svn rev #22736: trunk/src/ clients/kvno/ include/ include/krb5/ kadmin/cli/ kdc/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Sat Sep 12 22:52:25 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22736
Commit By: ghudson
Log Message:
ticket: 6563
subject: Implement s4u extensions
Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self
and S4U2Proxy extensions.
Changed Files:
U trunk/src/clients/kvno/kvno.M
U trunk/src/clients/kvno/kvno.c
U trunk/src/include/k5-int.h
U trunk/src/include/kdb.h
U trunk/src/include/kdb_ext.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/kadmin/cli/kadmin.c
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/kdc_authdata.c
U trunk/src/kdc/kdc_preauth.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
A trunk/src/lib/crypto/krb/enc_provider/
U trunk/src/lib/gssapi/generic/gssapi_ext.h
U trunk/src/lib/gssapi/krb5/Makefile.in
U trunk/src/lib/gssapi/krb5/accept_sec_context.c
U trunk/src/lib/gssapi/krb5/acquire_cred.c
U trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
U trunk/src/lib/gssapi/krb5/gssapi_krb5.c
U trunk/src/lib/gssapi/krb5/import_name.c
U trunk/src/lib/gssapi/krb5/init_sec_context.c
U trunk/src/lib/gssapi/krb5/krb5_gss_glue.c
A trunk/src/lib/gssapi/krb5/s4u_gss_glue.c
U trunk/src/lib/gssapi/krb5/val_cred.c
U trunk/src/lib/gssapi/libgssapi_krb5.exports
U trunk/src/lib/gssapi/mechglue/Makefile.in
U trunk/src/lib/gssapi/mechglue/g_accept_sec_context.c
U trunk/src/lib/gssapi/mechglue/g_acquire_cred.c
A trunk/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
U trunk/src/lib/gssapi/mechglue/g_glue.c
U trunk/src/lib/gssapi/mechglue/g_initialize.c
U trunk/src/lib/gssapi/mechglue/g_set_context_option.c
U trunk/src/lib/gssapi/mechglue/mglueP.h
U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U trunk/src/lib/gssapi/spnego/spnego_mech.c
U trunk/src/lib/kadm5/str_conv.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.h
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U trunk/src/lib/krb5/asn.1/krb5_decode.c
U trunk/src/lib/krb5/krb/Makefile.in
U trunk/src/lib/krb5/krb/gc_frm_kdc.c
U trunk/src/lib/krb5/krb/gc_via_tkt.c
U trunk/src/lib/krb5/krb/get_creds.c
U trunk/src/lib/krb5/krb/get_in_tkt.c
U trunk/src/lib/krb5/krb/int-proto.h
U trunk/src/lib/krb5/krb/kfree.c
U trunk/src/lib/krb5/krb/preauth2.c
A trunk/src/lib/krb5/krb/s4u_creds.c
U trunk/src/lib/krb5/krb/send_tgs.c
U trunk/src/lib/krb5/krb/srv_dec_tkt.c
U trunk/src/lib/krb5/libkrb5.exports
U trunk/src/lib/krb5/os/sendto_kdc.c
U trunk/src/slave/kproplog.c
U trunk/src/tests/asn.1/krb5_decode_leak.c
U trunk/src/tests/asn.1/krb5_decode_test.c
U trunk/src/tests/asn.1/krb5_encode_test.c
U trunk/src/tests/asn.1/ktest.c
U trunk/src/tests/asn.1/ktest.h
U trunk/src/tests/asn.1/ktest_equal.c
U trunk/src/tests/asn.1/ktest_equal.h
U trunk/src/tests/asn.1/reference_encode.out
U trunk/src/tests/asn.1/trval_reference.out
U trunk/src/tests/gssapi/Makefile.in
A trunk/src/tests/gssapi/t_s4u.c
Modified: trunk/src/clients/kvno/kvno.M
===================================================================
--- trunk/src/clients/kvno/kvno.M 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/clients/kvno/kvno.M 2009-09-13 02:52:23 UTC (rev 22736)
@@ -51,6 +51,13 @@
.B \-h
prints a usage statement and exits
.TP
+.B \-P
+specifies that the
+.B service1 service2 ...
+arguments are to be treated as services for which credentials should
+be acquired using constrained delegation. This option is only valid
+when used in conjunction with protocol transition.
+.TP
.B \-S sname
specifies that krb5_sname_to_principal() will be used to build
principal names. If this flag is specified, the
@@ -59,6 +66,13 @@
and
.B sname
is interpreted as the service name.
+.TP
+.B \-U for_user
+specifies that protocol transition (S4U2Self) is to be used to acquire
+a ticket on behalf of
+.B for_user.
+If constrained delegation is not requested, the service name
+must match the credentials cache client principal.
.SH ENVIRONMENT
.B Kvno
uses the following environment variable:
Modified: trunk/src/clients/kvno/kvno.c
===================================================================
--- trunk/src/clients/kvno/kvno.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/clients/kvno/kvno.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -39,8 +39,9 @@
static void xusage()
{
- fprintf(stderr, "usage: %s [-C] [-u] [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n",
- prog);
+ fprintf(stderr, "usage: %s [-C] [-u] [-c ccache] [-e etype]\n", prog);
+ fprintf(stderr, "\t[-k keytab] [-S sname] [-U for_user [-P]]\n");
+ fprintf(stderr, "\tservice1 service2 ...\n");
exit(1);
}
@@ -48,7 +49,8 @@
static void do_v5_kvno (int argc, char *argv[],
char *ccachestr, char *etypestr, char *keytab_name,
- char *sname, int canon, int unknown);
+ char *sname, int canon, int unknown,
+ char *for_user, int proxy);
#include <com_err.h>
static void extended_com_err_fn (const char *, errcode_t, const char *,
@@ -58,8 +60,8 @@
{
int option;
char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
- char *sname = NULL;
- int canon = 0, unknown = 0;
+ char *sname = NULL, *for_user = NULL;
+ int canon = 0, unknown = 0, proxy = 0;
set_com_err_hook (extended_com_err_fn);
@@ -67,7 +69,7 @@
prog = strrchr(argv[0], '/');
prog = prog ? (prog + 1) : argv[0];
- while ((option = getopt(argc, argv, "uCc:e:hk:qS:")) != -1) {
+ while ((option = getopt(argc, argv, "uCc:e:hk:qPS:U:")) != -1) {
switch (option) {
case 'C':
canon = 1;
@@ -87,6 +89,9 @@
case 'q':
quiet = 1;
break;
+ case 'P':
+ proxy = 1; /* S4U2Proxy - constrained delegation */
+ break;
case 'S':
sname = optarg;
if (unknown == 1){
@@ -101,21 +106,37 @@
xusage();
}
break;
+ case 'U':
+ for_user = optarg; /* S4U2Self - protocol transition */
+ break;
default:
xusage();
break;
}
}
+ if (proxy) {
+ if (keytab_name == NULL) {
+ fprintf(stderr, "Option -P (constrained delegation) "
+ "requires keytab to be specified\n");
+ xusage();
+ } else if (for_user == NULL) {
+ fprintf(stderr, "Option -P (constrained delegation) requires "
+ "option -U (protocol transition)\n");
+ xusage();
+ }
+ }
+
if ((argc - optind) < 1)
xusage();
do_v5_kvno(argc - optind, argv + optind,
- ccachestr, etypestr, keytab_name, sname, canon, unknown);
+ ccachestr, etypestr, keytab_name, sname,
+ canon, unknown, for_user, proxy);
return 0;
}
-#include <krb5.h>
+#include <k5-int.h>
static krb5_context context;
static void extended_com_err_fn (const char *myprog, errcode_t code,
const char *fmt, va_list args)
@@ -130,17 +151,18 @@
static void do_v5_kvno (int count, char *names[],
char * ccachestr, char *etypestr, char *keytab_name,
- char *sname, int canon, int unknown)
+ char *sname, int canon, int unknown, char *for_user,
+ int proxy)
{
krb5_error_code ret;
int i, errors;
krb5_enctype etype;
krb5_ccache ccache;
krb5_principal me;
- krb5_creds in_creds, *out_creds;
- krb5_ticket *ticket;
- char *princ;
+ krb5_creds in_creds;
krb5_keytab keytab = NULL;
+ krb5_principal for_user_princ = NULL;
+ krb5_flags options;
ret = krb5_init_context(&context);
if (ret) {
@@ -175,6 +197,16 @@
}
}
+ if (for_user) {
+ ret = krb5_parse_name_flags(context, for_user,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+ &for_user_princ);
+ if (ret) {
+ com_err(prog, ret, "while parsing principal name %s", for_user);
+ exit(1);
+ }
+ }
+
ret = krb5_cc_get_principal(context, ccache, &me);
if (ret) {
com_err(prog, ret, "while getting client principal name");
@@ -183,91 +215,131 @@
errors = 0;
+ options = 0;
+ if (canon)
+ options |= KRB5_GC_CANONICALIZE;
+
for (i = 0; i < count; i++) {
+ krb5_principal server = NULL;
+ krb5_ticket *ticket = NULL;
+ krb5_creds *out_creds = NULL;
+ char *princ = NULL;
+
memset(&in_creds, 0, sizeof(in_creds));
- in_creds.client = me;
-
if (sname != NULL) {
ret = krb5_sname_to_principal(context, names[i],
sname, KRB5_NT_SRV_HST,
- &in_creds.server);
+ &server);
} else {
- ret = krb5_parse_name(context, names[i], &in_creds.server);
+ ret = krb5_parse_name(context, names[i], &server);
}
if (ret) {
if (!quiet)
com_err(prog, ret, "while parsing principal name %s", names[i]);
- errors++;
- continue;
+ goto error;
}
if (unknown == 1) {
- krb5_princ_type(context, in_creds.server) = KRB5_NT_UNKNOWN;
+ krb5_princ_type(context, server) = KRB5_NT_UNKNOWN;
}
- ret = krb5_unparse_name(context, in_creds.server, &princ);
+ ret = krb5_unparse_name(context, server, &princ);
if (ret) {
com_err(prog, ret,
"while formatting parsed principal name for '%s'",
names[i]);
- errors++;
- continue;
+ goto error;
}
in_creds.keyblock.enctype = etype;
- ret = krb5_get_credentials(context, canon ? KRB5_GC_CANONICALIZE : 0,
- ccache, &in_creds, &out_creds);
+ if (for_user) {
+ if (!proxy &&
+ !krb5_principal_compare(context, me, server)) {
+ com_err(prog, EINVAL,
+ "client and server principal names must match");
+ goto error;
+ }
- krb5_free_principal(context, in_creds.server);
+ in_creds.client = for_user_princ;
+ in_creds.server = me;
+ ret = krb5_get_credentials_for_user(context, options, ccache,
+ &in_creds, NULL, &out_creds);
+ } else {
+ in_creds.client = me;
+ in_creds.server = server;
+ ret = krb5_get_credentials(context, options, ccache,
+ &in_creds, &out_creds);
+ }
+
if (ret) {
com_err(prog, ret, "while getting credentials for %s", princ);
-
- krb5_free_unparsed_name(context, princ);
-
- errors++;
- continue;
+ goto error;
}
/* we need a native ticket */
ret = krb5_decode_ticket(&out_creds->ticket, &ticket);
if (ret) {
com_err(prog, ret, "while decoding ticket for %s", princ);
- krb5_free_creds(context, out_creds);
- krb5_free_unparsed_name(context, princ);
+ goto error;
+ }
- errors++;
- continue;
- }
-
if (keytab) {
ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket);
if (ret) {
- if (!quiet)
- printf("%s: kvno = %d, keytab entry invalid", princ, ticket->enc_part.kvno);
+ if (!quiet) {
+ fprintf(stderr, "%s: kvno = %d, keytab entry invalid\n",
+ princ, ticket->enc_part.kvno);
+ }
com_err(prog, ret, "while decrypting ticket for %s", princ);
- krb5_free_ticket(context, ticket);
+ goto error;
+ }
+ if (!quiet)
+ printf("%s: kvno = %d, keytab entry valid\n",
+ princ, ticket->enc_part.kvno);
+ if (proxy) {
krb5_free_creds(context, out_creds);
- krb5_free_unparsed_name(context, princ);
+ out_creds = NULL;
- errors++;
- continue;
+ in_creds.client = ticket->enc_part2->client;
+ in_creds.server = server;
+
+ ret = krb5_get_credentials_for_proxy(context,
+ KRB5_GC_CANONICALIZE,
+ ccache,
+ &in_creds,
+ ticket,
+ &out_creds);
+ if (ret) {
+ com_err(prog, ret,
+ "%s: constrained delegation failed", princ);
+ goto error;
+ }
}
- if (!quiet)
- printf("%s: kvno = %d, keytab entry valid\n", princ, ticket->enc_part.kvno);
} else {
if (!quiet)
printf("%s: kvno = %d\n", princ, ticket->enc_part.kvno);
}
- krb5_free_creds(context, out_creds);
- krb5_free_unparsed_name(context, princ);
+ continue;
+
+error:
+ if (server != NULL)
+ krb5_free_principal(context, server);
+ if (ticket != NULL)
+ krb5_free_ticket(context, ticket);
+ if (out_creds != NULL)
+ krb5_free_creds(context, out_creds);
+ if (princ != NULL)
+ krb5_free_unparsed_name(context, princ);
+ errors++;
}
if (keytab)
krb5_kt_close(context, keytab);
krb5_free_principal(context, me);
+ krb5_free_principal(context, for_user_princ);
krb5_cc_close(context, ccache);
krb5_free_context(context);
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/include/k5-int.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -966,6 +966,21 @@
krb5_data auth_package;
} krb5_pa_for_user;
+typedef struct _krb5_s4u_userid {
+ krb5_int32 nonce;
+ krb5_principal user;
+ krb5_data subject_cert;
+ krb5_flags options;
+} krb5_s4u_userid;
+
+#define KRB5_S4U_OPTS_CHECK_LOGON_HOURS 0x40000000 /* check logon hour restrictions */
+#define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE 0x20000000 /* sign with usage 27 instead of 26 */
+
+typedef struct _krb5_pa_s4u_x509_user {
+ krb5_s4u_userid user_id;
+ krb5_checksum cksum;
+} krb5_pa_s4u_x509_user;
+
enum {
KRB5_FAST_ARMOR_AP_REQUEST = 0x1
};
@@ -1295,6 +1310,10 @@
(krb5_context, krb5_pa_enc_ts *);
void KRB5_CALLCONV krb5_free_pa_for_user
(krb5_context, krb5_pa_for_user * );
+void KRB5_CALLCONV krb5_free_s4u_userid_contents
+ (krb5_context, krb5_s4u_userid * );
+void KRB5_CALLCONV krb5_free_pa_s4u_x509_user
+ (krb5_context, krb5_pa_s4u_x509_user * );
void KRB5_CALLCONV krb5_free_pa_svr_referral_data
(krb5_context, krb5_pa_svr_referral_data * );
void KRB5_CALLCONV krb5_free_pa_server_referral_data
@@ -1609,6 +1628,12 @@
krb5_error_code encode_krb5_pa_for_user
(const krb5_pa_for_user * , krb5_data **);
+krb5_error_code encode_krb5_s4u_userid
+ (const krb5_s4u_userid * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_s4u_x509_user
+ (const krb5_pa_s4u_x509_user * , krb5_data **);
+
krb5_error_code encode_krb5_pa_svr_referral_data
(const krb5_pa_svr_referral_data * , krb5_data **);
@@ -1778,6 +1803,9 @@
krb5_error_code decode_krb5_pa_for_user
(const krb5_data *, krb5_pa_for_user **);
+krb5_error_code decode_krb5_pa_s4u_x509_user
+ (const krb5_data *, krb5_pa_s4u_x509_user **);
+
krb5_error_code decode_krb5_pa_svr_referral_data
(const krb5_data *, krb5_pa_svr_referral_data **);
@@ -2606,6 +2634,11 @@
krb5_pa_data * const *,
const krb5_data *,
krb5_creds *,
+ krb5_error_code (*gcvt_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *gcvt_data,
krb5_response * , krb5_keyblock **subkey);
/* The subkey field is an output parameter; if a
* tgs-rep is received then the subkey will be filled
@@ -2796,6 +2829,21 @@
const krb5_keyblock *privsvr_key,
krb5_data *data);
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_data *cert,
+ krb5_creds **out_creds);
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_proxy(krb5_context context,
+ krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_ticket *evidence_tkt,
+ krb5_creds **out_creds);
+
krb5_error_code krb5int_parse_enctype_list(krb5_context context, char *profstr,
krb5_enctype *default_list,
krb5_enctype **result);
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/include/kdb.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -96,6 +96,8 @@
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
+#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* S4U2Self OK */
+#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/include/kdb_ext.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -31,10 +31,6 @@
#ifndef KRB5_KDB5_EXT__
#define KRB5_KDB5_EXT__
-/* Allowed to use protocol transition */
-#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000
-/* Service does not require authorization data */
-#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Private flag used to indicate principal is local TGS */
#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
/* Private flag used to indicate xrealm relationship is non-transitive */
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/include/krb5/krb5.hin 2009-09-13 02:52:23 UTC (rev 22736)
@@ -631,6 +631,11 @@
/* Defined in KDC referrals draft */
#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */
+
+/* Defined in [MS-SFU] */
+#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26 /* XXX note conflict with above */
+#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 /* XXX note conflict with above */
+
/* define in draft-ietf-krb-wg-preauth-framework*/
#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
#define KRB5_KEYUSAGE_FAST_ENC 51
@@ -1566,6 +1571,10 @@
#define KRB5_GC_USER_USER 1 /* want user-user ticket */
#define KRB5_GC_CACHED 2 /* want cached ticket only */
#define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
+#define KRB5_GC_NO_STORE 8 /* do not store in credentials cache */
+#define KRB5_GC_FORWARDABLE 16 /* acquire forwardable tickets */
+#define KRB5_GC_NO_TRANSIT_CHECK 32 /* disable transited check */
+#define KRB5_GC_CONSTRAINED_DELEGATION 64 /* constrained delegation */
krb5_error_code KRB5_CALLCONV krb5_get_credentials
(krb5_context,
Modified: trunk/src/kadmin/cli/kadmin.c
===================================================================
--- trunk/src/kadmin/cli/kadmin.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/kadmin/cli/kadmin.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -72,7 +72,9 @@
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
-{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 },
+{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 },
+{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0},
};
static char *prflags[] = {
@@ -97,6 +99,8 @@
"UNKNOWN_0x00040000", /* 0x00040000 */
"UNKNOWN_0x00080000", /* 0x00080000 */
"OK_AS_DELEGATE", /* 0x00100000 */
+ "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */
+ "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */
};
char *getenv();
@@ -1123,7 +1127,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
- "\t\tok_as_delegate\n"
+ "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
@@ -1140,7 +1144,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
- "\t\tok_as_delegate\n"
+ "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/kdc/do_tgs_req.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -117,7 +117,7 @@
krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */
krb5_db_entry client, krbtgt;
int c_nprincs = 0, k_nprincs = 0;
- krb5_pa_for_user *for_user = NULL; /* protocol transition request */
+ krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
char *s4u_name = NULL;
@@ -131,7 +131,7 @@
krb5_data scratch;
session_key.contents = NULL;
-
+
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
@@ -292,12 +292,20 @@
!krb5_principal_compare(kdc_context, tgs_server, server.princ);
/* Check for protocol transition */
- errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client,
- &server, header_enc_tkt->session, kdc_time,
- &for_user, &client, &c_nprincs, &status);
+ errcode = kdc_process_s4u2self_req(kdc_context,
+ request,
+ header_enc_tkt->client,
+ &server,
+ subkey,
+ header_enc_tkt->session,
+ kdc_time,
+ &s4u_x509_user,
+ &client,
+ &c_nprincs,
+ &status);
if (errcode)
goto cleanup;
- if (for_user != NULL)
+ if (s4u_x509_user != NULL)
setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
/*
@@ -438,19 +446,32 @@
/* processing of any of these flags. For example, some */
/* realms may refuse to issue renewable tickets */
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
+ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
- if (!krb5_is_tgs_principal(server.princ) &&
- is_local_principal(server.princ)) {
- if (isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
- setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- else
+
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
+ /*
+ * If S4U2Self principal is not forwardable, then mark ticket as
+ * unforwardable. This behaviour matches Windows, but it is
+ * different to the MIT AS-REQ path, which returns an error
+ * (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
+ *
+ * Consider this block the S4U2Self equivalent to
+ * validate_forwardable().
+ */
+ if (c_nprincs &&
+ isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ /*
+ * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
+ * S4U2Self in order for forwardable tickets to be returned.
+ */
+ else if (!is_referral &&
+ !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
- if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
+
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
@@ -560,7 +581,7 @@
enc_tkt_reply.times.starttime = 0;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
- errcode = krb5_unparse_name(kdc_context, for_user->user, &s4u_name);
+ errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user, &s4u_name);
} else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name);
} else {
@@ -670,8 +691,8 @@
enc_tkt_reply.authorization_data = NULL;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
- is_local_principal(header_enc_tkt->client))
- enc_tkt_reply.client = for_user->user;
+ !isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
+ enc_tkt_reply.client = s4u_x509_user->user_id.user;
else
enc_tkt_reply.client = header_enc_tkt->client;
@@ -685,7 +706,8 @@
&encrypting_key, /* U2U or server key */
pkt,
request,
- for_user ? for_user->user : NULL,
+ s4u_x509_user ?
+ s4u_x509_user->user_id.user : NULL,
header_enc_tkt,
&enc_tkt_reply);
if (errcode) {
@@ -845,6 +867,20 @@
/* Start assembling the response */
reply.msg_type = KRB5_TGS_REP;
reply.padata = 0;/* always */
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
+ find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) {
+ errcode = kdc_make_s4u2self_rep(kdc_context,
+ subkey,
+ header_ticket->enc_part2->session,
+ s4u_x509_user,
+ &reply,
+ &reply_encpart);
+ if (errcode) {
+ status = "KDC_RETURN_S4U2SELF_PADATA";
+ goto cleanup;
+ }
+ }
+
reply.client = enc_tkt_reply.client;
reply.enc_part.kvno = 0;/* We are using the session key */
reply.ticket = &ticket_reply;
@@ -958,14 +994,18 @@
krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs);
if (c_nprincs)
krb5_db_free_principal(kdc_context, &client, c_nprincs);
- if (for_user != NULL)
- krb5_free_pa_for_user(kdc_context, for_user);
+ if (s4u_x509_user != NULL)
+ krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
if (kdc_issued_auth_data != NULL)
krb5_free_authdata(kdc_context, kdc_issued_auth_data);
if (s4u_name != NULL)
free(s4u_name);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
+ if (reply.padata)
+ krb5_free_pa_data(kdc_context, reply.padata);
+ if (reply_encpart.enc_padata)
+ krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
return retval;
}
Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/kdc/kdc_authdata.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -544,9 +544,18 @@
}
if (ad_nprincs != 0) {
+ /*
+ * This code was submitted by Novell; however there is no
+ * mention in [MS-SFU] of needing to examine the authorization
+ * data to clear the forwardable flag. My understanding is that
+ * the state of the forwardable flag is propagated through the
+ * cross-realm TGTs.
+ */
+#if 0
if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE);
+#endif
krb5_db_free_principal(context, &ad_entry, ad_nprincs);
Modified: trunk/src/kdc/kdc_preauth.c
===================================================================
--- trunk/src/kdc/kdc_preauth.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/kdc/kdc_preauth.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -1349,25 +1349,6 @@
}
static krb5_boolean
-enctype_requires_etype_info_2(krb5_enctype enctype)
-{
- switch(enctype) {
- case ENCTYPE_DES_CBC_CRC:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES3_CBC_SHA1:
- case ENCTYPE_DES3_CBC_RAW:
- case ENCTYPE_ARCFOUR_HMAC:
- case ENCTYPE_ARCFOUR_HMAC_EXP :
- return 0;
- default:
- if (krb5_c_valid_enctype(enctype))
- return 1;
- else return 0;
- }
-}
-
-static krb5_boolean
request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
krb5_enctype enctype)
{
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/kdc/kdc_util.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -223,7 +223,7 @@
krb5_pa_data *
find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type)
{
-return krb5int_find_pa_data(kdc_context, padata, pa_type);
+ return krb5int_find_pa_data(kdc_context, padata, pa_type);
}
krb5_error_code
@@ -371,7 +371,8 @@
}
/* make sure the client is of proper lineage (see above) */
- if (foreign_server && !find_pa_data(request->padata, KRB5_PADATA_FOR_USER)) {
+ if (foreign_server &&
+ !find_pa_data(request->padata, KRB5_PADATA_FOR_USER)) {
if (is_local_principal((*ticket)->enc_part2->client)) {
/* someone in a foreign realm claiming to be local */
krb5_klog_syslog(LOG_INFO, "PROCESS_TGS: failed lineage check");
@@ -926,7 +927,8 @@
* as a com_err error number!
*/
#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\
-KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY)
+ KDC_OPT_VALIDATE | KDC_OPT_RENEW | \
+ KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)
int
validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
krb5_db_entry server, krb5_timestamp kdc_time,
@@ -998,17 +1000,9 @@
* preauthentication data is absent in the request.
*
* Hence, this check most be done after the check for preauth
- * data, and is now performed by validate_forwardable().
+ * data, and is now performed by validate_forwardable() (the
+ * contents of which were previously below).
*/
-#if 0
- /* Client and server must allow forwardable tickets */
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) &&
- (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) ||
- isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) {
- *status = "FORWARDABLE NOT ALLOWED";
- return(KDC_ERR_POLICY);
- }
-#endif
/* Client and server must allow renewable tickets */
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) &&
@@ -1793,7 +1787,7 @@
}
static krb5_error_code
-verify_s4u2self_checksum(krb5_context context,
+verify_for_user_checksum(krb5_context context,
krb5_keyblock *key,
krb5_pa_for_user *req)
{
@@ -1852,7 +1846,7 @@
&valid);
if (code == 0 && valid == FALSE)
- code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ code = KRB5KRB_AP_ERR_MODIFIED;
free(data.data);
@@ -1860,55 +1854,246 @@
}
/*
- * Protocol transition validation code based on AS-REQ
- * validation code
+ * Legacy protocol transition (Windows 2003 and above)
*/
-static int
-validate_s4u2self_request(krb5_kdc_req *request,
- const krb5_db_entry *client,
- krb5_timestamp kdc_time,
- const char **status)
+static krb5_error_code
+kdc_process_for_user(krb5_context context,
+ krb5_pa_data *pa_data,
+ krb5_keyblock *tgs_session,
+ krb5_pa_s4u_x509_user **s4u_x509_user,
+ const char **status)
{
- int errcode;
- krb5_db_entry server = { 0 };
-
- /* The client must not be expired */
- if (client->expiration && client->expiration < kdc_time) {
- *status = "CLIENT EXPIRED";
- return KDC_ERR_NAME_EXP;
+ krb5_error_code code;
+ krb5_pa_for_user *for_user;
+ krb5_data req_data;
+
+ req_data.length = pa_data->length;
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_for_user(&req_data, &for_user);
+ if (code)
+ return code;
+
+ code = verify_for_user_checksum(context, tgs_session, for_user);
+ if (code) {
+ *status = "INVALID_S4U2SELF_CHECKSUM";
+ krb5_free_pa_for_user(kdc_context, for_user);
+ return code;
}
- /* The client's password must not be expired, unless the server is
- a KRB5_KDC_PWCHANGE_SERVICE. */
- if (client->pw_expiration && client->pw_expiration < kdc_time) {
- *status = "CLIENT KEY EXPIRED";
- return KDC_ERR_KEY_EXP;
+ *s4u_x509_user = calloc(1, sizeof(krb5_pa_s4u_x509_user));
+ if (*s4u_x509_user == NULL) {
+ krb5_free_pa_for_user(kdc_context, for_user);
+ return ENOMEM;
}
+ (*s4u_x509_user)->user_id.user = for_user->user;
+ for_user->user = NULL;
+ krb5_free_pa_for_user(context, for_user);
+
+ return 0;
+}
+
+static krb5_error_code
+verify_s4u_x509_user_checksum(krb5_context context,
+ krb5_keyblock *key,
+ krb5_data *req_data,
+ krb5_int32 kdc_req_nonce,
+ krb5_pa_s4u_x509_user *req)
+{
+ krb5_error_code code;
+ krb5_data scratch;
+ krb5_boolean valid = FALSE;
+
+ if (enctype_requires_etype_info_2(key->enctype) &&
+ !krb5_c_is_keyed_cksum(req->cksum.checksum_type))
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+
+ if (req->user_id.nonce != kdc_req_nonce)
+ return KRB5KRB_AP_ERR_MODIFIED;
+
/*
- * If the client requires password changing, then return an
- * error; S4U2Self cannot be used to change a password.
+ * Verify checksum over the encoded userid. If that fails,
+ * re-encode, and verify that. This is similar to the
+ * behaviour in kdc_process_tgs_req().
*/
- if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
- *status = "REQUIRED PWCHANGE";
- return KDC_ERR_KEY_EXP;
+ if (fetch_asn1_field((unsigned char *)req_data->data, 1, 0, &scratch) < 0)
+ return ASN1_PARSE_ERROR;
+
+ code = krb5_c_verify_checksum(context,
+ key,
+ KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST,
+ &scratch,
+ &req->cksum,
+ &valid);
+ if (code != 0)
+ return code;
+
+ if (valid == FALSE) {
+ krb5_data *data;
+
+ code = encode_krb5_s4u_userid(&req->user_id, &data);
+ if (code != 0)
+ return code;
+
+ code = krb5_c_verify_checksum(context,
+ key,
+ KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST,
+ data,
+ &req->cksum,
+ &valid);
+
+ krb5_free_data(context, data);
+
+ if (code != 0)
+ return code;
}
- /* Check to see if client is locked out */
- if (isflagset(client->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
- *status = "CLIENT LOCKED OUT";
- return KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ return valid ? 0 : KRB5KRB_AP_ERR_MODIFIED;
+}
+
+/*
+ * New protocol transition request (Windows 2008 and above)
+ */
+static krb5_error_code
+kdc_process_s4u_x509_user(krb5_context context,
+ krb5_kdc_req *request,
+ krb5_pa_data *pa_data,
+ krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
+ krb5_pa_s4u_x509_user **s4u_x509_user,
+ const char **status)
+{
+ krb5_error_code code;
+ krb5_data req_data;
+
+ req_data.length = pa_data->length;
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+ if (code)
+ return code;
+
+ code = verify_s4u_x509_user_checksum(context,
+ tgs_subkey ? tgs_subkey :
+ tgs_session,
+ &req_data,
+ request->nonce, *s4u_x509_user);
+
+ if (code) {
+ *status = "INVALID_S4U2SELF_CHECKSUM";
+ krb5_free_pa_s4u_x509_user(context, *s4u_x509_user);
+ *s4u_x509_user = NULL;
+ return code;
}
+ if (krb5_princ_size(context, (*s4u_x509_user)->user_id.user) == 0 ||
+ (*s4u_x509_user)->user_id.subject_cert.length != 0) {
+ *status = "INVALID_S4U2SELF_REQUEST";
+ krb5_free_pa_s4u_x509_user(context, *s4u_x509_user);
+ *s4u_x509_user = NULL;
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
+
+ return 0;
+}
+
+krb5_error_code
+kdc_make_s4u2self_rep(krb5_context context,
+ krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
+ krb5_pa_s4u_x509_user *req_s4u_user,
+ krb5_kdc_rep *reply,
+ krb5_enc_kdc_rep_part *reply_encpart)
+{
+ krb5_error_code code;
+ krb5_data *data = NULL;
+ krb5_pa_s4u_x509_user rep_s4u_user;
+ krb5_pa_data padata;
+ krb5_enctype enctype;
+ krb5_keyusage usage;
+
+ memset(&rep_s4u_user, 0, sizeof(rep_s4u_user));
+
+ rep_s4u_user.user_id.nonce = req_s4u_user->user_id.nonce;
+ rep_s4u_user.user_id.user = req_s4u_user->user_id.user;
+ rep_s4u_user.user_id.options =
+ req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE;
+
+ code = encode_krb5_s4u_userid(&rep_s4u_user.user_id, &data);
+ if (code != 0)
+ goto cleanup;
+
+ if (req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE)
+ usage = KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY;
+ else
+ usage = KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST;
+
+ code = krb5_c_make_checksum(context, req_s4u_user->cksum.checksum_type,
+ tgs_subkey != NULL ? tgs_subkey : tgs_session,
+ usage, data,
+ &rep_s4u_user.cksum);
+ if (code != 0)
+ goto cleanup;
+
+ krb5_free_data(context, data);
+ data = NULL;
+
+ code = encode_krb5_pa_s4u_x509_user(&rep_s4u_user, &data);
+ if (code != 0)
+ goto cleanup;
+
+ padata.magic = KV5M_PA_DATA;
+ padata.pa_type = KRB5_PADATA_S4U_X509_USER;
+ padata.length = data->length;
+ padata.contents = (krb5_octet *)data->data;
+
+ code = add_pa_data_element(context, &padata, &reply->padata, FALSE);
+ if (code != 0)
+ goto cleanup;
+
+ free(data);
+ data = NULL;
+
+ if (tgs_subkey != NULL)
+ enctype = tgs_subkey->enctype;
+ else
+ enctype = tgs_session->enctype;
+
/*
- * Check against local policy
+ * Owing to a bug in Windows, unkeyed checksums were used for older
+ * enctypes, including rc4-hmac. A forthcoming workaround for this
+ * includes the checksum bytes in the encrypted padata.
*/
- errcode = against_local_policy_as(request, *client, server,
- kdc_time, status);
- if (errcode)
- return errcode;
+ if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) &&
+ enctype_requires_etype_info_2(enctype) == FALSE) {
+ padata.length = req_s4u_user->cksum.length +
+ rep_s4u_user.cksum.length;
+ padata.contents = malloc(padata.length);
+ if (padata.contents == NULL) {
+ code = ENOMEM;
+ goto cleanup;
+ }
- return 0;
+ memcpy(padata.contents,
+ req_s4u_user->cksum.contents,
+ req_s4u_user->cksum.length);
+ memcpy(&padata.contents[req_s4u_user->cksum.length],
+ rep_s4u_user.cksum.contents,
+ rep_s4u_user.cksum.length);
+
+ code = add_pa_data_element(context,&padata,
+ &reply_encpart->enc_padata, FALSE);
+ if (code != 0)
+ goto cleanup;
+ }
+
+cleanup:
+ if (rep_s4u_user.cksum.contents != NULL)
+ krb5_free_checksum_contents(context, &rep_s4u_user.cksum);
+ krb5_free_data(context, data);
+
+ return code;
}
/*
@@ -1919,92 +2104,116 @@
krb5_kdc_req *request,
krb5_const_principal client_princ,
const krb5_db_entry *server,
- krb5_keyblock *subkey,
+ krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
krb5_timestamp kdc_time,
- krb5_pa_for_user **for_user,
+ krb5_pa_s4u_x509_user **s4u_x509_user,
krb5_db_entry *princ,
int *nprincs,
const char **status)
{
krb5_error_code code;
- krb5_pa_data **pa_data;
- krb5_data req_data;
+ krb5_pa_data *pa_data;
krb5_boolean more;
+ int flags;
*nprincs = 0;
memset(princ, 0, sizeof(*princ));
- if (request->padata == NULL) {
- return 0;
+ pa_data = find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER);
+ if (pa_data != NULL) {
+ code = kdc_process_s4u_x509_user(context,
+ request,
+ pa_data,
+ tgs_subkey,
+ tgs_session,
+ s4u_x509_user,
+ status);
+ if (code != 0)
+ return code;
+ } else {
+ pa_data = find_pa_data(request->padata, KRB5_PADATA_FOR_USER);
+ if (pa_data != NULL) {
+ code = kdc_process_for_user(context,
+ pa_data,
+ tgs_session,
+ s4u_x509_user,
+ status);
+ if (code != 0)
+ return code;
+ } else
+ return 0;
}
- for (pa_data = request->padata; *pa_data != NULL; pa_data++) {
- if ((*pa_data)->pa_type == KRB5_PADATA_FOR_USER)
- break;
- }
- if (*pa_data == NULL) {
- return 0;
- }
-
-#if 0
/*
- * Ignore request if the server principal is a TGS, not so much
- * to avoid unconstrained tickets being issued (as that would
- * require knowing the TGS key anyway) but so that we do not
- * block the server referral path.
+ * We need to compare the client name in the TGT with the requested
+ * server name. Supporting server name aliases without assuming a
+ * global name service makes this difficult to do.
+ *
+ * The comparison below handles the following cases (note that the
+ * term "principal name" below excludes the realm).
+ *
+ * (1) The requested service is a host-based service with two name
+ * components, in which case we assume the principal name to
+ * contain sufficient qualifying information. The realm is
+ * ignored for the purpose of comparison.
+ *
+ * (2) The requested service name is an enterprise principal name:
+ * the service principal name is compared with the unparsed
+ * form of the client name (including its realm).
+ *
+ * (3) The requested service is some other name type: an exact
+ * match is required.
+ *
+ * An alternative would be to look up the server once again with
+ * FLAG_CANONICALIZE | FLAG_CLIENT_REFERRALS_ONLY set, do an exact
+ * match between the returned name and client_princ. However, this
+ * assumes that the client set FLAG_CANONICALIZE when requesting
+ * the TGT and that we have a global name service.
*/
- if (krb5_is_tgs_principal(server->princ)) {
- return 0;
+ flags = 0;
+ switch (krb5_princ_type(kdc_context, request->server)) {
+ case KRB5_NT_SRV_HST: /* (1) */
+ if (krb5_princ_size(kdc_context, request->server) == 2)
+ flags |= KRB5_PRINCIPAL_COMPARE_IGNORE_REALM;
+ break;
+ case KRB5_NT_ENTERPRISE_PRINCIPAL: /* (2) */
+ flags |= KRB5_PRINCIPAL_COMPARE_ENTERPRISE;
+ break;
+ default: /* (3) */
+ break;
}
-#endif
- *status = "PROCESS_S4U2SELF_REQUEST";
-
- req_data.length = (*pa_data)->length;
- req_data.data = (char *)(*pa_data)->contents;
-
- code = decode_krb5_pa_for_user(&req_data, for_user);
- if (code) {
- return code;
- }
-
- if (krb5_princ_type(context, (*for_user)->user) !=
- KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (!krb5_principal_compare_flags(context,
+ request->server,
+ client_princ,
+ flags)) {
*status = "INVALID_S4U2SELF_REQUEST";
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error code */
}
- code = verify_s4u2self_checksum(context, subkey, *for_user);
- if (code) {
- *status = "INVALID_S4U2SELF_CHECKSUM";
- krb5_free_pa_for_user(kdc_context, *for_user);
- *for_user = NULL;
- return code;
- }
- if (!krb5_principal_compare_flags(context, request->server, client_princ,
- KRB5_PRINCIPAL_COMPARE_ENTERPRISE)) {
- *status = "INVALID_S4U2SELF_REQUEST";
- return KRB5KDC_ERR_POLICY;
- }
-
/*
* Protocol transition is mutually exclusive with renew/forward/etc
- * as well as user-to-user and constrained delegation.
+ * as well as user-to-user and constrained delegation. This check
+ * is also made in validate_as_request().
*
* We can assert from this check that the header ticket was a TGT, as
* that is validated previously in validate_tgs_request().
*/
- if (request->kdc_options & (NO_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) {
+ if (request->kdc_options & AS_INVALID_OPTIONS) {
+ *status = "INVALID AS OPTIONS";
return KRB5KDC_ERR_BADOPTION;
}
/*
* Do not attempt to lookup principals in foreign realms.
*/
- if (is_local_principal((*for_user)->user)) {
+ if (is_local_principal((*s4u_x509_user)->user_id.user)) {
+ krb5_db_entry no_server;
+
*nprincs = 1;
code = krb5_db_get_principal_ext(kdc_context,
- (*for_user)->user,
+ (*s4u_x509_user)->user_id.user,
KRB5_KDB_FLAG_INCLUDE_PAC,
princ, nprincs, &more);
if (code) {
@@ -2021,14 +2230,15 @@
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
- code = validate_s4u2self_request(request, princ, kdc_time, status);
+ memset(&no_server, 0, sizeof(no_server));
+
+ code = validate_as_request(request, *princ,
+ no_server, kdc_time, status);
if (code) {
return code;
}
}
- *status = NULL;
-
return 0;
}
@@ -2049,7 +2259,7 @@
/* Must be in same realm */
if (!krb5_realm_compare(context, server->princ, proxy)) {
- return KRB5KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_POLICY;
}
req.server = server;
@@ -2345,3 +2555,63 @@
/* OpenSolaris: audit_krb5kdc_tgs_req_alt_tgt(...) */
}
+krb5_boolean
+enctype_requires_etype_info_2(krb5_enctype enctype)
+{
+ switch(enctype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES3_CBC_SHA1:
+ case ENCTYPE_DES3_CBC_RAW:
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP :
+ return 0;
+ default:
+ return krb5_c_valid_enctype(enctype);
+ }
+}
+
+/* XXX where are the generic helper routines for this? */
+krb5_error_code
+add_pa_data_element(krb5_context context,
+ krb5_pa_data *padata,
+ krb5_pa_data ***inout_padata,
+ krb5_boolean copy)
+{
+ int i;
+ krb5_pa_data **p;
+
+ if (*inout_padata != NULL) {
+ for (i = 0; (*inout_padata)[i] != NULL; i++)
+ ;
+ } else
+ i = 0;
+
+ p = realloc(*inout_padata, (i + 2) * sizeof(krb5_pa_data *));
+ if (p == NULL)
+ return ENOMEM;
+
+ *inout_padata = p;
+
+ p[i] = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
+ if (p[i] == NULL)
+ return ENOMEM;
+ *(p[i]) = *padata;
+
+ p[i + 1] = NULL;
+
+ if (copy) {
+ p[i]->contents = (krb5_octet *)malloc(padata->length);
+ if (p[i]->contents == NULL) {
+ free(p[i]);
+ p[i] = NULL;
+ return ENOMEM;
+ }
+
+ memcpy(p[i]->contents, padata->contents, padata->length);
+ }
+
+ return 0;
+}
+
Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/kdc/kdc_util.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -150,6 +150,8 @@
krb5_ticket *, const char **);
/* kdc_preauth.c */
+krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype);
+
const char * missing_required_preauth
(krb5_db_entry *client, krb5_db_entry *server,
krb5_enc_tkt_part *enc_tkt_reply);
@@ -177,6 +179,12 @@
krb5_pa_data *find_pa_data
(krb5_pa_data **padata, krb5_preauthtype pa_type);
+krb5_error_code add_pa_data_element
+ (krb5_context context,
+ krb5_pa_data *padata,
+ krb5_pa_data ***out_padata,
+ krb5_boolean copy);
+
/* kdc_authdata.c */
krb5_error_code load_authdata_plugins(krb5_context context);
krb5_error_code unload_authdata_plugins(krb5_context context);
@@ -239,13 +247,22 @@
krb5_kdc_req *request,
krb5_const_principal client_princ,
const krb5_db_entry *server,
- krb5_keyblock *subkey,
+ krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
krb5_timestamp kdc_time,
- krb5_pa_for_user **s4u2_req,
+ krb5_pa_s4u_x509_user **s4u2self_req,
krb5_db_entry *princ,
int *nprincs,
const char **status);
+krb5_error_code kdc_make_s4u2self_rep
+ (krb5_context context,
+ krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
+ krb5_pa_s4u_x509_user *req_s4u_user,
+ krb5_kdc_rep *reply,
+ krb5_enc_kdc_rep_part *reply_encpart);
+
krb5_error_code kdc_process_s4u2proxy_req
(krb5_context context,
krb5_kdc_req *request,
Copied: trunk/src/lib/crypto/krb/enc_provider (from rev 22735, users/lhoward/s4u/src/lib/crypto/krb/enc_provider)
Modified: trunk/src/lib/gssapi/generic/gssapi_ext.h
===================================================================
--- trunk/src/lib/gssapi/generic/gssapi_ext.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/generic/gssapi_ext.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -254,6 +254,37 @@
gss_iov_buffer_desc *, /* iov */
int); /* iov_count */
+
+/*
+ * Protocol transition
+ */
+OM_uint32 KRB5_CALLCONV
+gss_acquire_cred_impersonate_name(
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* impersonator_cred_handle */
+ const gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ const gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *); /* time_rec */
+
+OM_uint32 KRB5_CALLCONV
+gss_add_cred_impersonate_name(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ const gss_cred_id_t, /* impersonator_cred_handle */
+ const gss_name_t, /* desired_name */
+ const gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 *); /* acceptor_time_rec */
+
#ifdef __cplusplus
}
#endif
Modified: trunk/src/lib/gssapi/krb5/Makefile.in
===================================================================
--- trunk/src/lib/gssapi/krb5/Makefile.in 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/Makefile.in 2009-09-13 02:52:23 UTC (rev 22736)
@@ -73,6 +73,7 @@
$(srcdir)/rel_cred.c \
$(srcdir)/rel_oid.c \
$(srcdir)/rel_name.c \
+ $(srcdir)/s4u_gss_glue.c \
$(srcdir)/seal.c \
$(srcdir)/set_allowable_enctypes.c \
$(srcdir)/ser_sctx.c \
@@ -123,6 +124,7 @@
$(OUTPRE)rel_cred.$(OBJEXT) \
$(OUTPRE)rel_oid.$(OBJEXT) \
$(OUTPRE)rel_name.$(OBJEXT) \
+ $(OUTPRE)s4u_gss_glue.$(OBJEXT) \
$(OUTPRE)seal.$(OBJEXT) \
$(OUTPRE)set_allowable_enctypes.$(OBJEXT) \
$(OUTPRE)ser_sctx.$(OBJEXT) \
@@ -176,6 +178,7 @@
rel_cred.o \
rel_oid.o \
rel_name.o \
+ s4u_gss_glue.o \
seal.o \
set_allowable_enctypes.o \
ser_sctx.o \
Modified: trunk/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/accept_sec_context.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/accept_sec_context.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -114,6 +114,53 @@
#ifndef LEAN_CLIENT
+static OM_uint32
+create_constrained_deleg_creds(OM_uint32 *minor_status,
+ krb5_gss_cred_id_t verifier_cred_handle,
+ krb5_ticket *ticket,
+ krb5_gss_cred_id_t *out_cred,
+ krb5_context context)
+{
+ OM_uint32 major_status;
+ krb5_creds krb_creds;
+ krb5_data *data;
+ krb5_error_code code;
+
+ assert(out_cred != NULL);
+ assert(verifier_cred_handle->usage == GSS_C_BOTH);
+
+ memset(&krb_creds, 0, sizeof(krb_creds));
+ krb_creds.client = ticket->enc_part2->client;
+ krb_creds.server = ticket->server;
+ krb_creds.keyblock = *(ticket->enc_part2->session);
+ krb_creds.ticket_flags = ticket->enc_part2->flags;
+ krb_creds.times = ticket->enc_part2->times;
+ krb_creds.magic = KV5M_CREDS;
+ krb_creds.authdata = NULL;
+
+ code = encode_krb5_ticket(ticket, &data);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ krb_creds.ticket = *data;
+
+ major_status = kg_compose_deleg_cred(minor_status,
+ verifier_cred_handle,
+ &krb_creds,
+ GSS_C_INDEFINITE,
+ GSS_C_NO_OID_SET,
+ out_cred,
+ NULL,
+ NULL,
+ context);
+
+ krb5_free_data(context, data);
+
+ return major_status;
+}
+
/* Decode, decrypt and store the forwarded creds in the local ccache. */
static krb5_error_code
rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
@@ -866,6 +913,23 @@
ctx->krb_times = ticket->enc_part2->times; /* struct copy */
ctx->krb_flags = ticket->enc_part2->flags;
+ if (delegated_cred_handle != NULL &&
+ deleg_cred == NULL && /* no unconstrained delegation */
+ cred->usage == GSS_C_BOTH &&
+ (ticket->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
+ /*
+ * Now, we always fabricate a delegated credentials handle
+ * containing the service ticket to ourselves, which can be
+ * used for S4U2Proxy.
+ */
+ major_status = create_constrained_deleg_creds(minor_status, cred,
+ ticket, &deleg_cred,
+ context);
+ if (GSS_ERROR(major_status))
+ goto fail;
+ ctx->gss_flags |= GSS_C_DELEG_FLAG;
+ }
+
krb5_free_ticket(context, ticket); /* Done with ticket */
{
@@ -1055,8 +1119,8 @@
if (src_name)
*src_name = (gss_name_t) name;
- if (delegated_cred_handle && deleg_cred) {
- if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) {
+ if (delegated_cred_handle) {
+ if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) {
major_status = GSS_S_FAILURE;
code = G_VALIDATE_FAILED;
goto fail;
Modified: trunk/src/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/acquire_cred.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/acquire_cred.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -532,8 +532,8 @@
cred->usage = cred_usage;
cred->princ = NULL;
- cred->prerfc_mech = req_old;
- cred->rfc_mech = req_new;
+ cred->prerfc_mech = (req_old != 0);
+ cred->rfc_mech = (req_new != 0);
#ifndef LEAN_CLIENT
cred->keytab = NULL;
@@ -759,3 +759,4 @@
*minor_status = 0;
return GSS_S_COMPLETE;
}
+
Modified: trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -162,8 +162,9 @@
/* name/type of credential */
gss_cred_usage_t usage;
krb5_principal princ; /* this is not interned as a gss_name_t */
- int prerfc_mech;
- int rfc_mech;
+ unsigned int prerfc_mech : 1;
+ unsigned int rfc_mech : 1;
+ unsigned int proxy_cred : 1;
/* keytab (accept) data */
krb5_keytab keytab;
@@ -466,6 +467,29 @@
krb5_error_code kg_allocate_iov(gss_iov_buffer_t iov, size_t size);
+krb5_error_code
+krb5_to_gss_cred(krb5_context context,
+ krb5_creds *creds,
+ krb5_gss_cred_id_t *out_cred);
+
+OM_uint32
+kg_new_connection(
+ OM_uint32 *minor_status,
+ krb5_gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context,
+ int default_mech);
+
/** declarations of internal name mechanism functions **/
OM_uint32 krb5_gss_acquire_cred
@@ -766,6 +790,17 @@
gss_cred_id_t /* cred */
);
+OM_uint32 krb5_gss_acquire_cred_impersonate_name(
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* impersonator_cred_handle */
+ const gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ const gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *); /* time_rec */
+
OM_uint32
krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
gss_cred_id_t /* cred_handle */,
@@ -790,6 +825,19 @@
int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
+/* s4u_gss_glue.c */
+OM_uint32
+kg_compose_deleg_cred(OM_uint32 *minor_status,
+ krb5_gss_cred_id_t impersonator_cred,
+ krb5_creds *subject_creds,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ krb5_gss_cred_id_t *output_cred,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec,
+ krb5_context context);
+
+
/*
* These take unglued krb5-mech-specific contexts.
*/
Modified: trunk/src/lib/gssapi/krb5/gssapi_krb5.c
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -140,6 +140,7 @@
/* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */
{10, "\052\206\110\206\367\022\001\002\002\002"},
+
{ 0, 0 }
};
@@ -447,13 +448,11 @@
/*
* gss_set_sec_context_option() methods
*/
-#if 0
static struct {
gss_OID_desc oid;
OM_uint32 (*func)(OM_uint32 *, gss_ctx_id_t *, const gss_OID, const gss_buffer_t);
} krb5_gss_set_sec_context_option_ops[] = {
};
-#endif
static OM_uint32
krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
@@ -481,12 +480,8 @@
return GSS_S_NO_CONTEXT;
ctx = (krb5_gss_ctx_id_rec *) context_handle;
-
- if (!ctx->established)
- return GSS_S_NO_CONTEXT;
}
-#if 0
for (i = 0; i < sizeof(krb5_gss_set_sec_context_option_ops)/
sizeof(krb5_gss_set_sec_context_option_ops[0]); i++) {
if (g_OID_prefix_equal(desired_object, &krb5_gss_set_sec_context_option_ops[i].oid)) {
@@ -496,7 +491,6 @@
value);
}
}
-#endif
*minor_status = EINVAL;
@@ -521,7 +515,7 @@
{
{GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH, GSS_KRB5_SET_CRED_RCACHE_OID},
gss_krb5int_set_cred_rcache
- }
+ },
};
static OM_uint32
@@ -587,7 +581,7 @@
{
{GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, GSS_KRB5_USE_KDC_CONTEXT_OID},
krb5int_gss_use_kdc_context
- }
+ },
};
static OM_uint32
@@ -683,6 +677,8 @@
krb5_gss_unwrap_iov,
krb5_gss_wrap_iov_length,
NULL, /* complete_auth_token */
+ krb5_gss_acquire_cred_impersonate_name,
+ NULL, /* krb5_gss_add_cred_impersonate_name */
};
Modified: trunk/src/lib/gssapi/krb5/import_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/import_name.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/import_name.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -56,8 +56,7 @@
krb5_context context;
krb5_principal princ;
krb5_error_code code;
- unsigned char *cp, *end;
- char *stringrep, *tmp, *tmp2;
+ char *stringrep, *tmp, *tmp2, *cp;
OM_uint32 length;
#ifndef NO_PASSWORD
struct passwd *pw;
@@ -156,12 +155,7 @@
goto do_getpwuid;
#endif
} else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
-#define BOUNDS_CHECK(cp, end, n) do { if ((end) - (cp) < (n)) \
- goto fail_name; } while (0)
- cp = (unsigned char *)tmp;
- end = cp + input_name_buffer->length;
-
- BOUNDS_CHECK(cp, end, 4);
+ cp = tmp;
if (*cp++ != 0x04)
goto fail_name;
if (*cp++ != 0x01)
@@ -169,28 +163,20 @@
if (*cp++ != 0x00)
goto fail_name;
length = *cp++;
- if (length != (ssize_t)gss_mech_krb5->length+2)
+ if (length != gss_mech_krb5->length+2)
goto fail_name;
-
- BOUNDS_CHECK(cp, end, 2);
if (*cp++ != 0x06)
goto fail_name;
length = *cp++;
if (length != gss_mech_krb5->length)
goto fail_name;
-
- BOUNDS_CHECK(cp, end, length);
if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
goto fail_name;
cp += length;
-
- BOUNDS_CHECK(cp, end, 4);
length = *cp++;
length = (length << 8) | *cp++;
length = (length << 8) | *cp++;
length = (length << 8) | *cp++;
-
- BOUNDS_CHECK(cp, end, length);
tmp2 = malloc(length+1);
if (tmp2 == NULL) {
xfree(tmp);
@@ -198,7 +184,7 @@
krb5_free_context(context);
return GSS_S_FAILURE;
}
- strncpy(tmp2, (char *)cp, length);
+ strncpy(tmp2, cp, length);
tmp2[length] = 0;
stringrep = tmp2;
Modified: trunk/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/init_sec_context.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/init_sec_context.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -128,25 +128,69 @@
krb5_creds **out_creds;
{
krb5_error_code code;
- krb5_creds in_creds;
+ krb5_creds in_creds, evidence_creds;
+ krb5_flags flags = 0;
+ krb5_principal cc_princ = NULL;
k5_mutex_assert_locked(&cred->lock);
memset(&in_creds, 0, sizeof(krb5_creds));
+ memset(&evidence_creds, 0, sizeof(krb5_creds));
in_creds.client = in_creds.server = NULL;
- if ((code = krb5_copy_principal(context, cred->princ, &in_creds.client)))
+ if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
goto cleanup;
- if ((code = krb5_copy_principal(context, server, &in_creds.server)))
- goto cleanup;
+
+ /*
+ * Do constrained delegation if we have proxy credentials and
+ * we're not trying to get a ticket to ourselves (in which case
+ * we can just use the S4U2Self or evidence ticket directly).
+ */
+ if (cred->proxy_cred &&
+ !krb5_principal_compare(context, cc_princ, server)) {
+ krb5_creds mcreds;
+
+ flags |= KRB5_GC_CANONICALIZE |
+ KRB5_GC_NO_STORE |
+ KRB5_GC_CONSTRAINED_DELEGATION;
+
+ memset(&mcreds, 0, sizeof(mcreds));
+
+ mcreds.magic = KV5M_CREDS;
+ mcreds.times.endtime = cred->tgt_expire;
+ mcreds.server = cc_princ;
+ mcreds.client = cred->princ;
+
+ code = krb5_cc_retrieve_cred(context, cred->ccache,
+ KRB5_TC_MATCH_TIMES, &mcreds,
+ &evidence_creds);
+ if (code)
+ goto cleanup;
+
+ assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
+
+ in_creds.client = cc_princ;
+ in_creds.second_ticket = evidence_creds.ticket;
+ } else {
+ in_creds.client = cred->princ;
+ }
+
+ in_creds.server = server;
in_creds.times.endtime = endtime;
- in_creds.keyblock.enctype = 0;
-
- code = krb5_get_credentials(context, 0, cred->ccache,
+ code = krb5_get_credentials(context, flags, cred->ccache,
&in_creds, out_creds);
if (code)
goto cleanup;
+ if (flags & KRB5_GC_CONSTRAINED_DELEGATION) {
+ if (!krb5_principal_compare(context, cred->princ,
+ (*out_creds)->client)) {
+ /* server did not support constrained delegation */
+ code = KRB5_KDCREP_MODIFIED;
+ goto cleanup;
+ }
+ }
+
/*
* Enforce a stricter limit (without timeskew forgiveness at the
* boundaries) because accept_sec_context code is also similarly
@@ -159,10 +203,10 @@
}
cleanup:
- if (in_creds.client)
- krb5_free_principal(context, in_creds.client);
- if (in_creds.server)
- krb5_free_principal(context, in_creds.server);
+ if (cc_princ)
+ krb5_free_principal(context, cc_princ);
+ krb5_free_cred_contents(context, &evidence_creds);
+
return code;
}
struct gss_checksum_data {
@@ -390,8 +434,8 @@
*
* Do the grunt work of setting up a new context.
*/
-static OM_uint32
-new_connection(
+OM_uint32
+kg_new_connection(
OM_uint32 *minor_status,
krb5_gss_cred_id_t cred,
gss_ctx_id_t *context_handle,
@@ -931,12 +975,12 @@
/*SUPPRESS 29*/
if (*context_handle == GSS_C_NO_CONTEXT) {
- major_status = new_connection(minor_status, cred, context_handle,
- target_name, mech_type, req_flags,
- time_req, input_chan_bindings,
- input_token, actual_mech_type,
- output_token, ret_flags, time_rec,
- context, default_mech);
+ major_status = kg_new_connection(minor_status, cred, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context, default_mech);
k5_mutex_unlock(&cred->lock);
if (*context_handle == GSS_C_NO_CONTEXT) {
save_error_info (*minor_status, context);
Modified: trunk/src/lib/gssapi/krb5/krb5_gss_glue.c
===================================================================
--- trunk/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -416,3 +416,4 @@
return GSS_S_COMPLETE;
}
+
Copied: trunk/src/lib/gssapi/krb5/s4u_gss_glue.c (from rev 22735, users/lhoward/s4u/src/lib/gssapi/krb5/s4u_gss_glue.c)
Modified: trunk/src/lib/gssapi/krb5/val_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/val_cred.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/krb5/val_cred.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -58,7 +58,8 @@
*minor_status = code;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
- if (!krb5_principal_compare(context, princ, cred->princ)) {
+ if (!cred->proxy_cred &&
+ !krb5_principal_compare(context, princ, cred->princ)) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);
Modified: trunk/src/lib/gssapi/libgssapi_krb5.exports
===================================================================
--- trunk/src/lib/gssapi/libgssapi_krb5.exports 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/libgssapi_krb5.exports 2009-09-13 02:52:23 UTC (rev 22736)
@@ -9,8 +9,10 @@
GSS_KRB5_NT_PRINCIPAL_NAME
gss_accept_sec_context
gss_acquire_cred
+gss_acquire_cred_impersonate_name
gss_add_buffer_set_member
gss_add_cred
+gss_add_cred_impersonate_name
gss_add_oid_set_member
gss_canonicalize_name
gss_compare_name
Modified: trunk/src/lib/gssapi/mechglue/Makefile.in
===================================================================
--- trunk/src/lib/gssapi/mechglue/Makefile.in 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/mechglue/Makefile.in 2009-09-13 02:52:23 UTC (rev 22736)
@@ -14,6 +14,7 @@
SRCS = \
$(srcdir)/g_accept_sec_context.c \
$(srcdir)/g_acquire_cred.c \
+ $(srcdir)/g_acquire_cred_imp_name.c \
$(srcdir)/g_buffer_set.c \
$(srcdir)/g_canon_name.c \
$(srcdir)/g_compare_name.c \
@@ -58,6 +59,7 @@
OBJS = \
$(OUTPRE)g_accept_sec_context.$(OBJEXT) \
$(OUTPRE)g_acquire_cred.$(OBJEXT) \
+ $(OUTPRE)g_acquire_cred_imp_name.$(OBJEXT) \
$(OUTPRE)g_buffer_set.$(OBJEXT) \
$(OUTPRE)g_canon_name.$(OBJEXT) \
$(OUTPRE)g_compare_name.$(OBJEXT) \
@@ -102,6 +104,7 @@
STLIBOBJS = \
g_accept_sec_context.o \
g_acquire_cred.o \
+ g_acquire_cred_imp_name.o \
g_buffer_set.o \
g_canon_name.o \
g_compare_name.o \
Modified: trunk/src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_accept_sec_context.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/mechglue/g_accept_sec_context.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -121,6 +121,7 @@
gss_name_t tmp_src_name = GSS_C_NO_NAME;
gss_OID_desc token_mech_type_desc;
gss_OID token_mech_type = &token_mech_type_desc;
+ gss_OID actual_mech = GSS_C_NO_OID;
gss_mechanism mech;
status = val_acc_sec_ctx_args(minor_status,
@@ -198,8 +199,8 @@
input_cred_handle,
input_token_buffer,
input_chan_bindings,
- &internal_name,
- mech_type,
+ src_name ? &internal_name : NULL,
+ &actual_mech,
output_token,
&temp_ret_flags,
time_rec,
@@ -222,110 +223,120 @@
* then call gss_import_name() to create
* the union name struct cast to src_name
*/
- if (internal_name != NULL) {
- temp_status = gssint_convert_name_to_union_name(
- &temp_minor_status, mech,
- internal_name, &tmp_src_name);
- if (temp_status != GSS_S_COMPLETE) {
- *minor_status = temp_minor_status;
- map_error(minor_status, mech);
- if (output_token->length)
- (void) gss_release_buffer(&temp_minor_status,
- output_token);
- if (internal_name != GSS_C_NO_NAME)
- mech->gss_release_name(
- &temp_minor_status,
- &internal_name);
- return (temp_status);
- }
- if (src_name != NULL) {
+ if (src_name != NULL) {
+ if (internal_name != GSS_C_NO_NAME) {
+ /* consumes internal_name regardless of success */
+ temp_status = gssint_convert_name_to_union_name(
+ &temp_minor_status, mech,
+ internal_name, &tmp_src_name);
+ if (temp_status != GSS_S_COMPLETE) {
+ *minor_status = temp_minor_status;
+ map_error(minor_status, mech);
+ if (output_token->length)
+ (void) gss_release_buffer(&temp_minor_status,
+ output_token);
+ return (temp_status);
+ }
*src_name = tmp_src_name;
- }
- } else if (src_name != NULL) {
- *src_name = GSS_C_NO_NAME;
+ } else
+ *src_name = GSS_C_NO_NAME;
}
+#define g_OID_prefix_equal(o1, o2) \
+ (((o1)->length >= (o2)->length) && \
+ (memcmp((o1)->elements, (o2)->elements, (o2)->length) == 0))
+
/* Ensure we're returning correct creds format */
if ((temp_ret_flags & GSS_C_DELEG_FLAG) &&
tmp_d_cred != GSS_C_NO_CREDENTIAL) {
- gss_union_cred_t d_u_cred = NULL;
+ if (actual_mech != GSS_C_NO_OID &&
+ !g_OID_prefix_equal(actual_mech, token_mech_type)) {
+ *d_cred = tmp_d_cred; /* unwrapped pseudo-mech */
+ } else {
+ gss_union_cred_t d_u_cred = NULL;
- d_u_cred = malloc(sizeof (gss_union_cred_desc));
- if (d_u_cred == NULL) {
- status = GSS_S_FAILURE;
- goto error_out;
- }
- (void) memset(d_u_cred, 0,
- sizeof (gss_union_cred_desc));
+ d_u_cred = malloc(sizeof (gss_union_cred_desc));
+ if (d_u_cred == NULL) {
+ status = GSS_S_FAILURE;
+ goto error_out;
+ }
+ (void) memset(d_u_cred, 0, sizeof (gss_union_cred_desc));
- d_u_cred->count = 1;
+ d_u_cred->count = 1;
- status = generic_gss_copy_oid(&temp_minor_status,
- token_mech_type,
- &d_u_cred->mechs_array);
+ status = generic_gss_copy_oid(&temp_minor_status,
+ token_mech_type,
+ &d_u_cred->mechs_array);
- if (status != GSS_S_COMPLETE) {
- free(d_u_cred);
- goto error_out;
- }
+ if (status != GSS_S_COMPLETE) {
+ free(d_u_cred);
+ goto error_out;
+ }
- d_u_cred->cred_array = malloc(sizeof (gss_cred_id_t));
- if (d_u_cred->cred_array != NULL) {
- d_u_cred->cred_array[0] = tmp_d_cred;
- } else {
- free(d_u_cred);
- status = GSS_S_FAILURE;
- goto error_out;
- }
+ d_u_cred->cred_array = malloc(sizeof(gss_cred_id_t));
+ if (d_u_cred->cred_array != NULL) {
+ d_u_cred->cred_array[0] = tmp_d_cred;
+ } else {
+ free(d_u_cred);
+ status = GSS_S_FAILURE;
+ goto error_out;
+ }
- internal_name = GSS_C_NO_NAME;
+ d_u_cred->auxinfo.creation_time = time(0);
+ d_u_cred->auxinfo.time_rec = 0;
+ d_u_cred->loopback = d_u_cred;
- d_u_cred->auxinfo.creation_time = time(0);
- d_u_cred->auxinfo.time_rec = 0;
- d_u_cred->loopback = d_u_cred;
+ internal_name = GSS_C_NO_NAME;
- if (mech->gss_inquire_cred) {
- status = mech->gss_inquire_cred(minor_status,
- tmp_d_cred,
- &internal_name,
- &d_u_cred->auxinfo.time_rec,
- &d_u_cred->auxinfo.cred_usage,
- NULL);
- if (status != GSS_S_COMPLETE)
- map_error(minor_status, mech);
- }
+ if (mech->gss_inquire_cred) {
+ status = mech->gss_inquire_cred(minor_status,
+ tmp_d_cred,
+ &internal_name,
+ &d_u_cred->auxinfo.time_rec,
+ &d_u_cred->auxinfo.cred_usage,
+ NULL);
+ if (status != GSS_S_COMPLETE)
+ map_error(minor_status, mech);
+ }
- if (internal_name != NULL) {
- temp_status = gssint_convert_name_to_union_name(
- &temp_minor_status, mech,
- internal_name, &tmp_src_name);
- if (temp_status != GSS_S_COMPLETE) {
- *minor_status = temp_minor_status;
- map_error(minor_status, mech);
- if (output_token->length)
- (void) gss_release_buffer(
+ if (internal_name != GSS_C_NO_NAME) {
+ /* consumes internal_name regardless of success */
+ temp_status = gssint_convert_name_to_union_name(
+ &temp_minor_status, mech,
+ internal_name, &tmp_src_name);
+ if (temp_status != GSS_S_COMPLETE) {
+ *minor_status = temp_minor_status;
+ map_error(minor_status, mech);
+ if (output_token->length)
+ (void) gss_release_buffer(
+ &temp_minor_status,
+ output_token);
+ (void) gss_release_oid(&temp_minor_status,
+ &actual_mech);
+ free(d_u_cred->cred_array);
+ free(d_u_cred);
+ return (temp_status);
+ }
+
+ if (tmp_src_name != GSS_C_NO_NAME) {
+ status = gss_display_name(
&temp_minor_status,
- output_token);
- free(d_u_cred->cred_array);
- free(d_u_cred);
- return (temp_status);
+ tmp_src_name,
+ &d_u_cred->auxinfo.name,
+ &d_u_cred->auxinfo.name_type);
+ (void) gss_release_name(&temp_minor_status,
+ &tmp_src_name);
+ }
}
- }
- if (tmp_src_name != NULL) {
- status = gss_display_name(
- &temp_minor_status,
- tmp_src_name,
- &d_u_cred->auxinfo.name,
- &d_u_cred->auxinfo.name_type);
+ *d_cred = (gss_cred_id_t)d_u_cred;
}
-
- *d_cred = (gss_cred_id_t)d_u_cred;
}
- if (src_name == NULL && tmp_src_name != NULL)
- (void) gss_release_name(&temp_minor_status,
- &tmp_src_name);
+ if (mech_type != NULL)
+ *mech_type = actual_mech;
+ else
+ (void) gss_release_oid(&temp_minor_status, &actual_mech);
if (ret_flags != NULL)
*ret_flags = temp_ret_flags;
return (status);
Modified: trunk/src/lib/gssapi/mechglue/g_acquire_cred.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_acquire_cred.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/mechglue/g_acquire_cred.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -2,7 +2,7 @@
/*
* Copyright 1996 by Sun Microsystems, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -12,7 +12,7 @@
* without specific, written prior permission. Sun Microsystems makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -35,42 +35,6 @@
#include <errno.h>
#include <time.h>
-static gss_OID_set
-create_actual_mechs(mechs_array, count)
- const gss_OID mechs_array;
- int count;
-{
- gss_OID_set actual_mechs;
- int i;
- OM_uint32 minor;
-
- actual_mechs = (gss_OID_set) malloc(sizeof(gss_OID_set_desc));
- if (!actual_mechs)
- return NULL;
-
- actual_mechs->elements = (gss_OID)
- malloc(sizeof (gss_OID_desc) * count);
- if (!actual_mechs->elements) {
- free(actual_mechs);
- return NULL;
- }
-
- actual_mechs->count = 0;
-
- for (i = 0; i < count; i++) {
- actual_mechs->elements[i].elements = (void *)
- malloc(mechs_array[i].length);
- if (actual_mechs->elements[i].elements == NULL) {
- (void) gss_release_oid_set(&minor, &actual_mechs);
- return (NULL);
- }
- g_OID_copy(&actual_mechs->elements[i], &mechs_array[i]);
- actual_mechs->count++;
- }
-
- return actual_mechs;
-}
-
static OM_uint32
val_acq_cred_args(
OM_uint32 *minor_status,
@@ -172,7 +136,7 @@
mech = gssint_get_mechanism(NULL);
if (mech == NULL)
return (GSS_S_BAD_MECH);
-
+
mechs = &default_OID_set;
default_OID_set.count = 1;
default_OID_set.elements = &default_OID;
@@ -234,12 +198,16 @@
* setup the actual mechs output parameter
*/
if (actual_mechs != NULL) {
- if ((*actual_mechs = create_actual_mechs(creds->mechs_array,
- creds->count)) == NULL) {
+ gss_OID_set_desc oids;
+
+ oids.count = creds->count;
+ oids.elements = creds->mechs_array;
+
+ major = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
+ if (GSS_ERROR(major)) {
(void) gss_release_cred(minor_status,
(gss_cred_id_t *)&creds);
- *minor_status = 0;
- return (GSS_S_FAILURE);
+ return (major);
}
}
@@ -312,7 +280,7 @@
gss_add_cred(minor_status, input_cred_handle,
desired_name, desired_mech, cred_usage,
initiator_time_req, acceptor_time_req,
- output_cred_handle, actual_mechs,
+ output_cred_handle, actual_mechs,
initiator_time_rec, acceptor_time_rec)
OM_uint32 *minor_status;
gss_cred_id_t input_cred_handle;
@@ -434,7 +402,7 @@
status = mech->gss_display_name(&temp_minor_status, internal_name,
&union_cred->auxinfo.name,
&union_cred->auxinfo.name_type);
-
+
if (status != GSS_S_COMPLETE)
goto errout;
}
@@ -475,10 +443,14 @@
g_OID_copy(&new_mechs_array[union_cred->count],
&mech->mech_type);
- if (actual_mechs) {
- *actual_mechs = create_actual_mechs(new_mechs_array,
- union_cred->count + 1);
- if (*actual_mechs == NULL) {
+ if (actual_mechs != NULL) {
+ gss_OID_set_desc oids;
+
+ oids.count = union_cred->count + 1;
+ oids.elements = new_mechs_array;
+
+ status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
+ if (GSS_ERROR(status)) {
free(new_mechs_array[union_cred->count].elements);
goto errout;
}
Copied: trunk/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c (from rev 22735, users/lhoward/s4u/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c)
Modified: trunk/src/lib/gssapi/mechglue/g_glue.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_glue.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/mechglue/g_glue.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -611,25 +611,9 @@
if (union_cred == GSS_C_NO_CREDENTIAL)
return GSS_C_NO_CREDENTIAL;
- /* SPNEGO mechanism will again call into GSSAPI */
- if (g_OID_equal(&gss_spnego_mechanism_oid_desc, mech_type))
- return (gss_cred_id_t)union_cred;
-
for (i=0; i < union_cred->count; i++) {
if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
return union_cred->cred_array[i];
-
- /* for SPNEGO, check the next-lower set of creds */
- if (g_OID_equal(&gss_spnego_mechanism_oid_desc, &union_cred->mechs_array[i])) {
- gss_union_cred_t candidate_cred;
- gss_cred_id_t sub_cred;
-
- candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];
- sub_cred = gssint_get_mechanism_cred(candidate_cred, mech_type);
-
- if(sub_cred != GSS_C_NO_CREDENTIAL)
- return sub_cred;
- }
}
return GSS_C_NO_CREDENTIAL;
}
Modified: trunk/src/lib/gssapi/mechglue/g_initialize.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_initialize.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/mechglue/g_initialize.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -761,6 +761,9 @@
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unwrap_iov);
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_iov_length);
GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_complete_auth_token);
+ /* New for 1.8 */
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_acquire_cred_impersonate_name);
+ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_add_cred_impersonate_name);
assert(mech_type != GSS_C_NO_OID);
Modified: trunk/src/lib/gssapi/mechglue/g_set_context_option.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_set_context_option.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/mechglue/g_set_context_option.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -70,8 +70,8 @@
}
status = mech->gss_set_sec_context_option(minor_status,
- ctx ? &internal_ctx :
- &ctx->internal_ctx_id,
+ ctx ? &ctx->internal_ctx_id :
+ &internal_ctx,
desired_object,
value);
if (status == GSS_S_COMPLETE) {
Modified: trunk/src/lib/gssapi/mechglue/mglueP.h
===================================================================
--- trunk/src/lib/gssapi/mechglue/mglueP.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/mechglue/mglueP.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -473,6 +473,37 @@
gss_buffer_t /* input_message_buffer */
);
+ /* New for 1.8 */
+
+ OM_uint32 (*gss_acquire_cred_impersonate_name)
+ (
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* impersonator_cred_handle */
+ const gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ const gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 * /* time_rec */
+ /* */);
+
+ OM_uint32 (*gss_add_cred_impersonate_name)
+ (
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ const gss_cred_id_t, /* impersonator_cred_handle */
+ const gss_name_t, /* desired_name */
+ const gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 * /* acceptor_time_rec */
+ /* */);
+
} *gss_mechanism;
/* This structure MUST NOT be used by any code outside libgss */
Modified: trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- trunk/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -218,6 +218,16 @@
gss_name_t * /* input_name */
);
+OM_uint32 spnego_gss_inquire_cred
+(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ int *, /* cred_usage */
+ gss_OID_set * /* mechanisms */
+);
+
OM_uint32 spnego_gss_inquire_names_for_mech
(
OM_uint32 *, /* minor_status */
@@ -333,6 +343,15 @@
);
OM_uint32
+spnego_gss_inquire_cred_by_oid
+(
+ OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set
+);
+
+OM_uint32
spnego_gss_set_sec_context_option
(
OM_uint32 *minor_status,
@@ -411,6 +430,18 @@
gss_buffer_t input_message_buffer
);
+OM_uint32
+spnego_gss_acquire_cred_impersonate_name(
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* impersonator_cred_handle */
+ const gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ const gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *); /* time_rec */
+
#ifdef __cplusplus
}
#endif
Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -231,7 +231,7 @@
spnego_gss_display_name,
spnego_gss_import_name,
spnego_gss_release_name,
- NULL, /* gss_inquire_cred */
+ spnego_gss_inquire_cred, /* gss_inquire_cred */
NULL, /* gss_add_cred */
#ifndef LEAN_CLIENT
spnego_gss_export_sec_context, /* gss_export_sec_context */
@@ -248,7 +248,7 @@
NULL, /* gss_export_name */
NULL, /* gss_store_cred */
spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */
- NULL, /* gss_inquire_cred_by_oid */
+ spnego_gss_inquire_cred_by_oid, /* gss_inquire_cred_by_oid */
spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */
NULL, /* gssspi_set_cred_option */
NULL, /* gssspi_mech_invoke */
@@ -257,7 +257,9 @@
spnego_gss_wrap_iov,
spnego_gss_unwrap_iov,
spnego_gss_wrap_iov_length,
- spnego_gss_complete_auth_token
+ spnego_gss_complete_auth_token,
+ spnego_gss_acquire_cred_impersonate_name,
+ NULL, /* gss_add_cred_impersonate_name */
};
#ifdef _GSS_STATIC_LINK
@@ -1787,6 +1789,76 @@
return (status);
}
+OM_uint32
+spnego_gss_inquire_cred(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ gss_name_t *name,
+ OM_uint32 *lifetime,
+ int *cred_usage,
+ gss_OID_set *mechanisms)
+{
+ OM_uint32 status;
+ gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;
+ OM_uint32 tmp_minor_status;
+ OM_uint32 initiator_lifetime, acceptor_lifetime;
+
+ dsyslog("Entering inquire_cred\n");
+
+ /*
+ * To avoid infinite recursion, if GSS_C_NO_CREDENTIAL is
+ * supplied we call gss_inquire_cred_by_mech() on the
+ * first non-SPNEGO mechanism.
+ */
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ status = get_available_mechs(minor_status,
+ GSS_C_NO_NAME,
+ GSS_C_BOTH,
+ &creds,
+ mechanisms);
+ if (status != GSS_S_COMPLETE) {
+ dsyslog("Leaving inquire_cred\n");
+ return (status);
+ }
+
+ if ((*mechanisms)->count == 0) {
+ gss_release_cred(&tmp_minor_status, &creds);
+ gss_release_oid_set(&tmp_minor_status, mechanisms);
+ dsyslog("Leaving inquire_cred\n");
+ return (GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+
+ assert((*mechanisms)->elements != NULL);
+
+ status = gss_inquire_cred_by_mech(minor_status,
+ creds,
+ &(*mechanisms)->elements[0],
+ name,
+ &initiator_lifetime,
+ &acceptor_lifetime,
+ cred_usage);
+ if (status != GSS_S_COMPLETE) {
+ gss_release_cred(&tmp_minor_status, &creds);
+ dsyslog("Leaving inquire_cred\n");
+ return (status);
+ }
+
+ if (lifetime != NULL)
+ *lifetime = (*cred_usage == GSS_C_ACCEPT) ?
+ acceptor_lifetime : initiator_lifetime;
+
+ gss_release_cred(&tmp_minor_status, &creds);
+ } else {
+ status = gss_inquire_cred(minor_status, cred_handle,
+ name, lifetime,
+ cred_usage, mechanisms);
+ }
+
+ dsyslog("Leaving inquire_cred\n");
+
+ return (status);
+}
+
/*ARGSUSED*/
OM_uint32
spnego_gss_compare_name(
@@ -1942,6 +2014,9 @@
*/
if (*ctx != NULL &&
(*ctx)->magic_num == SPNEGO_MAGIC_ID) {
+ (void) gss_delete_sec_context(minor_status,
+ &(*ctx)->ctx_handle,
+ output_token);
(void) release_spnego_ctx(ctx);
} else {
ret = gss_delete_sec_context(minor_status,
@@ -2088,6 +2163,21 @@
}
OM_uint32
+spnego_gss_inquire_cred_by_oid(
+ OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ OM_uint32 ret;
+ ret = gss_inquire_cred_by_oid(minor_status,
+ cred_handle,
+ desired_object,
+ data_set);
+ return (ret);
+}
+
+OM_uint32
spnego_gss_set_sec_context_option(
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
@@ -2217,6 +2307,53 @@
return (ret);
}
+OM_uint32
+spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+ const gss_cred_id_t impersonator_cred_handle,
+ gss_name_t desired_name,
+ OM_uint32 time_req,
+ gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec)
+{
+ OM_uint32 status;
+ gss_OID_set amechs = GSS_C_NULL_OID_SET;
+
+ dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
+
+ if (actual_mechs)
+ *actual_mechs = NULL;
+
+ if (time_rec)
+ *time_rec = 0;
+
+ if (desired_mechs == GSS_C_NO_OID_SET) {
+ status = gss_inquire_cred(minor_status,
+ impersonator_cred_handle,
+ NULL, NULL,
+ NULL, &amechs);
+ if (status != GSS_S_COMPLETE)
+ return status;
+
+ desired_mechs = amechs;
+ }
+
+ status = gss_acquire_cred_impersonate_name(minor_status,
+ impersonator_cred_handle,
+ desired_name, time_req,
+ desired_mechs, cred_usage,
+ output_cred_handle, actual_mechs,
+ time_rec);
+
+ if (amechs != GSS_C_NULL_OID_SET)
+ (void) gss_release_oid_set(minor_status, &amechs);
+
+ dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
+ return (status);
+}
+
/*
* We will release everything but the ctx_handle so that it
* can be passed back to init/accept context. This routine should
Modified: trunk/src/lib/kadm5/str_conv.c
===================================================================
--- trunk/src/lib/kadm5/str_conv.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/kadm5/str_conv.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -78,6 +78,8 @@
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
static const char flags_md5_in[] = "md5";
+static const char flags_ok_to_auth_as_delegate_in[] = "ok-to-auth-as-delegate";
+static const char flags_no_auth_data_required_in[] = "no-auth-data-required";
static const char flags_pdate_out[] = "Not Postdateable";
static const char flags_fwd_out[] = "Not Forwardable";
static const char flags_tgtbased_out[] = "No TGT-based requests";
@@ -85,13 +87,15 @@
static const char flags_proxy_out[] = "Not proxiable";
static const char flags_dup_skey_out[] = "No DUP_SKEY requests";
static const char flags_tickets_out[] = "All Tickets Disallowed";
-static const char flags_preauth_out[] = "Preauthorization required";
-static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_preauth_out[] = "Preauthentication required";
+static const char flags_hwauth_out[] = "HW authentication required";
static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
static const char flags_md5_out[] = "RSA-MD5 supported";
+static const char flags_ok_to_auth_as_delegate_out[] = "Protocol transition with delegation allowed";
+static const char flags_no_auth_data_required_out[] = "No authorization data required";
static const char flags_default_neg[] = "-";
static const char flags_default_sep[] = " ";
@@ -115,7 +119,9 @@
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
-{ KRB5_KDB_SUPPORT_DESMD5, 1, flags_md5_in, flags_md5_out }
+{ KRB5_KDB_SUPPORT_DESMD5, 1, flags_md5_in, flags_md5_out },
+{ KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 1, flags_ok_to_auth_as_delegate_in, flags_ok_to_auth_as_delegate_out },
+{ KRB5_KDB_NO_AUTH_DATA_REQUIRED, 1, flags_no_auth_data_required_in, flags_no_auth_data_required_out }
};
static const int flags_table_nents = sizeof(flags_table)/
sizeof(flags_table[0]);
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -1616,6 +1616,47 @@
return retval;
}
+asn1_error_code asn1_decode_s4u_userid(asn1buf *buf, krb5_s4u_userid *val)
+{
+ setup();
+ val->nonce = 0;
+ val->user = NULL;
+ val->subject_cert.data = NULL;
+ val->options = 0;
+ { begin_structure();
+ get_field(val->nonce,0,asn1_decode_int32);
+ alloc_principal(val->user);
+ opt_field(val->user,1,asn1_decode_principal_name,0);
+ get_field(val->user,2,asn1_decode_realm);
+ opt_lenfield(val->subject_cert.length,val->subject_cert.data,3,asn1_decode_charstring);
+ opt_field(val->options,4,asn1_decode_krb5_flags,0);
+ end_structure();
+ }
+ return 0;
+error_out:
+ krb5_free_principal(NULL, val->user);
+ krb5_free_data_contents(NULL, &val->subject_cert);
+ val->user = NULL;
+ val->subject_cert.data = NULL;
+ return retval;
+}
+
+asn1_error_code asn1_decode_pa_s4u_x509_user(asn1buf *buf, krb5_pa_s4u_x509_user *val)
+{
+ setup();
+ val->cksum.contents = NULL;
+ { begin_structure();
+ get_field(val->user_id,0,asn1_decode_s4u_userid);
+ get_field(val->cksum,1,asn1_decode_checksum);
+ end_structure();
+ }
+ return 0;
+error_out:
+ krb5_free_s4u_userid_contents(NULL, &val->user_id);
+ krb5_free_checksum_contents(NULL, &val->cksum);
+ return retval;
+}
+
asn1_error_code asn1_decode_pa_pac_req(asn1buf *buf, krb5_pa_pac_req *val)
{
setup();
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.h
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -263,6 +263,10 @@
(asn1buf *buf, krb5_data *rep, krb5_principal *principal);
asn1_error_code asn1_decode_pa_for_user
(asn1buf *buf, krb5_pa_for_user *val);
+asn1_error_code asn1_decode_s4u_userid
+ (asn1buf *buf, krb5_s4u_userid *val);
+asn1_error_code asn1_decode_pa_s4u_x509_user
+ (asn1buf *buf, krb5_pa_s4u_x509_user *val);
asn1_error_code asn1_decode_pa_pac_req
(asn1buf *buf, krb5_pa_pac_req *val);
Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -263,6 +263,8 @@
optional |= (1u << 8);
if (val->caddrs != NULL && val->caddrs[0] != NULL)
optional |= (1u << 11);
+ if (val->enc_padata != NULL)
+ optional |= (1u << 12);
return optional;
}
@@ -1147,6 +1149,36 @@
DEFSEQTYPE(pa_for_user, krb5_pa_for_user, pa_for_user_fields, 0);
+/* [MS-SFU] Section 2.2.2. */
+static const struct field_info s4u_userid_fields[] = {
+ FIELDOF_NORM(krb5_s4u_userid, int32, nonce, 0),
+ FIELDOF_OPT(krb5_s4u_userid, principal, user, 1, 1),
+ FIELDOF_NORM(krb5_s4u_userid, realm_of_principal, user, 2),
+ FIELDOF_OPT(krb5_s4u_userid, ostring_data, subject_cert, 3, 3),
+ FIELDOF_OPT(krb5_s4u_userid, krb5_flags, options, 4, 4),
+};
+
+static unsigned int s4u_userid_optional (const void *p) {
+ const krb5_s4u_userid *val = p;
+ unsigned int optional = 0;
+ if (val->user != NULL && val->user->length != 0)
+ optional |= (1u)<<1;
+ if (val->subject_cert.length != 0)
+ optional |= (1u)<<3;
+ if (val->options != 0)
+ optional |= (1u)<<4;
+ return optional;
+}
+
+DEFSEQTYPE(s4u_userid, krb5_s4u_userid, s4u_userid_fields, s4u_userid_optional);
+
+static const struct field_info pa_s4u_x509_user_fields[] = {
+ FIELDOF_NORM(krb5_pa_s4u_x509_user, s4u_userid, user_id, 0),
+ FIELDOF_NORM(krb5_pa_s4u_x509_user, checksum, cksum, 1),
+};
+
+DEFSEQTYPE(pa_s4u_x509_user, krb5_pa_s4u_x509_user, pa_s4u_x509_user_fields, 0);
+
/* draft-ietf-krb-wg-kerberos-referrals Appendix A. */
static const struct field_info pa_svr_referral_data_fields[] = {
FIELDOF_NORM(krb5_pa_svr_referral_data, realm_of_principal, principal, 0),
@@ -1323,6 +1355,8 @@
predicted_sam_response);
MAKE_FULL_ENCODER(encode_krb5_setpw_req, setpw_req);
MAKE_FULL_ENCODER(encode_krb5_pa_for_user, pa_for_user);
+MAKE_FULL_ENCODER(encode_krb5_s4u_userid, s4u_userid);
+MAKE_FULL_ENCODER(encode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
MAKE_FULL_ENCODER(encode_krb5_pa_svr_referral_data, pa_svr_referral_data);
MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data);
MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list);
Modified: trunk/src/lib/krb5/asn.1/krb5_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -1061,6 +1061,18 @@
}
krb5_error_code
+decode_krb5_pa_s4u_x509_user(const krb5_data *code, krb5_pa_s4u_x509_user **repptr)
+{
+ setup_buf_only(krb5_pa_s4u_x509_user *);
+ alloc_field(rep);
+
+ retval = asn1_decode_pa_s4u_x509_user(&buf, rep);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
+
+krb5_error_code
decode_krb5_pa_pac_req(const krb5_data *code, krb5_pa_pac_req **repptr)
{
setup_buf_only(krb5_pa_pac_req *);
Modified: trunk/src/lib/krb5/krb/Makefile.in
===================================================================
--- trunk/src/lib/krb5/krb/Makefile.in 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/Makefile.in 2009-09-13 02:52:23 UTC (rev 22736)
@@ -79,6 +79,7 @@
rd_req_dec.o \
rd_safe.o \
recvauth.o \
+ s4u_creds.o \
sendauth.o \
send_tgs.o \
ser_actx.o \
@@ -167,6 +168,7 @@
$(OUTPRE)rd_req_dec.$(OBJEXT) \
$(OUTPRE)rd_safe.$(OBJEXT) \
$(OUTPRE)recvauth.$(OBJEXT) \
+ $(OUTPRE)s4u_creds.$(OBJEXT) \
$(OUTPRE)sendauth.$(OBJEXT) \
$(OUTPRE)send_tgs.$(OBJEXT) \
$(OUTPRE)ser_actx.$(OBJEXT) \
@@ -256,6 +258,7 @@
$(srcdir)/rd_req_dec.c \
$(srcdir)/rd_safe.c \
$(srcdir)/recvauth.c \
+ $(srcdir)/s4u_creds.c \
$(srcdir)/sendauth.c \
$(srcdir)/send_tgs.c \
$(srcdir)/ser_actx.c \
Modified: trunk/src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- trunk/src/lib/krb5/krb/gc_frm_kdc.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/gc_frm_kdc.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -1007,6 +1007,11 @@
DUMP_PRINC("gc_from_kdc: server as requested", supplied_server);
+ if (in_cred->second_ticket.length != 0 &&
+ (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
+ kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY;
+ }
+
/*
* Try requesting a service ticket from our local KDC with referrals
* turned on. If the first referral succeeds, follow a referral-only
@@ -1028,9 +1033,7 @@
retval = krb5_get_cred_via_tkt(context, tgtptr,
KDC_OPT_CANONICALIZE |
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses, in_cred, out_cred);
if (retval) {
DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n",
@@ -1048,9 +1051,7 @@
"retrying without option.\n", referral_count + 1));
retval = krb5_get_cred_via_tkt(context, tgtptr,
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses,
in_cred, out_cred);
/* Whether or not that succeeded, we're done. */
@@ -1090,9 +1091,7 @@
retval = krb5_get_cred_via_tkt(context, tgtptr,
KDC_OPT_CANONICALIZE |
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses,
in_cred, out_cred);
goto cleanup;
@@ -1257,9 +1256,7 @@
context->use_conf_ktypes = old_use_conf_ktypes;
retval = krb5_get_cred_via_tkt(context, tgtptr,
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses, in_cred, out_cred);
cleanup:
Modified: trunk/src/lib/krb5/krb/gc_via_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/gc_via_tgt.c
*
- * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007-2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -159,12 +159,34 @@
krb5_flags kdcoptions, krb5_address *const *address,
krb5_creds *in_cred, krb5_creds **out_cred)
{
+ return krb5_get_cred_via_tkt_ext (context, tkt,
+ kdcoptions, address,
+ NULL, in_cred, NULL, NULL,
+ NULL, NULL, out_cred, NULL);
+}
+
+krb5_error_code
+krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_pa_data **in_padata,
+ krb5_creds *in_cred,
+ krb5_error_code (*pacb_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *pacb_data,
+ krb5_pa_data ***out_padata,
+ krb5_pa_data ***out_enc_padata,
+ krb5_creds **out_cred,
+ krb5_keyblock **out_subkey)
+{
krb5_error_code retval;
krb5_kdc_rep *dec_rep;
krb5_error *err_reply;
krb5_response tgsrep;
krb5_enctype *enctypes = 0;
krb5_keyblock *subkey = NULL;
+ krb5_boolean s4u2self = FALSE, second_tkt;
#ifdef DEBUG_REFERRALS
printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
@@ -179,10 +201,13 @@
if (!tkt->ticket.length)
return KRB5_NO_TKT_SUPPLIED;
- if ((kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) &&
- (!in_cred->second_ticket.length))
+ second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) != 0);
+
+ if (second_tkt && !in_cred->second_ticket.length)
return(KRB5_NO_2ND_TKT);
+ s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) ||
+ krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FOR_USER);
/* check if we have the right TGT */
/* tkt->server must be equal to */
@@ -210,13 +235,12 @@
enctypes[0] = in_cred->keyblock.enctype;
enctypes[1] = 0;
}
-
+
retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes,
in_cred->server, address, in_cred->authdata,
- 0, /* no padata */
- (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) ?
- &in_cred->second_ticket : NULL,
- tkt, &tgsrep, &subkey);
+ in_padata,
+ second_tkt ? &in_cred->second_ticket : NULL,
+ tkt, pacb_fct, pacb_data, &tgsrep, &subkey);
if (enctypes)
free(enctypes);
if (retval) {
@@ -318,8 +342,17 @@
/* make sure the response hasn't been tampered with..... */
retval = 0;
- if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
- retval = KRB5_KDCREP_MODIFIED;
+ if (s4u2self && !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
+ /* Final hop, check whether KDC supports S4U2Self */
+ if (krb5_principal_compare(context, dec_rep->client, in_cred->server))
+ retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ } else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
+ /* XXX for constrained delegation this check must be performed by caller
+ * as we don't have access to the key to decrypt the evidence ticket.
+ */
+ if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
+ retval = KRB5_KDCREP_MODIFIED;
+ }
if (retval == 0)
retval = check_reply_server(context, kdcoptions, in_cred, dec_rep);
@@ -356,13 +389,26 @@
retval = KRB5_KDCREP_SKEW;
goto error_3;
}
+
+ if (out_padata != NULL) {
+ *out_padata = dec_rep->padata;
+ dec_rep->padata = NULL;
+ }
+ if (out_enc_padata != NULL) {
+ *out_enc_padata = dec_rep->enc_part2->enc_padata;
+ dec_rep->enc_part2->enc_padata = NULL;
+ }
retval = krb5_kdcrep2creds(context, dec_rep, address,
&in_cred->second_ticket, out_cred);
error_3:;
- if (subkey != NULL)
- krb5_free_keyblock(context, subkey);
+ if (subkey != NULL) {
+ if (retval == 0 && out_subkey != NULL)
+ *out_subkey = subkey;
+ else
+ krb5_free_keyblock(context, subkey);
+ }
memset(dec_rep->enc_part2->session->contents, 0,
dec_rep->enc_part2->session->length);
Modified: trunk/src/lib/krb5/krb/get_creds.c
===================================================================
--- trunk/src/lib/krb5/krb/get_creds.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/get_creds.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -46,7 +46,7 @@
#include "k5-int.h"
#include "int-proto.h"
-static krb5_error_code
+krb5_error_code
krb5_get_credentials_core(krb5_context context, krb5_flags options,
krb5_creds *in_creds, krb5_creds *mcreds,
krb5_flags *fields)
@@ -87,11 +87,14 @@
if (ret)
return ret;
}
- if (options & KRB5_GC_USER_USER) {
+ if (options & (KRB5_GC_USER_USER | KRB5_GC_CONSTRAINED_DELEGATION)) {
/* also match on identical 2nd tkt and tkt encrypted in a
session key */
- *fields |= KRB5_TC_MATCH_2ND_TKT|KRB5_TC_MATCH_IS_SKEY;
- mcreds->is_skey = TRUE;
+ *fields |= KRB5_TC_MATCH_2ND_TKT;
+ if (options & KRB5_GC_USER_USER) {
+ *fields |= KRB5_TC_MATCH_IS_SKEY;
+ mcreds->is_skey = TRUE;
+ }
mcreds->second_ticket = in_creds->second_ticket;
if (!in_creds->second_ticket.length)
return KRB5_NO_2ND_TKT;
@@ -113,25 +116,35 @@
int not_ktype;
int kdcopt = 0;
- retval = krb5_get_credentials_core(context, options,
- in_creds,
- &mcreds, &fields);
+ if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
+ retval = krb5_get_credentials_core(context, options,
+ in_creds,
+ &mcreds, &fields);
- if (retval) return retval;
+ if (retval)
+ return retval;
- if ((ncreds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL)
- return ENOMEM;
+ if ((ncreds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL)
+ return ENOMEM;
- memset(ncreds, 0, sizeof(krb5_creds));
- ncreds->magic = KV5M_CREDS;
+ memset(ncreds, 0, sizeof(krb5_creds));
+ ncreds->magic = KV5M_CREDS;
- /* The caller is now responsible for cleaning up in_creds */
- if ((retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
- ncreds))) {
- free(ncreds);
+ /* The caller is now responsible for cleaning up in_creds */
+ if ((retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
+ ncreds))) {
+ free(ncreds);
+ ncreds = in_creds;
+ } else {
+ *out_creds = ncreds;
+ }
+ } else {
+ /*
+ * To do this usefully for constrained delegation, we would
+ * need to look inside second_ticket, which we can't do.
+ */
ncreds = in_creds;
- } else {
- *out_creds = ncreds;
+ retval = KRB5_CC_NOTFOUND;
}
if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
@@ -145,6 +158,15 @@
if (options & KRB5_GC_CANONICALIZE)
kdcopt |= KDC_OPT_CANONICALIZE;
+ if (options & KRB5_GC_FORWARDABLE)
+ kdcopt |= KDC_OPT_FORWARDABLE;
+ if (options & KRB5_GC_NO_TRANSIT_CHECK)
+ kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK;
+ if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
+ if (options & KRB5_GC_USER_USER)
+ return EINVAL;
+ kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
+ }
retval = krb5_get_cred_from_kdc_opt(context, ccache, ncreds,
out_creds, &tgts, kdcopt);
@@ -160,6 +182,13 @@
}
krb5_free_tgt_creds(context, tgts);
}
+ if (!retval && (options & KRB5_GC_CONSTRAINED_DELEGATION)) {
+ if (((*out_creds)->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
+ retval = KRB5_TKT_NOT_FORWARDABLE;
+ krb5_free_creds(context, *out_creds);
+ *out_creds = NULL;
+ }
+ }
/*
* Translate KRB5_CC_NOTFOUND if we previously got
* KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to
@@ -175,7 +204,7 @@
&& not_ktype)
retval = KRB5_CC_NOT_KTYPE;
- if (!retval) {
+ if (!retval && (options & KRB5_GC_NO_STORE) == 0) {
/* the purpose of the krb5_get_credentials call is to
* obtain a set of credentials for the caller. the
* krb5_cc_store_cred() call is to optimize performance
@@ -184,6 +213,7 @@
*/
krb5_cc_store_cred(context, ccache, *out_creds);
}
+
return retval;
}
@@ -337,3 +367,4 @@
return(krb5_validate_or_renew_creds(context, creds, client, ccache,
in_tkt_service, 0));
}
+
Modified: trunk/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -493,6 +493,55 @@
0
};
+static krb5_error_code
+rewrite_server_realm(krb5_context context,
+ krb5_const_principal old_server,
+ const krb5_data *realm,
+ krb5_boolean tgs,
+ krb5_principal *server)
+{
+ krb5_error_code retval;
+
+ assert(*server == NULL);
+
+ retval = krb5_copy_principal(context, old_server, server);
+ if (retval)
+ return retval;
+
+ krb5_free_data_contents(context, &(*server)->realm);
+ (*server)->realm.data = NULL;
+
+ retval = krb5int_copy_data_contents(context, realm, &(*server)->realm);
+ if (retval)
+ goto cleanup;
+
+ if (tgs) {
+ krb5_free_data_contents(context, &(*server)->data[1]);
+ (*server)->data[1].data = NULL;
+
+ retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]);
+ if (retval)
+ goto cleanup;
+ }
+
+cleanup:
+ if (retval) {
+ krb5_free_principal(context, *server);
+ *server = NULL;
+ }
+
+ return retval;
+}
+
+static inline int
+tgt_is_local_realm(krb5_creds *tgt)
+{
+ return (tgt->server->length == 2
+ && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
+ && data_eq(tgt->server->data[1], tgt->client->realm)
+ && data_eq(tgt->server->realm, tgt->client->realm));
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt(krb5_context context,
krb5_flags options,
@@ -521,6 +570,8 @@
int use_master = 0;
int referral_count = 0;
krb5_principal_data referred_client;
+ krb5_principal referred_server = NULL;
+ krb5_boolean is_tgt_req;
#if APPLE_PKINIT
inTktDebug("krb5_get_in_tkt top\n");
@@ -616,6 +667,8 @@
goto cleanup;
}
+ is_tgt_req = tgt_is_local_realm(creds);
+
while (1) {
if (loopcount++ > MAX_IN_TKT_LOOPS) {
retval = KRB5_GET_IN_TKT_LOOP;
@@ -687,6 +740,21 @@
if (retval)
goto cleanup;
request.client = &referred_client;
+
+ if (referred_server != NULL) {
+ krb5_free_principal(context, referred_server);
+ referred_server = NULL;
+ }
+
+ retval = rewrite_server_realm(context,
+ creds->server,
+ &referred_client.realm,
+ is_tgt_req,
+ &referred_server);
+ if (retval)
+ goto cleanup;
+ request.server = referred_server;
+
continue;
} else {
retval = (krb5_error_code) err_reply->error
@@ -739,6 +807,8 @@
}
if (referred_client.realm.data)
krb5_free_data_contents(context, &referred_client.realm);
+ if (referred_server)
+ krb5_free_principal(context, referred_server);
return (retval);
}
@@ -939,6 +1009,52 @@
return 0;
}
+static krb5_error_code
+build_in_tkt_name(krb5_context context,
+ char *in_tkt_service,
+ krb5_const_principal client,
+ krb5_principal *server)
+{
+ krb5_error_code ret;
+
+ *server = NULL;
+
+ if (in_tkt_service) {
+ /* this is ugly, because so are the data structures involved. I'm
+ in the library, so I'm going to manipulate the data structures
+ directly, otherwise, it will be worse. */
+
+ if ((ret = krb5_parse_name(context, in_tkt_service, server)))
+ return ret;
+
+ /* stuff the client realm into the server principal.
+ realloc if necessary */
+ if ((*server)->realm.length < client->realm.length) {
+ char *p = realloc((*server)->realm.data,
+ client->realm.length);
+ if (p == NULL) {
+ krb5_free_principal(context, *server);
+ *server = NULL;
+ return ENOMEM;
+ }
+ (*server)->realm.data = p;
+ }
+
+ (*server)->realm.length = client->realm.length;
+ memcpy((*server)->realm.data, client->realm.data, client->realm.length);
+ } else {
+ ret = krb5_build_principal_ext(context, server,
+ client->realm.length,
+ client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ client->realm.length,
+ client->realm.data,
+ 0);
+ }
+ return ret;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds(krb5_context context,
krb5_creds *creds,
@@ -1125,42 +1241,10 @@
client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
/* service */
-
- if (in_tkt_service) {
- /* this is ugly, because so are the data structures involved. I'm
- in the library, so I'm going to manipulate the data structures
- directly, otherwise, it will be worse. */
+ if ((ret = build_in_tkt_name(context, in_tkt_service,
+ request.client, &request.server)))
+ goto cleanup;
- if ((ret = krb5_parse_name(context, in_tkt_service, &request.server)))
- goto cleanup;
-
- /* stuff the client realm into the server principal.
- realloc if necessary */
- if (request.server->realm.length < request.client->realm.length) {
- char *p = realloc(request.server->realm.data,
- request.client->realm.length);
- if (p == NULL) {
- ret = ENOMEM;
- goto cleanup;
- }
- request.server->realm.data = p;
- }
-
- request.server->realm.length = request.client->realm.length;
- memcpy(request.server->realm.data, request.client->realm.data,
- request.client->realm.length);
- } else {
- if ((ret = krb5_build_principal_ext(context, &request.server,
- request.client->realm.length,
- request.client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- request.client->realm.length,
- request.client->realm.data,
- 0)))
- goto cleanup;
- }
-
krb5_preauth_request_context_init(context);
@@ -1337,8 +1421,10 @@
}
preauth_to_use = out_padata;
out_padata = NULL;
- krb5_free_error(context, err_reply);
- err_reply = NULL;
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED) {
+ krb5_free_error(context, err_reply);
+ err_reply = NULL;
+ }
ret = sort_krb5_padata_sequence(context,
&request.server->realm,
preauth_to_use);
@@ -1365,6 +1451,14 @@
if (ret)
goto cleanup;
request.client = &referred_client;
+
+ krb5_free_principal(context, request.server);
+ request.server = NULL;
+
+ ret = build_in_tkt_name(context, in_tkt_service,
+ request.client, &request.server);
+ if (ret)
+ goto cleanup;
} else {
if (retry) {
/* continue to next iteration */
Modified: trunk/src/lib/krb5/krb/int-proto.h
===================================================================
--- trunk/src/lib/krb5/krb/int-proto.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/int-proto.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -59,11 +59,31 @@
krb5_creds *in_cred, krb5_creds **out_cred,
krb5_creds ***tgts, int kdcopt);
+krb5_error_code
+krb5_get_credentials_core(krb5_context context, krb5_flags options,
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields);
+
#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
#define IS_TGS_PRINC(c, p) \
(krb5_princ_size((c), (p)) == 2 && \
data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME))
+krb5_error_code
+krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_pa_data **in_padata,
+ krb5_creds *in_cred,
+ krb5_error_code (*gcvt_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *gcvt_data,
+ krb5_pa_data ***out_padata,
+ krb5_pa_data ***enc_padata,
+ krb5_creds **out_cred,
+ krb5_keyblock **out_subkey);
+
#endif /* KRB5_INT_FUNC_PROTO__ */
Modified: trunk/src/lib/krb5/krb/kfree.c
===================================================================
--- trunk/src/lib/krb5/krb/kfree.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/kfree.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -170,7 +170,7 @@
if (val == NULL)
return;
free(val->contents);
- val->contents = 0;
+ val->contents = NULL;
}
void KRB5_CALLCONV
@@ -297,6 +297,7 @@
krb5_free_last_req(context, val->last_req);
krb5_free_principal(context, val->server);
krb5_free_addresses(context, val->caddrs);
+ krb5_free_pa_data(context, val->enc_padata);
free(val);
}
@@ -755,6 +756,30 @@
}
void KRB5_CALLCONV
+krb5_free_s4u_userid_contents(krb5_context context, krb5_s4u_userid *user_id)
+{
+ if (user_id == NULL)
+ return;
+ user_id->nonce = 0;
+ krb5_free_principal(context, user_id->user);
+ user_id->user = NULL;
+ krb5_free_data_contents(context, &user_id->subject_cert);
+ user_id->subject_cert.length = 0;
+ user_id->subject_cert.data = NULL;
+ user_id->options = 0;
+}
+
+void KRB5_CALLCONV
+krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req)
+{
+ if (req == NULL)
+ return;
+ krb5_free_s4u_userid_contents(context, &req->user_id);
+ krb5_free_checksum_contents(context, &req->cksum);
+ free(req);
+}
+
+void KRB5_CALLCONV
krb5_free_pa_server_referral_data(krb5_context context,
krb5_pa_server_referral_data *ref)
{
Modified: trunk/src/lib/krb5/krb/preauth2.c
===================================================================
--- trunk/src/lib/krb5/krb/preauth2.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/preauth2.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -1706,6 +1706,59 @@
return(0);
}
+static krb5_error_code pa_s4u_x509_user(
+ krb5_context context,
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
+{
+ krb5_s4u_userid *userid = (krb5_s4u_userid *)gak_data; /* XXX private contract */
+ krb5_pa_data *s4u_padata;
+ krb5_error_code code;
+ krb5_principal client;
+
+ *out_padata = NULL;
+
+ if (userid == NULL)
+ return EINVAL;
+
+ code = krb5_copy_principal(context, request->client, &client);
+ if (code != 0)
+ return code;
+
+ if (userid->user != NULL)
+ krb5_free_principal(context, userid->user);
+ userid->user = client;
+
+ if (userid->subject_cert.length != 0) {
+ s4u_padata = malloc(sizeof(*s4u_padata));
+ if (s4u_padata == NULL)
+ return ENOMEM;
+
+ s4u_padata->magic = KV5M_PA_DATA;
+ s4u_padata->pa_type = KRB5_PADATA_S4U_X509_USER;
+ s4u_padata->contents = malloc(userid->subject_cert.length);
+ if (s4u_padata->contents == NULL) {
+ free(s4u_padata);
+ return ENOMEM;
+ }
+ memcpy(s4u_padata->contents, userid->subject_cert.data, userid->subject_cert.length);
+ s4u_padata->length = userid->subject_cert.length;
+
+ *out_padata = s4u_padata;
+ }
+
+ return 0;
+}
+
/* FIXME - order significant? */
static const pa_types_t pa_types[] = {
{
@@ -1751,6 +1804,11 @@
PA_INFO,
},
{
+ KRB5_PADATA_S4U_X509_USER,
+ pa_s4u_x509_user,
+ PA_INFO,
+ },
+ {
-1,
NULL,
0,
Copied: trunk/src/lib/krb5/krb/s4u_creds.c (from rev 22735, users/lhoward/s4u/src/lib/krb5/krb/s4u_creds.c)
Modified: trunk/src/lib/krb5/krb/send_tgs.c
===================================================================
--- trunk/src/lib/krb5/krb/send_tgs.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/send_tgs.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -77,7 +77,7 @@
if (retval)
goto cleanup;
}
-
+
/* Generate checksum */
if ((retval = krb5_c_make_checksum(context, cksumtype,
&in_cred->keyblock,
@@ -142,6 +142,9 @@
}
/*
* Note that this function fills in part of rep even on failure.
+ *
+ * The pacb_fct callback allows the caller access to the nonce
+ * and request subkey, for binding preauthentication data
*/
krb5_error_code
krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
@@ -149,7 +152,13 @@
krb5_const_principal sname, krb5_address *const *addrs,
krb5_authdata *const *authorization_data,
krb5_pa_data *const *padata, const krb5_data *second_ticket,
- krb5_creds *in_cred, krb5_response *rep, krb5_keyblock **subkey)
+ krb5_creds *in_cred,
+ krb5_error_code (*pacb_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *pacb_data,
+ krb5_response *rep, krb5_keyblock **subkey)
{
krb5_error_code retval;
krb5_kdc_req tgsreq;
@@ -157,13 +166,14 @@
krb5_ticket *sec_ticket = 0;
krb5_ticket *sec_ticket_arr[2];
krb5_timestamp time_now;
- krb5_pa_data **combined_padata;
+ krb5_pa_data **combined_padata = NULL;
krb5_pa_data ap_req_padata;
int tcp_only = 0, use_master;
krb5_keyblock *local_subkey = NULL;
assert (subkey != NULL);
*subkey = NULL;
+
/*
* in_creds MUST be a valid credential NOT just a partially filled in
* place holder for us to get credentials for the caller.
@@ -215,8 +225,8 @@
/* Get the encryption types list */
if (ktypes) {
- /* Check passed ktypes and make sure they're valid. */
- for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) {
+ /* Check passed ktypes and make sure they're valid. */
+ for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) {
if (!krb5_c_valid_enctype(ktypes[tgsreq.nktypes]))
return KRB5_PROG_ETYPE_NOSUPP;
}
@@ -236,6 +246,8 @@
} else
tgsreq.second_ticket = 0;
+ ap_req_padata.contents = NULL;
+
/* encode the body; then checksum it */
if ((retval = encode_krb5_kdc_req_body(&tgsreq, &scratch)))
goto send_tgs_error_2;
@@ -250,47 +262,74 @@
}
krb5_free_data(context, scratch);
- ap_req_padata.pa_type = KRB5_PADATA_AP_REQ;
- ap_req_padata.length = scratch2.length;
- ap_req_padata.contents = (krb5_octet *)scratch2.data;
+ tgsreq.padata = (krb5_pa_data **)calloc(2, sizeof(krb5_pa_data *));
+ if (tgsreq.padata == NULL) {
+ free(scratch2.data);
+ goto send_tgs_error_2;
+ }
+ tgsreq.padata[0] = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
+ if (tgsreq.padata[0] == NULL) {
+ free(scratch2.data);
+ goto send_tgs_error_2;
+ }
+ tgsreq.padata[0]->pa_type = KRB5_PADATA_AP_REQ;
+ tgsreq.padata[0]->length = scratch2.length;
+ tgsreq.padata[0]->contents = (krb5_octet *)scratch2.data;
+ tgsreq.padata[1] = NULL;
- /* combine in any other supplied padata */
+ /* combine in any other supplied padata, unfortunately now it is
+ * necessary to copy it as the callback function might modify the
+ * padata, and having a separate path for the non-callback case,
+ * or attempting to determine which elements were changed by the
+ * callback, would have complicated the code significantly.
+ */
if (padata) {
- krb5_pa_data * const * counter;
- register unsigned int i = 0;
- for (counter = padata; *counter; counter++, i++);
- combined_padata = malloc((i+2) * sizeof(*combined_padata));
- if (!combined_padata) {
- free(ap_req_padata.contents);
- retval = ENOMEM;
+ krb5_pa_data **tmp;
+ int i;
+
+ for (i = 0; padata[i]; i++)
+ ;
+
+ tmp = (krb5_pa_data **)realloc(tgsreq.padata,
+ (i + 2) * sizeof(*combined_padata));
+ if (tmp == NULL)
goto send_tgs_error_2;
+
+ tgsreq.padata = tmp;
+
+ for (i = 0; padata[i]; i++) {
+ krb5_pa_data *pa;
+
+ pa = tgsreq.padata[1 + i] = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
+ if (tgsreq.padata == NULL) {
+ retval = ENOMEM;
+ goto send_tgs_error_2;
+ }
+
+ pa->pa_type = padata[i]->pa_type;
+ pa->length = padata[i]->length;
+ pa->contents = (krb5_octet *)malloc(padata[i]->length);
+ if (pa->contents == NULL) {
+ retval = ENOMEM;
+ goto send_tgs_error_2;
+ }
+ memcpy(pa->contents, padata[i]->contents, padata[i]->length);
}
- combined_padata[0] = &ap_req_padata;
- for (i = 1, counter = padata; *counter; counter++, i++)
- combined_padata[i] = (krb5_pa_data *) *counter;
- combined_padata[i] = 0;
- } else {
- combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata));
- if (!combined_padata) {
- free(ap_req_padata.contents);
- retval = ENOMEM;
+ tgsreq.padata[1 + i] = NULL;
+ }
+
+ if (pacb_fct != NULL) {
+ if ((retval = (*pacb_fct)(context, local_subkey, &tgsreq, pacb_data)))
goto send_tgs_error_2;
- }
- combined_padata[0] = &ap_req_padata;
- combined_padata[1] = 0;
}
- tgsreq.padata = combined_padata;
-
/* the TGS_REQ is assembled in tgsreq, so encode it */
- if ((retval = encode_krb5_tgs_req(&tgsreq, &scratch))) {
- free(ap_req_padata.contents);
- free(combined_padata);
+ if ((retval = encode_krb5_tgs_req(&tgsreq, &scratch)))
goto send_tgs_error_2;
- }
- free(ap_req_padata.contents);
- free(combined_padata);
/* now send request & get response from KDC */
+ krb5_free_pa_data(context, tgsreq.padata);
+ tgsreq.padata = NULL;
+
send_again:
use_master = 0;
retval = krb5_sendto_kdc(context, scratch,
@@ -325,6 +364,8 @@
krb5_free_data(context, scratch);
send_tgs_error_2:;
+ if (tgsreq.padata)
+ krb5_free_pa_data(context, tgsreq.padata);
if (sec_ticket)
krb5_free_ticket(context, sec_ticket);
Modified: trunk/src/lib/krb5/krb/srv_dec_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/srv_dec_tkt.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/krb/srv_dec_tkt.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -70,27 +70,70 @@
}
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_server_decrypt_ticket_keytab(krb5_context context,
- const krb5_keytab kt,
+ const krb5_keytab keytab,
krb5_ticket *ticket)
{
- krb5_error_code retval;
- krb5_enctype enctype;
- krb5_keytab_entry ktent;
+ krb5_error_code retval;
+ krb5_keytab_entry ktent;
- enctype = ticket->enc_part.enctype;
+ retval = KRB5_KT_NOTFOUND;
- if ((retval = krb5_kt_get_entry(context, kt, ticket->server,
- ticket->enc_part.kvno,
- enctype, &ktent)))
- return retval;
+ if (keytab->ops->start_seq_get == NULL) {
+ retval = krb5_kt_get_entry(context, keytab,
+ ticket->server,
+ ticket->enc_part.kvno,
+ ticket->enc_part.enctype, &ktent);
+ if (retval == 0) {
+ retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
- retval = krb5int_server_decrypt_ticket_keyblock(context,
- &ktent.key, ticket);
- /* Upon error, Free keytab entry first, then return */
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+ } else {
+ krb5_error_code code;
+ krb5_kt_cursor cursor;
- (void) krb5_kt_free_entry(context, &ktent);
+ retval = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (retval != 0)
+ goto map_error;
+
+ while ((code = krb5_kt_next_entry(context, keytab,
+ &ktent, &cursor)) == 0) {
+ if (ktent.key.enctype != ticket->enc_part.enctype)
+ continue;
+
+ retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
+ if (retval == 0) {
+ krb5_principal tmp;
+
+ retval = krb5_copy_principal(context, ktent.principal, &tmp);
+ if (retval == 0) {
+ krb5_free_principal(context, ticket->server);
+ ticket->server = tmp;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ break;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0)
+ retval = code;
+ }
+
+map_error:
+ switch (retval) {
+ case KRB5_KT_KVNONOTFOUND:
+ case KRB5_KT_NOTFOUND:
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ break;
+ default:
+ break;
+ }
+
return retval;
}
#endif /* LEAN_CLIENT */
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/libkrb5.exports 2009-09-13 02:52:23 UTC (rev 22736)
@@ -20,11 +20,12 @@
decode_krb5_etype_info
decode_krb5_etype_info2
decode_krb5_fast_req
-decode_krb5_pa_fx_fast_request
decode_krb5_kdc_req_body
decode_krb5_pa_enc_ts
decode_krb5_pa_for_user
+decode_krb5_pa_fx_fast_request
decode_krb5_pa_pac_req
+decode_krb5_pa_s4u_x509_user
decode_krb5_padata_sequence
decode_krb5_predicted_sam_response
decode_krb5_priv
@@ -60,10 +61,11 @@
encode_krb5_etype_info
encode_krb5_etype_info2
encode_krb5_fast_response
-encode_krb5_pa_fx_fast_reply
encode_krb5_kdc_req_body
encode_krb5_pa_enc_ts
encode_krb5_pa_for_user
+encode_krb5_pa_fx_fast_reply
+encode_krb5_pa_s4u_x509_user
encode_krb5_pa_server_referral_data
encode_krb5_pa_svr_referral_data
encode_krb5_padata_sequence
@@ -71,6 +73,7 @@
encode_krb5_priv
encode_krb5_pwd_data
encode_krb5_pwd_sequence
+encode_krb5_s4u_userid
encode_krb5_safe
encode_krb5_sam_challenge
encode_krb5_sam_key
@@ -134,9 +137,9 @@
krb5_auth_con_setuseruserkey
krb5_auth_to_rep
krb5_build_principal
+krb5_build_principal_alloc_va
krb5_build_principal_ext
krb5_build_principal_va
-krb5_build_principal_alloc_va
krb5_cc_close
krb5_cc_copy_creds
krb5_cc_default
@@ -243,8 +246,9 @@
krb5_free_last_req
krb5_free_pa_data
krb5_free_pa_enc_ts
+krb5_free_pa_for_user
krb5_free_pa_pac_req
-krb5_free_pa_for_user
+krb5_free_pa_s4u_x509_user
krb5_free_pa_server_referral_data
krb5_free_pa_svr_referral_data
krb5_free_passwd_phrase_element
@@ -284,6 +288,8 @@
krb5_get_cred_from_kdc_validate
krb5_get_cred_via_tkt
krb5_get_credentials
+krb5_get_credentials_for_proxy
+krb5_get_credentials_for_user
krb5_get_credentials_renew
krb5_get_credentials_validate
krb5_get_default_config_files
@@ -380,7 +386,6 @@
krb5_os_hostaddr
krb5_os_init_context
krb5_os_localaddr
-krb5int_get_domain_realm_mapping
krb5_overridekeyname
krb5_pac_add_buffer
krb5_pac_free
@@ -529,6 +534,7 @@
krb5int_find_pa_data
krb5int_foreach_localaddr
krb5int_free_addrlist
+krb5int_get_domain_realm_mapping
krb5int_init_context_kdc
krb5int_initialize_library
krb5int_pac_sign
Modified: trunk/src/lib/krb5/os/sendto_kdc.c
===================================================================
--- trunk/src/lib/krb5/os/sendto_kdc.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/lib/krb5/os/sendto_kdc.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -57,7 +57,7 @@
#define DEFAULT_UDP_PREF_LIMIT 1465
#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
-#undef DEBUG
+#define DEBUG 1
#ifdef DEBUG
int krb5int_debug_sendto_kdc = 0;
Modified: trunk/src/slave/kproplog.c
===================================================================
--- trunk/src/slave/kproplog.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/slave/kproplog.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -40,23 +40,31 @@
print_flags(unsigned int flags)
{
unsigned int i;
- static char *prflags[] = {
- "DISALLOW_POSTDATED", /* 0x00000001 */
- "DISALLOW_FORWARDABLE", /* 0x00000002 */
- "DISALLOW_TGT_BASED", /* 0x00000004 */
- "DISALLOW_RENEWABLE", /* 0x00000008 */
- "DISALLOW_PROXIABLE", /* 0x00000010 */
- "DISALLOW_DUP_SKEY", /* 0x00000020 */
- "DISALLOW_ALL_TIX", /* 0x00000040 */
- "REQUIRES_PRE_AUTH", /* 0x00000080 */
- "REQUIRES_HW_AUTH", /* 0x00000100 */
- "REQUIRES_PWCHANGE", /* 0x00000200 */
- "UNKNOWN_0x00000400", /* 0x00000400 */
- "UNKNOWN_0x00000800", /* 0x00000800 */
- "DISALLOW_SVR", /* 0x00001000 */
- "PWCHANGE_SERVICE", /* 0x00002000 */
- "SUPPORT_DESMD5", /* 0x00004000 */
- "NEW_PRINC", /* 0x00008000 */
+ static char *prflags[] = {
+ "DISALLOW_POSTDATED", /* 0x00000001 */
+ "DISALLOW_FORWARDABLE", /* 0x00000002 */
+ "DISALLOW_TGT_BASED", /* 0x00000004 */
+ "DISALLOW_RENEWABLE", /* 0x00000008 */
+ "DISALLOW_PROXIABLE", /* 0x00000010 */
+ "DISALLOW_DUP_SKEY", /* 0x00000020 */
+ "DISALLOW_ALL_TIX", /* 0x00000040 */
+ "REQUIRES_PRE_AUTH", /* 0x00000080 */
+ "REQUIRES_HW_AUTH", /* 0x00000100 */
+ "REQUIRES_PWCHANGE", /* 0x00000200 */
+ "UNKNOWN_0x00000400", /* 0x00000400 */
+ "UNKNOWN_0x00000800", /* 0x00000800 */
+ "DISALLOW_SVR", /* 0x00001000 */
+ "PWCHANGE_SERVICE", /* 0x00002000 */
+ "SUPPORT_DESMD5", /* 0x00004000 */
+ "NEW_PRINC", /* 0x00008000 */
+ "UNKNOWN_0x00010000", /* 0x00010000 */
+ "UNKNOWN_0x00020000", /* 0x00020000 */
+ "UNKNOWN_0x00040000", /* 0x00040000 */
+ "UNKNOWN_0x00080000", /* 0x00080000 */
+ "OK_AS_DELEGATE", /* 0x00100000 */
+ "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */
+ "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */
+
};
for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) {
@@ -169,7 +177,7 @@
for (i = 0; i < k->k_enctype.k_enctype_len; i++) {
printf("\t\t\tenc type: 0x%x\n",
- k->k_enctype.k_enctype_val[i]);
+ k->k_enctype.k_enctype_val[i]);
}
str = k->k_contents.k_contents_val;
Modified: trunk/src/tests/asn.1/krb5_decode_leak.c
===================================================================
--- trunk/src/tests/asn.1/krb5_decode_leak.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/krb5_decode_leak.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -658,7 +658,18 @@
krb5_free_enc_sam_response_enc_2);
ktest_empty_enc_sam_response_enc_2(&sam_ch2);
}
+ /****************************************************************/
+ /* encode_krb5_pa_s4u_x509_user */
+ {
+ krb5_pa_s4u_x509_user s4u, *tmp;
+ setup(s4u, "pa_s4u_x509_user",
+ ktest_make_sample_pa_s4u_x509_user);
+ leak_test(s4u, encode_krb5_pa_s4u_x509_user,
+ decode_krb5_pa_s4u_x509_user,
+ krb5_free_pa_s4u_x509_user);
+ ktest_empty_pa_s4u_x509_user(&s4u);
+ }
krb5_free_context(test_context);
return 0;
}
Modified: trunk/src/tests/asn.1/krb5_decode_test.c
===================================================================
--- trunk/src/tests/asn.1/krb5_decode_test.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/krb5_decode_test.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -890,7 +890,13 @@
ktest_empty_sam_response(&ref);
}
-
+
+ {
+ setup(krb5_pa_s4u_x509_user,"krb5_pa_s4u_x509_user",ktest_make_sample_pa_s4u_x509_user);
+ decode_run("pa_s4u_x509_user","","30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_pa_s4u_x509_user,ktest_equal_pa_s4u_x509_user,krb5_free_pa_s4u_x509_user);
+ ktest_empty_pa_s4u_x509_user(&ref);
+ }
+
#ifdef ENABLE_LDAP
/* ldap sequence_of_keys */
{
Modified: trunk/src/tests/asn.1/krb5_encode_test.c
===================================================================
--- trunk/src/tests/asn.1/krb5_encode_test.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/krb5_encode_test.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -695,6 +695,18 @@
acc.encode_krb5_enc_sam_response_enc_2);
ktest_empty_enc_sam_response_enc_2(&sam_ch2);
}
+ /****************************************************************/
+ /* encode_krb5_pa_s4u_x509_user */
+ {
+ krb5_pa_s4u_x509_user s4u;
+ setup(s4u,krb5_pa_s4u_x509_user,"pa_s4u_x509_user",
+ ktest_make_sample_pa_s4u_x509_user);
+ encode_run(s4u,krb5_pa_s4u_x509_user,
+ "pa_s4u_x509_user","",
+ encode_krb5_pa_s4u_x509_user);
+ ktest_empty_pa_s4u_x509_user(&s4u);
+ }
+
#ifdef ENABLE_LDAP
{
ldap_seqof_key_data skd;
Modified: trunk/src/tests/asn.1/ktest.c
===================================================================
--- trunk/src/tests/asn.1/ktest.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/ktest.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -825,6 +825,23 @@
return 0;
}
+krb5_error_code ktest_make_sample_pa_s4u_x509_user(p)
+ krb5_pa_s4u_x509_user *p;
+{
+ krb5_error_code retval;
+ krb5_s4u_userid *u = &p->user_id;
+ u->nonce = 13243546;
+ retval = ktest_make_sample_principal(&u->user);
+ if (retval) return retval;
+ u->subject_cert.data = strdup("pa_s4u_x509_user");
+ if (u->subject_cert.data == NULL) return ENOMEM;
+ u->subject_cert.length = strlen(u->subject_cert.data);
+ u->options = 0x80000000;
+ retval = ktest_make_sample_checksum(&p->cksum);
+ if (retval) return retval;
+ return 0;
+}
+
#ifdef ENABLE_LDAP
static krb5_error_code ktest_make_sample_key_data(krb5_key_data *p, int i)
{
@@ -1420,6 +1437,14 @@
ktest_empty_data(&p->sam_sad);
}
+void ktest_empty_pa_s4u_x509_user(p)
+ krb5_pa_s4u_x509_user *p;
+{
+ ktest_destroy_principal(&p->user_id.user);
+ ktest_empty_data(&p->user_id.subject_cert);
+ if (p->cksum.contents) free(p->cksum.contents);
+}
+
#ifdef ENABLE_LDAP
void ktest_empty_ldap_seqof_key_data(ctx, p)
krb5_context ctx;
Modified: trunk/src/tests/asn.1/ktest.h
===================================================================
--- trunk/src/tests/asn.1/ktest.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/ktest.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -105,8 +105,8 @@
(krb5_enc_sam_response_enc *p);
krb5_error_code ktest_make_sample_predicted_sam_response(krb5_predicted_sam_response *p);
krb5_error_code ktest_make_sample_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
+krb5_error_code ktest_make_sample_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
-
#ifdef ENABLE_LDAP
krb5_error_code ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data * p);
#endif
@@ -214,6 +214,7 @@
void ktest_empty_predicted_sam_response(krb5_predicted_sam_response *p);
void ktest_empty_sam_response_2(krb5_sam_response_2 *p);
void ktest_empty_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
+void ktest_empty_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
#ifdef ENABLE_LDAP
void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p);
Modified: trunk/src/tests/asn.1/ktest_equal.c
===================================================================
--- trunk/src/tests/asn.1/ktest_equal.c 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/ktest_equal.c 2009-09-13 02:52:23 UTC (rev 22736)
@@ -542,6 +542,20 @@
return p;
}
+int ktest_equal_pa_s4u_x509_user(ref, var)
+ krb5_pa_s4u_x509_user *ref;
+ krb5_pa_s4u_x509_user *var;
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(user_id.nonce);
+ p=p&&ptr_equal(user_id.user,ktest_equal_principal_data);
+ p=p&&struct_equal(user_id.subject_cert,ktest_equal_data);
+ p=p&&scalar_equal(user_id.options);
+ p=p&&struct_equal(cksum,ktest_equal_checksum);
+ return p;
+}
#ifdef ENABLE_LDAP
static int equal_key_data(ref, var)
krb5_key_data *ref;
Modified: trunk/src/tests/asn.1/ktest_equal.h
===================================================================
--- trunk/src/tests/asn.1/ktest_equal.h 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/ktest_equal.h 2009-09-13 02:52:23 UTC (rev 22736)
@@ -91,6 +91,10 @@
(krb5_etype_info_entry * ref,
krb5_etype_info_entry * var);
+int ktest_equal_pa_s4u_x509_user
+ (krb5_pa_s4u_x509_user *ref,
+ krb5_pa_s4u_x509_user *var);
+
int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
ldap_seqof_key_data *var);
#endif
Modified: trunk/src/tests/asn.1/reference_encode.out
===================================================================
--- trunk/src/tests/asn.1/reference_encode.out 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/reference_encode.out 2009-09-13 02:52:23 UTC (rev 22736)
@@ -56,3 +56,4 @@
encode_krb5_predicted_sam_response: 30 6D A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 07 03 05 00 00 00 00 09 A2 11 18 0F 31 39 37 30 30 31 30 31 30 30 30 30 31 37 5A A3 03 02 01 12 A4 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A6 07 04 05 68 65 6C 6C 6F
encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 01 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10
encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32
+encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
Modified: trunk/src/tests/asn.1/trval_reference.out
===================================================================
--- trunk/src/tests/asn.1/trval_reference.out 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/asn.1/trval_reference.out 2009-09-13 02:52:23 UTC (rev 22736)
@@ -1246,3 +1246,20 @@
. [0] [Integer] 88
. [1] [Octet String] "enc_sam_response_enc_2"
+encode_krb5_pa_s4u_x509_user:
+
+[Sequence/Sequence Of]
+. [0] [Sequence/Sequence Of]
+. . [0] [Integer] 13243546
+. . [1] [Sequence/Sequence Of]
+. . . [0] [Integer] 1
+. . . [1] [Sequence/Sequence Of]
+. . . . [General string] "hftsai"
+. . . . [General string] "extra"
+. . [2] [General string] "ATHENA.MIT.EDU"
+. . [3] [Octet String] "pa_s4u_x509_user"
+. . [4] [Bit String] 0x80000000
+. [1] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Octet String] "1234"
+
Modified: trunk/src/tests/gssapi/Makefile.in
===================================================================
--- trunk/src/tests/gssapi/Makefile.in 2009-09-11 22:28:42 UTC (rev 22735)
+++ trunk/src/tests/gssapi/Makefile.in 2009-09-13 02:52:23 UTC (rev 22736)
@@ -6,15 +6,18 @@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-SRCS= $(srcdir)/t_imp_name.c
+SRCS= $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c
-OBJS= t_imp_name.o
+OBJS= t_imp_name.o t_s4u.o
-all:: t_imp_name
+all:: t_imp_name t_s4u
t_imp_name: t_imp_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o t_imp_name t_imp_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
+t_s4u: t_s4u.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o t_s4u t_s4u.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
+
clean::
- $(RM) t_imp_name
+ $(RM) t_imp_name t_s4u
Copied: trunk/src/tests/gssapi/t_s4u.c (from rev 22735, users/lhoward/s4u/src/tests/gssapi/t_s4u.c)
More information about the cvs-krb5
mailing list