diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-12-01 22:18:34 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:46:57 -0500 |
commit | 6913dddf644525f4bdadfb740b5bff41abe030b2 (patch) | |
tree | 5325b59915008cd16f1f5bf6ab242e8788b0b808 | |
parent | f536c4a608bc8de3a9a0fd73f4c75f3183caa547 (diff) | |
download | samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.gz samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.xz samba-6913dddf644525f4bdadfb740b5bff41abe030b2.zip |
r12000: Update to current lorikeet-heimdal, including in particular support
for referencing an existing in-MEMORY keytab (required for the new way
we push that to GSSAPI).
Andrew Bartlett
(This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)
-rw-r--r-- | source4/heimdal/lib/gssapi/acquire_cred.c | 13 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi_locl.h | 1 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/release_cred.c | 4 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/db.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb-protos.h | 362 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.c | 30 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/ndbm.c | 4 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/cache.c | 5 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/keytab_memory.c | 66 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-protos.h | 18 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5.h | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_req.c | 23 |
12 files changed, 504 insertions, 26 deletions
diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/acquire_cred.c index 44dbef3c48..fa5d709a30 100644 --- a/source4/heimdal/lib/gssapi/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/acquire_cred.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: acquire_cred.c,v 1.25 2005/11/02 08:56:25 lha Exp $"); +RCSID("$Id: acquire_cred.c,v 1.27 2005/12/01 16:26:02 lha Exp $"); OM_uint32 _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, @@ -245,6 +245,17 @@ static OM_uint32 acquire_acceptor_cred kret = get_keytab(context, &handle->keytab); if (kret) goto end; + + /* check that the requested principal exists in the keytab */ + if (handle->principal) { + krb5_keytab_entry entry; + + kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab, + handle->principal, 0, 0, &entry); + if (kret) + goto end; + krb5_kt_free_entry(gssapi_krb5_context, &entry); + } ret = GSS_S_COMPLETE; end: diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h index b9bea7db2e..bd5d0db2b5 100644 --- a/source4/heimdal/lib/gssapi/gssapi_locl.h +++ b/source4/heimdal/lib/gssapi/gssapi_locl.h @@ -81,7 +81,6 @@ typedef struct gss_cred_id_t_desc_struct { gss_name_t principal; int cred_flags; #define GSS_CF_DESTROY_CRED_ON_RELEASE 1 - krb5_boolean made_keytab; struct krb5_keytab_data *keytab; OM_uint32 lifetime; gss_cred_usage_t usage; diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/release_cred.c index cca3dfe379..fc9fc3fc01 100644 --- a/source4/heimdal/lib/gssapi/release_cred.c +++ b/source4/heimdal/lib/gssapi/release_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -52,7 +52,7 @@ OM_uint32 gss_release_cred if ((*cred_handle)->principal != NULL) krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal); - if ((*cred_handle)->made_keytab) + if ((*cred_handle)->keytab != NULL) krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab); if ((*cred_handle)->ccache != NULL) { const krb5_cc_ops *ops; diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c index b9f1ab47e1..4cc0218a5c 100644 --- a/source4/heimdal/lib/hdb/db.c +++ b/source4/heimdal/lib/hdb/db.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h index f7e0c54b7c..4b5b4d3ede 100644 --- a/source4/heimdal/lib/hdb/hdb-protos.h +++ b/source4/heimdal/lib/hdb/hdb-protos.h @@ -8,6 +8,317 @@ extern "C" { #endif +unsigned +HDBFlags2int (HDBFlags /*f*/); + +int +copy_Event ( + const Event */*from*/, + Event */*to*/); + +int +copy_GENERATION ( + const GENERATION */*from*/, + GENERATION */*to*/); + +int +copy_HDBFlags ( + const HDBFlags */*from*/, + HDBFlags */*to*/); + +int +copy_HDB_Ext_Aliases ( + const HDB_Ext_Aliases */*from*/, + HDB_Ext_Aliases */*to*/); + +int +copy_HDB_Ext_Constrained_delegation_acl ( + const HDB_Ext_Constrained_delegation_acl */*from*/, + HDB_Ext_Constrained_delegation_acl */*to*/); + +int +copy_HDB_Ext_Lan_Manager_OWF ( + const HDB_Ext_Lan_Manager_OWF */*from*/, + HDB_Ext_Lan_Manager_OWF */*to*/); + +int +copy_HDB_Ext_PKINIT_acl ( + const HDB_Ext_PKINIT_acl */*from*/, + HDB_Ext_PKINIT_acl */*to*/); + +int +copy_HDB_Ext_PKINIT_certificate ( + const HDB_Ext_PKINIT_certificate */*from*/, + HDB_Ext_PKINIT_certificate */*to*/); + +int +copy_HDB_Ext_Password ( + const HDB_Ext_Password */*from*/, + HDB_Ext_Password */*to*/); + +int +copy_HDB_extension ( + const HDB_extension */*from*/, + HDB_extension */*to*/); + +int +copy_HDB_extensions ( + const HDB_extensions */*from*/, + HDB_extensions */*to*/); + +int +copy_Key ( + const Key */*from*/, + Key */*to*/); + +int +copy_Salt ( + const Salt */*from*/, + Salt */*to*/); + +int +copy_hdb_entry ( + const hdb_entry */*from*/, + hdb_entry */*to*/); + +int +decode_Event ( + const unsigned char */*p*/, + size_t /*len*/, + Event */*data*/, + size_t */*size*/); + +int +decode_GENERATION ( + const unsigned char */*p*/, + size_t /*len*/, + GENERATION */*data*/, + size_t */*size*/); + +int +decode_HDBFlags ( + const unsigned char */*p*/, + size_t /*len*/, + HDBFlags */*data*/, + size_t */*size*/); + +int +decode_HDB_Ext_Aliases ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_Ext_Aliases */*data*/, + size_t */*size*/); + +int +decode_HDB_Ext_Constrained_delegation_acl ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_Ext_Constrained_delegation_acl */*data*/, + size_t */*size*/); + +int +decode_HDB_Ext_Lan_Manager_OWF ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_Ext_Lan_Manager_OWF */*data*/, + size_t */*size*/); + +int +decode_HDB_Ext_PKINIT_acl ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_Ext_PKINIT_acl */*data*/, + size_t */*size*/); + +int +decode_HDB_Ext_PKINIT_certificate ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_Ext_PKINIT_certificate */*data*/, + size_t */*size*/); + +int +decode_HDB_Ext_Password ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_Ext_Password */*data*/, + size_t */*size*/); + +int +decode_HDB_extension ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_extension */*data*/, + size_t */*size*/); + +int +decode_HDB_extensions ( + const unsigned char */*p*/, + size_t /*len*/, + HDB_extensions */*data*/, + size_t */*size*/); + +int +decode_Key ( + const unsigned char */*p*/, + size_t /*len*/, + Key */*data*/, + size_t */*size*/); + +int +decode_Salt ( + const unsigned char */*p*/, + size_t /*len*/, + Salt */*data*/, + size_t */*size*/); + +int +decode_hdb_entry ( + const unsigned char */*p*/, + size_t /*len*/, + hdb_entry */*data*/, + size_t */*size*/); + +int +encode_Event ( + unsigned char */*p*/, + size_t /*len*/, + const Event */*data*/, + size_t */*size*/); + +int +encode_GENERATION ( + unsigned char */*p*/, + size_t /*len*/, + const GENERATION */*data*/, + size_t */*size*/); + +int +encode_HDBFlags ( + unsigned char */*p*/, + size_t /*len*/, + const HDBFlags */*data*/, + size_t */*size*/); + +int +encode_HDB_Ext_Aliases ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_Ext_Aliases */*data*/, + size_t */*size*/); + +int +encode_HDB_Ext_Constrained_delegation_acl ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_Ext_Constrained_delegation_acl */*data*/, + size_t */*size*/); + +int +encode_HDB_Ext_Lan_Manager_OWF ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_Ext_Lan_Manager_OWF */*data*/, + size_t */*size*/); + +int +encode_HDB_Ext_PKINIT_acl ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_Ext_PKINIT_acl */*data*/, + size_t */*size*/); + +int +encode_HDB_Ext_PKINIT_certificate ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_Ext_PKINIT_certificate */*data*/, + size_t */*size*/); + +int +encode_HDB_Ext_Password ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_Ext_Password */*data*/, + size_t */*size*/); + +int +encode_HDB_extension ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_extension */*data*/, + size_t */*size*/); + +int +encode_HDB_extensions ( + unsigned char */*p*/, + size_t /*len*/, + const HDB_extensions */*data*/, + size_t */*size*/); + +int +encode_Key ( + unsigned char */*p*/, + size_t /*len*/, + const Key */*data*/, + size_t */*size*/); + +int +encode_Salt ( + unsigned char */*p*/, + size_t /*len*/, + const Salt */*data*/, + size_t */*size*/); + +int +encode_hdb_entry ( + unsigned char */*p*/, + size_t /*len*/, + const hdb_entry */*data*/, + size_t */*size*/); + +void +free_Event (Event */*data*/); + +void +free_GENERATION (GENERATION */*data*/); + +void +free_HDBFlags (HDBFlags */*data*/); + +void +free_HDB_Ext_Aliases (HDB_Ext_Aliases */*data*/); + +void +free_HDB_Ext_Constrained_delegation_acl (HDB_Ext_Constrained_delegation_acl */*data*/); + +void +free_HDB_Ext_Lan_Manager_OWF (HDB_Ext_Lan_Manager_OWF */*data*/); + +void +free_HDB_Ext_PKINIT_acl (HDB_Ext_PKINIT_acl */*data*/); + +void +free_HDB_Ext_PKINIT_certificate (HDB_Ext_PKINIT_certificate */*data*/); + +void +free_HDB_Ext_Password (HDB_Ext_Password */*data*/); + +void +free_HDB_extension (HDB_extension */*data*/); + +void +free_HDB_extensions (HDB_extensions */*data*/); + +void +free_Key (Key */*data*/); + +void +free_Salt (Salt */*data*/); + +void +free_hdb_entry (hdb_entry */*data*/); + krb5_error_code hdb_add_master_key ( krb5_context /*context*/, @@ -302,6 +613,57 @@ hdb_write_master_key ( const char */*filename*/, hdb_master_key /*mkey*/); +void +initialize_hdb_error_table (void); + +void +initialize_hdb_error_table_r (struct et_list **/*list*/); + +HDBFlags +int2HDBFlags (unsigned /*n*/); + +size_t +length_Event (const Event */*data*/); + +size_t +length_GENERATION (const GENERATION */*data*/); + +size_t +length_HDBFlags (const HDBFlags */*data*/); + +size_t +length_HDB_Ext_Aliases (const HDB_Ext_Aliases */*data*/); + +size_t +length_HDB_Ext_Constrained_delegation_acl (const HDB_Ext_Constrained_delegation_acl */*data*/); + +size_t +length_HDB_Ext_Lan_Manager_OWF (const HDB_Ext_Lan_Manager_OWF */*data*/); + +size_t +length_HDB_Ext_PKINIT_acl (const HDB_Ext_PKINIT_acl */*data*/); + +size_t +length_HDB_Ext_PKINIT_certificate (const HDB_Ext_PKINIT_certificate */*data*/); + +size_t +length_HDB_Ext_Password (const HDB_Ext_Password */*data*/); + +size_t +length_HDB_extension (const HDB_extension */*data*/); + +size_t +length_HDB_extensions (const HDB_extensions */*data*/); + +size_t +length_Key (const Key */*data*/); + +size_t +length_Salt (const Salt */*data*/); + +size_t +length_hdb_entry (const hdb_entry */*data*/); + #ifdef __cplusplus } #endif diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c index e8161afbc1..df342ffadf 100644 --- a/source4/heimdal/lib/hdb/hdb.c +++ b/source4/heimdal/lib/hdb/hdb.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: hdb.c,v 1.56 2005/10/19 13:51:40 lha Exp $"); +RCSID("$Id: hdb.c,v 1.59 2005/11/30 12:22:09 lha Exp $"); #ifdef HAVE_DLFCN_H #include <dlfcn.h> @@ -53,16 +53,17 @@ static struct hdb_method methods[] = { #endif #if defined(OPENLDAP) && !defined(OPENLDAP_MODULE) {"ldap:", hdb_ldap_create}, + {"ldapi:", hdb_ldapi_create}, #endif + {NULL, NULL} +}; + #if HAVE_DB1 || HAVE_DB3 - {"", hdb_db_create}, +static struct hdb_method dbmetod = {"", hdb_db_create }; #elif defined(HAVE_NDBM) - {"", hdb_ndbm_create}, -#elif defined(OPENLDAP) && !defined(OPENLDAP_MODULE) - {"", hdb_ldap_create}, +static struct hdb_method dbmetod = {"", hdb_ndbm_create }; #endif - {NULL, NULL} -}; + krb5_error_code hdb_next_enctype2key(krb5_context context, @@ -337,11 +338,22 @@ find_method (const char *filename, const char **rest) { const struct hdb_method *h; - for (h = methods; h->prefix != NULL; ++h) + for (h = methods; h->prefix != NULL; ++h) { if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0) { *rest = filename + strlen(h->prefix); return h; } + } +#if defined(HAVE_DB1) || defined(HAVE_DB3) || defined(HAVE_NDBM) + if (strncmp(filename, "/", 1) == 0 + || strncmp(filename, "./", 2) == 0 + || strncmp(filename, "../", 3) == 0) + { + *rest = filename; + return &dbmetod; + } +#endif + return NULL; } @@ -367,8 +379,6 @@ hdb_list_builtin(krb5_context context, char **list) buf[0] = '\0'; for (h = methods; h->prefix != NULL; ++h) { - if (h->prefix[0] == '\0') - continue; if (h != methods) strlcat(buf, ", ", len); strlcat(buf, h->prefix, len); diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c index dfd5bfa8f1..793d03829d 100644 --- a/source4/heimdal/lib/hdb/ndbm.c +++ b/source4/heimdal/lib/hdb/ndbm.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: ndbm.c,v 1.35 2005/06/23 13:37:57 lha Exp $"); +RCSID("$Id: ndbm.c,v 1.36 2005/11/28 23:31:36 lha Exp $"); #if HAVE_NDBM @@ -333,7 +333,7 @@ krb5_error_code hdb_ndbm_create(krb5_context context, HDB **db, const char *filename) { - *db = malloc(sizeof(**db)); + *db = calloc(1, sizeof(**db)); if (*db == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c index 25dc2cb8c0..0c821cb11d 100644 --- a/source4/heimdal/lib/krb5/cache.c +++ b/source4/heimdal/lib/krb5/cache.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: cache.c,v 1.74 2005/11/01 09:36:41 lha Exp $"); +RCSID("$Id: cache.c,v 1.76 2005/11/29 09:10:47 lha Exp $"); /* * Add a new ccache type with operations `ops', overwriting any @@ -701,6 +701,9 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix) char *p, *p1; int i; + if (prefix[0] == '/') + return &krb5_fcc_ops; + p = strdup(prefix); if (p == NULL) { krb5_set_error_string(context, "malloc - out of memory"); diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c index 1d866fa11e..afa8f433ac 100644 --- a/source4/heimdal/lib/krb5/keytab_memory.c +++ b/source4/heimdal/lib/krb5/keytab_memory.c @@ -33,26 +33,64 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_memory.c,v 1.6 2005/05/18 04:44:40 lha Exp $"); +RCSID("$Id: keytab_memory.c,v 1.7 2005/12/01 12:40:22 lha Exp $"); /* memory operations -------------------------------------------- */ struct mkt_data { krb5_keytab_entry *entries; int num_entries; + char *name; + int refcount; + struct mkt_data *next; }; +/* this mutex protects mkt_head, ->refcount, and ->next + * content is not protected (name is static and need no protection) + */ +static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER; +static struct mkt_data *mkt_head; + + static krb5_error_code mkt_resolve(krb5_context context, const char *name, krb5_keytab id) { struct mkt_data *d; - d = malloc(sizeof(*d)); + + HEIMDAL_MUTEX_lock(&mkt_mutex); + + for (d = mkt_head; d != NULL; d = d->next) + if (strcmp(d->name, name) == 0) + break; + if (d) { + if (d->refcount < 1) + krb5_abortx(context, "Double close on memory keytab, " + "refcount < 1 %d", d->refcount); + d->refcount++; + id->data = d; + HEIMDAL_MUTEX_unlock(&mkt_mutex); + return 0; + } + + d = calloc(1, sizeof(*d)); if(d == NULL) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + d->name = strdup(name); + if (d->name == NULL) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + free(d); krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } d->entries = NULL; d->num_entries = 0; + d->refcount = 1; + d->next = mkt_head; + mkt_head = d; + HEIMDAL_MUTEX_unlock(&mkt_mutex); id->data = d; return 0; } @@ -60,8 +98,27 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id) static krb5_error_code mkt_close(krb5_context context, krb5_keytab id) { - struct mkt_data *d = id->data; + struct mkt_data *d = id->data, **dp; int i; + + HEIMDAL_MUTEX_lock(&mkt_mutex); + if (d->refcount < 1) + krb5_abortx(context, + "krb5 internal error, memory keytab refcount < 1 on close"); + + if (--d->refcount > 0) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + return 0; + } + for (dp = &mkt_head; *dp != NULL; dp = &(*dp)->next) { + if (*dp == d) { + *dp = d->next; + break; + } + } + HEIMDAL_MUTEX_unlock(&mkt_mutex); + + free(d->name); for(i = 0; i < d->num_entries; i++) krb5_kt_free_entry(context, &d->entries[i]); free(d->entries); @@ -75,7 +132,8 @@ mkt_get_name(krb5_context context, char *name, size_t namesize) { - strlcpy(name, "", namesize); + struct mkt_data *d = id->data; + strlcpy(name, d->name, namesize); return 0; } diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index 33e35ca60e..301b8853e4 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -20,6 +20,24 @@ extern "C" { #endif #endif +void +initialize_heim_error_table (void); + +void +initialize_heim_error_table_r (struct et_list **/*list*/); + +void +initialize_k524_error_table (void); + +void +initialize_k524_error_table_r (struct et_list **/*list*/); + +void +initialize_krb5_error_table (void); + +void +initialize_krb5_error_table_r (struct et_list **/*list*/); + krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc ( krb5_context /*context*/, diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index fe9a0e5e7a..adee4708e6 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.239 2005/10/12 12:39:28 lha Exp $ */ +/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 582b71db03..313c14f6e6 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $"); +RCSID("$Id: rd_req.c,v 1.61 2005/11/29 18:22:51 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -136,7 +136,11 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) int num_realms; krb5_error_code ret; - /* Windows w2k and w2k3 uses this */ + /* + * Windows 2000 and 2003 uses this inside their TGT so its normaly + * not seen by others, however, samba4 joined with a Windows AD as + * a Domain Controller gets exposed to this. + */ if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) return 0; @@ -417,6 +421,19 @@ krb5_verify_ap_req2(krb5_context context, goto out; } + /* check timestamp in authenticator */ + { + krb5_timestamp now; + + krb5_timeofday (context, &now); + + if (abs(ac->authenticator->ctime - now) > context->max_skew) { + ret = KRB5KRB_AP_ERR_SKEW; + krb5_clear_error_string (context); + goto out; + } + } + if (ac->authenticator->seq_number) krb5_auth_con_setremoteseqnumber(context, ac, *ac->authenticator->seq_number); |