oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

handle acceptor asserted subkey

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13519 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2004-03-14 16:31:02 +00:00
parent b521a2fb43
commit fb53d3762e
6 changed files with 132 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
lib/gssapi/accept_sec_context.c
View File

@@ -67,6 +67,44 @@ gsskrb5_register_acceptor_identity (const char *identity)
return GSS_S_COMPLETE; return GSS_S_COMPLETE;
} }
void
gsskrb5_is_cfx(gss_ctx_id_t context_handle, int *is_cfx)
{
krb5_keyblock *key;
int acceptor = (context_handle->more_flags & LOCAL) == 0;
if (acceptor) {
if (context_handle->auth_context->local_subkey)
key = context_handle->auth_context->local_subkey;
else
key = context_handle->auth_context->remote_subkey;
} else {
if (context_handle->auth_context->remote_subkey)
key = context_handle->auth_context->remote_subkey;
else
key = context_handle->auth_context->local_subkey;
}
if (key == NULL)
key = context_handle->auth_context->keyblock;
if (key == NULL)
return;
switch (key->keytype) {
case KEYTYPE_DES :
case KEYTYPE_ARCFOUR:
case KEYTYPE_DES3 :
break;
default :
*is_cfx = 1;
if ((acceptor && context_handle->auth_context->local_subkey) ||
(!acceptor && context_handle->auth_context->remote_subkey))
context_handle->more_flags |= ACCEPTOR_SUBKEY;
break;
}
}
static OM_uint32 static OM_uint32
gsskrb5_accept_sec_context gsskrb5_accept_sec_context
(OM_uint32 * minor_status, (OM_uint32 * minor_status,
@@ -91,6 +129,7 @@ gsskrb5_accept_sec_context
krb5_keytab keytab = NULL; krb5_keytab keytab = NULL;
krb5_data fwd_data; krb5_data fwd_data;
OM_uint32 minor; OM_uint32 minor;
int is_cfx = 0;
GSSAPI_KRB5_INIT(); GSSAPI_KRB5_INIT();
@@ -355,12 +394,10 @@ gsskrb5_accept_sec_context
goto end_fwd; goto end_fwd;
} }
krb5_auth_con_getflags(gssapi_krb5_context, krb5_auth_con_removeflags(gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
&ac_flags); KRB5_AUTH_CONTEXT_DO_TIME,
krb5_auth_con_setflags(gssapi_krb5_context, &ac_flags);
(*context_handle)->auth_context,
ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
kret = krb5_rd_cred2(gssapi_krb5_context, kret = krb5_rd_cred2(gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
ccache, ccache,
@@ -397,9 +434,19 @@ gsskrb5_accept_sec_context
goto failure; goto failure;
} }
gsskrb5_is_cfx(*context_handle, &is_cfx);
if(flags & GSS_C_MUTUAL_FLAG) { if(flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf; krb5_data outbuf;
if (is_cfx) {
kret = krb5_auth_con_addflags(gssapi_krb5_context,
(*context_handle)->auth_context,
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
(*context_handle)->more_flags |= ACCEPTOR_SUBKEY;
}
kret = krb5_mk_rep (gssapi_krb5_context, kret = krb5_mk_rep (gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
&outbuf); &outbuf);
@@ -435,7 +482,7 @@ gsskrb5_accept_sec_context
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f(flags), gssapi_msg_order_f(flags),
seq_number, 0); seq_number, 0, is_cfx);
if (ret) if (ret)
goto failure; goto failure;

5
lib/gssapi/import_sec_context.c
View File

@@ -54,6 +54,7 @@ gss_import_sec_context (
int32_t tmp; int32_t tmp;
int32_t flags; int32_t flags;
OM_uint32 minor; OM_uint32 minor;
int is_cfx = 0;
GSSAPI_KRB5_INIT (); GSSAPI_KRB5_INIT ();
@@ -194,10 +195,12 @@ gss_import_sec_context (
else else
(*context_handle)->lifetime = GSS_C_INDEFINITE; (*context_handle)->lifetime = GSS_C_INDEFINITE;
gsskrb5_is_cfx(*context_handle, &is_cfx);
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f((*context_handle)->flags), gssapi_msg_order_f((*context_handle)->flags),
0, 0); 0, 0, is_cfx);
if (ret) if (ret)
goto failure; goto failure;

10
lib/gssapi/init_sec_context.c
View File

@@ -431,15 +431,18 @@ init_auth
return GSS_S_CONTINUE_NEEDED; return GSS_S_CONTINUE_NEEDED;
} else { } else {
int32_t seq_number; int32_t seq_number;
int is_cfx = 0;
krb5_auth_getremoteseqnumber (gssapi_krb5_context, krb5_auth_getremoteseqnumber (gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
&seq_number); &seq_number);
gsskrb5_is_cfx(*context_handle, &is_cfx);
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f(flags), gssapi_msg_order_f(flags),
seq_number, 0); seq_number, 0, is_cfx);
if (ret) if (ret)
goto failure; goto failure;
@@ -493,6 +496,7 @@ repl_mutual
krb5_error_code kret; krb5_error_code kret;
krb5_data indata; krb5_data indata;
krb5_ap_rep_enc_part *repl; krb5_ap_rep_enc_part *repl;
int is_cfx = 0;
output_token->length = 0; output_token->length = 0;
output_token->value = NULL; output_token->value = NULL;
@@ -527,10 +531,12 @@ repl_mutual
(*context_handle)->auth_context, (*context_handle)->auth_context,
&seq_number); &seq_number);
gsskrb5_is_cfx(*context_handle, &is_cfx);
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f((*context_handle)->flags), gssapi_msg_order_f((*context_handle)->flags),
seq_number, 0); seq_number, 0, is_cfx);
if (ret) { if (ret) {
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
return ret; return ret;

61
lib/gssapi/krb5/accept_sec_context.c
View File

@@ -67,6 +67,44 @@ gsskrb5_register_acceptor_identity (const char *identity)
return GSS_S_COMPLETE; return GSS_S_COMPLETE;
} }
void
gsskrb5_is_cfx(gss_ctx_id_t context_handle, int *is_cfx)
{
krb5_keyblock *key;
int acceptor = (context_handle->more_flags & LOCAL) == 0;
if (acceptor) {
if (context_handle->auth_context->local_subkey)
key = context_handle->auth_context->local_subkey;
else
key = context_handle->auth_context->remote_subkey;
} else {
if (context_handle->auth_context->remote_subkey)
key = context_handle->auth_context->remote_subkey;
else
key = context_handle->auth_context->local_subkey;
}
if (key == NULL)
key = context_handle->auth_context->keyblock;
if (key == NULL)
return;
switch (key->keytype) {
case KEYTYPE_DES :
case KEYTYPE_ARCFOUR:
case KEYTYPE_DES3 :
break;
default :
*is_cfx = 1;
if ((acceptor && context_handle->auth_context->local_subkey) ||
(!acceptor && context_handle->auth_context->remote_subkey))
context_handle->more_flags |= ACCEPTOR_SUBKEY;
break;
}
}
static OM_uint32 static OM_uint32
gsskrb5_accept_sec_context gsskrb5_accept_sec_context
(OM_uint32 * minor_status, (OM_uint32 * minor_status,
@@ -91,6 +129,7 @@ gsskrb5_accept_sec_context
krb5_keytab keytab = NULL; krb5_keytab keytab = NULL;
krb5_data fwd_data; krb5_data fwd_data;
OM_uint32 minor; OM_uint32 minor;
int is_cfx = 0;
GSSAPI_KRB5_INIT(); GSSAPI_KRB5_INIT();
@@ -355,12 +394,10 @@ gsskrb5_accept_sec_context
goto end_fwd; goto end_fwd;
} }
krb5_auth_con_getflags(gssapi_krb5_context, krb5_auth_con_removeflags(gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
&ac_flags); KRB5_AUTH_CONTEXT_DO_TIME,
krb5_auth_con_setflags(gssapi_krb5_context, &ac_flags);
(*context_handle)->auth_context,
ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
kret = krb5_rd_cred2(gssapi_krb5_context, kret = krb5_rd_cred2(gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
ccache, ccache,
@@ -397,9 +434,19 @@ gsskrb5_accept_sec_context
goto failure; goto failure;
} }
gsskrb5_is_cfx(*context_handle, &is_cfx);
if(flags & GSS_C_MUTUAL_FLAG) { if(flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf; krb5_data outbuf;
if (is_cfx) {
kret = krb5_auth_con_addflags(gssapi_krb5_context,
(*context_handle)->auth_context,
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
(*context_handle)->more_flags |= ACCEPTOR_SUBKEY;
}
kret = krb5_mk_rep (gssapi_krb5_context, kret = krb5_mk_rep (gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
&outbuf); &outbuf);
@@ -435,7 +482,7 @@ gsskrb5_accept_sec_context
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f(flags), gssapi_msg_order_f(flags),
seq_number, 0); seq_number, 0, is_cfx);
if (ret) if (ret)
goto failure; goto failure;

5
lib/gssapi/krb5/import_sec_context.c
View File

@@ -54,6 +54,7 @@ gss_import_sec_context (
int32_t tmp; int32_t tmp;
int32_t flags; int32_t flags;
OM_uint32 minor; OM_uint32 minor;
int is_cfx = 0;
GSSAPI_KRB5_INIT (); GSSAPI_KRB5_INIT ();
@@ -194,10 +195,12 @@ gss_import_sec_context (
else else
(*context_handle)->lifetime = GSS_C_INDEFINITE; (*context_handle)->lifetime = GSS_C_INDEFINITE;
gsskrb5_is_cfx(*context_handle, &is_cfx);
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f((*context_handle)->flags), gssapi_msg_order_f((*context_handle)->flags),
0, 0); 0, 0, is_cfx);
if (ret) if (ret)
goto failure; goto failure;

10
lib/gssapi/krb5/init_sec_context.c
View File

@@ -431,15 +431,18 @@ init_auth
return GSS_S_CONTINUE_NEEDED; return GSS_S_CONTINUE_NEEDED;
} else { } else {
int32_t seq_number; int32_t seq_number;
int is_cfx = 0;
krb5_auth_getremoteseqnumber (gssapi_krb5_context, krb5_auth_getremoteseqnumber (gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
&seq_number); &seq_number);
gsskrb5_is_cfx(*context_handle, &is_cfx);
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f(flags), gssapi_msg_order_f(flags),
seq_number, 0); seq_number, 0, is_cfx);
if (ret) if (ret)
goto failure; goto failure;
@@ -493,6 +496,7 @@ repl_mutual
krb5_error_code kret; krb5_error_code kret;
krb5_data indata; krb5_data indata;
krb5_ap_rep_enc_part *repl; krb5_ap_rep_enc_part *repl;
int is_cfx = 0;
output_token->length = 0; output_token->length = 0;
output_token->value = NULL; output_token->value = NULL;
@@ -527,10 +531,12 @@ repl_mutual
(*context_handle)->auth_context, (*context_handle)->auth_context,
&seq_number); &seq_number);
gsskrb5_is_cfx(*context_handle, &is_cfx);
ret = gssapi_msg_order_create(minor_status, ret = gssapi_msg_order_create(minor_status,
&(*context_handle)->order, &(*context_handle)->order,
gssapi_msg_order_f((*context_handle)->flags), gssapi_msg_order_f((*context_handle)->flags),
seq_number, 0); seq_number, 0, is_cfx);
if (ret) { if (ret) {
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
return ret; return ret;