Revamp name canonicalization code
This commit is contained in:
Nicolas Williams
@@ -105,9 +105,9 @@ NAME-TYPE ::= INTEGER {
|
|||||||
KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
|
KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
|
||||||
KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
|
KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
|
||||||
KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
|
KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
|
||||||
KRB5_NT_GSS_HOSTBASED_SERVICE(-1202),
|
KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
|
||||||
KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
|
KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
|
||||||
KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- -(0x0bad1dea)
|
KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
|
||||||
}
|
}
|
||||||
|
|
||||||
-- message types
|
-- message types
|
||||||
|
|||||||
@@ -399,7 +399,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
|
|||||||
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
|
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
|
||||||
|
|
||||||
if (desired_name != GSS_C_NO_NAME) {
|
if (desired_name != GSS_C_NO_NAME) {
|
||||||
ret = _gsskrb5_canon_name(minor_status, context, NULL,
|
ret = _gsskrb5_canon_name(minor_status, context,
|
||||||
desired_name, &handle->principal);
|
desired_name, &handle->principal);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
|
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_canonicalize_name (
|
|||||||
|
|
||||||
GSSAPI_KRB5_INIT (&context);
|
GSSAPI_KRB5_INIT (&context);
|
||||||
|
|
||||||
ret = _gsskrb5_canon_name(minor_status, context, NULL, input_name, &name);
|
ret = _gsskrb5_canon_name(minor_status, context, input_name, &name);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
|||||||
@@ -83,7 +83,6 @@ import_krb5_name (OM_uint32 *minor_status,
|
|||||||
|
|
||||||
OM_uint32
|
OM_uint32
|
||||||
_gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
|
_gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
|
||||||
krb5_const_principal sourcename,
|
|
||||||
gss_const_name_t targetname, krb5_principal *out)
|
gss_const_name_t targetname, krb5_principal *out)
|
||||||
{
|
{
|
||||||
krb5_const_principal p = (krb5_const_principal)targetname;
|
krb5_const_principal p = (krb5_const_principal)targetname;
|
||||||
@@ -121,7 +120,7 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
|
|||||||
|
|
||||||
|
|
||||||
static OM_uint32
|
static OM_uint32
|
||||||
import_hostbased_name (OM_uint32 *minor_status,
|
import_hostbased_name(OM_uint32 *minor_status,
|
||||||
krb5_context context,
|
krb5_context context,
|
||||||
const gss_buffer_t input_name_buffer,
|
const gss_buffer_t input_name_buffer,
|
||||||
gss_name_t *output_name)
|
gss_name_t *output_name)
|
||||||
@@ -146,7 +145,7 @@ import_hostbased_name (OM_uint32 *minor_status,
|
|||||||
host = p + 1;
|
host = p + 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
kerr = krb5_make_principal(context, &princ, NULL, tmp, host, NULL);
|
kerr = krb5_make_principal(context, &princ, "", tmp, host, NULL);
|
||||||
free (tmp);
|
free (tmp);
|
||||||
*minor_status = kerr;
|
*minor_status = kerr;
|
||||||
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
|
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
|
||||||
@@ -154,7 +153,7 @@ import_hostbased_name (OM_uint32 *minor_status,
|
|||||||
else if (kerr)
|
else if (kerr)
|
||||||
return GSS_S_FAILURE;
|
return GSS_S_FAILURE;
|
||||||
|
|
||||||
krb5_principal_set_type(context, princ, KRB5_NT_SRV_HST_NEEDS_CANON);
|
krb5_principal_set_type(context, princ, KRB5_NT_SRV_HST);
|
||||||
*output_name = (gss_name_t)princ;
|
*output_name = (gss_name_t)princ;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
@@ -224,8 +224,8 @@ gsskrb5_get_creds(
|
|||||||
ctx->kcred = NULL;
|
ctx->kcred = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = _gsskrb5_canon_name(minor_status, context, ctx->source,
|
ret = _gsskrb5_canon_name(minor_status, context, target_name,
|
||||||
target_name, &ctx->target);
|
&ctx->target);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
|||||||
@@ -601,6 +601,7 @@ krb5_copy_context(krb5_context context, krb5_context *out)
|
|||||||
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
||||||
krb5_free_context(krb5_context context)
|
krb5_free_context(krb5_context context)
|
||||||
{
|
{
|
||||||
|
_krb5_free_name_canon_rules(context, context->name_canon_rules);
|
||||||
if (context->default_cc_name)
|
if (context->default_cc_name)
|
||||||
free(context->default_cc_name);
|
free(context->default_cc_name);
|
||||||
if (context->default_cc_name_env)
|
if (context->default_cc_name_env)
|
||||||
|
|||||||
@@ -1159,9 +1159,8 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
|
|||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_timestamp now;
|
krb5_timestamp now;
|
||||||
krb5_times save_times;
|
krb5_times save_times = in_creds->times;
|
||||||
|
NAME_TYPE save_type = in_creds->server->name.name_type;
|
||||||
save_times = in_creds->times;
|
|
||||||
|
|
||||||
krb5_timeofday(context, &now);
|
krb5_timeofday(context, &now);
|
||||||
|
|
||||||
@@ -1171,12 +1170,20 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
|
|||||||
krb5_timeofday(context, &in_creds->times.endtime);
|
krb5_timeofday(context, &in_creds->times.endtime);
|
||||||
options |= KRB5_TC_MATCH_TIMES;
|
options |= KRB5_TC_MATCH_TIMES;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (save_type == KRB5_NT_SRV_HST_NEEDS_CANON) {
|
||||||
|
/* Avoid name canonicalization in krb5_cc_retrieve_cred() */
|
||||||
|
krb5_principal_set_type(context, in_creds->server, KRB5_NT_SRV_HST);
|
||||||
|
}
|
||||||
|
|
||||||
ret = krb5_cc_retrieve_cred(context, ccache,
|
ret = krb5_cc_retrieve_cred(context, ccache,
|
||||||
(options &
|
(options &
|
||||||
(KRB5_TC_MATCH_KEYTYPE |
|
(KRB5_TC_DONT_MATCH_REALM |
|
||||||
|
KRB5_TC_MATCH_KEYTYPE |
|
||||||
KRB5_TC_MATCH_TIMES)),
|
KRB5_TC_MATCH_TIMES)),
|
||||||
in_creds, out_creds);
|
in_creds, out_creds);
|
||||||
|
|
||||||
|
in_creds->server->name.name_type = save_type;
|
||||||
in_creds->times = save_times;
|
in_creds->times = save_times;
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -1185,23 +1192,19 @@ static void
|
|||||||
store_cred(krb5_context context, krb5_ccache ccache,
|
store_cred(krb5_context context, krb5_ccache ccache,
|
||||||
krb5_const_principal server_princ, krb5_creds *creds)
|
krb5_const_principal server_princ, krb5_creds *creds)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
if (strcmp(server_princ->realm, "") == 0) {
|
||||||
krb5_principal tmp_princ = creds->server;
|
krb5_principal tmp_princ = creds->server;
|
||||||
krb5_principal p;
|
/*
|
||||||
|
* Store the cred with the pre-canon server princ first so it
|
||||||
krb5_cc_store_cred(context, ccache, creds);
|
* can be found quickly in the future.
|
||||||
if (strcmp(server_princ->realm, "") != 0)
|
*/
|
||||||
return;
|
creds->server = (krb5_principal)server_princ;
|
||||||
|
|
||||||
ret = krb5_copy_principal(context, server_princ, &p);
|
|
||||||
if (ret)
|
|
||||||
return;
|
|
||||||
if (p->name.name_type == KRB5_NT_SRV_HST_NEEDS_CANON)
|
|
||||||
p->name.name_type = KRB5_NT_SRV_HST;
|
|
||||||
creds->server = p;
|
|
||||||
krb5_cc_store_cred(context, ccache, creds);
|
krb5_cc_store_cred(context, ccache, creds);
|
||||||
creds->server = tmp_princ;
|
creds->server = tmp_princ;
|
||||||
krb5_free_principal(context, p);
|
/* Then store again with the canonicalized server princ */
|
||||||
|
}
|
||||||
|
|
||||||
|
krb5_cc_store_cred(context, ccache, creds);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -1216,8 +1219,9 @@ krb5_get_credentials_with_flags(krb5_context context,
|
|||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_name_canon_iterator name_canon_iter = NULL;
|
krb5_name_canon_iterator name_canon_iter = NULL;
|
||||||
krb5_name_canon_rule_options rule_opts;
|
krb5_name_canon_rule_options rule_opts;
|
||||||
|
krb5_const_principal try_princ = NULL;
|
||||||
|
krb5_principal save_princ = in_creds->server;
|
||||||
krb5_creds **tgts;
|
krb5_creds **tgts;
|
||||||
krb5_creds *try_creds;
|
|
||||||
krb5_creds *res_creds;
|
krb5_creds *res_creds;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
@@ -1233,15 +1237,7 @@ krb5_get_credentials_with_flags(krb5_context context,
|
|||||||
if (res_creds == NULL)
|
if (res_creds == NULL)
|
||||||
return krb5_enomem(context);
|
return krb5_enomem(context);
|
||||||
|
|
||||||
if (in_creds->server->name.name_type == KRB5_NT_SRV_HST_NEEDS_CANON) {
|
ret = krb5_name_canon_iterator_start(context, in_creds->server,
|
||||||
ret = check_cc(context, options, ccache, in_creds, res_creds);
|
|
||||||
if (ret == 0) {
|
|
||||||
*out_creds = res_creds;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = krb5_name_canon_iterator_start(context, NULL, in_creds,
|
|
||||||
&name_canon_iter);
|
&name_canon_iter);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
@@ -1249,10 +1245,12 @@ krb5_get_credentials_with_flags(krb5_context context,
|
|||||||
next_rule:
|
next_rule:
|
||||||
krb5_free_cred_contents(context, res_creds);
|
krb5_free_cred_contents(context, res_creds);
|
||||||
memset(res_creds, 0, sizeof (*res_creds));
|
memset(res_creds, 0, sizeof (*res_creds));
|
||||||
ret = krb5_name_canon_iterate_creds(context, &name_canon_iter, &try_creds,
|
ret = krb5_name_canon_iterate(context, &name_canon_iter, &try_princ,
|
||||||
&rule_opts);
|
&rule_opts);
|
||||||
|
in_creds->server = rk_UNCONST(try_princ);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (name_canon_iter == NULL) {
|
if (name_canon_iter == NULL) {
|
||||||
if (options & KRB5_GC_CACHED)
|
if (options & KRB5_GC_CACHED)
|
||||||
ret = KRB5_CC_NOTFOUND;
|
ret = KRB5_CC_NOTFOUND;
|
||||||
@@ -1261,14 +1259,15 @@ next_rule:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = check_cc(context, options, ccache, try_creds, res_creds);
|
ret = check_cc(context, options, ccache, in_creds, res_creds);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
*out_creds = res_creds;
|
*out_creds = res_creds;
|
||||||
|
res_creds = NULL;
|
||||||
goto out;
|
goto out;
|
||||||
} else if(ret != KRB5_CC_END) {
|
} else if(ret != KRB5_CC_END) {
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(options & KRB5_GC_CACHED)
|
if (options & KRB5_GC_CACHED)
|
||||||
goto next_rule;
|
goto next_rule;
|
||||||
|
|
||||||
if(options & KRB5_GC_USER_USER)
|
if(options & KRB5_GC_USER_USER)
|
||||||
@@ -1278,26 +1277,28 @@ next_rule:
|
|||||||
|
|
||||||
tgts = NULL;
|
tgts = NULL;
|
||||||
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
|
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
|
||||||
try_creds, NULL, NULL, out_creds, &tgts);
|
in_creds, NULL, NULL, out_creds, &tgts);
|
||||||
for (i = 0; tgts && tgts[i]; i++) {
|
for (i = 0; tgts && tgts[i]; i++) {
|
||||||
if ((options & KRB5_GC_NO_STORE) == 0)
|
if ((options & KRB5_GC_NO_STORE) == 0)
|
||||||
krb5_cc_store_cred(context, ccache, tgts[i]);
|
krb5_cc_store_cred(context, ccache, tgts[i]);
|
||||||
krb5_free_creds(context, tgts[i]);
|
krb5_free_creds(context, tgts[i]);
|
||||||
}
|
}
|
||||||
free(tgts);
|
free(tgts);
|
||||||
|
|
||||||
|
/* We don't yet have TGS w/ FAST, so we can't protect KBR-ERRORs */
|
||||||
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN &&
|
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN &&
|
||||||
!(rule_opts & KRB5_NCRO_SECURE))
|
!(rule_opts & KRB5_NCRO_USE_FAST))
|
||||||
goto next_rule;
|
goto next_rule;
|
||||||
|
|
||||||
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
|
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
|
||||||
store_cred(context, ccache, in_creds->server, *out_creds);
|
store_cred(context, ccache, in_creds->server, *out_creds);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
krb5_free_name_canon_iterator(context, name_canon_iter);
|
in_creds->server = save_princ;
|
||||||
if (ret) {
|
|
||||||
krb5_free_creds(context, res_creds);
|
krb5_free_creds(context, res_creds);
|
||||||
|
krb5_free_name_canon_iterator(context, name_canon_iter);
|
||||||
|
if (ret)
|
||||||
return not_found(context, in_creds->server, ret);
|
return not_found(context, in_creds->server, ret);
|
||||||
}
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1419,8 +1420,8 @@ krb5_get_creds(krb5_context context,
|
|||||||
krb5_creds in_creds;
|
krb5_creds in_creds;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_creds **tgts;
|
krb5_creds **tgts;
|
||||||
krb5_creds *try_creds;
|
|
||||||
krb5_creds *res_creds;
|
krb5_creds *res_creds;
|
||||||
|
krb5_const_principal try_princ = NULL;
|
||||||
krb5_name_canon_iterator name_canon_iter = NULL;
|
krb5_name_canon_iterator name_canon_iter = NULL;
|
||||||
krb5_name_canon_rule_options rule_opts;
|
krb5_name_canon_rule_options rule_opts;
|
||||||
int i;
|
int i;
|
||||||
@@ -1456,25 +1457,18 @@ krb5_get_creds(krb5_context context,
|
|||||||
options |= KRB5_TC_MATCH_KEYTYPE;
|
options |= KRB5_TC_MATCH_KEYTYPE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check for entry in ccache */
|
ret = krb5_name_canon_iterator_start(context, in_creds.server,
|
||||||
if (inprinc->name.name_type == KRB5_NT_SRV_HST_NEEDS_CANON) {
|
|
||||||
ret = check_cc(context, options, ccache, &in_creds, res_creds);
|
|
||||||
if (ret == 0) {
|
|
||||||
*out_creds = res_creds;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = krb5_name_canon_iterator_start(context, NULL, &in_creds,
|
|
||||||
&name_canon_iter);
|
&name_canon_iter);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
next_rule:
|
next_rule:
|
||||||
ret = krb5_name_canon_iterate_creds(context, &name_canon_iter, &try_creds,
|
ret = krb5_name_canon_iterate(context, &name_canon_iter, &try_princ,
|
||||||
&rule_opts);
|
&rule_opts);
|
||||||
|
in_creds.server = rk_UNCONST(try_princ);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
goto out;
|
||||||
|
|
||||||
if (name_canon_iter == NULL) {
|
if (name_canon_iter == NULL) {
|
||||||
if (options & KRB5_GC_CACHED)
|
if (options & KRB5_GC_CACHED)
|
||||||
ret = KRB5_CC_NOTFOUND;
|
ret = KRB5_CC_NOTFOUND;
|
||||||
@@ -1482,23 +1476,25 @@ next_rule:
|
|||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = check_cc(context, options, ccache, try_creds, res_creds);
|
|
||||||
|
ret = check_cc(context, options, ccache, &in_creds, res_creds);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
*out_creds = res_creds;
|
*out_creds = res_creds;
|
||||||
|
res_creds = NULL;
|
||||||
goto out;
|
goto out;
|
||||||
} else if(ret != KRB5_CC_END) {
|
} else if (ret != KRB5_CC_END) {
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(options & KRB5_GC_CACHED)
|
if (options & KRB5_GC_CACHED)
|
||||||
goto next_rule;
|
goto next_rule;
|
||||||
|
|
||||||
if (try_creds->server->name.name_type == KRB5_NT_SRV_HST)
|
if (try_princ->name.name_type == KRB5_NT_SRV_HST)
|
||||||
flags.b.canonicalize = 1;
|
flags.b.canonicalize = 1;
|
||||||
if (rule_opts & KRB5_NCRO_NO_REFERRALS)
|
if (rule_opts & KRB5_NCRO_NO_REFERRALS)
|
||||||
flags.b.canonicalize = 0;
|
flags.b.canonicalize = 0;
|
||||||
else
|
else
|
||||||
flags.b.canonicalize = (options & KRB5_GC_CANONICALIZE) ? 1 : 0;
|
flags.b.canonicalize = (options & KRB5_GC_CANONICALIZE) ? 1 : 0;
|
||||||
if(options & KRB5_GC_USER_USER) {
|
if (options & KRB5_GC_USER_USER) {
|
||||||
flags.b.enc_tkt_in_skey = 1;
|
flags.b.enc_tkt_in_skey = 1;
|
||||||
options |= KRB5_GC_NO_STORE;
|
options |= KRB5_GC_NO_STORE;
|
||||||
}
|
}
|
||||||
@@ -1513,7 +1509,7 @@ next_rule:
|
|||||||
|
|
||||||
tgts = NULL;
|
tgts = NULL;
|
||||||
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
|
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
|
||||||
try_creds, opt ? opt->self : 0,
|
&in_creds, opt ? opt->self : 0,
|
||||||
opt ? opt->ticket : 0, out_creds,
|
opt ? opt->ticket : 0, out_creds,
|
||||||
&tgts);
|
&tgts);
|
||||||
for (i = 0; tgts && tgts[i]; i++) {
|
for (i = 0; tgts && tgts[i]; i++) {
|
||||||
@@ -1523,21 +1519,20 @@ next_rule:
|
|||||||
}
|
}
|
||||||
free(tgts);
|
free(tgts);
|
||||||
|
|
||||||
|
/* We don't yet have TGS w/ FAST, so we can't protect KBR-ERRORs */
|
||||||
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN &&
|
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN &&
|
||||||
!(rule_opts & KRB5_NCRO_SECURE))
|
!(rule_opts & KRB5_NCRO_USE_FAST))
|
||||||
goto next_rule;
|
goto next_rule;
|
||||||
|
|
||||||
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
|
if (ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
|
||||||
store_cred(context, ccache, inprinc, *out_creds);
|
store_cred(context, ccache, inprinc, *out_creds);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
if (ret) {
|
|
||||||
krb5_free_creds(context, res_creds);
|
krb5_free_creds(context, res_creds);
|
||||||
ret = not_found(context, inprinc, ret);
|
|
||||||
}
|
|
||||||
krb5_free_principal(context, in_creds.client);
|
krb5_free_principal(context, in_creds.client);
|
||||||
krb5_free_name_canon_iterator(context, name_canon_iter);
|
krb5_free_name_canon_iterator(context, name_canon_iter);
|
||||||
_krb5_debug(context, 5, "krb5_get_creds: ret = %d", ret);
|
if (ret)
|
||||||
|
return not_found(context, inprinc, ret);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -2747,10 +2747,22 @@ krb5_get_init_creds_keytab(krb5_context context,
|
|||||||
krb5_get_init_creds_opt *options)
|
krb5_get_init_creds_opt *options)
|
||||||
{
|
{
|
||||||
krb5_init_creds_context ctx;
|
krb5_init_creds_context ctx;
|
||||||
|
krb5_keytab_entry ktent;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
|
|
||||||
|
memset(&ktent, 0, sizeof(ktent));
|
||||||
memset(creds, 0, sizeof(*creds));
|
memset(creds, 0, sizeof(*creds));
|
||||||
|
|
||||||
|
if (strcmp(client->realm, "") == 0) {
|
||||||
|
/*
|
||||||
|
* Referral realm. We have a keytab, so pick a realm by
|
||||||
|
* matching in the keytab.
|
||||||
|
*/
|
||||||
|
ret = krb5_kt_get_entry(context, keytab, client, 0, 0, &ktent);
|
||||||
|
if (ret == 0)
|
||||||
|
client = ktent.principal;
|
||||||
|
}
|
||||||
|
|
||||||
ret = krb5_init_creds_init(context, client, NULL, NULL, start_time, options, &ctx);
|
ret = krb5_init_creds_init(context, client, NULL, NULL, start_time, options, &ctx);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2768,6 +2780,7 @@ krb5_get_init_creds_keytab(krb5_context context,
|
|||||||
krb5_process_last_request(context, options, ctx);
|
krb5_process_last_request(context, options, ctx);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
|
krb5_kt_free_entry(context, &ktent);
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
krb5_init_creds_get_creds(context, ctx, creds);
|
krb5_init_creds_get_creds(context, ctx, creds);
|
||||||
|
|
||||||
|
|||||||
@@ -519,7 +519,7 @@ krb5_kt_destroy(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
static krb5_boolean
|
static krb5_boolean
|
||||||
compare_aliseses(krb5_context context,
|
compare_aliases(krb5_context context,
|
||||||
krb5_keytab_entry *entry,
|
krb5_keytab_entry *entry,
|
||||||
krb5_const_principal principal)
|
krb5_const_principal principal)
|
||||||
{
|
{
|
||||||
@@ -555,13 +555,19 @@ krb5_kt_compare(krb5_context context,
|
|||||||
krb5_kvno vno,
|
krb5_kvno vno,
|
||||||
krb5_enctype enctype)
|
krb5_enctype enctype)
|
||||||
{
|
{
|
||||||
if(principal != NULL &&
|
/* krb5_principal_compare() does not special-case the referral realm */
|
||||||
|
if (principal != NULL && strcmp(principal->realm, "") == 0 &&
|
||||||
|
!(krb5_principal_compare_any_realm(context, entry->principal, principal) ||
|
||||||
|
compare_aliases(context, entry, principal))) {
|
||||||
|
return FALSE;
|
||||||
|
} else if (principal != NULL && strcmp(principal->realm, "") != 0 &&
|
||||||
!(krb5_principal_compare(context, entry->principal, principal) ||
|
!(krb5_principal_compare(context, entry->principal, principal) ||
|
||||||
compare_aliseses(context, entry, principal)))
|
compare_aliases(context, entry, principal))) {
|
||||||
return FALSE;
|
return FALSE;
|
||||||
if(vno && vno != entry->vno)
|
}
|
||||||
|
if (vno && vno != entry->vno)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
if(enctype && enctype != entry->keyblock.keytype)
|
if (enctype && enctype != entry->keyblock.keytype)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
@@ -674,23 +680,26 @@ krb5_kt_get_entry(krb5_context context,
|
|||||||
krb5_keytab_entry *entry)
|
krb5_keytab_entry *entry)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_principal try_princ;
|
krb5_const_principal try_princ;
|
||||||
krb5_name_canon_iterator name_canon_iter;
|
krb5_name_canon_iterator name_canon_iter;
|
||||||
|
|
||||||
if (!principal || principal->name.name_type != KRB5_NT_SRV_HST_NEEDS_CANON)
|
if (!principal)
|
||||||
return krb5_kt_get_entry_wrapped(context, id, principal, kvno, enctype,
|
return krb5_kt_get_entry_wrapped(context, id, principal, kvno, enctype,
|
||||||
entry);
|
entry);
|
||||||
|
|
||||||
ret = krb5_name_canon_iterator_start(context, principal, NULL,
|
ret = krb5_name_canon_iterator_start(context, principal, &name_canon_iter);
|
||||||
&name_canon_iter);
|
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
do {
|
do {
|
||||||
ret = krb5_name_canon_iterate_princ(context, &name_canon_iter,
|
ret = krb5_name_canon_iterate(context, &name_canon_iter, &try_princ,
|
||||||
&try_princ, NULL);
|
NULL);
|
||||||
if (ret)
|
if (ret)
|
||||||
break;
|
break;
|
||||||
|
if (try_princ == NULL) {
|
||||||
|
ret = KRB5_KT_NOTFOUND;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
ret = krb5_kt_get_entry_wrapped(context, id, try_princ, kvno,
|
ret = krb5_kt_get_entry_wrapped(context, id, try_princ, kvno,
|
||||||
enctype, entry);
|
enctype, entry);
|
||||||
} while (ret == KRB5_KT_NOTFOUND && name_canon_iter);
|
} while (ret == KRB5_KT_NOTFOUND && name_canon_iter);
|
||||||
|
|||||||
@@ -926,10 +926,13 @@ typedef enum krb5_name_canon_rule_options {
|
|||||||
KRB5_NCRO_GC_ONLY = 1 << 0,
|
KRB5_NCRO_GC_ONLY = 1 << 0,
|
||||||
KRB5_NCRO_USE_REFERRALS = 1 << 1,
|
KRB5_NCRO_USE_REFERRALS = 1 << 1,
|
||||||
KRB5_NCRO_NO_REFERRALS = 1 << 2,
|
KRB5_NCRO_NO_REFERRALS = 1 << 2,
|
||||||
KRB5_NCRO_SECURE = 1 << 2
|
KRB5_NCRO_USE_FAST = 1 << 3,
|
||||||
|
KRB5_NCRO_USE_DNSSEC = 1 << 4,
|
||||||
|
KRB5_NCRO_LOOKUP_REALM = 1 << 5
|
||||||
} krb5_name_canon_rule_options;
|
} krb5_name_canon_rule_options;
|
||||||
|
|
||||||
typedef struct krb5_name_canon_rule_data *krb5_name_canon_rule;
|
typedef struct krb5_name_canon_rule_data *krb5_name_canon_rule;
|
||||||
|
typedef const struct krb5_name_canon_rule_data *krb5_const_name_canon_rule;
|
||||||
typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
|
typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
@@ -308,6 +308,7 @@ typedef struct krb5_context_data {
|
|||||||
hx509_context hx509ctx;
|
hx509_context hx509ctx;
|
||||||
#endif
|
#endif
|
||||||
unsigned int num_kdc_requests;
|
unsigned int num_kdc_requests;
|
||||||
|
krb5_name_canon_rule name_canon_rules;
|
||||||
} krb5_context_data;
|
} krb5_context_data;
|
||||||
|
|
||||||
#ifndef KRB5_USE_PATH_TOKENS
|
#ifndef KRB5_USE_PATH_TOKENS
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -5,7 +5,7 @@
|
|||||||
name_canon_rules = as-is:realm=TEST.H5L.SE
|
name_canon_rules = as-is:realm=TEST.H5L.SE
|
||||||
name_canon_rules = as-is:realm=TEST2.H5L.SE
|
name_canon_rules = as-is:realm=TEST2.H5L.SE
|
||||||
name_canon_rules = as-is:realm=TEST3.H5L.SE
|
name_canon_rules = as-is:realm=TEST3.H5L.SE
|
||||||
name_canon_rules = use-resolver-searchlist
|
name_canon_rules = nss
|
||||||
|
|
||||||
[appdefaults]
|
[appdefaults]
|
||||||
pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
|
pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
|
||||||
|
|||||||
Reference in New Issue
Block a user