author | Theodore Tso <tytso@mit.edu> | 1996-12-13 19:28:16 +0000 |
---|---|---|
committer | Theodore Tso <tytso@mit.edu> | 1996-12-13 19:28:16 +0000 |
commit | e73566996463fb1947cf80ad2e11fadce3dc0b66 (patch) | |
tree | 4c75494b8a5a0e1169c37bcac34cc0aeccda7de2 /src/lib/gssapi | |
parent | 20b3f46e04d4d0104dc971d22793011f20f2e51c (diff) | |
download | krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.tar.gz krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.tar.xz krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.zip |
Merge V1_0_FREEZE_3 into the mainline. (Note this merge does *not*
include the doc subtree!!)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9632 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r-- | src/lib/gssapi/ChangeLog | 4 | ||||
-rw-r--r-- | src/lib/gssapi/configure.in | 2 | ||||
-rw-r--r-- | src/lib/gssapi/generic/ChangeLog | 9 | ||||
-rw-r--r-- | src/lib/gssapi/generic/Makefile.in | 8 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/ChangeLog | 24 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 34 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/get_tkt_flags.c | 2 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 2 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 75 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/ser_sctx.c | 4 | ||||
-rw-r--r-- | src/lib/gssapi/mechglue/ChangeLog | 4 | ||||
-rw-r--r-- | src/lib/gssapi/mechglue/configure.in | 2 |
12 files changed, 122 insertions, 48 deletions
diff --git a/src/lib/gssapi/ChangeLog b/src/lib/gssapi/ChangeLog
index 505b5d355..b29cc371b 100644
--- a/src/lib/gssapi/ChangeLog
+++ b/src/lib/gssapi/ChangeLog
@@ -1,3 +1,7 @@ +Mon Nov 18 20:39:41 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Set shared library version to 1.0. [krb5-libs/201] + Tue Jul 23 22:50:22 1996 Theodore Y. Ts'o <tytso@mit.edu> * Makefile.in (MAC_SUBDIRS): Remove mechglue from the list of
diff --git a/src/lib/gssapi/configure.in b/src/lib/gssapi/configure.in
index 164582c64..f2bb70429 100644
--- a/src/lib/gssapi/configure.in
+++ b/src/lib/gssapi/configure.in
@@ -7,7 +7,7 @@ AC_PROG_ARCHIVE_ADD AC_PROG_RANLIB AC_PROG_INSTALL DO_SUBDIRS -V5_MAKE_SHARED_LIB(libgssapi_krb5,0.1,.., ./gssapi) +V5_MAKE_SHARED_LIB(libgssapi_krb5,1.0,.., ./gssapi) CRYPTO_SH_VERS=$krb5_cv_shlib_version_libcrypto AC_SUBST(CRYPTO_SH_VERS) COMERR_SH_VERS=$krb5_cv_shlib_version_libcom_err
diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog
index 993470825..30fd1c3c2 100644
--- a/src/lib/gssapi/generic/ChangeLog
+++ b/src/lib/gssapi/generic/ChangeLog
@@ -1,3 +1,12 @@ +Wed Nov 20 13:59:58 1996 Ezra Peisach <epeisach@mit.edu> + + * Makefile.in (install): Install gssapi.h from the build tree. + +Tue Nov 19 16:43:16 1996 Tom Yu <tlyu@mit.edu> + + * Makefile.in (gssapi.h): grep USE_.*_H out from autoconf.h as + well (some stuff was depending on USE_STRING_H). + Mon Nov 18 12:38:34 1996 Tom Yu <tlyu@mit.edu> *gssapi.h: Renamed to gssapi.hin.
diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
index 1e1aa7ebb..87b414f47 100644
--- a/src/lib/gssapi/generic/Makefile.in
+++ b/src/lib/gssapi/generic/Makefile.in
@@ -37,6 +37,7 @@ gssapi.h: gssapi.hin echo "/* It contains some choice pieces of autoconf.h */" >> $@ grep SIZEOF $(BUILDTOP)/include/krb5/autoconf.h >> $@ grep 'HAVE_.*_H' $(BUILDTOP)/include/krb5/autoconf.h >> $@ + grep 'USE_.*_H' $(BUILDTOP)/include/krb5/autoconf.h >> $@ echo "/* End of gssapi.h prologue. */" cat $(srcdir)/gssapi.hin >> $@
@@ -84,7 +85,8 @@ OBJS = \ $(OBJS): $(HDRS) $(ETHDRS) -EXPORTED_HEADERS= gssapi.h gssapi_generic.h +EXPORTED_HEADERS= gssapi_generic.h +EXPORTED_BUILT_HEADERS= gssapi.h all-unix:: shared $(SRCS) $(ETHDRS) $(OBJS)
@@ -116,5 +118,9 @@ install:: do $(INSTALL_DATA) $(srcdir)/$$f \ $(DESTDIR)$(KRB5_INCDIR)/gssapi/$$f ; \ done + @set -x; for f in $(EXPORTED_BUILT_HEADERS) ; \ + do $(INSTALL_DATA) $$f \ + $(DESTDIR)$(KRB5_INCDIR)/gssapi/$$f ; \ + done depend:: $(ETSRCS)
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index e1c1d9849..8f9ac2c0d 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -4,6 +4,30 @@ Wed Dec 4 13:06:13 1996 Barry Jaspan <bjaspan@mit.edu> instead of scanning through keytab to find matching principal [krb5-libs/210] +Wed Nov 20 19:55:29 1996 Marc Horowitz <marc@cygnus.com> + + * init_sec_context.c (make_ap_rep, krb5_gss_init_sec_context), + accept_sec_context.c (krb5_gss_accept_sec_context): fix up use of + gss flags. under some circumstances, the context would not have + checked for replay or sequencing, even if those features were + requested. + + * init_sec_context.c (make_ap_req), (krb5_gss_init_sec_context): + If delegation is requested, but forwarding the credentials fails, + instead of aborting the context setup, just don't forward + credentials. + + * gssapiP_krb5.h (krb5_gss_ctx_id_t), ser_sctx.c + (kg_ctx_externalize, kg_ctx_internalize), init_sec_context.c + (krb5_gss_init_sec_context), get_tkt_flags.c + (gss_krb5_get_tkt_flags), accept_sec_context.c + (krb5_gss_accept_sec_context): rename ctx->flags to + ctx->krb_flags, to disambiguate it from ctx->gss_flags + + * accept_sec_context.c (krb5_gss_accept_sec_context): If the subkey + isn't present in the authenticator, then use the session key + instead. + Sat Oct 19 00:38:22 1996 Theodore Y. Ts'o <tytso@mit.edu> * ser_sctx.c (kg_oid_externalize, kg_oid_internalize,
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 234606921..158983557 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -384,8 +384,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, ctx->mech_used = mech_used; ctx->auth_context = auth_context; ctx->initiate = 0; - ctx->gss_flags = GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | - (gss_flags & (GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG)); + ctx->gss_flags = KG_IMPLFLAGS(gss_flags); ctx->seed_init = 0; ctx->big_endian = bigend;
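Review bot: `ctx->gss_flags = KG_IMPLFLAGS(gss_flags);` deserves a comment, because on the acceptor side gss_flags appears to be the flag word parsed out of the initiator's authenticator checksum (that parsing is outside this hunk) and, after this commit, it drives the replay and sequence arguments of the g_order_init call later in the function, where the old mask only let MUTUAL and DELEG through. Something like `/* gss_flags is the peer's request; KG_IMPLFLAGS() keeps the flags this mechanism implements, and the replay/sequence checks below follow it */` would make that peer-driven choice explicit to the next reader. KG_IMPLFLAGS is defined outside the diff, so it is worth confirming it masks the word down to the supported set rather than passing it through unchanged. krb5_gss_accept_sec_context starts and ends outside the hunk.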
@@ -417,6 +416,29 @@ krb5_gss_accept_sec_context(minor_status, context_handle, return(GSS_S_FAILURE); } + /* use the session key if the subkey isn't present */ + + if (ctx->subkey == NULL) { + if ((code = krb5_auth_con_getkey(context, auth_context, + &ctx->subkey))) { + krb5_free_principal(context, ctx->there); + krb5_free_principal(context, ctx->here); + xfree(ctx); + *minor_status = code; + return(GSS_S_FAILURE); + } + } + + if (ctx->subkey == NULL) { + krb5_free_principal(context, ctx->there); + krb5_free_principal(context, ctx->here); + xfree(ctx); + /* this isn't a very good error, but it's not clear to me this + can actually happen */ + *minor_status = KRB5KDC_ERR_NULL_KEY; + return(GSS_S_FAILURE); + } + switch(ctx->subkey->enctype) { case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES_CBC_CRC:
@@ -464,7 +486,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, } ctx->endtime = ticket->enc_part2->times.endtime; - ctx->flags = ticket->enc_part2->flags; + ctx->krb_flags = ticket->enc_part2->flags; krb5_free_ticket(context, ticket); /* Done with ticket */
@@ -487,8 +509,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, } g_order_init(&(ctx->seqstate), ctx->seq_recv, - (gss_flags & GSS_C_REPLAY_FLAG) != 0, - (gss_flags & GSS_C_SEQUENCE_FLAG) != 0); + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); /* at this point, the entire context structure is filled in, so it can be released. */
@@ -545,7 +567,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, *time_rec = ctx->endtime - now; if (ret_flags) - *ret_flags = KG_IMPLFLAGS(gss_flags); + *ret_flags = ctx->gss_flags; ctx->established = 1;
diff --git a/src/lib/gssapi/krb5/get_tkt_flags.c b/src/lib/gssapi/krb5/get_tkt_flags.c
index 5dd91064f..eebf06d81 100644
--- a/src/lib/gssapi/krb5/get_tkt_flags.c
+++ b/src/lib/gssapi/krb5/get_tkt_flags.c
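Review bot: The second `if (ctx->subkey == NULL)` only has work to do when the first block ran krb5_auth_con_getkey, so nesting it inside that block, right after the getkey call, would say what the code means (the auth context carried no key either) and the existing comment could then read `/* the auth context holds no key either; not clear this can happen, so report it as a null key */`. The four-line free-there/free-here/xfree/return sequence now appears three times in this hunk; a single cleanup label would shrink it, though the function's other exits are outside the hunk. It is also worth confirming that krb5_auth_con_getkey hands back a copy of the key rather than a pointer into the auth context: the rest of the function treats ctx->subkey as something ctx owns (the enctype switch follows directly), and the release of ctx->subkey on context deletion is not visible here. krb5_gss_accept_sec_context starts and ends outside the hunk.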
@@ -48,7 +48,7 @@ gss_krb5_get_tkt_flags(minor_status, context_handle, ticket_flags) } if (ticket_flags) - *ticket_flags = ctx->flags; + *ticket_flags = ctx->krb_flags; *minor_status = 0; return(GSS_S_COMPLETE);
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index ee327baf6..97f2d51d5 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -113,7 +113,7 @@ typedef struct _krb5_gss_ctx_id_rec { krb5_gss_enc_desc enc; krb5_gss_enc_desc seq; krb5_timestamp endtime; - krb5_flags flags; + krb5_flags krb_flags; krb5_int32 seq_send; krb5_int32 seq_recv; void *seqstate;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 690d5af2b..3b8935fff 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -30,15 +30,15 @@ static krb5_error_code make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, - req_flags, flags, mech_type, token) + req_flags, krb_flags, mech_type, token) krb5_context context; krb5_auth_context * auth_context; krb5_gss_cred_id_t cred; krb5_principal server; krb5_timestamp *endtime; gss_channel_bindings_t chan_bindings; - OM_uint32 req_flags; - krb5_flags *flags; + OM_uint32 *req_flags; + krb5_flags *krb_flags; gss_OID mech_type; gss_buffer_t token; {
@@ -74,8 +74,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, /* build the checksum field */ - if(*flags && GSS_C_DELEG_FLAG) { - + if (*req_flags & GSS_C_DELEG_FLAG) { /* first get KRB_CRED message, so we know its length */ /* clear the time check flag that was set in krb5_auth_con_init() */
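Review bot: `OM_uint32 *req_flags;` turns req_flags into an in/out parameter, since make_ap_req can now clear GSS_C_DELEG_FLAG in it, but the K&R definition carries no comment saying so, and the caller in krb5_gss_init_sec_context passes `&ctx->gss_flags` straight in, so the context's own flag word is rewritten inside this helper. A short header comment above make_ap_req would capture the contract, e.g. `/* req_flags is in/out: GSS_C_DELEG_FLAG is cleared if the credentials could not be forwarded, and the resulting word is what is written into the checksum field */`. The body of make_ap_req runs past the end of the hunk.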
@@ -83,20 +82,27 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, krb5_auth_con_setflags(context, *auth_context, con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); - if ((code = krb5_fwd_tgt_creds(context, *auth_context, 0, + code = krb5_fwd_tgt_creds(context, *auth_context, 0, cred->princ, server, cred->ccache, 1, - &credmsg))) - return(code); + &credmsg); /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */ krb5_auth_con_setflags(context, *auth_context, con_flags); - if(credmsg.length+28 > KRB5_INT16_MAX) { - krb5_xfree(credmsg.data); - return(KRB5KRB_ERR_FIELD_TOOLONG); - } + if (code) { + /* don't fail here; just don't accept/do the delegation + request */ + *req_flags &= ~GSS_C_DELEG_FLAG; - checksum_data.length = 28+credmsg.length; + checksum_data.length = 24; + } else { + if (credmsg.length+28 > KRB5_INT16_MAX) { + krb5_xfree(credmsg.data); + return(KRB5KRB_ERR_FIELD_TOOLONG); + } + + checksum_data.length = 28+credmsg.length; + } } else { checksum_data.length = 24; }
@@ -115,7 +121,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, TWRITE_INT(ptr, md5.length, 0); TWRITE_STR(ptr, (unsigned char *) md5.contents, md5.length); - TWRITE_INT(ptr, KG_IMPLFLAGS(req_flags), 0); + TWRITE_INT(ptr, *req_flags, 0); /* done with this, free it */ xfree(md5.contents);
@@ -151,7 +157,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, mk_req_flags = AP_OPTS_USE_SUBKEY; - if (req_flags & GSS_C_MUTUAL_FLAG) + if (*req_flags & GSS_C_MUTUAL_FLAG) mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED; if ((code = krb5_mk_req_extended(context, auth_context, mk_req_flags,
@@ -160,7 +166,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, /* store the interesting stuff from creds and authent */ *endtime = out_creds->times.endtime; - *flags = out_creds->ticket_flags; + *krb_flags = out_creds->ticket_flags; /* build up the token */
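Review bot: When krb5_fwd_tgt_creds fails, the hunk clears GSS_C_DELEG_FLAG and carries on, but the failure code is dropped and `credmsg` is left in whatever state the failed call left it; the code that later appends credmsg behind the flags word is outside this hunk and must now key off `*req_flags & GSS_C_DELEG_FLAG` rather than the caller's original request, or an unset credmsg could be copied into the checksum (and confirm credmsg.data needs no free on that path). The downgrade is visible to the caller only through ret_flags, which krb5_gss_init_sec_context now fills from ctx->gss_flags, so the comment should say so, e.g. `/* forwarding failed: continue without delegation; the caller sees the cleared flag in ret_flags */`. Keeping the failure code somewhere, even a debug trace, would help, since a silently dropped delegation is hard to diagnose from the initiator's side. make_ap_req starts and ends outside the hunk.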
@@ -264,15 +270,15 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, err = 0; if (mech_type == GSS_C_NULL_OID) { - mech_type = cred->rfc_mech?gss_mech_krb5:gss_mech_krb5_old; - } else if (g_OID_equal(mech_type, gss_mech_krb5)) { - if (!cred->rfc_mech) - err = 1; - } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { - if (!cred->prerfc_mech) - err = 1; - } else - err = 1; + mech_type = cred->rfc_mech?gss_mech_krb5:gss_mech_krb5_old; + } else if (g_OID_equal(mech_type, gss_mech_krb5)) { + if (!cred->rfc_mech) + err = 1; + } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { + if (!cred->prerfc_mech) + err = 1; + } else + err = 1; if (err) { *minor_status = 0;
@@ -318,9 +324,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, ctx->mech_used = mech_type; ctx->auth_context = NULL; ctx->initiate = 1; - ctx->gss_flags = ((req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG)) | - GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG); - ctx->flags = req_flags & GSS_C_DELEG_FLAG; + ctx->gss_flags = KG_IMPLFLAGS(req_flags); ctx->seed_init = 0; ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ ctx->seqstate = 0;
@@ -352,7 +356,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, if ((code = make_ap_req(context, &(ctx->auth_context), cred, ctx->there, &ctx->endtime, input_chan_bindings, - req_flags, &ctx->flags, mech_type, &token))) { + &ctx->gss_flags, &ctx->krb_flags, mech_type, + &token))) { krb5_free_principal(context, ctx->here); krb5_free_principal(context, ctx->there); xfree(ctx);
@@ -438,7 +443,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, *output_token = token; if (ret_flags) - *ret_flags = KG_IMPLFLAGS(req_flags); + *ret_flags = ctx->gss_flags; if (actual_mech_type) *actual_mech_type = mech_type;
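Review bot: With `ctx->flags = req_flags & GSS_C_DELEG_FLAG;` gone from the @@ -318 hunk, ctx->krb_flags is no longer written in this initialisation block; it is first assigned near the end of make_ap_req (`*krb_flags = out_creds->ticket_flags;`), and the make_ap_req failure branch in the @@ -352 hunk frees ctx, so a read of the unset field is not visible here. Since the neighbouring fields (seed_init, big_endian, seqstate) are all zeroed explicitly, adding `ctx->krb_flags = 0;` next to `ctx->gss_flags = KG_IMPLFLAGS(req_flags);` keeps the block's field-by-field initialisation complete and removes any reliance on the allocation (outside the hunk) zero-filling the record. krb5_gss_init_sec_context starts and ends outside the hunk.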
@@ -452,8 +457,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, } else { ctx->seq_recv = ctx->seq_send; g_order_init(&(ctx->seqstate), ctx->seq_recv, - (req_flags & GSS_C_REPLAY_FLAG) != 0, - (req_flags & GSS_C_SEQUENCE_FLAG) != 0); + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); ctx->established = 1; /* fall through to GSS_S_COMPLETE */ }
@@ -477,7 +482,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, if ((ctx->established) || (((gss_cred_id_t) cred) != claimant_cred_handle) || - ((req_flags & GSS_C_MUTUAL_FLAG) == 0)) { + ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); /* XXX this minor status is wrong if an arg was changed */
@@ -534,8 +539,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, /* store away the sequence number */ ctx->seq_recv = ap_rep_data->seq_number; g_order_init(&(ctx->seqstate), ctx->seq_recv, - (req_flags & GSS_C_REPLAY_FLAG) != 0, - (req_flags & GSS_C_SEQUENCE_FLAG) !=0); + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0); /* free the ap_rep_data */ krb5_free_ap_rep_enc_part(context, ap_rep_data);
diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c
index 259cce5b8..22b5c367c 100644
--- a/src/lib/gssapi/krb5/ser_sctx.c
+++ b/src/lib/gssapi/krb5/ser_sctx.c
@@ -515,7 +515,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime, &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->flags, + (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags, &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->seq_send, &bp, &remain);
@@ -632,7 +632,7 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->endtime = (krb5_timestamp) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->flags = (krb5_flags) ibuf; + ctx->krb_flags = (krb5_flags) ibuf; (void) krb5_ser_unpack_int32(&ctx->seq_send, &bp, &remain); (void) krb5_ser_unpack_int32(&ctx->seq_recv, &bp, &remain); (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
diff --git a/src/lib/gssapi/mechglue/ChangeLog b/src/lib/gssapi/mechglue/ChangeLog
index 97558b1a2..9f8fb1bc4 100644
--- a/src/lib/gssapi/mechglue/ChangeLog
+++ b/src/lib/gssapi/mechglue/ChangeLog
@@ -1,3 +1,7 @@ +Mon Nov 18 20:43:54 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Shared library version number to 1.0. [krb5-libs/201] + Wed Jun 12 00:50:32 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * Makefile.in: Remove include of config/windows.in; that's done
diff --git a/src/lib/gssapi/mechglue/configure.in b/src/lib/gssapi/mechglue/configure.in
index 73cf30efd..bd9b4db21 100644
--- a/src/lib/gssapi/mechglue/configure.in
+++ b/src/lib/gssapi/mechglue/configure.in
@@ -13,7 +13,7 @@ case $host in *-*-aix*) # don't build libgssapi.a on AIX ;; *) - V5_MAKE_SHARED_LIB(libgssapi,0.1,.., ./mechglue) + V5_MAKE_SHARED_LIB(libgssapi,1.0,.., ./mechglue) AppendRule([install:: libgssapi.[$](LIBEXT) [$](INSTALL_DATA) libgssapi.[$](LIBEXT) [$](DESTDIR)[$](KRB5_LIBDIR)[$](S)libgssapi.[$](LIBEXT)]) LinkFileDir([$](TOPLIBD)/libgssapi.[$](LIBEXT),libgssapi.[$](LIBEXT),./gssapi/mechglue) |