Avoid DNS canonicalisation for hosts until we know what client credential we are going to use, and when we know that, let's check if the user really wants to use canonicalisation. XXX should be able to configure per target realm too

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23678 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2008-08-25 02:34:24 +00:00
parent ab4ce491b0
commit 227aca963e
6 changed files with 92 additions and 34 deletions


@@ -340,13 +340,13 @@ OM_uint32 _gsskrb5_acquire_cred
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
krb5_principal name = (krb5_principal)desired_name;
ret = krb5_copy_principal(context, name, &handle->principal);
ret = _gsskrb5_canon_name(minor_status, context, 0, desired_name,
&handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
*minor_status = ret;
free(handle);
return GSS_S_FAILURE;
return ret;
}
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
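Review bot: `ret` now carries a GSS major status straight out of `_gsskrb5_canon_name` and is returned as such, whereas the removed lines used it for the krb5_error_code from krb5_copy_principal and returned GSS_S_FAILURE themselves; the declaration of `ret` is outside this hunk, so if it is still `krb5_error_code` the major status is being round-tripped through a krb5 type and a later reader will take `ret` for a minor code. Consider an `OM_uint32` for this call, or at least a comment on the test: `/* ret is a GSS major status; *minor_status was already set by _gsskrb5_canon_name */`. Note also that with use_dns passed as 0, a hostbased desired_name that was imported without a host part reaches handle->principal with no host component (see the import_hostbased_name and _gsskrb5_canon_name hunks). The body of _gsskrb5_acquire_cred continues outside the hunk.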


@@ -42,5 +42,19 @@ OM_uint32 _gsskrb5_canonicalize_name (
gss_name_t * output_name
)
{
return _gsskrb5_duplicate_name (minor_status, input_name, output_name);
krb5_context context;
krb5_principal name;
OM_uint32 ret;
*output_name = NULL;
GSSAPI_KRB5_INIT (&context);
ret = _gsskrb5_canon_name(minor_status, context, 1, input_name, &name);
if (ret)
return ret;
*output_name = (gss_name_t)name;
return GSS_S_COMPLETE;
}
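Review bot: The use_dns argument to `_gsskrb5_canon_name` is the bare literal `1`, which hides that gss_canonicalize_name always resolves a hostbased name through DNS, while init_auth in the same commit first consults the credential's `realm-config` before deciding. There is no credential available in this entry point, so there is no per-realm setting to consult, and that reasoning belongs in the code. Suggest a comment above the call: `/* No credential here to read realm-config from, so always canonicalize via DNS (use_dns = 1). */`.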


@@ -41,18 +41,19 @@ OM_uint32 _gsskrb5_duplicate_name (
gss_name_t * dest_name
)
{
krb5_context context;
krb5_const_principal src = (krb5_const_principal)src_name;
krb5_principal *dest = (krb5_principal *)dest_name;
krb5_context context;
krb5_principal dest;
krb5_error_code kret;
GSSAPI_KRB5_INIT (&context);
kret = krb5_copy_principal (context, src, dest);
kret = krb5_copy_principal (context, src, &dest);
if (kret) {
*minor_status = kret;
return GSS_S_FAILURE;
} else {
*dest_name = (gss_name_t)dest;
*minor_status = 0;
return GSS_S_COMPLETE;
}
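Review bot: On the krb5_copy_principal failure branch `*dest_name` is left untouched, whereas `_gsskrb5_canonicalize_name` in this commit clears its output before doing any work; a caller that inspects the output name rather than the major status would read whatever was there before. Suggest `*dest_name = GSS_C_NO_NAME;` immediately after the declarations, before `GSSAPI_KRB5_INIT`, so both functions follow the same contract. The closing brace of _gsskrb5_duplicate_name is outside the hunk.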


@@ -137,4 +137,7 @@ struct gssapi_thr_context {
#define SC_LOCAL_SUBKEY 0x08
#define SC_REMOTE_SUBKEY 0x10
/* type to signal that that dns canon maybe should be done */
#define MAGIC_HOSTBASED_NAME_TYPE 4711
#endif
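Review bot: The comment on `MAGIC_HOSTBASED_NAME_TYPE` has a doubled "that that" and does not say where the private type is consumed or that it must not escape the mechanism; from this commit, only `_gsskrb5_canon_name` rewrites it to KRB5_NT_SRV_HST, so any other path that hands an imported hostbased name to a krb5 API appears to see a name type the library does not know. Suggest replacing the comment with: `/* Private name type set by import_hostbased_name on GSS_C_NT_HOSTBASED_SERVICE names; marks that DNS canonicalization may still be needed. Must be rewritten by _gsskrb5_canon_name before the principal is used with krb5 APIs. */`.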


@@ -83,18 +83,56 @@ import_krb5_name (OM_uint32 *minor_status,
return ret;
}
OM_uint32
_gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
int use_dns, gss_name_t name, krb5_principal *out)
{
krb5_principal p = (krb5_principal)name;
krb5_error_code ret;
char *hostname = NULL, *service;
*minor_status = 0;
/* If its not a hostname */
if (krb5_principal_get_type(context, p) != MAGIC_HOSTBASED_NAME_TYPE) {
ret = krb5_copy_principal(context, p, out);
} else if (!use_dns) {
ret = krb5_copy_principal(context, p, out);
if (ret == 0)
krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
} else {
if (p->name.name_string.len == 0)
return GSS_S_BAD_NAME;
else if (p->name.name_string.len > 1)
hostname = p->name.name_string.val[1];
service = p->name.name_string.val[0];
ret = krb5_sname_to_principal(context,
hostname,
service,
KRB5_NT_SRV_HST,
out);
}
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
return 0;
}
static OM_uint32
import_hostbased_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
krb5_error_code kerr;
char *tmp;
char *p;
char *host;
char local_hostname[MAXHOSTNAMELEN];
krb5_principal princ = NULL;
krb5_error_code kerr;
char *tmp, *p, *host = NULL;
tmp = malloc (input_name_buffer->length + 1);
if (tmp == NULL) {
@@ -110,26 +148,20 @@ import_hostbased_name (OM_uint32 *minor_status,
if (p != NULL) {
*p = '\0';
host = p + 1;
} else {
host = NULL;
}
kerr = krb5_sname_to_principal (context,
host,
tmp,
KRB5_NT_SRV_HST,
&princ);
kerr = krb5_make_principal(context, &princ, NULL, tmp, host, NULL);
free (tmp);
*minor_status = kerr;
if (kerr == 0) {
*output_name = (gss_name_t)princ;
return GSS_S_COMPLETE;
}
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
return GSS_S_BAD_NAME;
else if (kerr)
return GSS_S_FAILURE;
return GSS_S_FAILURE;
krb5_principal_set_type(context, princ, MAGIC_HOSTBASED_NAME_TYPE);
*output_name = (gss_name_t)princ;
return 0;
}
static OM_uint32
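Review bot: `krb5_make_principal(context, &princ, NULL, tmp, host, NULL)` with `host == NULL` (the no-`@` case, where the else branch leaves host NULL) ends the variadic list after `tmp`, so the imported principal has a single component; the removed `krb5_sname_to_principal(context, host, ...)` call substituted the local hostname in that case. The DNS branch of `_gsskrb5_canon_name` in the earlier hunk of this file restores that by passing a NULL hostname to krb5_sname_to_principal when `name_string.len` is 1, but the `!use_dns` branch only copies the principal and retags it KRB5_NT_SRV_HST, so acquire_cred (use_dns 0) and init_auth with the realm-config bit set appear to end up with `service@REALM` rather than `service/<local host>@REALM`. Either keep the local-hostname substitution in import_hostbased_name when `host` is NULL, or make the `!use_dns` branch handle `len == 1` the same way the DNS branch does, and add a comment stating which of the two owns that default. The start of import_hostbased_name is in the previous hunk.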


@@ -335,7 +335,7 @@ init_auth
gsskrb5_cred cred,
gsskrb5_ctx ctx,
krb5_context context,
krb5_const_principal name,
gss_name_t name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
@@ -351,6 +351,7 @@ init_auth
krb5_data outbuf;
krb5_data fwd_data;
OM_uint32 lifetime_rec;
int use_dns = 1;
krb5_data_zero(&outbuf);
krb5_data_zero(&fwd_data);
@@ -378,13 +379,21 @@ init_auth
goto failure;
}
kret = krb5_copy_principal (context, name, &ctx->target);
if (kret) {
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
/* canon name if needed for client + target realm */
kret = krb5_cc_get_config(context, ctx->ccache, NULL,
"realm-config", &outbuf);
if (kret == 0) {
/* XXX 2 is no server canon */
if (outbuf.length < 1 || ((((unsigned char *)outbuf.data)[0]) & 2))
use_dns = 0;
krb5_data_free(&outbuf);
}
ret = _gsskrb5_canon_name(minor_status, context, use_dns,
name, &ctx->target);
if (ret)
goto failure;
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
@@ -819,7 +828,6 @@ OM_uint32 _gsskrb5_init_sec_context
{
krb5_context context;
gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
krb5_const_principal name = (krb5_const_principal)target_name;
gsskrb5_ctx ctx;
OM_uint32 ret;
@@ -882,7 +890,7 @@ OM_uint32 _gsskrb5_init_sec_context
cred,
ctx,
context,
name,
target_name,
mech_type,
req_flags,
time_req,
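Review bot: In the init_auth hunk that reads `realm-config`, the `& 2` bit test and the `/* XXX 2 is no server canon */` comment leave the config byte layout undocumented, and the writer of that ccache entry is not on this page; a named constant shared with it would stop the two sides drifting. The decision is also asymmetric: an empty config (`outbuf.length < 1`) disables DNS canonicalization, but a missing config (`krb5_cc_get_config` failing) keeps `use_dns = 1`, i.e. the target principal may still be rewritten from DNS answers, which is the exposure the commit is trying to make configurable. Suggest stating that explicitly above the call: `/* realm-config byte 0, bit 1 (value 2): no server canonicalization. Absent config keeps the DNS default; empty config disables it. */`.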