;
krb5_gss_cred_id_rec *cred;
{
krb5_error_code code;
@@ -150,7 +150,7 @@
krb5_keytab kt;
krb5_keytab_entry entry;
- *output_princ = NULL;
+ *output_name = NULL;
cred->keytab = NULL;
/* open the default keytab */
@@ -178,8 +178,8 @@
return(GSS_S_CRED_UNAVAIL);
}
- if (desired_name != GSS_C_NO_NAME) {
- princ = (krb5_principal) desired_name;
+ if (desired_name != NULL) {
+ princ = desired_name->princ;
if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
(void) krb5_kt_close(context, kt);
if (code == KRB5_KT_NOTFOUND) {
@@ -212,18 +212,18 @@
#endif /* LEAN_CLIENT */
/* get credentials corresponding to the default credential cache.
- If the default name is requested, return the name in output_princ.
- If output_princ is non-NULL, the caller will use or free it, regardless
+ If the default name is requested, return the name in output_name.
+ If output_name is non-NULL, the caller will use or free it, regardless
of the return value.
If successful, set the ccache-specific fields in cred.
*/
static OM_uint32
-acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
+acquire_init_cred(context, minor_status, desired_name, output_name, cred)
krb5_context context;
OM_uint32 *minor_status;
- gss_name_t desired_name;
- krb5_principal *output_princ;
+ krb5_gss_name_t desired_name;
+ krb5_gss_name_t *output_name;
krb5_gss_cred_id_rec *cred;
{
krb5_error_code code;
@@ -255,11 +255,10 @@
kim_ccache kimccache = NULL;
kim_identity identity = NULL;
kim_credential_state state;
- krb5_principal desired_princ = (krb5_principal) desired_name;
err = kim_identity_create_from_krb5_principal (&identity,
context,
- desired_princ);
+ desired_name->princ);
if (!err) {
err = kim_ccache_create_from_client_identity (&kimccache, identity);
@@ -307,7 +306,7 @@
if ( pLeash_AcquireInitialTicketsIfNeeded ) {
char ccname[256]="";
- pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname));
+ pLeash_AcquireInitialTicketsIfNeeded(context, desired_name->princ, ccname, sizeof(ccname));
if (!ccname[0]) {
*minor_status = KRB5_CC_NOTFOUND;
return(GSS_S_CRED_UNAVAIL);
@@ -354,17 +353,24 @@
return(GSS_S_FAILURE);
}
- if (desired_name != (gss_name_t) NULL) {
- if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) {
+ if (desired_name != (krb5_gss_name_t)NULL) {
+ if (! krb5_principal_compare(context, princ, desired_name->princ)) {
(void)krb5_free_principal(context, princ);
(void)krb5_cc_close(context, ccache);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_CRED_UNAVAIL);
}
(void)krb5_free_principal(context, princ);
- princ = (krb5_principal) desired_name;
+ princ = desired_name->princ;
} else {
- *output_princ = princ;
+ if ((code = kg_init_name(context, princ, NULL,
+ KG_INIT_NAME_NO_COPY | KG_INIT_NAME_INTERN,
+ output_name))) {
+ (void)krb5_free_principal(context, princ);
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
}
/* iterate over the ccache, find the tgt */
@@ -489,7 +495,7 @@
/* validate the name */
/*SUPPRESS 29*/
- if ((desired_name != (gss_name_t) NULL) &&
+ if ((desired_name != GSS_C_NO_NAME) &&
(! kg_validate_name(desired_name))) {
*minor_status = (OM_uint32) G_VALIDATE_FAILED;
krb5_free_context(context);
@@ -531,7 +537,7 @@
memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
cred->usage = cred_usage;
- cred->princ = NULL;
+ cred->name = NULL;
cred->prerfc_mech = (req_old != 0);
cred->rfc_mech = (req_new != 0);
@@ -561,15 +567,15 @@
}
/* if requested, acquire credentials for accepting */
- /* this will fill in cred->princ if the desired_name is not specified */
+ /* this will fill in cred->name if the desired_name is not specified */
#ifndef LEAN_CLIENT
if ((cred_usage == GSS_C_ACCEPT) ||
(cred_usage == GSS_C_BOTH))
if ((ret = acquire_accept_cred(context, minor_status, desired_name,
- &(cred->princ), cred))
+ &(cred->name), cred))
!= GSS_S_COMPLETE) {
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->name)
+ kg_release_name(context, 0, &cred->name);
k5_mutex_destroy(&cred->lock);
xfree(cred);
/* minor_status set by acquire_accept_cred() */
@@ -580,22 +586,22 @@
#endif /* LEAN_CLIENT */
/* if requested, acquire credentials for initiation */
- /* this will fill in cred->princ if it wasn't set above, and
+ /* this will fill in cred->name if it wasn't set above, and
the desired_name is not specified */
if ((cred_usage == GSS_C_INITIATE) ||
(cred_usage == GSS_C_BOTH))
if ((ret =
acquire_init_cred(context, minor_status,
- cred->princ?(gss_name_t)cred->princ:desired_name,
- &(cred->princ), cred))
+ cred->name?cred->name:(krb5_gss_name_t)desired_name,
+ &cred->name, cred))
!= GSS_S_COMPLETE) {
#ifndef LEAN_CLIENT
if (cred->keytab)
krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->name)
+ kg_release_name(context, 0, &cred->name);
k5_mutex_destroy(&cred->lock);
xfree(cred);
/* minor_status set by acquire_init_cred() */
@@ -606,9 +612,10 @@
/* if the princ wasn't filled in already, fill it in now */
- if (!cred->princ && (desired_name != GSS_C_NO_NAME))
- if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
- &(cred->princ)))) {
+ if (!cred->name && (desired_name != GSS_C_NO_NAME))
+ if ((code = kg_duplicate_name(context,
+ (krb5_gss_name_t)desired_name,
+ 0, &cred->name))) {
if (cred->ccache)
(void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
@@ -640,8 +647,8 @@
if (cred->keytab)
(void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->name)
+ kg_release_name(context, 0, &cred->name);
k5_mutex_destroy(&cred->lock);
xfree(cred);
*minor_status = code;
@@ -673,8 +680,8 @@
if (cred->keytab)
(void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->name)
+ kg_release_name(context, 0, &cred->name);
k5_mutex_destroy(&cred->lock);
xfree(cred);
/* *minor_status set above */
@@ -694,8 +701,8 @@
if (cred->keytab)
(void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->name)
+ kg_release_name(context, 0, &cred->name);
k5_mutex_destroy(&cred->lock);
xfree(cred);
*minor_status = (OM_uint32) G_VALIDATE_FAILED;
Modified: trunk/src/lib/gssapi/krb5/add_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/add_cred.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/add_cred.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -170,8 +170,7 @@
/* make sure the desired_name is the same as the existing one */
if (desired_name &&
- !krb5_principal_compare(context, (krb5_principal) desired_name,
- cred->princ)) {
+ !kg_compare_name(context, (krb5_gss_name_t)desired_name, cred->name)) {
*minor_status = 0;
krb5_free_context(context);
return(GSS_S_BAD_NAME);
@@ -200,8 +199,8 @@
new_cred->rfc_mech = cred->rfc_mech;
new_cred->tgt_expire = cred->tgt_expire;
- if (cred->princ)
- code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
+ if (cred->name)
+ code = kg_duplicate_name(context, cred->name, 0, &new_cred->name);
if (code) {
xfree(new_cred);
@@ -214,8 +213,8 @@
if (cred->keytab) {
kttype = krb5_kt_get_type(context, cred->keytab);
if ((strlen(kttype)+2) > sizeof(ktboth)) {
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->name)
+ kg_release_name(context, 0, &new_cred->name);
xfree(new_cred);
*minor_status = ENOMEM;
@@ -231,8 +230,8 @@
ktboth+strlen(ktboth),
sizeof(ktboth)-strlen(ktboth));
if (code) {
- if(new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
+ if(new_cred->name)
+ kg_release_name(context, 0, &new_cred->name);
xfree(new_cred);
*minor_status = code;
@@ -243,8 +242,8 @@
code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
if (code) {
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->name)
+ kg_release_name(context, 0, &new_cred->name);
xfree(new_cred);
*minor_status = code;
@@ -261,15 +260,17 @@
if (cred->rcache) {
/* Open the replay cache for this principal. */
+ assert(cred->name->princ != NULL);
+
if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, cred->princ, 0),
+ krb5_princ_component(context, cred->name->princ, 0),
&new_cred->rcache))) {
#ifndef LEAN_CLIENT
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->name)
+ kg_release_name(context, 0, &new_cred->name);
xfree(new_cred);
*minor_status = code;
@@ -292,8 +293,8 @@
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->name)
+ kg_release_name(context, 0, &new_cred->name);
xfree(new_cred);
krb5_free_context(context);
@@ -314,8 +315,8 @@
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->name)
+ kg_release_name(context, 0, &new_cred->name);
xfree(new_cred);
*minor_status = code;
@@ -338,8 +339,8 @@
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->name)
+ kg_release_name(context, 0, &new_cred->name);
xfree(new_cred);
krb5_free_context(context);
Modified: trunk/src/lib/gssapi/krb5/compare_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/compare_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/compare_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -54,8 +54,9 @@
}
*minor_status = 0;
- *name_equal = krb5_principal_compare(context, (krb5_principal) name1,
- (krb5_principal) name2);
+ *name_equal = kg_compare_name(context,
+ (krb5_gss_name_t)name1,
+ (krb5_gss_name_t)name2);
krb5_free_context(context);
return(GSS_S_COMPLETE);
}
Modified: trunk/src/lib/gssapi/krb5/delete_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/delete_sec_context.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/delete_sec_context.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -88,9 +88,9 @@
krb5_free_keyblock(context, ctx->seq);
if (ctx->here)
- krb5_free_principal(context, ctx->here);
+ kg_release_name(context, 0, &ctx->here);
if (ctx->there)
- krb5_free_principal(context, ctx->there);
+ kg_release_name(context, 0, &ctx->there);
if (ctx->subkey)
krb5_free_keyblock(context, ctx->subkey);
if (ctx->acceptor_subkey)
Modified: trunk/src/lib/gssapi/krb5/disp_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/disp_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/disp_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -51,7 +51,8 @@
}
if ((code = krb5_unparse_name(context,
- (krb5_principal) input_name, &str))) {
+ ((krb5_gss_name_t) input_name)->princ,
+ &str))) {
*minor_status = code;
save_error_info(*minor_status, context);
krb5_free_context(context);
Modified: trunk/src/lib/gssapi/krb5/duplicate_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/duplicate_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/duplicate_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -34,7 +34,7 @@
{
krb5_context context;
krb5_error_code code;
- krb5_principal princ, outprinc;
+ krb5_gss_name_t princ, outprinc;
if (minor_status)
*minor_status = 0;
@@ -53,23 +53,16 @@
return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
}
- princ = (krb5_principal)input_name;
- if ((code = krb5_copy_principal(context, princ, &outprinc))) {
+ princ = (krb5_gss_name_t)input_name;
+ if ((code = kg_duplicate_name(context, princ, KG_INIT_NAME_INTERN, &outprinc))) {
*minor_status = code;
save_error_info(*minor_status, context);
krb5_free_context(context);
return(GSS_S_FAILURE);
}
-
- if (! kg_save_name((gss_name_t) outprinc)) {
- krb5_free_principal(context, outprinc);
- krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
-
krb5_free_context(context);
*dest_name = (gss_name_t) outprinc;
+ assert(kg_validate_name(*dest_name));
return(GSS_S_COMPLETE);
}
Modified: trunk/src/lib/gssapi/krb5/export_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/export_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/export_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -58,7 +58,7 @@
return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
}
- if ((code = krb5_unparse_name(context, (krb5_principal) input_name,
+ if ((code = krb5_unparse_name(context, ((krb5_gss_name_t) input_name)->princ,
&str))) {
if (minor_status)
*minor_status = code;
Modified: trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -153,7 +153,11 @@
/** internal types **/
-typedef krb5_principal krb5_gss_name_t;
+typedef struct _krb5_gss_name_rec {
+ krb5_principal princ; /* immutable */
+ k5_mutex_t lock; /* protects ad_context only for now */
+ krb5_authdata_context ad_context;
+} krb5_gss_name_rec, *krb5_gss_name_t;
typedef struct _krb5_gss_cred_id_rec {
/* protect against simultaneous accesses */
@@ -161,7 +165,7 @@
/* name/type of credential */
gss_cred_usage_t usage;
- krb5_principal princ; /* this is not interned as a gss_name_t */
+ krb5_gss_name_t name;
unsigned int prerfc_mech : 1;
unsigned int rfc_mech : 1;
unsigned int proxy_cred : 1;
@@ -184,8 +188,8 @@
unsigned int seed_init : 1; /* XXX tested but never actually set */
OM_uint32 gss_flags;
unsigned char seed[16];
- krb5_principal here;
- krb5_principal there;
+ krb5_gss_name_t here;
+ krb5_gss_name_t there;
krb5_keyblock *subkey; /*One of two potential keys to use with RFC
* 4121 packets; this key must always be set.*/
int signalg;
@@ -825,6 +829,86 @@
int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
+/* naming_exts.c */
+#define KG_INIT_NAME_INTERN 0x1
+#define KG_INIT_NAME_NO_COPY 0x2
+
+krb5_error_code
+kg_init_name(krb5_context context,
+ krb5_principal principal,
+ krb5_authdata_context ad_context,
+ krb5_flags flags,
+ krb5_gss_name_t *name);
+
+krb5_error_code
+kg_release_name(krb5_context context,
+ krb5_flags flags,
+ krb5_gss_name_t *name);
+
+krb5_error_code
+kg_duplicate_name(krb5_context context,
+ const krb5_gss_name_t src,
+ krb5_flags flags,
+ krb5_gss_name_t *dst);
+
+krb5_boolean
+kg_compare_name(krb5_context context,
+ krb5_gss_name_t name1,
+ krb5_gss_name_t name2);
+
+OM_uint32
+krb5_gss_display_name_ext(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_OID display_as_name_type,
+ gss_buffer_t display_name);
+
+OM_uint32
+krb5_gss_inquire_name(OM_uint32 *minor_status,
+ gss_name_t name,
+ int *name_is_MN,
+ gss_OID *MN_mech,
+ gss_buffer_set_t *attrs);
+
+OM_uint32
+krb5_gss_get_name_attribute(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more);
+
+OM_uint32
+krb5_gss_set_name_attribute(OM_uint32 *minor_status,
+ gss_name_t name,
+ int complete,
+ gss_buffer_t attr,
+ gss_buffer_t value);
+
+OM_uint32
+krb5_gss_delete_name_attribute(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t attr);
+
+OM_uint32
+krb5_gss_export_name_composite(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t exp_composite_name);
+
+OM_uint32
+krb5_gss_map_name_to_any(OM_uint32 *minor_status,
+ gss_name_t name,
+ int authenticated,
+ gss_buffer_t type_id,
+ gss_any_t *output);
+
+OM_uint32
+krb5_gss_release_any_name_mapping(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t type_id,
+ gss_any_t *input);
+
/* s4u_gss_glue.c */
OM_uint32
kg_compose_deleg_cred(OM_uint32 *minor_status,
@@ -837,7 +921,6 @@
OM_uint32 *time_rec,
krb5_context context);
-
/*
* These take unglued krb5-mech-specific contexts.
*/
Modified: trunk/src/lib/gssapi/krb5/gssapi_krb5.c
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -681,6 +681,14 @@
NULL, /* complete_auth_token */
krb5_gss_acquire_cred_impersonate_name,
NULL, /* krb5_gss_add_cred_impersonate_name */
+ NULL, /* display_name_ext */
+ krb5_gss_inquire_name,
+ krb5_gss_get_name_attribute,
+ krb5_gss_set_name_attribute,
+ krb5_gss_delete_name_attribute,
+ krb5_gss_export_name_composite,
+ krb5_gss_map_name_to_any,
+ krb5_gss_release_any_name_mapping,
};
Modified: trunk/src/lib/gssapi/krb5/import_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/import_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/import_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -45,6 +45,39 @@
* GSS_S_FAILURE if memory allocation fails
*/
+/*
+ * Import serialized authdata context
+ */
+static krb5_error_code
+import_name_composite(krb5_context context,
+ unsigned char *enc_data, size_t enc_length,
+ krb5_authdata_context *pad_context)
+{
+ krb5_authdata_context ad_context;
+ krb5_error_code code;
+ krb5_data data;
+
+ code = krb5_authdata_context_init(context, &ad_context);
+ if (code != 0)
+ return code;
+
+ data.data = (char *)enc_data;
+ data.length = enc_length;
+
+ code = krb5_authdata_import_attributes(context,
+ ad_context,
+ AD_USAGE_MASK,
+ &data);
+ if (code != 0) {
+ krb5_authdata_context_free(context, ad_context);
+ return code;
+ }
+
+ *pad_context = ad_context;
+
+ return 0;
+}
+
OM_uint32
krb5_gss_import_name(minor_status, input_name_buffer,
input_name_type, output_name)
@@ -54,13 +87,16 @@
gss_name_t *output_name;
{
krb5_context context;
- krb5_principal princ;
+ krb5_principal princ = NULL;
krb5_error_code code;
- char *stringrep, *tmp, *tmp2, *cp;
- OM_uint32 length;
+ unsigned char *cp, *end;
+ char *tmp, *stringrep, *tmp2;
+ ssize_t length;
#ifndef NO_PASSWORD
struct passwd *pw;
#endif
+ int has_ad = 0;
+ krb5_authdata_context ad_context = NULL;
code = krb5_gss_init_context(&context);
if (code) {
@@ -81,7 +117,7 @@
char *service, *host;
if ((tmp =
- (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
+ xmalloc(input_name_buffer->length + 1)) == NULL) {
*minor_status = ENOMEM;
krb5_free_context(context);
return(GSS_S_FAILURE);
@@ -155,28 +191,49 @@
goto do_getpwuid;
#endif
} else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
- cp = tmp;
+#define BOUNDS_CHECK(cp, end, n) do { if ((end) - (cp) < (n)) goto fail_name; } while (0)
+ cp = (unsigned char *)tmp;
+ end = cp + input_name_buffer->length;
+
+ BOUNDS_CHECK(cp, end, 2);
if (*cp++ != 0x04)
goto fail_name;
- if (*cp++ != 0x01)
+ switch (*cp++) {
+ case 0x01:
+ break;
+ case 0x02:
+ has_ad++;
+ break;
+ default:
goto fail_name;
+ }
+
+ BOUNDS_CHECK(cp, end, 2);
if (*cp++ != 0x00)
goto fail_name;
length = *cp++;
- if (length != gss_mech_krb5->length+2)
+ if (length != (ssize_t)gss_mech_krb5->length+2)
goto fail_name;
+
+ BOUNDS_CHECK(cp, end, 2);
if (*cp++ != 0x06)
goto fail_name;
length = *cp++;
- if (length != gss_mech_krb5->length)
+ if (length != (ssize_t)gss_mech_krb5->length)
goto fail_name;
+
+ BOUNDS_CHECK(cp, end, length);
if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
goto fail_name;
cp += length;
+
+ BOUNDS_CHECK(cp, end, 4);
length = *cp++;
length = (length << 8) | *cp++;
length = (length << 8) | *cp++;
length = (length << 8) | *cp++;
+
+ BOUNDS_CHECK(cp, end, length);
tmp2 = malloc(length+1);
if (tmp2 == NULL) {
xfree(tmp);
@@ -184,10 +241,27 @@
krb5_free_context(context);
return GSS_S_FAILURE;
}
- strncpy(tmp2, cp, length);
+ strncpy(tmp2, (char *)cp, length);
tmp2[length] = 0;
+ stringrep = tmp2;
+ cp += length;
- stringrep = tmp2;
+ if (has_ad) {
+ BOUNDS_CHECK(cp, end, 4);
+ length = *cp++;
+ length = (length << 8) | *cp++;
+ length = (length << 8) | *cp++;
+ length = (length << 8) | *cp++;
+
+ BOUNDS_CHECK(cp, end, length);
+ code = import_name_composite(context,
+ cp, length,
+ &ad_context);
+ if (code != 0)
+ goto fail_name;
+ cp += length;
+ }
+ assert(cp == end);
} else {
xfree(tmp);
krb5_free_context(context);
@@ -218,16 +292,21 @@
if (code) {
*minor_status = (OM_uint32) code;
save_error_info(*minor_status, context);
+ krb5_authdata_context_free(context, ad_context);
krb5_free_context(context);
return(GSS_S_BAD_NAME);
}
/* save the name in the validation database */
-
- if (! kg_save_name((gss_name_t) princ)) {
+ code = kg_init_name(context, princ, ad_context,
+ KG_INIT_NAME_INTERN | KG_INIT_NAME_NO_COPY,
+ (krb5_gss_name_t *)output_name);
+ if (code != 0) {
+ *minor_status = (OM_uint32) code;
+ save_error_info(*minor_status, context);
krb5_free_principal(context, princ);
+ krb5_authdata_context_free(context, ad_context);
krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
return(GSS_S_FAILURE);
}
@@ -235,6 +314,5 @@
/* return it */
- *output_name = (gss_name_t) princ;
return(GSS_S_COMPLETE);
}
Modified: trunk/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/init_sec_context.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/init_sec_context.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -122,7 +122,7 @@
endtime, out_creds)
krb5_context context;
krb5_gss_cred_id_t cred;
- krb5_principal server;
+ krb5_gss_name_t server;
krb5_timestamp now;
krb5_timestamp endtime;
krb5_creds **out_creds;
@@ -137,6 +137,8 @@
memset(&evidence_creds, 0, sizeof(krb5_creds));
in_creds.client = in_creds.server = NULL;
+ assert(cred->name != NULL);
+
if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
goto cleanup;
@@ -146,7 +148,7 @@
* we can just use the S4U2Self or evidence ticket directly).
*/
if (cred->proxy_cred &&
- !krb5_principal_compare(context, cc_princ, server)) {
+ !krb5_principal_compare(context, cc_princ, server->princ)) {
krb5_creds mcreds;
flags |= KRB5_GC_CANONICALIZE |
@@ -158,10 +160,11 @@
mcreds.magic = KV5M_CREDS;
mcreds.times.endtime = cred->tgt_expire;
mcreds.server = cc_princ;
- mcreds.client = cred->princ;
+ mcreds.client = cred->name->princ;
code = krb5_cc_retrieve_cred(context, cred->ccache,
- KRB5_TC_MATCH_TIMES, &mcreds,
+ KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
+ &mcreds,
&evidence_creds);
if (code)
goto cleanup;
@@ -171,19 +174,34 @@
in_creds.client = cc_princ;
in_creds.second_ticket = evidence_creds.ticket;
} else {
- in_creds.client = cred->princ;
+ in_creds.client = cred->name->princ;
}
- in_creds.server = server;
+ in_creds.server = server->princ;
in_creds.times.endtime = endtime;
+ in_creds.authdata = NULL;
+ in_creds.keyblock.enctype = 0;
+ /*
+ * cred->name is immutable, so there is no need to acquire
+ * cred->name->lock.
+ */
+ if (cred->name->ad_context != NULL) {
+ code = krb5_authdata_export_authdata(context,
+ cred->name->ad_context,
+ AD_USAGE_TGS_REQ,
+ &in_creds.authdata);
+ if (code != 0)
+ goto cleanup;
+ }
+
code = krb5_get_credentials(context, flags, cred->ccache,
&in_creds, out_creds);
if (code)
goto cleanup;
if (flags & KRB5_GC_CONSTRAINED_DELEGATION) {
- if (!krb5_principal_compare(context, cred->princ,
+ if (!krb5_principal_compare(context, cred->name->princ,
(*out_creds)->client)) {
/* server did not support constrained delegation */
code = KRB5_KDCREP_MODIFIED;
@@ -203,8 +221,8 @@
}
cleanup:
- if (cc_princ)
- krb5_free_principal(context, cc_princ);
+ krb5_free_authdata(context, in_creds.authdata);
+ krb5_free_principal(context, cc_princ);
krb5_free_cred_contents(context, &evidence_creds);
return code;
@@ -242,8 +260,10 @@
krb5_auth_con_setflags(context, auth_context,
con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
+ assert(data->cred->name != NULL);
+
code = krb5_fwd_tgt_creds(context, auth_context, 0,
- data->cred->princ, data->ctx->there,
+ data->cred->name->princ, data->ctx->there->princ,
data->cred->ccache, 1,
&credmsg);
@@ -318,11 +338,13 @@
}
static krb5_error_code
-make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
+make_ap_req_v1(context, ctx, cred, k_cred, ad_context,
+ chan_bindings, mech_type, token)
krb5_context context;
krb5_gss_ctx_id_rec *ctx;
krb5_gss_cred_id_t cred;
krb5_creds *k_cred;
+ krb5_authdata_context ad_context;
gss_channel_bindings_t chan_bindings;
gss_OID mech_type;
gss_buffer_t token;
@@ -375,8 +397,10 @@
if (ctx->gss_flags & GSS_C_MUTUAL_FLAG)
mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_ETYPE_NEGOTIATION;
+ krb5_auth_con_set_authdata_context(context, ctx->auth_context, ad_context);
code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags,
checksum_data, k_cred, &ap_req);
+ krb5_auth_con_set_authdata_context(context, ctx->auth_context, NULL);
krb5_free_data_contents(context, &cksum_struct.checksum_data);
if (code)
goto cleanup;
@@ -526,11 +550,10 @@
ctx->krb_times.endtime = now + time_req;
}
- if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
+ if ((code = kg_duplicate_name(context, cred->name, 0, &ctx->here)))
goto fail;
- if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
- &ctx->there)))
+ if ((code = kg_duplicate_name(context, (krb5_gss_name_t)target_name, 0, &ctx->there)))
goto fail;
code = get_credentials(context, cred, ctx->there, now,
@@ -566,7 +589,8 @@
/* gsskrb5 v1 */
krb5_int32 seq_temp;
if ((code = make_ap_req_v1(context, ctx,
- cred, k_cred, input_chan_bindings,
+ cred, k_cred, ctx->here->ad_context,
+ input_chan_bindings,
mech_type, &token))) {
if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
(code == KG_EMPTY_CCACHE))
@@ -640,9 +664,9 @@
if (ctx_free->auth_context)
krb5_auth_con_free(context, ctx_free->auth_context);
if (ctx_free->here)
- krb5_free_principal(context, ctx_free->here);
+ kg_release_name(context, 0, &ctx_free->here);
if (ctx_free->there)
- krb5_free_principal(context, ctx_free->there);
+ kg_release_name(context, 0, &ctx_free->there);
if (ctx_free->subkey)
krb5_free_keyblock(context, ctx_free->subkey);
xfree(ctx_free);
@@ -709,8 +733,7 @@
goto fail;
}
- if (! krb5_principal_compare(context, ctx->there,
- (krb5_principal) target_name)) {
+ if (! kg_compare_name(context, ctx->there, (krb5_gss_name_t)target_name)) {
(void)krb5_gss_delete_sec_context(minor_status,
context_handle, NULL);
code = 0;
Modified: trunk/src/lib/gssapi/krb5/inq_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/inq_context.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/inq_context.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -94,7 +94,7 @@
krb5_context context;
krb5_error_code code;
krb5_gss_ctx_id_rec *ctx;
- krb5_principal initiator, acceptor;
+ krb5_gss_name_t initiator, acceptor;
krb5_timestamp now;
krb5_deltat lifetime;
@@ -130,38 +130,28 @@
lifetime = 0;
if (initiator_name) {
- if ((code = krb5_copy_principal(context,
- ctx->initiate?ctx->here:ctx->there,
- &initiator))) {
+ if ((code = kg_duplicate_name(context,
+ ctx->initiate?ctx->here:ctx->there,
+ KG_INIT_NAME_INTERN,
+ &initiator))) {
*minor_status = code;
save_error_info(*minor_status, context);
return(GSS_S_FAILURE);
}
- if (! kg_save_name((gss_name_t) initiator)) {
- krb5_free_principal(context, initiator);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
}
if (acceptor_name) {
- if ((code = krb5_copy_principal(context,
- ctx->initiate?ctx->there:ctx->here,
- &acceptor))) {
- if (initiator) krb5_free_principal(context, initiator);
+ if ((code = kg_duplicate_name(context,
+ ctx->initiate?ctx->there:ctx->here,
+ KG_INIT_NAME_INTERN,
+ &acceptor))) {
+ if (initiator)
+ kg_release_name(context, KG_INIT_NAME_INTERN,
+ &initiator);
*minor_status = code;
save_error_info(*minor_status, context);
return(GSS_S_FAILURE);
}
- if (! kg_save_name((gss_name_t) acceptor)) {
- krb5_free_principal(context, acceptor);
- if (initiator) {
- kg_delete_name((gss_name_t) initiator);
- krb5_free_principal(context, initiator);
- }
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
}
if (initiator_name)
Modified: trunk/src/lib/gssapi/krb5/inq_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/inq_cred.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/inq_cred.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -88,7 +88,7 @@
krb5_error_code code;
krb5_timestamp now;
krb5_deltat lifetime;
- krb5_principal ret_name;
+ krb5_gss_name_t ret_name;
gss_OID_set mechs;
OM_uint32 ret;
@@ -145,8 +145,9 @@
lifetime = GSS_C_INDEFINITE;
if (name) {
- if (cred->princ &&
- (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ if (cred->name &&
+ (code = kg_duplicate_name(context, cred->name,
+ KG_INIT_NAME_INTERN, &ret_name))) {
k5_mutex_unlock(&cred->lock);
*minor_status = code;
save_error_info(*minor_status, context);
@@ -168,24 +169,13 @@
&mechs)))) {
k5_mutex_unlock(&cred->lock);
if (ret_name)
- krb5_free_principal(context, ret_name);
+ kg_release_name(context, KG_INIT_NAME_INTERN, &ret_name);
/* *minor_status set above */
goto fail;
}
}
if (name) {
- if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
- k5_mutex_unlock(&cred->lock);
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
- (void) generic_gss_release_oid_set(minor_status, &mechs);
- krb5_free_principal(context, ret_name);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
if (ret_name != NULL)
*name = (gss_name_t) ret_name;
else
Copied: trunk/src/lib/gssapi/krb5/naming_exts.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/krb5/naming_exts.c)
Modified: trunk/src/lib/gssapi/krb5/rel_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/rel_cred.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/rel_cred.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -71,8 +71,8 @@
code3 = krb5_rc_close(context, cred->rcache);
else
code3 = 0;
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->name)
+ kg_release_name(context, 0, &cred->name);
if (cred->req_enctypes)
free(cred->req_enctypes);
Modified: trunk/src/lib/gssapi/krb5/rel_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/rel_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/rel_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -43,9 +43,8 @@
return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
}
- (void)kg_delete_name(*input_name);
-
- krb5_free_principal(context, (krb5_principal) *input_name);
+ kg_release_name(context, KG_INIT_NAME_INTERN,
+ (krb5_gss_name_t *)input_name);
krb5_free_context(context);
*input_name = (gss_name_t) NULL;
Modified: trunk/src/lib/gssapi/krb5/s4u_gss_glue.c
===================================================================
--- trunk/src/lib/gssapi/krb5/s4u_gss_glue.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/s4u_gss_glue.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -109,7 +109,7 @@
static OM_uint32
kg_impersonate_name(OM_uint32 *minor_status,
const krb5_gss_cred_id_t impersonator_cred,
- const krb5_principal user,
+ const krb5_gss_name_t user,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
krb5_gss_cred_id_t *output_cred,
@@ -124,18 +124,39 @@
memset(&in_creds, 0, sizeof(in_creds));
memset(&out_creds, 0, sizeof(out_creds));
- in_creds.client = user;
- in_creds.server = impersonator_cred->princ;
+ in_creds.client = user->princ;
+ in_creds.server = impersonator_cred->name->princ;
if (impersonator_cred->req_enctypes != NULL)
in_creds.keyblock.enctype = impersonator_cred->req_enctypes[0];
+ code = k5_mutex_lock(&user->lock);
+ if (code != 0) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ if (user->ad_context != NULL) {
+ code = krb5_authdata_export_authdata(context,
+ user->ad_context,
+ AD_USAGE_TGS_REQ,
+ &in_creds.authdata);
+ if (code != 0) {
+ k5_mutex_unlock(&user->lock);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ }
+
+ k5_mutex_unlock(&user->lock);
+
code = krb5_get_credentials_for_user(context,
KRB5_GC_CANONICALIZE | KRB5_GC_NO_STORE,
impersonator_cred->ccache,
&in_creds,
NULL, &out_creds);
if (code != 0) {
+ krb5_free_authdata(context, in_creds.authdata);
*minor_status = code;
return GSS_S_FAILURE;
}
@@ -150,6 +171,7 @@
time_rec,
context);
+ krb5_free_authdata(context, in_creds.authdata);
krb5_free_creds(context, out_creds);
return major_status;
@@ -207,7 +229,7 @@
major_status = kg_impersonate_name(minor_status,
(krb5_gss_cred_id_t)impersonator_cred_handle,
- (krb5_principal)desired_name,
+ (krb5_gss_name_t)desired_name,
time_req,
desired_mechs,
&cred,
@@ -242,12 +264,14 @@
k5_mutex_assert_locked(&impersonator_cred->lock);
if (!kg_is_initiator_cred(impersonator_cred) ||
- impersonator_cred->princ == NULL ||
+ impersonator_cred->name == NULL ||
impersonator_cred->proxy_cred) {
code = G_BAD_USAGE;
goto cleanup;
}
+ assert(impersonator_cred->name->princ != NULL);
+
assert(subject_creds != NULL);
assert(subject_creds->client != NULL);
@@ -277,7 +301,7 @@
cred->tgt_expire = impersonator_cred->tgt_expire;
- code = krb5_copy_principal(context, subject_creds->client, &cred->princ);
+ code = kg_init_name(context, subject_creds->client, NULL, 0, &cred->name);
if (code != 0)
goto cleanup;
@@ -286,8 +310,8 @@
goto cleanup;
code = krb5_cc_initialize(context, cred->ccache,
- cred->proxy_cred ? impersonator_cred->princ :
- (krb5_principal)subject_creds->client);
+ cred->proxy_cred ? impersonator_cred->name->princ :
+ subject_creds->client);
if (code != 0)
goto cleanup;
@@ -334,10 +358,8 @@
if (GSS_ERROR(major_status) && cred != NULL) {
k5_mutex_destroy(&cred->lock);
- if (cred->ccache != NULL)
- krb5_cc_destroy(context, cred->ccache);
- if (cred->princ != NULL)
- krb5_free_principal(context, cred->princ);
+ krb5_cc_destroy(context, cred->ccache);
+ kg_release_name(context, 0, &cred->name);
xfree(cred);
}
Modified: trunk/src/lib/gssapi/krb5/ser_sctx.c
===================================================================
--- trunk/src/lib/gssapi/krb5/ser_sctx.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/ser_sctx.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -292,13 +292,13 @@
if (!kret && ctx->here)
kret = krb5_size_opaque(kcontext,
KV5M_PRINCIPAL,
- (krb5_pointer) ctx->here,
+ (krb5_pointer) ctx->here->princ,
&required);
if (!kret && ctx->there)
kret = krb5_size_opaque(kcontext,
KV5M_PRINCIPAL,
- (krb5_pointer) ctx->there,
+ (krb5_pointer) ctx->there->princ,
&required);
if (!kret && ctx->subkey)
@@ -352,7 +352,18 @@
&required);
}
}
- if (!kret)
+ if (!kret) {
+ krb5_gss_name_t initiator_name;
+
+ initiator_name = ctx->initiate ? ctx->here : ctx->there;
+
+ if (initiator_name) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTHDATA_CONTEXT,
+ initiator_name->ad_context,
+ &required);
+ }
+ }
*sizep += required;
}
return(kret);
@@ -437,13 +448,13 @@
if (!kret && ctx->here)
kret = krb5_externalize_opaque(kcontext,
KV5M_PRINCIPAL,
- (krb5_pointer) ctx->here,
+ (krb5_pointer) ctx->here->princ,
&bp, &remain);
if (!kret && ctx->there)
kret = krb5_externalize_opaque(kcontext,
KV5M_PRINCIPAL,
- (krb5_pointer) ctx->there,
+ (krb5_pointer) ctx->there->princ,
&bp, &remain);
if (!kret && ctx->subkey)
@@ -517,6 +528,20 @@
&remain);
}
}
+ /* authdata context */
+ if (!kret) {
+ krb5_gss_name_t initiator_name;
+
+ initiator_name = ctx->initiate ? ctx->here : ctx->there;
+
+ if (initiator_name) {
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTHDATA_CONTEXT,
+ initiator_name->ad_context,
+ &bp,
+ &remain);
+ }
+ }
/* trailer */
if (!kret)
kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
@@ -545,6 +570,7 @@
krb5_octet *bp;
size_t remain;
krb5int_access kaccess;
+ krb5_principal princ;
kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
if (kret)
@@ -553,6 +579,7 @@
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
+ princ = NULL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
ibuf = 0;
@@ -618,23 +645,32 @@
kret = 0;
}
/* Now get substructure data */
- if ((kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *) &ctx->here,
- &bp, &remain))) {
- if (kret == EINVAL)
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *) &princ,
+ &bp, &remain);
+ if (kret == 0) {
+ kret = kg_init_name(kcontext, princ, NULL,
+ KG_INIT_NAME_NO_COPY, &ctx->here);
+ if (kret)
+ krb5_free_principal(kcontext, princ);
+ } else if (kret == EINVAL)
+ kret = 0;
+ if (!kret) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *) &princ,
+ &bp, &remain);
+ if (kret == 0) {
+ kret = kg_init_name(kcontext, princ, NULL,
+ KG_INIT_NAME_NO_COPY, &ctx->there);
+ if (kret)
+ krb5_free_principal(kcontext, princ);
+ } else if (kret == EINVAL)
kret = 0;
}
if (!kret &&
(kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *) &ctx->there,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer *) &ctx->subkey,
&bp, &remain))) {
@@ -718,6 +754,21 @@
}
}
}
+ /* authdata context */
+ if (!kret) {
+ krb5_gss_name_t initiator_name;
+
+ initiator_name = ctx->initiate ? ctx->here : ctx->there;
+ if (initiator_name == NULL) {
+ kret = EINVAL;
+ } else {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTHDATA_CONTEXT,
+ (krb5_pointer *)&initiator_name->ad_context,
+ &bp,
+ &remain);
+ }
+ }
/* Get trailer */
if (!kret)
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
@@ -736,9 +787,9 @@
if (ctx->subkey)
krb5_free_keyblock(kcontext, ctx->subkey);
if (ctx->there)
- krb5_free_principal(kcontext, ctx->there);
+ kg_release_name(kcontext, 0, &ctx->there);
if (ctx->here)
- krb5_free_principal(kcontext, ctx->here);
+ kg_release_name(kcontext, 0, &ctx->here);
xfree(ctx);
}
}
Modified: trunk/src/lib/gssapi/krb5/val_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/val_cred.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/val_cred.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -59,7 +59,7 @@
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
if (!cred->proxy_cred &&
- !krb5_principal_compare(context, princ, cred->princ)) {
+ !krb5_principal_compare(context, princ, cred->name->princ)) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);
Modified: trunk/src/lib/gssapi/libgssapi_krb5.exports
===================================================================
--- trunk/src/lib/gssapi/libgssapi_krb5.exports 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/libgssapi_krb5.exports 2009-10-09 18:29:34 UTC (rev 22875)
@@ -20,13 +20,17 @@
gss_context_time
gss_create_empty_buffer_set
gss_create_empty_oid_set
+gss_delete_name_attribute
gss_delete_sec_context
gss_display_name
+gss_display_name_ext
gss_display_status
gss_duplicate_name
gss_export_name
+gss_export_name_composite
gss_export_sec_context
gss_get_mic
+gss_get_name_attribute
gss_import_name
gss_import_sec_context
gss_indicate_mechs
@@ -49,6 +53,7 @@
gss_krb5int_unseal_token_v3
gsskrb5_extract_authtime_from_sec_context
gsskrb5_extract_authz_data_from_sec_context
+gss_map_name_to_any
gss_mech_krb5
gss_mech_krb5_old
gss_mech_set_krb5
@@ -64,6 +69,7 @@
gss_nt_user_name
gss_oid_to_str
gss_process_context_token
+gss_release_any_name_mapping
gss_release_buffer_set
gss_release_buffer
gss_release_cred
@@ -72,6 +78,7 @@
gss_release_oid
gss_release_oid_set
gss_seal
+gss_set_name_attribute
gss_set_sec_context_option
gss_sign
gss_str_to_oid
@@ -92,3 +99,4 @@
krb5_gss_dbg_client_expcreds
krb5_gss_register_acceptor_identity
krb5_gss_use_kdc_context
+gss_inquire_name
Modified: trunk/src/lib/gssapi/mechglue/Makefile.in
===================================================================
--- trunk/src/lib/gssapi/mechglue/Makefile.in 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/Makefile.in 2009-10-09 18:29:34 UTC (rev 22875)
@@ -21,11 +21,15 @@
$(srcdir)/g_complete_auth_token.c \
$(srcdir)/g_context_time.c \
$(srcdir)/g_delete_sec_context.c \
+ $(srcdir)/g_del_name_attr.c \
$(srcdir)/g_dsp_name.c \
+ $(srcdir)/g_dsp_name_ext.c \
$(srcdir)/g_dsp_status.c \
$(srcdir)/g_dup_name.c \
$(srcdir)/g_exp_sec_context.c \
$(srcdir)/g_export_name.c \
+ $(srcdir)/g_export_name_comp.c \
+ $(srcdir)/g_get_name_attr.c \
$(srcdir)/g_glue.c \
$(srcdir)/g_imp_name.c \
$(srcdir)/g_imp_sec_context.c \
@@ -35,7 +39,9 @@
$(srcdir)/g_inq_context_oid.c \
$(srcdir)/g_inq_cred.c \
$(srcdir)/g_inq_cred_oid.c \
+ $(srcdir)/g_inq_name.c \
$(srcdir)/g_inq_names.c \
+ $(srcdir)/g_map_name_to_any.c \
$(srcdir)/g_mech_invoke.c \
$(srcdir)/g_mechname.c \
$(srcdir)/g_oid_ops.c \
@@ -43,10 +49,12 @@
$(srcdir)/g_rel_buffer.c \
$(srcdir)/g_rel_cred.c \
$(srcdir)/g_rel_name.c \
+ $(srcdir)/g_rel_name_mapping.c \
$(srcdir)/g_rel_oid_set.c \
$(srcdir)/g_seal.c \
$(srcdir)/g_set_context_option.c \
$(srcdir)/g_set_cred_option.c \
+ $(srcdir)/g_set_name_attr.c \
$(srcdir)/g_sign.c \
$(srcdir)/g_store_cred.c \
$(srcdir)/g_unseal.c \
@@ -66,11 +74,15 @@
$(OUTPRE)g_complete_auth_token.$(OBJEXT) \
$(OUTPRE)g_context_time.$(OBJEXT) \
$(OUTPRE)g_delete_sec_context.$(OBJEXT) \
+ $(OUTPRE)g_del_name_attr.$(OBJEXT) \
$(OUTPRE)g_dsp_name.$(OBJEXT) \
+ $(OUTPRE)g_dsp_name_ext.$(OBJEXT) \
$(OUTPRE)g_dsp_status.$(OBJEXT) \
$(OUTPRE)g_dup_name.$(OBJEXT) \
$(OUTPRE)g_exp_sec_context.$(OBJEXT) \
$(OUTPRE)g_export_name.$(OBJEXT) \
+ $(OUTPRE)g_export_name_comp.$(OBJEXT) \
+ $(OUTPRE)g_get_name_attr.$(OBJEXT) \
$(OUTPRE)g_glue.$(OBJEXT) \
$(OUTPRE)g_imp_name.$(OBJEXT) \
$(OUTPRE)g_imp_sec_context.$(OBJEXT) \
@@ -80,7 +92,9 @@
$(OUTPRE)g_inq_context_oid.$(OBJEXT) \
$(OUTPRE)g_inq_cred.$(OBJEXT) \
$(OUTPRE)g_inq_cred_oid.$(OBJEXT) \
+ $(OUTPRE)g_inq_name.$(OBJEXT) \
$(OUTPRE)g_inq_names.$(OBJEXT) \
+ $(OUTPRE)g_map_name_to_any.$(OBJEXT) \
$(OUTPRE)g_mech_invoke.$(OBJEXT) \
$(OUTPRE)g_mechname.$(OBJEXT) \
$(OUTPRE)g_oid_ops.$(OBJEXT) \
@@ -88,10 +102,12 @@
$(OUTPRE)g_rel_buffer.$(OBJEXT) \
$(OUTPRE)g_rel_cred.$(OBJEXT) \
$(OUTPRE)g_rel_name.$(OBJEXT) \
+ $(OUTPRE)g_rel_name_mapping.$(OBJEXT) \
$(OUTPRE)g_rel_oid_set.$(OBJEXT) \
$(OUTPRE)g_seal.$(OBJEXT) \
$(OUTPRE)g_set_context_option.$(OBJEXT) \
$(OUTPRE)g_set_cred_option.$(OBJEXT) \
+ $(OUTPRE)g_set_name_attr.$(OBJEXT) \
$(OUTPRE)g_sign.$(OBJEXT) \
$(OUTPRE)g_store_cred.$(OBJEXT) \
$(OUTPRE)g_unseal.$(OBJEXT) \
@@ -111,11 +127,15 @@
g_complete_auth_token.o \
g_context_time.o \
g_delete_sec_context.o \
+ g_del_name_attr.o \
g_dsp_name.o \
+ g_dsp_name_ext.o \
g_dsp_status.o \
g_dup_name.o \
g_exp_sec_context.o \
g_export_name.o \
+ g_export_name_comp.o \
+ g_get_name_attr.o \
g_glue.o \
g_imp_name.o \
g_imp_sec_context.o \
@@ -125,7 +145,9 @@
g_inq_context_oid.o \
g_inq_cred.o \
g_inq_cred_oid.o \
+ g_inq_name.o \
g_inq_names.o \
+ g_map_name_to_any.o \
g_mech_invoke.o \
g_mechname.o \
g_oid_ops.o \
@@ -133,10 +155,12 @@
g_rel_buffer.o \
g_rel_cred.o \
g_rel_name.o \
+ g_rel_name_mapping.o \
g_rel_oid_set.o \
g_seal.o \
g_set_context_option.o \
g_set_cred_option.o \
+ g_set_name_attr.o \
g_sign.o \
g_store_cred.o \
g_unseal.o \
Copied: trunk/src/lib/gssapi/mechglue/g_del_name_attr.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_del_name_attr.c)
Modified: trunk/src/lib/gssapi/mechglue/g_dsp_name.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_dsp_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_dsp_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1,8 +1,7 @@
/* #pragma ident "@(#)g_dsp_name.c 1.13 04/02/23 SMI" */
-
/*
* Copyright 1996 by Sun Microsystems, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -12,7 +11,7 @@
* without specific, written prior permission. Sun Microsystems makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -102,7 +101,7 @@
output_name_buffer,
output_name_type));
}
-
+
/*
* copy the value of the external_name component of the union
* name into the output_name_buffer and point the output_name_type
Copied: trunk/src/lib/gssapi/mechglue/g_dsp_name_ext.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_dsp_name_ext.c)
Copied: trunk/src/lib/gssapi/mechglue/g_export_name_comp.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_export_name_comp.c)
Copied: trunk/src/lib/gssapi/mechglue/g_get_name_attr.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_get_name_attr.c)
Modified: trunk/src/lib/gssapi/mechglue/g_glue.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_glue.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_glue.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -288,8 +288,47 @@
* Internal routines to get and release an internal mechanism name
*/
-#include "mglueP.h"
+#if 0
+static OM_uint32
+import_internal_name_composite(OM_uint32 *minor_status,
+ gss_mechanism mech,
+ gss_union_name_t union_name,
+ gss_name_t *internal_name)
+{
+ OM_uint32 status, tmp;
+ gss_mechanism name_mech;
+ gss_buffer_desc composite_name;
+ if (mech->gss_import_name == NULL)
+ return (GSS_S_UNAVAILABLE);
+
+ name_mech = gssint_get_mechanism(union_name->mech_type);
+ if (name_mech == NULL)
+ return (GSS_S_BAD_MECH);
+
+ if (name_mech->gss_export_name_composite == NULL)
+ return (GSS_S_UNAVAILABLE);
+
+ composite_name.length = 0;
+ composite_name.value = NULL;
+
+ status = (*name_mech->gss_export_name_composite)(minor_status,
+ union_name->mech_name,
+ &composite_name);
+ if (GSS_ERROR(status))
+ return (status);
+
+ status = (*mech->gss_import_name)(minor_status,
+ &composite_name,
+ gss_nt_exported_name,
+ internal_name);
+
+ gss_release_buffer(&tmp, &composite_name);
+
+ return (status);
+}
+#endif
+
OM_uint32 gssint_import_internal_name (minor_status, mech_type, union_name,
internal_name)
OM_uint32 *minor_status;
@@ -301,22 +340,32 @@
gss_mechanism mech;
mech = gssint_get_mechanism (mech_type);
- if (mech) {
- if (mech->gss_import_name) {
- status = mech->gss_import_name (
- minor_status,
- union_name->external_name,
- union_name->name_type,
- internal_name);
- if (status != GSS_S_COMPLETE)
- map_error(minor_status, mech);
- } else
- status = GSS_S_UNAVAILABLE;
+ if (mech == NULL)
+ return (GSS_S_BAD_MECH);
- return (status);
+#if 0
+ /* Try composite name, it will preserve any extended attributes */
+ if (union_name->mech_type && union_name->mech_name) {
+ status = import_internal_name_composite(minor_status,
+ mech,
+ union_name,
+ internal_name);
+ if (status == GSS_S_COMPLETE)
+ return (GSS_S_COMPLETE);
}
+#endif
- return (GSS_S_BAD_MECH);
+ if (mech->gss_import_name == NULL)
+ return (GSS_S_UNAVAILABLE);
+
+ status = mech->gss_import_name(minor_status,
+ union_name->external_name,
+ union_name->name_type,
+ internal_name);
+ if (status != GSS_S_COMPLETE)
+ map_error(minor_status, mech);
+
+ return (status);
}
OM_uint32 gssint_export_internal_name(minor_status, mech_type,
Modified: trunk/src/lib/gssapi/mechglue/g_imp_name.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_imp_name.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_imp_name.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -176,7 +176,6 @@
/*
* GSS export name constants
*/
-static const char *expNameTokId = "\x04\x01";
static const unsigned int expNameTokIdLen = 2;
static const unsigned int mechOidLenLen = 2;
static const unsigned int nameTypeLenLen = 2;
@@ -201,8 +200,10 @@
return (GSS_S_DEFECTIVE_TOKEN);
buf = (unsigned char *)expName.value;
- if (memcmp(expNameTokId, buf, expNameTokIdLen) != 0)
+ if (buf[0] != 0x04)
return (GSS_S_DEFECTIVE_TOKEN);
+ if (buf[1] != 0x01 && buf[1] != 0x02)
+ return (GSS_S_DEFECTIVE_TOKEN);
buf += expNameTokIdLen;
Modified: trunk/src/lib/gssapi/mechglue/g_initialize.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_initialize.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_initialize.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -761,9 +761,18 @@
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unwrap_iov);
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_iov_length);
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_complete_auth_token);
- /* New for 1.8 */
+ /* Services4User (introduced in 1.8) */
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_acquire_cred_impersonate_name);
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_add_cred_impersonate_name);
+ /* Naming extensions (introduced in 1.8) */
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_display_name_ext);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_name);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_get_name_attribute);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_set_name_attribute);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_delete_name_attribute);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_export_name_composite);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_map_name_to_any);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_release_any_name_mapping);
assert(mech_type != GSS_C_NO_OID);
Modified: trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -62,11 +62,11 @@
if (status != GSS_S_COMPLETE)
map_error(minor_status, mech);
} else
- status = GSS_S_BAD_MECH;
+ status = GSS_S_UNAVAILABLE;
return status;
}
- return GSS_S_NO_CONTEXT;
+ return GSS_S_BAD_MECH;
}
Modified: trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -93,15 +93,19 @@
return status;
}
- status = GSS_S_BAD_MECH;
+ status = GSS_S_UNAVAILABLE;
for (i = 0; i < union_cred->count; i++) {
mech = gssint_get_mechanism(&union_cred->mechs_array[i]);
- if (mech == NULL)
- continue;
+ if (mech == NULL) {
+ status = GSS_S_BAD_MECH;
+ break;
+ }
- if (mech->gss_inquire_cred_by_oid == NULL)
+ if (mech->gss_inquire_cred_by_oid == NULL) {
+ status = GSS_S_UNAVAILABLE;
continue;
+ }
status = (mech->gss_inquire_cred_by_oid)(minor_status,
union_cred->cred_array[i],
Copied: trunk/src/lib/gssapi/mechglue/g_inq_name.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_inq_name.c)
Copied: trunk/src/lib/gssapi/mechglue/g_map_name_to_any.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_map_name_to_any.c)
Copied: trunk/src/lib/gssapi/mechglue/g_rel_name_mapping.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_rel_name_mapping.c)
Modified: trunk/src/lib/gssapi/mechglue/g_set_context_option.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_set_context_option.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_set_context_option.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -65,9 +65,10 @@
mech = gssint_get_mechanism (ctx->mech_type);
}
- if (mech == NULL || mech->gss_set_sec_context_option == NULL) {
+ if (mech == NULL)
return GSS_S_BAD_MECH;
- }
+ if (mech->gss_set_sec_context_option == NULL)
+ return GSS_S_UNAVAILABLE;
status = mech->gss_set_sec_context_option(minor_status,
ctx ? &ctx->internal_ctx_id :
Modified: trunk/src/lib/gssapi/mechglue/g_set_cred_option.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_set_cred_option.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_set_cred_option.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -56,15 +56,19 @@
union_cred = (gss_union_cred_t) cred_handle;
- status = GSS_S_BAD_MECH;
+ status = GSS_S_UNAVAILABLE;
for (i = 0; i < union_cred->count; i++) {
mech = gssint_get_mechanism(&union_cred->mechs_array[i]);
- if (mech == NULL)
- continue;
+ if (mech == NULL) {
+ status = GSS_S_BAD_MECH;
+ break;
+ }
- if (mech->gssspi_set_cred_option == NULL)
+ if (mech->gssspi_set_cred_option == NULL) {
+ status = GSS_S_UNAVAILABLE;
continue;
+ }
status = (mech->gssspi_set_cred_option)(minor_status,
union_cred->cred_array[i],
Copied: trunk/src/lib/gssapi/mechglue/g_set_name_attr.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_set_name_attr.c)
Modified: trunk/src/lib/gssapi/mechglue/mglueP.h
===================================================================
--- trunk/src/lib/gssapi/mechglue/mglueP.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/mglueP.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -504,6 +504,75 @@
OM_uint32 * /* acceptor_time_rec */
/* */);
+ OM_uint32 (*gss_display_name_ext)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_OID, /* display_as_name_type */
+ gss_buffer_t /* display_name */
+ /* */);
+
+ OM_uint32 (*gss_inquire_name)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ int *, /* name_is_MN */
+ gss_OID *, /* MN_mech */
+ gss_buffer_set_t * /* attrs */
+ /* */);
+
+ OM_uint32 (*gss_get_name_attribute)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t, /* attr */
+ int *, /* authenticated */
+ int *, /* complete */
+ gss_buffer_t, /* value */
+ gss_buffer_t, /* display_value */
+ int * /* more */
+ /* */);
+
+ OM_uint32 (*gss_set_name_attribute)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ int, /* complete */
+ gss_buffer_t, /* attr */
+ gss_buffer_t /* value */
+ /* */);
+
+ OM_uint32 (*gss_delete_name_attribute)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t /* attr */
+ /* */);
+
+ OM_uint32 (*gss_export_name_composite)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t /* exp_composite_name */
+ /* */);
+
+ OM_uint32 (*gss_map_name_to_any)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ int, /* authenticated */
+ gss_buffer_t, /* type_id */
+ gss_any_t * /* output */
+ /* */);
+
+ OM_uint32 (*gss_release_any_name_mapping)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name */
+ gss_buffer_t, /* type_id */
+ gss_any_t * /* input */
+ /* */);
+
} *gss_mechanism;
/* This structure MUST NOT be used by any code outside libgss */
Modified: trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- trunk/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -442,6 +442,83 @@
gss_OID_set *, /* actual_mechs */
OM_uint32 *); /* time_rec */
+OM_uint32
+spnego_gss_display_name_ext
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_OID display_as_name_type,
+ gss_buffer_t display_name
+);
+
+OM_uint32
+spnego_gss_inquire_name
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ int *name_is_MN,
+ gss_OID *MN_mech,
+ gss_buffer_set_t *attrs
+);
+
+OM_uint32
+spnego_gss_get_name_attribute
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more
+);
+
+OM_uint32
+spnego_gss_set_name_attribute
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ int complete,
+ gss_buffer_t attr,
+ gss_buffer_t value
+);
+
+OM_uint32
+spnego_gss_delete_name_attribute
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t attr
+);
+
+OM_uint32
+spnego_gss_export_name_composite
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t exp_composite_name
+);
+
+OM_uint32
+spnego_gss_map_name_to_any
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ int authenticated,
+ gss_buffer_t type_id,
+ gss_any_t *output
+);
+
+OM_uint32
+spnego_gss_release_any_name_mapping
+(
+ OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t type_id,
+ gss_any_t *input
+);
+
#ifdef __cplusplus
}
#endif
Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -260,6 +260,14 @@
spnego_gss_complete_auth_token,
spnego_gss_acquire_cred_impersonate_name,
NULL, /* gss_add_cred_impersonate_name */
+ spnego_gss_display_name_ext,
+ spnego_gss_inquire_name,
+ spnego_gss_get_name_attribute,
+ spnego_gss_set_name_attribute,
+ spnego_gss_delete_name_attribute,
+ spnego_gss_export_name_composite,
+ spnego_gss_map_name_to_any,
+ spnego_gss_release_any_name_mapping,
};
#ifdef _GSS_STATIC_LINK
@@ -2354,6 +2362,129 @@
return (status);
}
+OM_uint32
+spnego_gss_display_name_ext(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_OID display_as_name_type,
+ gss_buffer_t display_name)
+{
+ OM_uint32 ret;
+ ret = gss_display_name_ext(minor_status,
+ name,
+ display_as_name_type,
+ display_name);
+ return (ret);
+}
+
+
+OM_uint32
+spnego_gss_inquire_name(OM_uint32 *minor_status,
+ gss_name_t name,
+ int *name_is_MN,
+ gss_OID *MN_mech,
+ gss_buffer_set_t *attrs)
+{
+ OM_uint32 ret;
+ ret = gss_inquire_name(minor_status,
+ name,
+ name_is_MN,
+ MN_mech,
+ attrs);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_get_name_attribute(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more)
+{
+ OM_uint32 ret;
+ ret = gss_get_name_attribute(minor_status,
+ name,
+ attr,
+ authenticated,
+ complete,
+ value,
+ display_value,
+ more);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_set_name_attribute(OM_uint32 *minor_status,
+ gss_name_t name,
+ int complete,
+ gss_buffer_t attr,
+ gss_buffer_t value)
+{
+ OM_uint32 ret;
+ ret = gss_set_name_attribute(minor_status,
+ name,
+ complete,
+ attr,
+ value);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_delete_name_attribute(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t attr)
+{
+ OM_uint32 ret;
+ ret = gss_delete_name_attribute(minor_status,
+ name,
+ attr);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_export_name_composite(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t exp_composite_name)
+{
+ OM_uint32 ret;
+ ret = gss_export_name_composite(minor_status,
+ name,
+ exp_composite_name);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_map_name_to_any(OM_uint32 *minor_status,
+ gss_name_t name,
+ int authenticated,
+ gss_buffer_t type_id,
+ gss_any_t *output)
+{
+ OM_uint32 ret;
+ ret = gss_map_name_to_any(minor_status,
+ name,
+ authenticated,
+ type_id,
+ output);
+ return (ret);
+}
+
+OM_uint32
+spnego_gss_release_any_name_mapping(OM_uint32 *minor_status,
+ gss_name_t name,
+ gss_buffer_t type_id,
+ gss_any_t *input)
+{
+ OM_uint32 ret;
+ ret = gss_release_any_name_mapping(minor_status,
+ name,
+ type_id,
+ input);
+ return (ret);
+}
+
/*
* We will release everything but the ctx_handle so that it
* can be passed back to init/accept context. This routine should
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1720,7 +1720,31 @@
decode_ptr( krb5_fast_finished *, asn1_decode_fast_finished);
}
-
+asn1_error_code asn1_decode_ad_kdcissued
+(asn1buf *buf, krb5_ad_kdcissued *val)
+{
+ setup();
+ val->ad_checksum.contents = NULL;
+ val->i_principal = NULL;
+ val->elements = NULL;
+ {begin_structure();
+ get_field(val->ad_checksum, 0, asn1_decode_checksum);
+ if (tagnum == 1) {
+ alloc_principal(val->i_principal);
+ opt_field(val->i_principal, 1, asn1_decode_realm, 0);
+ opt_field(val->i_principal, 2, asn1_decode_principal_name, 0);
+ }
+ get_field(val->elements, 3, asn1_decode_authorization_data);
+ end_structure();
+ }
+ return 0;
+error_out:
+ krb5_free_checksum_contents(NULL, &val->ad_checksum);
+ krb5_free_principal(NULL, val->i_principal);
+ krb5_free_authdata(NULL, val->elements);
+ return retval;
+}
+
#ifndef DISABLE_PKINIT
/* PKINIT */
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.h
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -282,4 +282,10 @@
asn1_error_code asn1_decode_fast_finished_ptr
(asn1buf *buf, krb5_fast_finished **val);
+asn1_error_code asn1_decode_ad_kdcissued
+(asn1buf *buf, krb5_ad_kdcissued *val);
+
+asn1_error_code asn1_decode_ad_kdcissued_ptr
+(asn1buf *buf, krb5_ad_kdcissued **val);
+
#endif
Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1290,9 +1290,26 @@
DEFFIELDTYPE(pa_fx_fast_reply, krb5_enc_data,
FIELDOF_ENCODEAS(krb5_enc_data, fast_rep, 0));
+static const struct field_info ad_kdcissued_fields[] = {
+ FIELDOF_NORM(krb5_ad_kdcissued, checksum, ad_checksum, 0),
+ FIELDOF_OPT(krb5_ad_kdcissued, realm_of_principal, i_principal, 1, 1),
+ FIELDOF_OPT(krb5_ad_kdcissued, principal, i_principal, 2, 1),
+ FIELDOF_NORM(krb5_ad_kdcissued, auth_data_ptr, elements, 3),
+};
+static unsigned int ad_kdcissued_optional(const void *p)
+{
+ unsigned int optional = 0;
+ const krb5_ad_kdcissued *val = p;
+ if (val->i_principal)
+ optional |= (1u << 1);
+ return optional;
+}
+DEFSEQTYPE(ad_kdc_issued, krb5_ad_kdcissued, ad_kdcissued_fields, ad_kdcissued_optional);
+
+
/* Exported complete encoders -- these produce a krb5_data with
the encoding in the correct byte order. */
@@ -1366,11 +1383,11 @@
MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply);
MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response);
+MAKE_FULL_ENCODER(encode_krb5_ad_kdcissued, ad_kdc_issued);
-
/*
* PKINIT
*/
Modified: trunk/src/lib/krb5/asn.1/krb5_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1180,6 +1180,17 @@
cleanup(free);
}
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *code, krb5_ad_kdcissued **repptr)
+{
+ setup_buf_only(krb5_ad_kdcissued *);
+ alloc_field(rep);
+
+ retval = asn1_decode_ad_kdcissued(&buf, rep);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
#ifndef DISABLE_PKINIT
krb5_error_code
Modified: trunk/src/lib/krb5/ccache/cc_file.c
===================================================================
--- trunk/src/lib/krb5/ccache/cc_file.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/ccache/cc_file.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -859,14 +859,14 @@
{
krb5_error_code kret;
krb5_int32 int32;
- krb5_ui_2 ui2;
+ krb5_int16 ui2; /* negative authorization data types are allowed */
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
a->magic = KV5M_AUTHDATA;
a->contents = NULL;
- kret = krb5_fcc_read_ui_2(context, id, &ui2);
+ kret = krb5_fcc_read_ui_2(context, id, (krb5_ui_2 *)&ui2);
CHECK(kret);
a->ad_type = (krb5_authdatatype)ui2;
kret = krb5_fcc_read_int32(context, id, &int32);
Modified: trunk/src/lib/krb5/ccache/ccfns.c
===================================================================
--- trunk/src/lib/krb5/ccache/ccfns.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/ccache/ccfns.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -70,7 +70,7 @@
krb5_principal s1, s2;
/* remove any dups */
- krb5_cc_remove_cred(context, cache, 0, creds);
+ krb5_cc_remove_cred(context, cache, KRB5_TC_MATCH_AUTHDATA, creds);
ret = cache->ops->store(context, cache, creds);
if (ret) return ret;
@@ -87,7 +87,7 @@
if (!krb5_principal_compare(context, s1, s2)) {
creds->server = s2;
/* remove any dups */
- krb5_cc_remove_cred(context, cache, 0, creds);
+ krb5_cc_remove_cred(context, cache, KRB5_TC_MATCH_AUTHDATA, creds);
ret = cache->ops->store(context, cache, creds);
creds->server = s1;
}
Modified: trunk/src/lib/krb5/error_tables/kv5m_err.et
===================================================================
--- trunk/src/lib/krb5/error_tables/kv5m_err.et 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/error_tables/kv5m_err.et 2009-10-09 18:29:34 UTC (rev 22875)
@@ -89,4 +89,5 @@
error_code KV5M_FAST_ARMORED_REQ, "Bad magic number for fast armored request"
error_code KV5M_FAST_REQ, "Bad magic number for FAST request"
error_code KV5M_FAST_RESPONSE, "Bad magic number for FAST response"
+error_code KV5M_AUTHDATA_CONTEXT, "Bad magic number for krb5_authdata_context"
end
Modified: trunk/src/lib/krb5/krb/Makefile.in
===================================================================
--- trunk/src/lib/krb5/krb/Makefile.in 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/Makefile.in 2009-10-09 18:29:34 UTC (rev 22875)
@@ -18,6 +18,7 @@
addr_srch.o \
appdefault.o \
auth_con.o \
+ authdata.o \
bld_pr_ext.o \
bld_princ.o \
chk_trans.o \
@@ -107,6 +108,7 @@
$(OUTPRE)addr_srch.$(OBJEXT) \
$(OUTPRE)appdefault.$(OBJEXT) \
$(OUTPRE)auth_con.$(OBJEXT) \
+ $(OUTPRE)authdata.$(OBJEXT) \
$(OUTPRE)bld_pr_ext.$(OBJEXT) \
$(OUTPRE)bld_princ.$(OBJEXT) \
$(OUTPRE)chk_trans.$(OBJEXT) \
@@ -196,6 +198,7 @@
$(srcdir)/addr_srch.c \
$(srcdir)/appdefault.c \
$(srcdir)/auth_con.c \
+ $(srcdir)/authdata.c \
$(srcdir)/bld_pr_ext.c \
$(srcdir)/bld_princ.c \
$(srcdir)/brand.c \
@@ -312,11 +315,11 @@
T_KERB_OBJS= t_kerb.o conv_princ.o unparse.o set_realm.o str_conv.o
T_SER_OBJS= t_ser.o ser_actx.o ser_adata.o ser_addr.o ser_auth.o ser_cksum.o \
- ser_ctx.o ser_key.o ser_princ.o serialize.o
+ ser_ctx.o ser_key.o ser_princ.o serialize.o authdata.o pac.o copy_data.o
T_DELTAT_OBJS= t_deltat.o deltat.o
-T_PAC_OBJS= t_pac.o pac.o
+T_PAC_OBJS= t_pac.o pac.o copy_data.o
T_PRINC_OBJS= t_princ.o parse.o unparse.o
@@ -327,8 +330,8 @@
t_ad_fx_armor: t_ad_fx_armor.o
$(CC_LINK) -o $@ t_ad_fx_armor.o $(KRB5_BASE_LIBS)
-t_authdata: t_authdata.o copy_auth.o
- $(CC_LINK) -o $@ t_authdata.o copy_auth.o $(KRB5_BASE_LIBS)
+t_authdata: t_authdata.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ t_authdata.o $(KRB5_BASE_LIBS)
t_kerb: $(T_KERB_OBJS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o t_kerb $(T_KERB_OBJS) $(KRB5_BASE_LIBS)
Modified: trunk/src/lib/krb5/krb/auth_con.c
===================================================================
--- trunk/src/lib/krb5/krb/auth_con.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/auth_con.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -66,6 +66,8 @@
krb5_rc_close(context, auth_context->rcache);
if (auth_context->permitted_etypes)
free(auth_context->permitted_etypes);
+ if (auth_context->ad_context)
+ krb5_authdata_context_free(context, auth_context->ad_context);
free(auth_context);
return 0;
}
@@ -568,3 +570,21 @@
return 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_get_authdata_context(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context)
+{
+ *ad_context = auth_context->ad_context;
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_set_authdata_context(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context)
+{
+ auth_context->ad_context = ad_context;
+ return 0;
+}
+
Modified: trunk/src/lib/krb5/krb/auth_con.h
===================================================================
--- trunk/src/lib/krb5/krb/auth_con.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/auth_con.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -24,6 +24,7 @@
krb5_mk_req_checksum_func checksum_func;
void *checksum_func_data;
krb5_enctype negotiated_etype;
+ krb5_authdata_context ad_context;
};
Copied: trunk/src/lib/krb5/krb/authdata.c (from rev 22872, users/lhoward/authdata/src/lib/krb5/krb/authdata.c)
Copied: trunk/src/lib/krb5/krb/authdata.h (from rev 22872, users/lhoward/authdata/src/lib/krb5/krb/authdata.h)
Modified: trunk/src/lib/krb5/krb/copy_auth.c
===================================================================
--- trunk/src/lib/krb5/krb/copy_auth.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/copy_auth.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -276,3 +276,126 @@
else krb5_free_authdata(context, fctx.out);
return retval;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_make_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+ krb5_authdata *const *authdata,
+ krb5_authdata ***ad_kdcissued)
+{
+ krb5_error_code code;
+ krb5_ad_kdcissued ad_kdci;
+ krb5_data *data;
+ krb5_cksumtype cksumtype;
+ krb5_authdata ad_datum;
+ krb5_authdata *ad_data[2];
+
+ *ad_kdcissued = NULL;
+
+ ad_kdci.ad_checksum.contents = NULL;
+ ad_kdci.i_principal = (krb5_principal)issuer;
+ ad_kdci.elements = (krb5_authdata **)authdata;
+
+ code = krb5int_c_mandatory_cksumtype(context, key->enctype,
+ &cksumtype);
+ if (code != 0)
+ return code;
+
+ code = encode_krb5_authdata(ad_kdci.elements, &data);
+ if (code != 0)
+ return code;
+
+ code = krb5_c_make_checksum(context, cksumtype,
+ key, KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM,
+ data, &ad_kdci.ad_checksum);
+ if (code != 0) {
+ krb5_free_data(context, data);
+ return code;
+ }
+
+ krb5_free_data(context, data);
+
+ code = encode_krb5_ad_kdcissued(&ad_kdci, &data);
+ if (code != 0)
+ return code;
+
+ ad_datum.ad_type = KRB5_AUTHDATA_KDC_ISSUED;
+ ad_datum.length = data->length;
+ ad_datum.contents = (unsigned char *)data->data;
+
+ ad_data[0] = &ad_datum;
+ ad_data[1] = NULL;
+
+ code = krb5_copy_authdata(context, ad_data, ad_kdcissued);
+
+ krb5_free_data(context, data);
+ krb5_free_checksum_contents(context, &ad_kdci.ad_checksum);
+
+ return code;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_verify_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ const krb5_authdata *ad_kdcissued,
+ krb5_principal *issuer,
+ krb5_authdata ***authdata)
+{
+ krb5_error_code code;
+ krb5_ad_kdcissued *ad_kdci;
+ krb5_data data, *data2;
+ krb5_boolean valid = FALSE;
+
+ if ((ad_kdcissued->ad_type & AD_TYPE_FIELD_TYPE_MASK) !=
+ KRB5_AUTHDATA_KDC_ISSUED)
+ return EINVAL;
+
+ if (issuer != NULL)
+ *issuer = NULL;
+ if (authdata != NULL)
+ *authdata = NULL;
+
+ data.length = ad_kdcissued->length;
+ data.data = (char *)ad_kdcissued->contents;
+
+ code = decode_krb5_ad_kdcissued(&data, &ad_kdci);
+ if (code != 0)
+ return code;
+
+ code = encode_krb5_authdata(ad_kdci->elements, &data2);
+ if (code != 0) {
+ krb5_free_ad_kdcissued(context, ad_kdci);
+ return code;
+ }
+
+ code = krb5_c_verify_checksum(context, key,
+ KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM,
+ data2, &ad_kdci->ad_checksum, &valid);
+ if (code != 0) {
+ krb5_free_ad_kdcissued(context, ad_kdci);
+ krb5_free_data(context, data2);
+ }
+
+ krb5_free_data(context, data2);
+
+ if (valid == FALSE) {
+ krb5_free_ad_kdcissued(context, ad_kdci);
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
+ if (issuer != NULL) {
+ *issuer = ad_kdci->i_principal;
+ ad_kdci->i_principal = NULL;
+ }
+
+ if (authdata != NULL) {
+ *authdata = ad_kdci->elements;
+ ad_kdci->elements = NULL;
+ }
+
+ krb5_free_ad_kdcissued(context, ad_kdci);
+
+ return 0;
+}
+
Modified: trunk/src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- trunk/src/lib/krb5/krb/gc_frm_kdc.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/gc_frm_kdc.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -934,6 +934,7 @@
krb5_boolean old_use_conf_ktypes;
char **hrealms;
unsigned int referral_count, i;
+ krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL;
/*
* Set up client and server pointers. Make a fresh and modifyable
@@ -948,8 +949,18 @@
krb5_free_principal(context, server);
return retval;
}
+ if (in_cred->authdata != NULL) {
+ if ((retval = krb5_copy_authdata(context, in_cred->authdata,
+ &out_supplied_authdata)) != 0) {
+ krb5_free_principal(context, out_supplied_server);
+ krb5_free_principal(context, server);
+ return retval;
+ }
+ }
+
supplied_server = in_cred->server;
in_cred->server=server;
+ supplied_authdata = in_cred->authdata;
DUMP_PRINC("gc_from_kdc initial client", client);
DUMP_PRINC("gc_from_kdc initial server", server);
@@ -1139,6 +1150,15 @@
if (tgtptr == &cc_tgt)
krb5_free_cred_contents(context, tgtptr);
tgtptr=*out_cred;
+ /* Save requested auth data with TGT in case it ends up stored */
+ if (supplied_authdata != NULL) {
+ /* Ensure we note TGT contains authorization data */
+ retval = krb5_copy_authdata(context,
+ supplied_authdata,
+ &(*out_cred)->authdata);
+ if (retval)
+ goto cleanup;
+ }
/* Save pointer to tgt in referral_tgts. */
referral_tgts[referral_count]=*out_cred;
*out_cred = NULL;
@@ -1149,6 +1169,8 @@
&server->realm);
if (retval)
goto cleanup;
+ /* Don't ask for KDC to add auth data multiple times */
+ in_cred->authdata = NULL;
/*
* Future work: rewrite server principal per any
* supplied padata.
@@ -1252,7 +1274,6 @@
retval = KRB5_PROG_ETYPE_NOSUPP;
goto cleanup;
}
-
context->use_conf_ktypes = old_use_conf_ktypes;
retval = krb5_get_cred_via_tkt(context, tgtptr,
FLAGS2OPTS(tgtptr->ticket_flags) |
@@ -1272,10 +1293,13 @@
server);
krb5_free_principal(context, server);
in_cred->server = supplied_server;
+ in_cred->authdata = supplied_authdata;
if (*out_cred && !retval) {
/* Success: free server, swap supplied server back in. */
krb5_free_principal (context, (*out_cred)->server);
- (*out_cred)->server= out_supplied_server;
+ (*out_cred)->server = out_supplied_server;
+ assert((*out_cred)->authdata == NULL);
+ (*out_cred)->authdata = out_supplied_authdata;
}
else {
/*
@@ -1283,7 +1307,8 @@
* since it's either null or a referral TGT that we free below,
* and we may need it to return.
*/
- krb5_free_principal (context, out_supplied_server);
+ krb5_free_principal(context, out_supplied_server);
+ krb5_free_authdata(context, out_supplied_authdata);
}
DUMP_PRINC("gc_from_kdc: final server after reversion", in_cred->server);
/*
Modified: trunk/src/lib/krb5/krb/int-proto.h
===================================================================
--- trunk/src/lib/krb5/krb/int-proto.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/int-proto.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -47,6 +47,7 @@
krb5_error_code krb5_ser_checksum_init (krb5_context);
krb5_error_code krb5_ser_keyblock_init (krb5_context);
krb5_error_code krb5_ser_principal_init (krb5_context);
+krb5_error_code krb5_ser_authdata_context_init (krb5_context);
krb5_error_code
krb5_preauth_supply_preauth_data(krb5_context context,
Modified: trunk/src/lib/krb5/krb/kfree.c
===================================================================
--- trunk/src/lib/krb5/krb/kfree.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/kfree.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -534,7 +534,8 @@
void KRB5_CALLCONV
krb5_free_unparsed_name(krb5_context context, char *val)
{
- free(val);
+ if (val != NULL)
+ free(val);
}
void KRB5_CALLCONV
@@ -881,3 +882,30 @@
krb5_free_checksum_contents(context, &val->req_checksum);
free(val);
}
+
+void KRB5_CALLCONV
+krb5int_free_data_list(krb5_context context, krb5_data *data)
+{
+ int i;
+
+ if (data == NULL)
+ return;
+
+ for (i = 0; data[i].data != NULL; i++)
+ free(data[i].data);
+
+ free(data);
+}
+
+void KRB5_CALLCONV
+krb5_free_ad_kdcissued(krb5_context context, krb5_ad_kdcissued *val)
+{
+ if (val == NULL)
+ return;
+
+ krb5_free_checksum_contents(context, &val->ad_checksum);
+ krb5_free_principal(context, val->i_principal);
+ krb5_free_authdata(context, val->elements);
+ free(val);
+}
+
Modified: trunk/src/lib/krb5/krb/mk_req_ext.c
===================================================================
--- trunk/src/lib/krb5/krb/mk_req_ext.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/mk_req_ext.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -75,6 +75,7 @@
krb5_authenticator *, krb5_principal,
krb5_checksum *, krb5_keyblock *,
krb5_ui_4, krb5_authdata **,
+ krb5_authdata_context ad_context,
krb5_enctype *desired_etypes,
krb5_enctype tkt_enctype);
@@ -244,6 +245,7 @@
(*auth_context)->send_subkey,
(*auth_context)->local_seq_number,
in_creds->authdata,
+ (*auth_context)->ad_context,
desired_etypes,
in_creds->keyblock.enctype)))
goto cleanup_cksum;
@@ -253,12 +255,6 @@
&scratch)))
goto cleanup_cksum;
- /* Null out these fields, to prevent pointer sharing problems;
- * they were supplied by the caller
- */
- (*auth_context)->authentp->client = NULL;
- (*auth_context)->authentp->checksum = NULL;
-
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock,
KRB5_KEYUSAGE_AP_REQ_AUTH,
@@ -272,6 +268,13 @@
free(toutbuf);
cleanup_cksum:
+ /* Null out these fields, to prevent pointer sharing problems;
+ * they were supplied by the caller
+ */
+ if ((*auth_context)->authentp != NULL) {
+ (*auth_context)->authentp->client = NULL;
+ (*auth_context)->authentp->checksum = NULL;
+ }
if (checksump && checksump->checksum_type != 0x8003)
free(checksump->contents);
@@ -299,11 +302,13 @@
krb5_principal client, krb5_checksum *cksum,
krb5_keyblock *key, krb5_ui_4 seq_number,
krb5_authdata **authorization,
+ krb5_authdata_context ad_context,
krb5_enctype *desired_etypes,
krb5_enctype tkt_enctype)
{
krb5_error_code retval;
-
+ krb5_authdata **ext_authdata = NULL;
+
authent->client = client;
authent->checksum = cksum;
if (key) {
@@ -315,12 +320,27 @@
authent->seq_number = seq_number;
authent->authorization_data = NULL;
- if (authorization != NULL) {
- retval = krb5_copy_authdata(context, authorization,
- &authent->authorization_data);
+ if (ad_context != NULL) {
+ retval = krb5_authdata_export_authdata(context,
+ ad_context,
+ AD_USAGE_AP_REQ,
+ &ext_authdata);
if (retval)
return retval;
}
+
+ if (authorization != NULL || ext_authdata != NULL) {
+ retval = krb5_merge_authdata(context,
+ authorization,
+ ext_authdata,
+ &authent->authorization_data);
+ if (retval) {
+ krb5_free_authdata(context, ext_authdata);
+ return retval;
+ }
+ krb5_free_authdata(context, ext_authdata);
+ }
+
/* Only send EtypeList if we prefer another enctype to tkt_enctype */
if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
retval = make_etype_list(context, desired_etypes, tkt_enctype,
Modified: trunk/src/lib/krb5/krb/pac.c
===================================================================
--- trunk/src/lib/krb5/krb/pac.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/pac.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -8,7 +8,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -27,6 +27,7 @@
#include "k5-int.h"
#include "k5-utf8.h"
+#include "authdata.h"
/* draft-brezak-win2k-krb-authz-00 */
@@ -46,9 +47,12 @@
/* ulType */
#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIALS_INFO 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO 10
+#define PAC_DELEGATION_INFO 11
+#define PAC_UPN_DNS_INFO 12
typedef struct _PACTYPE {
krb5_ui_4 cBuffers;
@@ -66,6 +70,7 @@
struct krb5_pac_data {
PACTYPE *pac; /* PAC header + info buffer array */
krb5_data data; /* PAC data (including uninitialised header) */
+ krb5_boolean verified;
};
static krb5_error_code
@@ -93,7 +98,7 @@
/* Check there isn't already a buffer of this type */
if (k5_pac_locate_buffer(context, pac, type, NULL) == 0) {
- return EINVAL;
+ return EEXIST;
}
header = (PACTYPE *)realloc(pac->pac,
@@ -148,6 +153,8 @@
out_data->length = data->length;
}
+ pac->verified = FALSE;
+
return 0;
}
@@ -228,7 +235,7 @@
ret = k5_pac_locate_buffer(context, pac, type, &d);
if (ret != 0)
return ret;
-
+
data->data = malloc(d.length);
if (data->data == NULL)
return ENOMEM;
@@ -277,7 +284,7 @@
pac->pac = (PACTYPE *)malloc(sizeof(PACTYPE));
if (pac->pac == NULL) {
- free( pac);
+ free(pac);
return ENOMEM;
}
@@ -291,11 +298,54 @@
return ENOMEM;
}
+ pac->verified = FALSE;
+
*ppac = pac;
return 0;
}
+static krb5_error_code
+k5_pac_copy(krb5_context context,
+ krb5_pac src,
+ krb5_pac *dst)
+{
+ size_t header_len;
+ krb5_ui_4 cbuffers;
+ krb5_error_code code;
+ krb5_pac pac;
+
+ cbuffers = src->pac->cBuffers;
+ if (cbuffers != 0)
+ cbuffers--;
+
+ header_len = sizeof(PACTYPE) + cbuffers * sizeof(PAC_INFO_BUFFER);
+
+ pac = (krb5_pac)malloc(sizeof(*pac));
+ if (pac == NULL)
+ return ENOMEM;
+
+ pac->pac = (PACTYPE *)malloc(header_len);
+ if (pac->pac == NULL) {
+ free(pac);
+ return ENOMEM;
+ }
+
+ memcpy(pac->pac, src->pac, header_len);
+
+ code = krb5int_copy_data_contents(context, &src->data, &pac->data);
+ if (code != 0) {
+ free(pac->pac);
+ free(pac);
+ return ENOMEM;
+ }
+
+ pac->verified = src->verified;
+ *dst = pac;
+
+ return 0;
+}
+
/*
* Parse the supplied data into the PAC allocated by this function
*/
@@ -379,7 +429,8 @@
}
static krb5_error_code
-k5_time_to_seconds_since_1970(krb5_int64 ntTime, krb5_timestamp *elapsedSeconds)
+k5_time_to_seconds_since_1970(krb5_int64 ntTime,
+ krb5_timestamp *elapsedSeconds)
{
krb5_ui_8 abstime;
@@ -393,10 +444,11 @@
*elapsedSeconds = abstime;
return 0;
-}
+}
static krb5_error_code
-k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, krb5_ui_8 *ntTime)
+k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds,
+ krb5_ui_8 *ntTime)
{
*ntTime = elapsedSeconds;
@@ -404,7 +456,7 @@
*ntTime += NT_TIME_EPOCH;
*ntTime *= 10000000;
-
+
return 0;
}
@@ -441,10 +493,11 @@
return ret;
if (client_info.length < PAC_CLIENT_INFO_LENGTH + pac_princname_length ||
- pac_princname_length % 2)
+ pac_princname_length % 2)
return ERANGE;
- ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2, &pac_princname, NULL);
+ ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
+ &pac_princname, NULL);
if (ret != 0)
return ret;
@@ -457,7 +510,10 @@
free(pac_princname);
if (pac_authtime != authtime ||
- krb5_principal_compare(context, pac_principal, principal) == FALSE)
+ !krb5_principal_compare_flags(context,
+ pac_principal,
+ principal,
+ KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
ret = KRB5KRB_AP_WRONG_PRINC;
krb5_free_principal(context, pac_principal);
@@ -513,7 +569,8 @@
krb5_boolean valid;
krb5_octet *p;
- ret = k5_pac_locate_buffer(context, pac, PAC_SERVER_CHECKSUM, &checksum_data);
+ ret = k5_pac_locate_buffer(context, pac,
+ PAC_SERVER_CHECKSUM, &checksum_data);
if (ret != 0)
return ret;
@@ -533,19 +590,22 @@
memcpy(pac_data.data, pac->data.data, pac->data.length);
/* Zero out both checksum buffers */
- ret = k5_pac_zero_signature(context, pac, PAC_SERVER_CHECKSUM, &pac_data);
+ ret = k5_pac_zero_signature(context, pac,
+ PAC_SERVER_CHECKSUM, &pac_data);
if (ret != 0) {
free(pac_data.data);
return ret;
}
- ret = k5_pac_zero_signature(context, pac, PAC_PRIVSVR_CHECKSUM, &pac_data);
+ ret = k5_pac_zero_signature(context, pac,
+ PAC_PRIVSVR_CHECKSUM, &pac_data);
if (ret != 0) {
free(pac_data.data);
return ret;
}
- ret = krb5_c_verify_checksum(context, server, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ ret = krb5_c_verify_checksum(context, server,
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
&pac_data, &checksum, &valid);
free(pac_data.data);
@@ -571,14 +631,16 @@
krb5_boolean valid;
krb5_octet *p;
- ret = k5_pac_locate_buffer(context, pac, PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
+ ret = k5_pac_locate_buffer(context, pac,
+ PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
if (ret != 0)
return ret;
if (privsvr_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
return KRB5_BAD_MSIZE;
- ret = k5_pac_locate_buffer(context, pac, PAC_SERVER_CHECKSUM, &server_checksum);
+ ret = k5_pac_locate_buffer(context, pac,
+ PAC_SERVER_CHECKSUM, &server_checksum);
if (ret != 0)
return ret;
@@ -593,7 +655,8 @@
server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
- ret = krb5_c_verify_checksum(context, privsvr, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ ret = krb5_c_verify_checksum(context, privsvr,
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
&server_checksum, &checksum, &valid);
if (ret != 0)
return ret;
@@ -633,6 +696,8 @@
return ret;
}
+ pac->verified = TRUE;
+
return 0;
}
@@ -650,12 +715,14 @@
krb5_ui_8 nt_authtime;
/* If we already have a CLIENT_INFO buffer, then just validate it */
- if (k5_pac_locate_buffer(context, pac, PAC_CLIENT_INFO, &client_info) == 0) {
+ if (k5_pac_locate_buffer(context, pac,
+ PAC_CLIENT_INFO, &client_info) == 0) {
return k5_pac_validate_client(context, pac, authtime, principal);
}
ret = krb5_unparse_name_flags(context, principal,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM, &princ_name_utf8);
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &princ_name_utf8);
if (ret != 0)
goto cleanup;
@@ -668,7 +735,8 @@
client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len;
client_info.data = NULL;
- ret = k5_pac_add_buffer(context, pac, PAC_CLIENT_INFO, &client_info, TRUE, &client_info);
+ ret = k5_pac_add_buffer(context, pac, PAC_CLIENT_INFO,
+ &client_info, TRUE, &client_info);
if (ret != 0)
goto cleanup;
@@ -685,12 +753,11 @@
/* copy in principal name */
memcpy(p, princ_name_ucs2, princ_name_ucs2_len);
-
+
cleanup:
- if (princ_name_utf8 != NULL)
- free(princ_name_utf8);
if (princ_name_ucs2 != NULL)
free(princ_name_ucs2);
+ krb5_free_unparsed_name(context, princ_name_utf8);
return ret;
}
@@ -716,7 +783,10 @@
ret = k5_pac_locate_buffer(context, pac, type, &cksumdata);
if (ret == 0) {
- /* If we're resigning PAC, make sure we can fit checksum into existing buffer */
+ /*
+ * If we're resigning PAC, make sure we can fit checksum
+ * into existing buffer
+ */
if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len)
return ERANGE;
@@ -726,7 +796,9 @@
cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len;
cksumdata.data = NULL;
- ret = k5_pac_add_buffer(context, pac, type, &cksumdata, TRUE, &cksumdata);
+ ret = k5_pac_add_buffer(context, pac,
+ type, &cksumdata,
+ TRUE, &cksumdata);
if (ret != 0)
return ret;
}
@@ -745,7 +817,8 @@
unsigned char *p;
size_t header_len;
- header_len = PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
+ header_len = PACTYPE_LENGTH +
+ (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
assert(pac->data.length >= header_len);
p = (unsigned char *)pac->data.data;
@@ -818,7 +891,8 @@
return ret;
/* Generate the server checksum over the entire PAC */
- ret = k5_pac_locate_buffer(context, pac, PAC_SERVER_CHECKSUM, &server_cksum);
+ ret = k5_pac_locate_buffer(context, pac,
+ PAC_SERVER_CHECKSUM, &server_cksum);
if (ret != 0)
return ret;
@@ -838,7 +912,8 @@
return ret;
/* Generate the privsvr checksum over the server checksum buffer */
- ret = k5_pac_locate_buffer(context, pac, PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
+ ret = k5_pac_locate_buffer(context, pac,
+ PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
if (ret != 0)
return ret;
@@ -865,8 +940,603 @@
data->length = pac->data.length;
memcpy(data->data, pac->data.data, pac->data.length);
- memset(pac->data.data, 0, PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
+ memset(pac->data.data, 0,
+ PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
return 0;
}
+/*
+ * PAC auth data attribute backend
+ */
+struct mspac_context {
+ krb5_pac pac;
+};
+
+static krb5_error_code
+mspac_init(krb5_context kcontext, void **plugin_context)
+{
+ *plugin_context = NULL;
+ return 0;
+}
+
+static void
+mspac_flags(krb5_context kcontext,
+ void *plugin_context,
+ krb5_authdatatype ad_type,
+ krb5_flags *flags)
+{
+ *flags = AD_USAGE_KDC_ISSUED;
+}
+
+static void
+mspac_fini(krb5_context kcontext, void *plugin_context)
+{
+ return;
+}
+
+static krb5_error_code
+mspac_request_init(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void **request_context)
+{
+ struct mspac_context *pacctx;
+
+ pacctx = (struct mspac_context *)malloc(sizeof(*pacctx));
+ if (pacctx == NULL)
+ return ENOMEM;
+
+ pacctx->pac = NULL;
+
+ *request_context = pacctx;
+
+ return 0;
+}
+
+static krb5_error_code
+mspac_import_authdata(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_authdata **authdata,
+ krb5_boolean kdc_issued,
+ krb5_const_principal kdc_issuer)
+{
+ krb5_error_code code;
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+ if (kdc_issued)
+ return EINVAL;
+
+ if (pacctx->pac != NULL) {
+ krb5_pac_free(kcontext, pacctx->pac);
+ pacctx->pac = NULL;
+ }
+
+ assert(authdata[0] != NULL);
+ assert((authdata[0]->ad_type & AD_TYPE_FIELD_TYPE_MASK) ==
+ KRB5_AUTHDATA_WIN2K_PAC);
+
+ code = krb5_pac_parse(kcontext, authdata[0]->contents,
+ authdata[0]->length, &pacctx->pac);
+
+ return code;
+}
+
+static krb5_error_code
+mspac_export_authdata(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_flags usage,
+ krb5_authdata ***out_authdata)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+ krb5_error_code code;
+ krb5_authdata **authdata;
+ krb5_data data;
+
+ if (pacctx->pac == NULL)
+ return 0;
+
+ authdata = calloc(2, sizeof(krb5_authdata *));
+ if (authdata == NULL)
+ return ENOMEM;
+
+ authdata[0] = calloc(1, sizeof(krb5_authdata));
+ if (authdata[0] == NULL) {
+ free(authdata);
+ return ENOMEM;
+ }
+ authdata[1] = NULL;
+
+ code = krb5int_copy_data_contents(kcontext, &pacctx->pac->data, &data);
+ if (code != 0) {
+ krb5_free_authdata(kcontext, authdata);
+ return code;
+ }
+
+ authdata[0]->magic = KV5M_AUTHDATA;
+ authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC;
+ authdata[0]->length = data.length;
+ authdata[0]->contents = (krb5_octet *)data.data;
+
+ authdata[1] = NULL;
+
+ *out_authdata = authdata;
+
+ return 0;
+}
+
+static krb5_error_code
+mspac_verify(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *req)
+{
+ krb5_error_code code;
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+ if (pacctx->pac == NULL)
+ return EINVAL;
+
+ code = krb5_pac_verify(kcontext,
+ pacctx->pac,
+ req->ticket->enc_part2->times.authtime,
+ req->ticket->enc_part2->client,
+ key,
+ NULL);
+
+#if 0
+ /*
+ * Now, we could return 0 and just set pac->verified to FALSE.
+ * Thoughts?
+ */
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ assert(pacctx->pac->verified == FALSE);
+ code = 0;
+ }
+#endif
+
+ return code;
+}
+
+static void
+mspac_request_fini(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+ if (pacctx != NULL) {
+ if (pacctx->pac != NULL)
+ krb5_pac_free(kcontext, pacctx->pac);
+
+ free(pacctx);
+ }
+}
+
+#define STRLENOF(x) (sizeof((x)) - 1)
+
+static struct {
+ krb5_ui_4 type;
+ krb5_data attribute;
+} mspac_attribute_types[] = {
+ { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("mspac:"), "mspac:" } },
+ { PAC_LOGON_INFO, { KV5M_DATA, STRLENOF("mspac:logon-info"), "mspac:logon-info" } },
+ { PAC_CREDENTIALS_INFO, { KV5M_DATA, STRLENOF("mspac:credentials-info"), "mspac:credentials-info" } },
+ { PAC_SERVER_CHECKSUM, { KV5M_DATA, STRLENOF("mspac:server-checksum"), "mspac:server-checksum" } },
+ { PAC_PRIVSVR_CHECKSUM, { KV5M_DATA, STRLENOF("mspac:privsvr-checksum"), "mspac:privsvr-checksum" } },
+ { PAC_CLIENT_INFO, { KV5M_DATA, STRLENOF("mspac:client-info"), "mspac:client-info" } },
+ { PAC_DELEGATION_INFO, { KV5M_DATA, STRLENOF("mspac:delegation-info"), "mspac:delegation-info" } },
+ { PAC_UPN_DNS_INFO, { KV5M_DATA, STRLENOF("mspac:upn-dns-info"), "mspac:upn-dns-info" } },
+};
+
+#define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0]))
+
+static krb5_error_code
+mspac_type2attr(krb5_ui_4 type, krb5_data *attr)
+{
+ unsigned int i;
+
+ for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
+ if (mspac_attribute_types[i].type == type) {
+ *attr = mspac_attribute_types[i].attribute;
+ return 0;
+ }
+ }
+
+ return ENOENT;
+}
+
+static krb5_error_code
+mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type)
+{
+ unsigned int i;
+
+ for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
+ if (attr->length == mspac_attribute_types[i].attribute.length &&
+ strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) {
+ *type = mspac_attribute_types[i].type;
+ return 0;
+ }
+ }
+
+ if (attr->length > STRLENOF("mspac:") &&
+ strncasecmp(attr->data, "mspac:", STRLENOF("mspac:")) == 0)
+ {
+ char *p = &attr->data[STRLENOF("mspac:")];
+ char *endptr;
+
+ *type = strtoul(p, &endptr, 10);
+ if (*type != 0 && *endptr == '\0')
+ return 0;
+ }
+
+ return ENOENT;
+}
+
+static krb5_error_code
+mspac_get_attribute_types(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_data **out_attrs)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+ unsigned int i, j;
+ krb5_data *attrs;
+ krb5_error_code code;
+
+ if (pacctx->pac == NULL)
+ return ENOENT;
+
+ attrs = calloc(1 + pacctx->pac->pac->cBuffers + 1, sizeof(krb5_data));
+ if (attrs == NULL)
+ return ENOMEM;
+
+ j = 0;
+
+ /* The entire PAC */
+ code = krb5int_copy_data_contents(kcontext,
+ &mspac_attribute_types[0].attribute,
+ &attrs[j++]);
+ if (code != 0) {
+ free(attrs);
+ return code;
+ }
+
+ /* PAC buffers */
+ for (i = 0; i < pacctx->pac->pac->cBuffers; i++) {
+ krb5_data attr;
+
+ code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr);
+ if (code == 0) {
+ code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]);
+ if (code != 0) {
+ krb5int_free_data_list(kcontext, attrs);
+ return code;
+ }
+ } else {
+ int length;
+
+ length = asprintf(&attrs[j].data, "mspac:%d",
+ pacctx->pac->pac->Buffers[i].ulType);
+ if (length < 0) {
+ krb5int_free_data_list(kcontext, attrs);
+ return ENOMEM;
+ }
+ attrs[j++].length = length;
+ }
+ }
+ attrs[j].data = NULL;
+ attrs[j].length = 0;
+
+ *out_attrs = attrs;
+
+ return 0;
+}
+
+static krb5_error_code
+mspac_get_attribute(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+ krb5_error_code code;
+ krb5_ui_4 type;
+
+ value->data = NULL;
+ value->length = 0;
+
+ if (display_value != NULL) {
+ display_value->data = NULL;
+ display_value->length = 0;
+ }
+
+ if (*more != -1 || pacctx->pac == NULL)
+ return ENOENT;
+
+ code = mspac_attr2type(attribute, &type);
+ if (code != 0)
+ return code;
+
+ /* -1 is a magic type that refers to the entire PAC */
+ if (type == (krb5_ui_4)-1) {
+ if (value != NULL)
+ code = krb5int_copy_data_contents(kcontext,
+ &pacctx->pac->data,
+ value);
+ else
+ code = 0;
+ } else {
+ if (value != NULL)
+ code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value);
+ else
+ code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL);
+ }
+ if (code == 0) {
+ *authenticated = pacctx->pac->verified;
+ *complete = TRUE;
+ }
+
+ *more = 0;
+
+ return code;
+}
+
+static krb5_error_code
+mspac_set_attribute(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+ krb5_error_code code;
+ krb5_ui_4 type;
+
+ if (pacctx->pac == NULL)
+ return ENOENT;
+
+ code = mspac_attr2type(attribute, &type);
+ if (code != 0)
+ return code;
+
+ /* -1 is a magic type that refers to the entire PAC */
+ if (type == (krb5_ui_4)-1) {
+ krb5_pac newpac;
+
+ code = krb5_pac_parse(kcontext, value->data, value->length, &newpac);
+ if (code != 0)
+ return code;
+
+ krb5_pac_free(kcontext, pacctx->pac);
+ pacctx->pac = newpac;
+ } else {
+ code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value);
+ }
+
+ return code;
+}
+
+static krb5_error_code
+mspac_export_internal(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean restrict_authenticated,
+ void **ptr)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+ krb5_error_code code;
+ krb5_pac pac;
+
+ *ptr = NULL;
+
+ if (pacctx->pac == NULL)
+ return 0;
+
+ if (restrict_authenticated && (pacctx->pac->verified) == FALSE)
+ return 0;
+
+ code = krb5_pac_parse(kcontext, pacctx->pac->data.data,
+ pacctx->pac->data.length, &pac);
+ if (code == 0) {
+ pac->verified = pacctx->pac->verified;
+ *ptr = pac;
+ }
+
+ return code;
+}
+
+static void
+mspac_free_internal(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ void *ptr)
+{
+ if (ptr != NULL)
+ krb5_pac_free(kcontext, (krb5_pac)ptr);
+
+ return;
+}
+
+static krb5_error_code
+mspac_size(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ size_t *sizep)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+ *sizep += sizeof(krb5_int32);
+
+ if (pacctx->pac != NULL)
+ *sizep += pacctx->pac->data.length;
+
+ *sizep += sizeof(krb5_int32);
+
+ return 0;
+}
+
+static krb5_error_code
+mspac_externalize(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
+{
+ krb5_error_code code = 0;
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+ size_t required = 0;
+ krb5_octet *bp;
+ size_t remain;
+
+ bp = *buffer;
+ remain = *lenremain;
+
+ if (pacctx->pac != NULL) {
+ mspac_size(kcontext, context, plugin_context,
+ request_context, &required);
+
+ if (required <= remain) {
+ krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length,
+ &bp, &remain);
+ krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data,
+ (size_t)pacctx->pac->data.length,
+ &bp, &remain);
+ krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified,
+ &bp, &remain);
+ } else {
+ code = ENOMEM;
+ }
+ } else {
+ krb5_ser_pack_int32(0, &bp, &remain); /* length */
+ krb5_ser_pack_int32(0, &bp, &remain); /* verified */
+ }
+
+ *buffer = bp;
+ *lenremain = remain;
+
+ return code;
+}
+
+static krb5_error_code
+mspac_internalize(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
+{
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+ krb5_error_code code;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ krb5_pac pac = NULL;
+
+ bp = *buffer;
+ remain = *lenremain;
+
+ /* length */
+ code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (code != 0)
+ return code;
+
+ if (ibuf != 0) {
+ code = krb5_pac_parse(kcontext, bp, ibuf, &pac);
+ if (code != 0)
+ return code;
+
+ bp += ibuf;
+ remain -= ibuf;
+ }
+
+ /* verified */
+ code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (code != 0) {
+ krb5_pac_free(kcontext, pac);
+ return code;
+ }
+
+ if (pac != NULL) {
+ pac->verified = (ibuf != 0);
+ }
+
+ if (pacctx->pac != NULL) {
+ krb5_pac_free(kcontext, pacctx->pac);
+ }
+
+ pacctx->pac = pac;
+
+ *buffer = bp;
+ *lenremain = remain;
+
+ return 0;
+}
+
+static krb5_error_code
+mspac_copy(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ void *dst_plugin_context,
+ void *dst_request_context)
+{
+ struct mspac_context *srcctx = (struct mspac_context *)request_context;
+ struct mspac_context *dstctx = (struct mspac_context *)dst_request_context;
+ krb5_error_code code = 0;
+
+ assert(dstctx != NULL);
+ assert(dstctx->pac == NULL);
+
+ if (srcctx->pac != NULL)
+ code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac);
+
+ return code;
+}
+
+static krb5_authdatatype mspac_ad_types[] = { KRB5_AUTHDATA_WIN2K_PAC, 0 };
+
+krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = {
+ "mspac",
+ mspac_ad_types,
+ mspac_init,
+ mspac_fini,
+ mspac_flags,
+ mspac_request_init,
+ mspac_request_fini,
+ mspac_get_attribute_types,
+ mspac_get_attribute,
+ mspac_set_attribute,
+ NULL, /* delete_attribute_proc */
+ mspac_export_authdata,
+ mspac_import_authdata,
+ mspac_export_internal,
+ mspac_free_internal,
+ mspac_verify,
+ mspac_size,
+ mspac_externalize,
+ mspac_internalize,
+ mspac_copy
+};
+
Modified: trunk/src/lib/krb5/krb/rd_req.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_req.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/rd_req.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -8,7 +8,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +22,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
+ *
* krb5_rd_req()
*/
@@ -32,16 +32,16 @@
/*
* Parses a KRB_AP_REQ message, returning its contents.
- *
+ *
* server specifies the expected server's name for the ticket.
- *
+ *
* keyproc specifies a procedure to generate a decryption key for the
* ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
* used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
* if it is non-NULL, it specifies a parameter name from which to retrieve the
* decryption key. If fetchfrom is NULL, then the default key store is
* consulted.
- *
+ *
* returns system errors, encryption errors, replay errors
*/
@@ -58,14 +58,14 @@
if (!krb5_is_ap_req(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
if ((retval = decode_krb5_ap_req(inbuf, &request))) {
switch (retval) {
case KRB5_BADMSGTYPE:
- return KRB5KRB_AP_ERR_BADVERSION;
+ return KRB5KRB_AP_ERR_BADVERSION;
default:
return(retval);
- }
+ }
}
#endif /* LEAN_CLIENT */
@@ -78,7 +78,7 @@
}
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
/* Get a keytab if necessary. */
if (keytab == NULL) {
if ((retval = krb5_kt_default(context, &new_keytab)))
@@ -87,10 +87,10 @@
}
#endif /* LEAN_CLIENT */
- retval = krb5_rd_req_decoded(context, auth_context, request, server,
+ retval = krb5_rd_req_decoded(context, auth_context, request, server,
keytab, ap_req_options, ticket);
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
if (new_keytab != NULL)
(void) krb5_kt_close(context, new_keytab);
#endif /* LEAN_CLIENT */
Modified: trunk/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_req_dec.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/rd_req_dec.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -31,6 +31,8 @@
#include "k5-int.h"
#include "auth_con.h"
+#include "authdata.h"
+#include "int-proto.h"
/*
* essentially the same as krb_rd_req, but uses a decoded AP_REQ as
@@ -92,7 +94,8 @@
static krb5_error_code
krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
- krb5_const_principal server, krb5_keytab keytab)
+ krb5_const_principal server, krb5_keytab keytab,
+ krb5_keyblock *key)
{
krb5_error_code retval;
krb5_keytab_entry ktent;
@@ -107,10 +110,12 @@
req->ticket->enc_part.enctype, &ktent);
if (retval == 0) {
retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
+ if (retval == 0 && key != NULL)
+ retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
(void) krb5_free_keytab_entry_contents(context, &ktent);
}
- } else {
+ } else {
krb5_error_code code;
krb5_kt_cursor cursor;
@@ -142,6 +147,8 @@
* server as it appeared in the ticket.
*/
retval = krb5_copy_principal(context, ktent.principal, &tmp);
+ if (retval == 0 && key != NULL)
+ retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
if (retval == 0) {
krb5_free_principal(context, req->ticket->server);
req->ticket->server = tmp;
@@ -204,11 +211,15 @@
{
krb5_error_code retval = 0;
krb5_principal_data princ_data;
- krb5_enctype *desired_etypes = NULL;
+ krb5_enctype *desired_etypes = NULL;
int desired_etypes_len = 0;
int rfc4537_etypes_len = 0;
- krb5_enctype *permitted_etypes = NULL;
+ krb5_enctype *permitted_etypes = NULL;
int permitted_etypes_len = 0;
+ krb5_keyblock decrypt_key;
+
+ decrypt_key.enctype = ENCTYPE_NULL;
+ decrypt_key.contents = NULL;
req->ticket->enc_part2 = NULL;
if (server && krb5_is_referral_realm(&server->realm)) {
@@ -231,14 +242,20 @@
if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
req->ticket)))
goto cleanup;
- krb5_free_keyblock(context, (*auth_context)->keyblock);
+ if (check_valid_flag) {
+ decrypt_key = *((*auth_context)->keyblock);
+ free((*auth_context)->keyblock);
+ } else
+ krb5_free_keyblock(context, (*auth_context)->keyblock);
(*auth_context)->keyblock = NULL;
} else {
- if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, server, keytab)))
+ if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
+ server, keytab,
+ check_valid_flag ? &decrypt_key : NULL)))
goto cleanup;
}
- /* XXX this is an evil hack. check_valid_flag is set iff the call
+ /* XXX this is an evil hack. check_valid_flag is set iff the call
is not from inside the kdc. we can use this to determine which
key usage to use */
#ifndef LEAN_CLIENT
@@ -284,7 +301,7 @@
/* If the transited list is empty, then we have at most one hop */
if (trans->tr_contents.data && trans->tr_contents.data[0])
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
}
#elif defined(_NO_CROSS_REALM)
@@ -325,7 +342,7 @@
/*
* If the transited list is not empty, then check that all realms
* transited are within the hierarchy between the client's realm
- * and the local realm.
+ * and the local realm.
*/
if (trans->tr_contents.data && trans->tr_contents.data[0]) {
retval = krb5_check_transited_list(context, &(trans->tr_contents),
@@ -344,7 +361,7 @@
if ((*auth_context)->rcache) {
krb5_donot_replay rep;
- krb5_tkt_authent tktauthent;
+ krb5_tkt_authent tktauthent;
tktauthent.ticket = req->ticket;
tktauthent.authenticator = (*auth_context)->authentp;
@@ -376,6 +393,17 @@
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
}
+
+ if ((retval = krb5_authdata_context_init(context,
+ &(*auth_context)->ad_context)))
+ goto cleanup;
+ if ((retval = krb5int_authdata_verify(context,
+ (*auth_context)->ad_context,
+ AD_USAGE_MASK,
+ auth_context,
+ &decrypt_key,
+ req)))
+ goto cleanup;
}
/* read RFC 4537 etype list from sender */
@@ -520,18 +548,21 @@
krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
req->ticket->enc_part2 = NULL;
}
+ if (check_valid_flag)
+ krb5_free_keyblock_contents(context, &decrypt_key);
+
return retval;
}
krb5_error_code
krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket)
+ const krb5_ap_req *req, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
{
krb5_error_code retval;
retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
+ req, server, keytab,
ap_req_options, ticket,
1); /* check_valid_flag */
return retval;
@@ -539,14 +570,14 @@
krb5_error_code
krb5_rd_req_decoded_anyflag(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_ap_req *req,
- krb5_const_principal server, krb5_keytab keytab,
- krb5_flags *ap_req_options, krb5_ticket **ticket)
+ krb5_auth_context *auth_context,
+ const krb5_ap_req *req,
+ krb5_const_principal server, krb5_keytab keytab,
+ krb5_flags *ap_req_options, krb5_ticket **ticket)
{
krb5_error_code retval;
retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
+ req, server, keytab,
ap_req_options, ticket,
0); /* don't check_valid_flag */
return retval;
Modified: trunk/src/lib/krb5/krb/s4u_creds.c
===================================================================
--- trunk/src/lib/krb5/krb/s4u_creds.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/s4u_creds.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -115,7 +115,7 @@
client = &client_data;
}
- code = krb5_get_init_creds(context, &creds, in_creds->client,
+ code = krb5_get_init_creds(context, &creds, client,
NULL, NULL, 0, NULL, opte,
krb5_get_as_key_noop, &userid,
&use_master, NULL);
Modified: trunk/src/lib/krb5/krb/ser_actx.c
===================================================================
--- trunk/src/lib/krb5/krb/ser_actx.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/ser_actx.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -560,5 +560,7 @@
kret = krb5_ser_keyblock_init(kcontext);
if (!kret)
kret = krb5_ser_principal_init(kcontext);
+ if (!kret)
+ kret = krb5_ser_authdata_context_init(kcontext);
return(kret);
}
Modified: trunk/src/lib/krb5/krb/t_authdata.c
===================================================================
--- trunk/src/lib/krb5/krb/t_authdata.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/t_authdata.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -65,6 +65,13 @@
krb5_authdata *adseq2[] = {&ad3, NULL};
+krb5_keyblock key = {
+ KV5M_KEYBLOCK,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ 16,
+ (unsigned char *)"1234567890ABCDEF"
+};
+
static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) {
assert(adc1->ad_type == adc2->ad_type);
assert(adc1->length == adc2->length);
@@ -77,7 +84,7 @@
krb5_authdata **results;
krb5_authdata *container[2];
krb5_authdata **container_out;
-
+ krb5_authdata **kdci;
assert(krb5_init_context(&context) == 0);
assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0);
@@ -96,6 +103,13 @@
compare_authdata( results[1], &ad4);
compare_authdata( results[2], &ad3);
assert( results[3] == NULL);
+ krb5_free_authdata(context, container_out);
+ assert(krb5_make_authdata_kdc_issued(context, &key, NULL, results, &kdci) == 0);
+ assert(krb5_verify_authdata_kdc_issued(context, &key, kdci[0], NULL, &container_out) == 0);
+ compare_authdata(container_out[0], results[0]);
+ compare_authdata(container_out[1], results[1]);
+ compare_authdata(container_out[2], results[2]);
+ krb5_free_authdata(context, kdci);
krb5_free_authdata(context, results);
krb5_free_authdata(context, container_out);
krb5_free_context(context);
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/libkrb5.exports 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1,4 +1,5 @@
_krb5_conf_boolean
+decode_krb5_ad_kdcissued
decode_krb5_alt_method
decode_krb5_ap_rep
decode_krb5_ap_rep_enc_part
@@ -40,6 +41,7 @@
decode_krb5_tgs_req
decode_krb5_ticket
decode_krb5_typed_data
+encode_krb5_ad_kdcissued
encode_krb5_alt_method
encode_krb5_ap_rep
encode_krb5_ap_rep_enc_part
@@ -108,6 +110,7 @@
krb5_auth_con_free
krb5_auth_con_genaddrs
krb5_auth_con_get_checksum_func
+krb5_auth_con_get_authdata_context
krb5_auth_con_getaddrs
krb5_auth_con_getauthenticator
krb5_auth_con_getflags
@@ -123,6 +126,7 @@
krb5_auth_con_getsendsubkey
krb5_auth_con_init
krb5_auth_con_initivector
+krb5_auth_con_set_authdata_context
krb5_auth_con_set_checksum_func
krb5_auth_con_set_req_cksumtype
krb5_auth_con_set_safe_cksumtype
@@ -136,6 +140,18 @@
krb5_auth_con_setsendsubkey
krb5_auth_con_setuseruserkey
krb5_auth_to_rep
+krb5_authdata_context_copy
+krb5_authdata_context_free
+krb5_authdata_context_init
+krb5_authdata_delete_attribute
+krb5_authdata_get_attribute_types
+krb5_authdata_get_attribute
+krb5_authdata_set_attribute
+krb5_authdata_export_attributes
+krb5_authdata_export_authdata
+krb5_authdata_export_internal
+krb5_authdata_free_internal
+krb5_authdata_import_attributes
krb5_build_principal
krb5_build_principal_alloc_va
krb5_build_principal_ext
@@ -203,6 +219,7 @@
krb5_externalize_opaque
krb5_fcc_ops
krb5_find_serializer
+krb5_free_ad_kdcissued
krb5_free_address
krb5_free_addresses
krb5_free_alt_method
@@ -364,6 +381,7 @@
krb5_libdefault_boolean
krb5_locate_kdc
krb5_lock_file
+krb5_make_authdata_kdc_issued
krb5_make_full_ipaddr
krb5_make_fulladdr
krb5_max_dgram_size
@@ -519,6 +537,7 @@
krb5_us_timeofday
krb5_use_natural_time
krb5_validate_times
+krb5_verify_authdata_kdc_issued
krb5_verify_init_creds
krb5_verify_init_creds_opt_init
krb5_verify_init_creds_opt_set_ap_req_nofail
@@ -534,6 +553,7 @@
krb5int_find_pa_data
krb5int_foreach_localaddr
krb5int_free_addrlist
+krb5int_free_data_list
krb5int_get_domain_realm_mapping
krb5int_init_context_kdc
krb5int_initialize_library
Copied: trunk/src/plugins/authdata/greet_client (from rev 22872, users/lhoward/authdata/src/plugins/authdata/greet_client)
Modified: trunk/src/tests/asn.1/krb5_decode_leak.c
===================================================================
--- trunk/src/tests/asn.1/krb5_decode_leak.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/krb5_decode_leak.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -662,7 +662,6 @@
/* encode_krb5_pa_s4u_x509_user */
{
krb5_pa_s4u_x509_user s4u, *tmp;
-
setup(s4u, "pa_s4u_x509_user",
ktest_make_sample_pa_s4u_x509_user);
leak_test(s4u, encode_krb5_pa_s4u_x509_user,
@@ -670,6 +669,17 @@
krb5_free_pa_s4u_x509_user);
ktest_empty_pa_s4u_x509_user(&s4u);
}
+ /****************************************************************/
+ /* encode_krb5_ad_kdcissued */
+ {
+ krb5_ad_kdcissued kdci, *tmp;
+ setup(kdci, "ad_kdcissued",
+ ktest_make_sample_ad_kdcissued);
+ leak_test(kdci, encode_krb5_ad_kdcissued,
+ decode_krb5_ad_kdcissued,
+ krb5_free_ad_kdcissued);
+ ktest_empty_ad_kdcissued(&kdci);
+ }
krb5_free_context(test_context);
return 0;
}
Modified: trunk/src/tests/asn.1/krb5_decode_test.c
===================================================================
--- trunk/src/tests/asn.1/krb5_decode_test.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/krb5_decode_test.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -891,12 +891,22 @@
ktest_empty_sam_response(&ref);
}
+ /****************************************************************/
+ /* decode_pa_s4u_x509_user */
{
setup(krb5_pa_s4u_x509_user,"krb5_pa_s4u_x509_user",ktest_make_sample_pa_s4u_x509_user);
decode_run("pa_s4u_x509_user","","30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_pa_s4u_x509_user,ktest_equal_pa_s4u_x509_user,krb5_free_pa_s4u_x509_user);
ktest_empty_pa_s4u_x509_user(&ref);
}
+ /****************************************************************/
+ /* decode_ad_kdcissued */
+ {
+ setup(krb5_ad_kdcissued,"krb5_ad_kdcissued",ktest_make_sample_ad_kdcissued);
+ decode_run("ad_kdcissued","","30 65 A0 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_ad_kdcissued,ktest_equal_ad_kdcissued,krb5_free_ad_kdcissued);
+ ktest_empty_ad_kdcissued(&ref);
+ }
+
#ifdef ENABLE_LDAP
/* ldap sequence_of_keys */
{
Modified: trunk/src/tests/asn.1/krb5_encode_test.c
===================================================================
--- trunk/src/tests/asn.1/krb5_encode_test.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/krb5_encode_test.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -706,7 +706,17 @@
encode_krb5_pa_s4u_x509_user);
ktest_empty_pa_s4u_x509_user(&s4u);
}
-
+ /****************************************************************/
+ /* encode_krb5_ad_kdcissued */
+ {
+ krb5_ad_kdcissued kdci;
+ setup(kdci,krb5_ad_kdcissued,"ad_kdcissued",
+ ktest_make_sample_ad_kdcissued);
+ encode_run(kdci,krb5_ad_kdcissued,
+ "ad_kdcissued","",
+ encode_krb5_ad_kdcissued);
+ ktest_empty_ad_kdcissued(&kdci);
+ }
#ifdef ENABLE_LDAP
{
ldap_seqof_key_data skd;
Modified: trunk/src/tests/asn.1/ktest.c
===================================================================
--- trunk/src/tests/asn.1/ktest.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -842,6 +842,19 @@
return 0;
}
+krb5_error_code ktest_make_sample_ad_kdcissued(p)
+ krb5_ad_kdcissued *p;
+{
+ krb5_error_code retval;
+ retval = ktest_make_sample_checksum(&p->ad_checksum);
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&p->i_principal);
+ if (retval) return retval;
+ retval = ktest_make_sample_authorization_data(&p->elements);
+ if (retval) return retval;
+ return retval;
+}
+
#ifdef ENABLE_LDAP
static krb5_error_code ktest_make_sample_key_data(krb5_key_data *p, int i)
{
@@ -1445,6 +1458,14 @@
if (p->cksum.contents) free(p->cksum.contents);
}
+void ktest_empty_ad_kdcissued(p)
+ krb5_ad_kdcissued *p;
+{
+ if (p->ad_checksum.contents) free(p->ad_checksum.contents);
+ ktest_destroy_principal(&p->i_principal);
+ ktest_destroy_authorization_data(&p->elements);
+}
+
#ifdef ENABLE_LDAP
void ktest_empty_ldap_seqof_key_data(ctx, p)
krb5_context ctx;
Modified: trunk/src/tests/asn.1/ktest.h
===================================================================
--- trunk/src/tests/asn.1/ktest.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -106,6 +106,7 @@
krb5_error_code ktest_make_sample_predicted_sam_response(krb5_predicted_sam_response *p);
krb5_error_code ktest_make_sample_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
krb5_error_code ktest_make_sample_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
+krb5_error_code ktest_make_sample_ad_kdcissued(krb5_ad_kdcissued *p);
#ifdef ENABLE_LDAP
krb5_error_code ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data * p);
@@ -215,6 +216,7 @@
void ktest_empty_sam_response_2(krb5_sam_response_2 *p);
void ktest_empty_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
void ktest_empty_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
+void ktest_empty_ad_kdcissued(krb5_ad_kdcissued *p);
#ifdef ENABLE_LDAP
void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p);
Modified: trunk/src/tests/asn.1/ktest_equal.c
===================================================================
--- trunk/src/tests/asn.1/ktest_equal.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest_equal.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -556,6 +556,20 @@
p=p&&struct_equal(cksum,ktest_equal_checksum);
return p;
}
+
+int ktest_equal_ad_kdcissued(ref, var)
+ krb5_ad_kdcissued *ref;
+ krb5_ad_kdcissued *var;
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&struct_equal(ad_checksum,ktest_equal_checksum);
+ p=p&&ptr_equal(i_principal,ktest_equal_principal_data);
+ p=p&&ptr_equal(elements,ktest_equal_authorization_data);
+ return p;
+}
+
#ifdef ENABLE_LDAP
static int equal_key_data(ref, var)
krb5_key_data *ref;
Modified: trunk/src/tests/asn.1/ktest_equal.h
===================================================================
--- trunk/src/tests/asn.1/ktest_equal.h 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest_equal.h 2009-10-09 18:29:34 UTC (rev 22875)
@@ -95,6 +95,10 @@
(krb5_pa_s4u_x509_user *ref,
krb5_pa_s4u_x509_user *var);
+int ktest_equal_ad_kdcissued
+ (krb5_ad_kdcissued *ref,
+ krb5_ad_kdcissued *var);
+
int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
ldap_seqof_key_data *var);
#endif
Modified: trunk/src/tests/asn.1/reference_encode.out
===================================================================
--- trunk/src/tests/asn.1/reference_encode.out 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/reference_encode.out 2009-10-09 18:29:34 UTC (rev 22875)
@@ -57,3 +57,4 @@
encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 01 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10
encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32
encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
+encode_krb5_ad_kdcissued: 30 65 A0 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72
Modified: trunk/src/tests/asn.1/trval_reference.out
===================================================================
--- trunk/src/tests/asn.1/trval_reference.out 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/trval_reference.out 2009-10-09 18:29:34 UTC (rev 22875)
@@ -1263,3 +1263,23 @@
. . [0] [Integer] 1
. . [1] [Octet String] "1234"
+encode_krb5_ad_kdcissued:
+
+[Sequence/Sequence Of]
+. [0] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Octet String] "1234"
+. [1] [General string] "ATHENA.MIT.EDU"
+. [2] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Sequence/Sequence Of]
+. . . [General string] "hftsai"
+. . . [General string] "extra"
+. [3] [Sequence/Sequence Of]
+. . [Sequence/Sequence Of]
+. . . [0] [Integer] 1
+. . . [1] [Octet String] "foobar"
+. . [Sequence/Sequence Of]
+. . . [0] [Integer] 1
+. . . [1] [Octet String] "foobar"
+
Modified: trunk/src/tests/gssapi/Makefile.in
===================================================================
--- trunk/src/tests/gssapi/Makefile.in 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/gssapi/Makefile.in 2009-10-09 18:29:34 UTC (rev 22875)
@@ -6,18 +6,19 @@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-SRCS= $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c
+SRCS= $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c $(srcdir)/t_namingexts.c
-OBJS= t_imp_name.o t_s4u.o
+OBJS= t_imp_name.o t_s4u.o t_namingexts.o
-all:: t_imp_name t_s4u
+all:: t_imp_name t_s4u t_namingexts
t_imp_name: t_imp_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o t_imp_name t_imp_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-
+t_namingexts: t_namingexts.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o t_namingexts t_namingexts.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
t_s4u: t_s4u.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o t_s4u t_s4u.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
clean::
- $(RM) t_imp_name t_s4u
+ $(RM) t_imp_name t_s4u t_namingexts
Copied: trunk/src/tests/gssapi/t_namingexts.c (from rev 22872, users/lhoward/authdata/src/tests/gssapi/t_namingexts.c)
Modified: trunk/src/tests/gssapi/t_s4u.c
===================================================================
--- trunk/src/tests/gssapi/t_s4u.c 2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/gssapi/t_s4u.c 2009-10-09 18:29:34 UTC (rev 22875)
@@ -59,7 +59,7 @@
static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
-int use_spnego = 0;
+static int use_spnego = 0;
static void displayStatus_1(m, code, type)
char *m;
@@ -140,7 +140,135 @@
return GSS_S_COMPLETE;
}
+static void
+dumpAttribute(OM_uint32 *minor,
+ gss_name_t name,
+ gss_buffer_t attribute,
+ int noisy)
+{
+ OM_uint32 major, tmp_minor;
+ gss_buffer_desc value;
+ gss_buffer_desc display_value;
+ int authenticated = 0;
+ int complete = 0;
+ int more = -1;
+ unsigned int i;
+
+ while (more != 0) {
+ value.value = NULL;
+ display_value.value = NULL;
+
+ major = gss_get_name_attribute(minor,
+ name,
+ attribute,
+ &authenticated,
+ &complete,
+ &value,
+ &display_value,
+ &more);
+ if (GSS_ERROR(major)) {
+ displayStatus("gss_get_name_attribute", major, *minor);
+ break;
+ }
+
+ printf("Attribute %.*s %s %s\n\n%.*s\n",
+ (int)attribute->length, (char *)attribute->value,
+ authenticated ? "Authenticated" : "",
+ complete ? "Complete" : "",
+ (int)display_value.length, (char *)display_value.value);
+
+ if (noisy) {
+ for (i = 0; i < value.length; i++) {
+ if ((i % 32) == 0)
+ printf("\n");
+ printf("%02x", ((char *)value.value)[i] & 0xFF);
+ }
+ printf("\n\n");
+ }
+
+ gss_release_buffer(&tmp_minor, &value);
+ gss_release_buffer(&tmp_minor, &display_value);
+ }
+}
+
static OM_uint32
+enumerateAttributes(OM_uint32 *minor,
+ gss_name_t name,
+ int noisy)
+{
+ OM_uint32 major, tmp_minor;
+ int name_is_MN;
+ gss_OID mech = GSS_C_NO_OID;
+ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
+ unsigned int i;
+
+ major = gss_inquire_name(minor,
+ name,
+ &name_is_MN,
+ &mech,
+ &attrs);
+ if (GSS_ERROR(major)) {
+ displayStatus("gss_inquire_name", major, *minor);
+ return major;
+ }
+
+ if (attrs != GSS_C_NO_BUFFER_SET) {
+ for (i = 0; i < attrs->count; i++)
+ dumpAttribute(minor, name, &attrs->elements[i], noisy);
+ }
+
+ gss_release_oid(&tmp_minor, &mech);
+ gss_release_buffer_set(&tmp_minor, &attrs);
+
+ return major;
+}
+
+static OM_uint32
+testGreetAuthzData(OM_uint32 *minor,
+ gss_name_t *name)
+{
+ OM_uint32 major, tmp_minor;
+ gss_buffer_desc attr;
+ gss_buffer_desc value;
+ gss_name_t canon;
+
+ major = gss_canonicalize_name(minor,
+ *name,
+ (gss_OID)gss_mech_krb5,
+ &canon);
+ if (GSS_ERROR(major)) {
+ displayStatus("gss_canonicalize_name", major, *minor);
+ return major;
+ }
+
+ attr.value = "greet:greeting";
+ attr.length = strlen((char *)attr.value);
+
+ value.value = "Hello, acceptor world!";
+ value.length = strlen((char *)value.value);
+
+ major = gss_set_name_attribute(minor,
+ canon,
+ 1,
+ &attr,
+ &value);
+ if (major == GSS_S_UNAVAILABLE)
+ major = GSS_S_COMPLETE;
+ else if (GSS_ERROR(major))
+ displayStatus("gss_set_name_attribute", major, *minor);
+ else {
+ gss_release_name(&tmp_minor, name);
+ *name = canon;
+ canon = GSS_C_NO_NAME;
+ }
+
+ if (canon != GSS_C_NO_NAME)
+ gss_release_name(&tmp_minor, &canon);
+
+ return GSS_S_COMPLETE;
+}
+
+static OM_uint32
initAcceptSecContext(OM_uint32 *minor,
gss_cred_id_t claimant_cred_handle,
gss_cred_id_t verifier_cred_handle,
@@ -217,6 +345,7 @@
else {
displayCanonName(minor, source_name, "Source name");
displayOID(minor, mech, "Source mech");
+ enumerateAttributes(minor, source_name, 1);
}
(void) gss_release_name(&tmp_minor, &source_name);
@@ -367,6 +496,10 @@
printf("Protocol transition tests follow\n");
printf("-----------------------------------\n\n");
+ major = testGreetAuthzData(&minor, &user);
+ if (GSS_ERROR(major))
+ goto out;
+
/* get S4U2Self cred */
major = gss_acquire_cred_impersonate_name(&minor,
impersonator_cred_handle,
Property changes on: trunk/src/plugins/authdata/greet_client
___________________________________________________________________
Name: svn:ignore
+ Makefile
Copied: trunk/src/plugins/authdata/greet_server (from rev 22872, users/lhoward/authdata/src/plugins/authdata/greet_server)
Property changes on: trunk/src/plugins/authdata/greet_server
___________________________________________________________________
Name: svn:ignore
+ Makefile
More information about the cvs-krb5
mailing list