diff options
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 15 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/acquire_cred.c | 89 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 1 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/rel_cred.c | 1 | ||||
-rw-r--r-- | src/lib/krb5/ccache/cccursor.c | 57 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 1 | ||||
-rw-r--r-- | src/lib/krb5/os/sn2princ.c | 23 | ||||
-rw-r--r-- | src/lib/krb5_32.def | 1 |
8 files changed, 126 insertions, 62 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 75f071c..cb62a25 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -683,7 +683,6 @@ kg_accept_krb5(minor_status, context_handle, krb5_flags ap_req_options = 0; krb5_enctype negotiated_etype; krb5_authdata_context ad_context = NULL; - krb5_principal accprinc = NULL; krb5_ap_req *request = NULL; code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); @@ -849,17 +848,9 @@ kg_accept_krb5(minor_status, context_handle, } } - if (!cred->default_identity) { - if ((code = kg_acceptor_princ(context, cred->name, &accprinc))) { - major_status = GSS_S_FAILURE; - goto fail; - } - } - - code = krb5_rd_req_decoded(context, &auth_context, request, accprinc, - cred->keytab, &ap_req_options, NULL); - - krb5_free_principal(context, accprinc); + code = krb5_rd_req_decoded(context, &auth_context, request, + cred->acceptor_mprinc, cred->keytab, + &ap_req_options, NULL); if (code) { major_status = GSS_S_FAILURE; goto fail; diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 632ee7d..e226a02 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -123,11 +123,11 @@ gss_krb5int_register_acceptor_identity(OM_uint32 *minor_status, /* Try to verify that keytab contains at least one entry for name. Return 0 if * it does, KRB5_KT_NOTFOUND if it doesn't, or another error as appropriate. */ static krb5_error_code -check_keytab(krb5_context context, krb5_keytab kt, krb5_gss_name_t name) +check_keytab(krb5_context context, krb5_keytab kt, krb5_gss_name_t name, + krb5_principal mprinc) { krb5_error_code code; krb5_keytab_entry ent; - krb5_principal accprinc = NULL; char *princname; if (name->service == NULL) { @@ -141,21 +141,15 @@ check_keytab(krb5_context context, krb5_keytab kt, krb5_gss_name_t name) if (kt->ops->start_seq_get == NULL) return 0; - /* Get the partial principal for the acceptor name. */ - code = kg_acceptor_princ(context, name, &accprinc); - if (code) - return code; - - /* Scan the keytab for host-based entries matching accprinc. */ - code = k5_kt_have_match(context, kt, accprinc); + /* Scan the keytab for host-based entries matching mprinc. */ + code = k5_kt_have_match(context, kt, mprinc); if (code == KRB5_KT_NOTFOUND) { - if (krb5_unparse_name(context, accprinc, &princname) == 0) { + if (krb5_unparse_name(context, mprinc, &princname) == 0) { k5_setmsg(context, code, _("No key table entry found matching %s"), princname); free(princname); } } - krb5_free_principal(context, accprinc); return code; } @@ -202,8 +196,14 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, } if (cred->name != NULL) { + code = kg_acceptor_princ(context, cred->name, &cred->acceptor_mprinc); + if (code) { + major = GSS_S_FAILURE; + goto cleanup; + } + /* Make sure we have keys matching the desired name in the keytab. */ - code = check_keytab(context, kt, cred->name); + code = check_keytab(context, kt, cred->name, cred->acceptor_mprinc); if (code) { if (code == KRB5_KT_NOTFOUND) { k5_change_error_message_code(context, code, KG_KEYTAB_NOMATCH); @@ -324,7 +324,6 @@ static krb5_boolean can_get_initial_creds(krb5_context context, krb5_gss_cred_id_rec *cred) { krb5_error_code code; - krb5_keytab_entry entry; if (cred->password != NULL) return TRUE; @@ -336,20 +335,21 @@ can_get_initial_creds(krb5_context context, krb5_gss_cred_id_rec *cred) if (cred->name == NULL) return !krb5_kt_have_content(context, cred->client_keytab); - /* Check if we have a keytab key for the client principal. */ - code = krb5_kt_get_entry(context, cred->client_keytab, cred->name->princ, - 0, 0, &entry); - if (code) { - krb5_clear_error_message(context); - return FALSE; - } - krb5_free_keytab_entry_contents(context, &entry); - return TRUE; + /* + * Check if we have a keytab key for the client principal. This is a bit + * more permissive than we really want because krb5_kt_have_match() + * supports wildcarding and obeys ignore_acceptor_hostname, but that should + * generally be harmless. + */ + code = k5_kt_have_match(context, cred->client_keytab, cred->name->princ); + return code == 0; } -/* Scan cred->ccache for name, expiry time, impersonator, refresh time. */ +/* Scan cred->ccache for name, expiry time, impersonator, refresh time. If + * check_name is true, verify the cache name against the credential name. */ static krb5_error_code -scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred) +scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, + krb5_boolean check_name) { krb5_error_code code; krb5_ccache ccache = cred->ccache; @@ -365,23 +365,31 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred) if (code) return code; - /* Credentials cache principal must match the initiator name. */ code = krb5_cc_get_principal(context, ccache, &ccache_princ); if (code != 0) goto cleanup; - if (cred->name != NULL && - !krb5_principal_compare(context, ccache_princ, cred->name->princ)) { - code = KG_CCACHE_NOMATCH; - goto cleanup; - } - /* Save the ccache principal as the credential name if not already set. */ - if (!cred->name) { + if (cred->name == NULL) { + /* Save the ccache principal as the credential name. */ code = kg_init_name(context, ccache_princ, NULL, NULL, NULL, KG_INIT_NAME_NO_COPY, &cred->name); if (code) goto cleanup; ccache_princ = NULL; + } else { + /* Check against the desired name if needed. */ + if (check_name) { + if (!k5_sname_compare(context, cred->name->princ, ccache_princ)) { + code = KG_CCACHE_NOMATCH; + goto cleanup; + } + } + + /* Replace the credential name principal with the canonical client + * principal, retaining acceptor_mprinc if set. */ + krb5_free_principal(context, cred->name->princ); + cred->name->princ = ccache_princ; + ccache_princ = NULL; } assert(cred->name->princ != NULL); @@ -447,7 +455,7 @@ get_cache_for_name(krb5_context context, krb5_gss_cred_id_rec *cred) assert(cred->name != NULL && cred->ccache == NULL); #ifdef USE_LEASH code = get_ccache_leash(context, cred->name->princ, &cred->ccache); - return code ? code : scan_ccache(context, cred); + return code ? code : scan_ccache(context, cred, TRUE); #else /* Check first whether we can acquire tickets, to avoid overwriting the * extended error message from krb5_cc_cache_match. */ @@ -456,7 +464,7 @@ get_cache_for_name(krb5_context context, krb5_gss_cred_id_rec *cred) /* Look for an existing cache for the client principal. */ code = krb5_cc_cache_match(context, cred->name->princ, &cred->ccache); if (code == 0) - return scan_ccache(context, cred); + return scan_ccache(context, cred, FALSE); if (code != KRB5_CC_NOTFOUND || !can_get) return code; krb5_clear_error_message(context); @@ -633,6 +641,13 @@ get_initial_cred(krb5_context context, const struct verify_params *verify, kg_cred_set_initial_refresh(context, cred, &creds.times); cred->have_tgt = TRUE; cred->expire = creds.times.endtime; + + /* Steal the canonical client principal name from creds and save it in the + * credential name, retaining acceptor_mprinc if set. */ + krb5_free_principal(context, cred->name->princ); + cred->name->princ = creds.client; + creds.client = NULL; + krb5_free_cred_contents(context, &creds); cleanup: krb5_get_init_creds_opt_free(context, opt); @@ -721,7 +736,7 @@ acquire_init_cred(krb5_context context, OM_uint32 *minor_status, if (cred->ccache != NULL) { /* The caller specified a ccache; check what's in it. */ - code = scan_ccache(context, cred); + code = scan_ccache(context, cred, TRUE); if (code == KRB5_FCC_NOFILE) { /* See if we can get initial creds. If the caller didn't specify * a name, pick one from the client keytab. */ @@ -984,7 +999,7 @@ kg_cred_resolve(OM_uint32 *minor_status, krb5_context context, } } if (cred->ccache != NULL) { - code = scan_ccache(context, cred); + code = scan_ccache(context, cred, FALSE); if (code) goto kerr; } @@ -996,7 +1011,7 @@ kg_cred_resolve(OM_uint32 *minor_status, krb5_context context, code = krb5int_cc_default(context, &cred->ccache); if (code) goto kerr; - code = scan_ccache(context, cred); + code = scan_ccache(context, cred, FALSE); if (code == KRB5_FCC_NOFILE) { /* Default ccache doesn't exist; fall through to client keytab. */ krb5_cc_close(context, cred->ccache); diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index a7e0e63..d8553e7 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -175,6 +175,7 @@ typedef struct _krb5_gss_cred_id_rec { /* name/type of credential */ gss_cred_usage_t usage; krb5_gss_name_t name; + krb5_principal acceptor_mprinc; krb5_principal impersonator; unsigned int default_identity : 1; unsigned int iakerb_mech : 1; diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c index a9515da..0da6c1b 100644 --- a/src/lib/gssapi/krb5/rel_cred.c +++ b/src/lib/gssapi/krb5/rel_cred.c @@ -72,6 +72,7 @@ krb5_gss_release_cred(minor_status, cred_handle) if (cred->name) kg_release_name(context, &cred->name); + krb5_free_principal(context, cred->acceptor_mprinc); krb5_free_principal(context, cred->impersonator); if (cred->req_enctypes) diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c index 8f58721..760216d 100644 --- a/src/lib/krb5/ccache/cccursor.c +++ b/src/lib/krb5/ccache/cccursor.c @@ -30,6 +30,7 @@ #include "cc-int.h" #include "../krb/int-proto.h" +#include "../os/os-proto.h" #include <assert.h> @@ -141,18 +142,18 @@ krb5_cccol_cursor_free(krb5_context context, return 0; } -krb5_error_code KRB5_CALLCONV -krb5_cc_cache_match(krb5_context context, krb5_principal client, - krb5_ccache *cache_out) +static krb5_error_code +match_caches(krb5_context context, krb5_const_principal client, + krb5_ccache *cache_out) { krb5_error_code ret; krb5_cccol_cursor cursor; krb5_ccache cache = NULL; krb5_principal princ; - char *name; krb5_boolean eq; *cache_out = NULL; + ret = krb5_cccol_cursor_new(context, &cursor); if (ret) return ret; @@ -169,20 +170,52 @@ krb5_cc_cache_match(krb5_context context, krb5_principal client, krb5_cc_close(context, cache); } krb5_cccol_cursor_free(context, &cursor); + if (ret) return ret; - if (cache == NULL) { - ret = krb5_unparse_name(context, client, &name); - if (ret == 0) { - k5_setmsg(context, KRB5_CC_NOTFOUND, + if (cache == NULL) + return KRB5_CC_NOTFOUND; + + *cache_out = cache; + return 0; +} + +krb5_error_code KRB5_CALLCONV +krb5_cc_cache_match(krb5_context context, krb5_principal client, + krb5_ccache *cache_out) +{ + krb5_error_code ret; + struct canonprinc iter = { client, .subst_defrealm = TRUE }; + krb5_const_principal canonprinc = NULL; + krb5_ccache cache = NULL; + char *name; + + *cache_out = NULL; + + while ((ret = k5_canonprinc(context, &iter, &canonprinc)) == 0 && + canonprinc != NULL) { + ret = match_caches(context, canonprinc, &cache); + if (ret != KRB5_CC_NOTFOUND) + break; + } + free_canonprinc(&iter); + + if (ret == 0 && canonprinc == NULL) { + ret = KRB5_CC_NOTFOUND; + if (krb5_unparse_name(context, client, &name) == 0) { + k5_setmsg(context, ret, _("Can't find client principal %s in cache collection"), name); krb5_free_unparsed_name(context, name); } - ret = KRB5_CC_NOTFOUND; - } else - *cache_out = cache; - return ret; + } + + TRACE_CC_CACHE_MATCH(context, client, ret); + if (ret) + return ret; + + *cache_out = cache; + return 0; } /* Store the error state for code from context into errsave, but only if code diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index d5a0356..aab7f32 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -182,6 +182,7 @@ k5_size_authdata_context k5_size_context k5_size_keyblock k5_size_principal +k5_sname_compare k5_unmarshal_cred k5_unmarshal_princ k5_unwrap_cammac_svc diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c index 8b72141..c99b7da 100644 --- a/src/lib/krb5/os/sn2princ.c +++ b/src/lib/krb5/os/sn2princ.c @@ -277,7 +277,8 @@ k5_canonprinc(krb5_context context, struct canonprinc *iter, /* If we're not doing fallback, the input principal is canonical. */ if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK || - iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2) { + iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2 || + iter->princ->data[1].length == 0) { *princ_out = (step == 1) ? iter->princ : NULL; return 0; } @@ -288,6 +289,26 @@ k5_canonprinc(krb5_context context, struct canonprinc *iter, return canonicalize_princ(context, iter, step == 2, princ_out); } +krb5_boolean +k5_sname_compare(krb5_context context, krb5_const_principal sname, + krb5_const_principal princ) +{ + krb5_error_code ret; + struct canonprinc iter = { sname, .subst_defrealm = TRUE }; + krb5_const_principal canonprinc = NULL; + krb5_boolean match = FALSE; + + while ((ret = k5_canonprinc(context, &iter, &canonprinc)) == 0 && + canonprinc != NULL) { + if (krb5_principal_compare(context, canonprinc, princ)) { + match = TRUE; + break; + } + } + free_canonprinc(&iter); + return match; +} + krb5_error_code KRB5_CALLCONV krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, krb5_int32 type, diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index 60b8dd3..cf690db 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -507,3 +507,4 @@ EXPORTS ; new in 1.20 krb5_marshal_credentials @472 krb5_unmarshal_credentials @473 + k5_sname_compare @474 ; PRIVATE GSSAPI |