Merge remote branch 'h-github/master' into win32-port2

* h-github/master: (64 commits) refix socket wrappers with rk_ Patch from Secure Endpoints/Asanka Herath for windows support unset KRB5CCNAME its really just LIBADD more most of them correct quoting Use -lpthread for modern freebsd instead clean KRB5CCNAME and KRB5_CONFIG, require test to reset them more up ${env_setup} use PTHREADS_LIBADD for freebsd6 and newer add PTHREAD_LIBADD add PTHREAD_LIBADD add PTHREAD_LIBADD switch to PTHREADS_LIBADD log what the error string say too More debug logging sprinkle more 'echo "test failed"' sprinkle 'echo "test failed"' use calloc(), indent more prettier in sh, equal compare is really = for strings, not == Check for duplicates, already loaded mechs ... Conflicts (resolved): lib/krb5/auth_context.c lib/krb5/changepw.c lib/krb5/context.c lib/krb5/error_string.c lib/krb5/kuserok.c lib/krb5/libkrb5-exports.def.in lib/krb5/net_write.c lib/krb5/store_fd.c lib/krb5/test_cc.c lib/roken/strerror_r.c
2009-12-21 13:44:00 -05:00
parent 94bf68aaae d1d0de730d
commit a0ae9f5a0e
52 changed files with 529 additions and 272 deletions
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -207,9 +207,9 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
    int32_t seq_number;
    int is_cfx = 0;

-    krb5_auth_getremoteseqnumber (context,
-				  ctx->auth_context,
-				  &seq_number);
+    krb5_auth_con_getremoteseqnumber (context,
+				      ctx->auth_context,
+				      &seq_number);

    _gsskrb5i_is_cfx(context, ctx, 1);
    is_cfx = (ctx->more_flags & IS_CFX);
@@ -669,9 +669,9 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
 	    return GSS_S_FAILURE;
 	}

-	kret = krb5_auth_getremoteseqnumber(context,
-					    ctx->auth_context,
-					    &r_seq_number);
+	kret = krb5_auth_con_getremoteseqnumber(context,
+						ctx->auth_context,
+						&r_seq_number);
 	if (kret) {
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
@@ -749,9 +749,9 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
    {
 	int32_t tmp_r_seq_number, tmp_l_seq_number;

-	kret = krb5_auth_getremoteseqnumber(context,
-					    ctx->auth_context,
-					    &tmp_r_seq_number);
+	kret = krb5_auth_con_getremoteseqnumber(context,
+						ctx->auth_context,
+						&tmp_r_seq_number);
 	if (kret) {
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
--- a/lib/gssapi/krb5/acquire_cred.c
+++ b/lib/gssapi/krb5/acquire_cred.c
@@ -339,7 +339,7 @@ OM_uint32 _gsskrb5_acquire_cred

    if (desired_name != GSS_C_NO_NAME) {

-	ret = _gsskrb5_canon_name(minor_status, context, 0, NULL,
+	ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
 				  desired_name, &handle->principal);
 	if (ret) {
 	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -255,7 +255,7 @@ gsskrb5_initiator_ready(
 	krb5_cc_close(context, ctx->ccache);
    ctx->ccache = NULL;

-    krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number);
+    krb5_auth_con_getremoteseqnumber (context, ctx->auth_context, &seq_number);

    _gsskrb5i_is_cfx(context, ctx, 0);
    is_cfx = (ctx->more_flags & IS_CFX);
@@ -782,7 +782,7 @@ repl_mutual
 	 * for the gss_wrap calls.
 	 */

-	krb5_auth_getremoteseqnumber(context, ctx->auth_context, &remote_seq);
+	krb5_auth_con_getremoteseqnumber(context, ctx->auth_context, &remote_seq);
 	krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &local_seq);
 	krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, remote_seq);

--- a/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -302,9 +302,9 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
    if (ret) goto out;
    ret = krb5_store_uint32(sp, (uint32_t)number);
    if (ret) goto out;
-    krb5_auth_getremoteseqnumber (context,
-				  context_handle->auth_context,
-				  &number);
+    krb5_auth_con_getremoteseqnumber (context,
+				      context_handle->auth_context,
+				      &number);
    ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
    if (ret) goto out;
    ret = krb5_store_uint32(sp, (uint32_t)number);
--- a/lib/gssapi/mech/gss_mech_switch.c
+++ b/lib/gssapi/mech/gss_mech_switch.c
@@ -176,9 +176,9 @@ add_builtin(gssapi_mech_interface mech)
    if (mech == NULL)
 	return 0;

-    m = malloc(sizeof(*m));
+    m = calloc(1, sizeof(*m));
    if (m == NULL)
-	return 1;
+	return ENOMEM;
    m->gm_so = NULL;
    m->gm_mech = *mech;
    m->gm_mech_oid = mech->gm_mech_oid; /* XXX */
@@ -187,12 +187,12 @@ add_builtin(gssapi_mech_interface mech)

    /* pick up the oid sets of names */

-    if (m->gm_mech.gm_inquire_names_for_mech) {
+    if (m->gm_mech.gm_inquire_names_for_mech)
 	(*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
 	    &m->gm_mech.gm_mech_oid, &m->gm_name_types);
-    } else {
+
+    if (m->gm_name_types == NULL)
 	gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
-    }

    SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
    return 0;
@@ -211,6 +211,8 @@ _gss_load_mech(void)
 	char		*name, *oid, *lib, *kobj;
 	struct _gss_mech_switch *m;
 	void		*so;
+	gss_OID_desc	mech_oid;
+	int		found;


 	HEIMDAL_MUTEX_lock(&_gss_mech_mutex);
@@ -253,6 +255,23 @@ _gss_load_mech(void)
 		if (!name || !oid || !lib || !kobj)
 			continue;

+		if (_gss_string_to_oid(oid, &mech_oid))
+			continue;
+
+		/*
+		 * Check for duplicates, already loaded mechs.
+		 */
+		found = 0;
+		SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+			if (gss_oid_equal(&m->gm_mech.gm_mech_oid, &mech_oid)) {
+				found = 1;
+				free(mech_oid.elements);
+				break;
+			}
+		}
+		if (found)
+			continue;
+
 #ifndef RTLD_LOCAL
 #define RTLD_LOCAL 0
 #endif
@@ -260,17 +279,17 @@ _gss_load_mech(void)
 		so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL);
 		if (!so) {
 /*			fprintf(stderr, "dlopen: %s\n", dlerror()); */
+			free(mech_oid.elements);
 			continue;
 		}

 		m = malloc(sizeof(*m));
-		if (!m)
+		if (!m) {
+			free(mech_oid.elements);
 			break;
-		m->gm_so = so;
-		if (_gss_string_to_oid(oid, &m->gm_mech.gm_mech_oid)) {
-			free(m);
-			continue;
 		}
+		m->gm_so = so;
+		m->gm_mech.gm_mech_oid = mech_oid;
 		m->gm_mech.gm_flags = 0;
 		
 		major_status = gss_add_oid_set_member(&minor_status,
--- a/lib/gssapi/test_context.c
+++ b/lib/gssapi/test_context.c
@@ -43,6 +43,7 @@
 static char *type_string;
 static char *mech_string;
 static char *ret_mech_string;
+static char *client_name;
 static int dns_canon_flag = -1;
 static int mutual_auth_flag = 0;
 static int dce_style_flag = 0;
@@ -58,10 +59,14 @@ static char *session_enctype_string = NULL;
 static int client_time_offset = 0;
 static int server_time_offset = 0;
 static int max_loops = 0;
+static char *limit_enctype_string = NULL;
 static int version_flag = 0;
 static int verbose_flag = 0;
 static int help_flag	= 0;

+static krb5_context context;
+static krb5_enctype limit_enctype = 0;
+
 static struct {
    const char *name;
    gss_OID *oid;
@@ -452,6 +457,8 @@ static struct getargs args[] = {
    {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag,
     "use dns to canonicalize", NULL },
    {"mutual-auth",0,	arg_flag,	&mutual_auth_flag,"mutual auth", NULL },
+    {"client-name", 0,  arg_string,     &client_name, "client name", NULL },
+    {"limit-enctype",0,	arg_string,	&limit_enctype_string, "enctype", NULL },
    {"dce-style",0,	arg_flag,	&dce_style_flag, "dce-style", NULL },
    {"wrapunwrap",0,	arg_flag,	&wrapunwrap_flag, "wrap/unwrap", NULL },
    {"iov", 0, 		arg_flag,	&iov_flag, "wrap/unwrap iov", NULL },
@@ -488,10 +495,13 @@ main(int argc, char **argv)
    gss_ctx_id_t cctx, sctx;
    void *ctx;
    gss_OID nameoid, mechoid, actual_mech, actual_mech2;
-    gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
+    gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;

    setprogname(argv[0]);

+    if (krb5_init_context(&context))
+	errx(1, "krb5_init_context");
+
    cctx = sctx = GSS_C_NO_CONTEXT;

    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
@@ -531,7 +541,47 @@ main(int argc, char **argv)
    if (gsskrb5_acceptor_identity)
 	gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);

-    loop(mechoid, nameoid, argv[0], GSS_C_NO_CREDENTIAL,
+    if (client_name) {
+	gss_buffer_desc cn;
+	gss_name_t cname;
+	cn.value = client_name;
+	cn.length = strlen(client_name);
+	maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
+	if (maj_stat)
+	    errx(1, "gss_import_name: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+
+	maj_stat = gss_acquire_cred(&min_stat, cname, 0, NULL, 
+				    GSS_C_INITIATE, &client_cred, NULL, NULL);
+	if (GSS_ERROR(maj_stat))
+	    errx(1, "gss_import_name: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+	gss_release_name(&min_stat, &cname);
+    }
+
+    if (limit_enctype_string) {
+	krb5_error_code ret;
+
+	ret = krb5_string_to_enctype(context,
+				     limit_enctype_string,
+				     &limit_enctype);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_string_to_enctype");
+    }
+
+
+    if (limit_enctype) {
+	if (client_cred == NULL)
+	    errx(1, "client_cred missing");
+
+	maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
+						   1, &limit_enctype); 
+	if (maj_stat)
+	    errx(1, "gss_krb5_set_allowable_enctypes: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    }
+
+    loop(mechoid, nameoid, argv[0], client_cred,
 	 &sctx, &cctx, &actual_mech, &deleg_cred);

    if (verbose_flag)
@@ -549,7 +599,6 @@ main(int argc, char **argv)

    /* XXX should be actual_mech */
    if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
-	krb5_context context;
 	time_t time;
 	gss_buffer_desc authz_data;
 	gss_buffer_desc in, out1, out2;
@@ -557,10 +606,6 @@ main(int argc, char **argv)
 	krb5_timestamp now;
 	krb5_error_code ret;

-	ret = krb5_init_context(&context);
-	if (ret)
-	    errx(1, "krb5_init_context");
-
 	ret = krb5_timeofday(context, &now);
 	if (ret)
 	    errx(1, "krb5_timeofday failed");
@@ -624,6 +669,8 @@ main(int argc, char **argv)

 	if (maj_stat != GSS_S_COMPLETE)
 	    keyblock = NULL;
+	else if (limit_enctype && keyblock->keytype != limit_enctype)
+	    errx(1, "gsskrb5_get_subkey wrong enctype");
 	
 	maj_stat = gsskrb5_get_subkey(&min_stat,
 				      cctx,
@@ -635,6 +682,8 @@ main(int argc, char **argv)

 	if (maj_stat != GSS_S_COMPLETE)
 	    keyblock2 = NULL;
+	else if (limit_enctype && keyblock->keytype != limit_enctype)
+	    errx(1, "gsskrb5_get_subkey wrong enctype");

 	if (keyblock || keyblock2) {
 	    if (keyblock == NULL)
@@ -679,8 +728,12 @@ main(int argc, char **argv)
 	    errx(1, "gsskrb5_get_initiator_subkey failed: %s",
 		     gssapi_err(maj_stat, min_stat, actual_mech));

-	if (maj_stat == GSS_S_COMPLETE)
+	if (maj_stat == GSS_S_COMPLETE) {
+
+	    if (limit_enctype && keyblock->keytype != limit_enctype)
+		errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
 	    krb5_free_keyblock(context, keyblock);
+	}

 	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
 							       sctx,
@@ -689,8 +742,6 @@ main(int argc, char **argv)
 	if (maj_stat == GSS_S_COMPLETE)
 	    gss_release_buffer(&min_stat, &authz_data);

-	krb5_free_context(context);
-

 	memset(&out1, 0, sizeof(out1));
 	memset(&out2, 0, sizeof(out2));
@@ -866,8 +917,9 @@ main(int argc, char **argv)

    }

-
    empty_release();
+    
+    krb5_free_context(context);

    return 0;
 }