[patch] miscellaneous mechglue stuff
For whatever they're worth, these are all of the changes I've made to
mechglue-branch so far. I won't go into detail, but I'd be happy to
discuss them upon request.
Mike
--8<--
diff -r mechglue.orig/kdc/kstash.c mechglue/kdc/kstash.c
46c46
< int random_key;
---
> int random_key0; /* symbol clash */
57c57
< { "random-key", 0, arg_flag, &random_key, "generate a random master key" },
---
> { "random-key", 0, arg_flag, &random_key0, "generate a random master key" },
83c83
< if (master_key_fd != -1 && random_key)
---
> if (master_key_fd != -1 && random_key0)
105c105
< if (random_key) {
---
> if (random_key0) {
diff -r mechglue.orig/lib/gssapi/accept_sec_context.c mechglue/lib/gssapi/accept_sec_context.c
339c339,343
< ret = gssapi_krb5_verify_8003_checksum(minor_status,
---
> if (authenticator->cksum->cksumtype == CKSUMTYPE_RSA_MD5) {
> ret = krb5_verify_checksum(gssapi_krb5_context,
> NULL, 0, NULL, 0, authenticator->cksum);
> } else {
> ret = gssapi_krb5_verify_8003_checksum(minor_status,
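Review bot: The branch on `authenticator->cksum->cksumtype == CKSUMTYPE_RSA_MD5` decides from the peer-supplied checksum type whether the RFC 1964 8003 checksum is verified at all, and the MD5 path calls `krb5_verify_checksum(gssapi_krb5_context, NULL, 0, NULL, 0, authenticator->cksum)` — an unkeyed checksum over zero bytes — so the channel bindings and the flag word that the 8003 checksum carries are never checked on that path. The acceptor should take this path only when it has been explicitly configured to allow MD5 authenticators, and should then treat the context as having no peer-requested flags and no channel bindings rather than leaving whatever the code after the hunk derives. `ret` on the MD5 path is a krb5_error_code while the 8003 helper takes `minor_status`; confirm the code after the hunk maps both into `*minor_status` the same way. The mirrored `krb5_create_checksum(... CKSUMTYPE_RSA_MD5 ...)` branch in the init_sec_context.c hunk has the same gap on the initiator side: none of the req_flags or bindings are conveyed. The enclosing function continues outside the hunk.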
343a348
> }
diff -r mechglue.orig/lib/gssapi/gssapi_krb5.h mechglue/lib/gssapi/gssapi_krb5.h
154a164,167
> /* Use w/req_flags for MD5 checksum in authenticator (for SMB auth)
> */
> #define GSS_C_KRB5_MD5_CHKSUM_FLAG 0x0400
>
diff -r mechglue.orig/lib/gssapi/init_sec_context.c mechglue/lib/gssapi/init_sec_context.c
365,366c365,370
<
< ret = gssapi_krb5_create_8003_checksum (minor_status,
---
>
> if (req_flags & GSS_C_KRB5_MD5_CHKSUM_FLAG) {
> ret = krb5_create_checksum(gssapi_krb5_context,
> NULL, 0, CKSUMTYPE_RSA_MD5, NULL, 0, &cksum);
> } else {
> ret = gssapi_krb5_create_8003_checksum (minor_status,
370a375,376
> }
>
diff -r mechglue.orig/lib/mechglue/g_accept_sec_context.c mechglue/lib/mechglue/g_accept_sec_context.c
68a69,70
> *minor_status = 0;
>
diff -r mechglue.orig/lib/mechglue/g_glue.c mechglue/lib/mechglue/g_glue.c
49a50,53
> if (__gss_mechs_array == NULL) {
> return NULL;
> }
>
diff -r mechglue.orig/lib/mechglue/g_initialize.c mechglue/lib/mechglue/g_initialize.c
47a48
> extern gss_mechanism gss_spnego_initialize();
146c147,155
<
---
> #ifdef ENABLE_STATIC_SPNEGO
> {
> gss_mechanism spnego_mech;
> spnego_mech = (gss_mechanism)gss_spnego_initialize();
> if (spnego_mech != NULL) {
> add_mechanism (spnego_mech, 1);
> }
> }
> #endif
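Review bot: The cast in `spnego_mech = (gss_mechanism)gss_spnego_initialize();` is redundant once the function is declared, and the declaration added in the earlier hunk of this file, `extern gss_mechanism gss_spnego_initialize();`, has an empty parameter list, which is an unprototyped declaration in C; write `extern gss_mechanism gss_spnego_initialize(void);` and `spnego_mech = gss_spnego_initialize();`. The call `add_mechanism (spnego_mech, 1)` gives no hint what the second argument means, so a one-line comment naming it would help the next reader. If `__gss_mechs_array` is also the list SPNEGO walks to build its mechTypes (not visible here), registering SPNEGO in it would make SPNEGO offer itself as an inner mechanism, so confirm that path skips it. The enclosing function continues outside the hunk.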
diff -r mechglue.orig/lib/mechglue/gssapi.h mechglue/lib/mechglue/gssapi.h
691a692
> #include <gssapi_spnego.h>
diff -r mechglue.orig/lib/spnego/accept_sec_context.c mechglue/lib/spnego/accept_sec_context.c
207,210c207,208
<
< static OM_uint32
< send_supported_mechs (OM_uint32 *minor_status,
< gss_buffer_t output_token)
---
> OM_uint32
> make_NegHints (OM_uint32 *minor_status, NegTokenInit *ni)
212d209
< NegTokenInit ni;
219,235d215
< u_char *buf;
< size_t buf_size, buf_len;
< gss_buffer_desc data;
<
< memset(&ni, 0, sizeof(ni));
<
< ni.reqFlags = NULL;
< ni.mechToken = NULL;
< ni.negHints = NULL;
< ni.mechListMIC = NULL;
<
< ret = _gss_spnego_indicate_mechtypelist(minor_status, 1,
< GSS_C_NO_CREDENTIAL,
< &ni.mechTypes, NULL);
< if (ret != GSS_S_COMPLETE) {
< return ret;
< }
240d219
< free_NegTokenInit(&ni);
246c225
< *p = toupper(*p);
---
> *p = tolower(*p);
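Review bot: `*p = tolower(*p);` passes a plain `char` to a `<ctype.h>` function; where `char` is signed and the hostname contains a byte above 0x7F the argument is neither representable as `unsigned char` nor EOF, which is undefined behavior. Write `*p = tolower((unsigned char)*p);`. The previous `toupper` call had the same hazard, so this is pre-existing, but the line is being rewritten anyway. The enclosing function starts before this hunk.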
251c230
< name_buf.length = strlen(hostname);
---
> name_buf.length = p - hostname;
285,286c264,265
< ALLOC(ni.negHints, 1);
< if (ni.negHints == NULL) {
---
> ALLOC(ni->negHints, 1);
> if (ni->negHints == NULL) {
289d267
< free_NegTokenInit(&ni);
293,294c271,272
< ALLOC(ni.negHints->hintName, 1);
< if (ni.negHints->hintName == NULL) {
---
> ALLOC(ni->negHints->hintName, 1);
> if (ni->negHints->hintName == NULL) {
297d274
< free_NegTokenInit(&ni);
301c278
< *(ni.negHints->hintName) = name_buf.value;
---
> *(ni->negHints->hintName) = name_buf.value;
303c280,312
< ni.negHints->hintAddress = NULL;
---
> ni->negHints->hintAddress = NULL;
>
> return 0;
> }
> static OM_uint32
> send_supported_mechs (OM_uint32 *minor_status,
> gss_buffer_t output_token)
> {
> NegTokenInit ni;
> OM_uint32 ret;
> u_char *buf;
> size_t buf_size, buf_len;
> gss_buffer_desc data;
>
> memset(&ni, 0, sizeof(ni));
>
> ni.reqFlags = NULL;
> ni.mechToken = NULL;
> ni.negHints = NULL;
> ni.mechListMIC = NULL;
>
> ret = _gss_spnego_indicate_mechtypelist(minor_status, 1,
> GSS_C_NO_CREDENTIAL,
> &ni.mechTypes, NULL);
> if (ret != GSS_S_COMPLETE) {
> return ret;
> }
>
> ret = make_NegHints(minor_status, &ni);
> if (ret != GSS_S_COMPLETE) {
> free_NegTokenInit(&ni);
> return ret;
> }
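Review bot: `make_NegHints` ends with `return 0;` while both of its callers test `ret != GSS_S_COMPLETE`; write `return GSS_S_COMPLETE;` so the contract is visible at the return site. The closing `}` of `make_NegHints` runs straight into `static OM_uint32` with no blank line between the two definitions. Since the function is now exported through spnego_locl.h it deserves a short header comment, for example `/* Fill ni->negHints with the local host-based hint name. On error ni is not cleaned up; the caller frees it with free_NegTokenInit(). */` — that is what `send_supported_mechs` here and the caller in init_sec_context.c both do on failure. The enclosing `send_supported_mechs` continues outside the hunk.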
426c435,439
< if (mech_token != GSS_C_NO_BUFFER && mech_token->length != 0) {
---
> /* miallen - If mutual is not requested MS will reply with a response token
> * that is empty (0x04 0x00 to mean an octet string of zero length). This
> * can be seen with smbclient against W2K3 as it does not request mutual.
> */
> if (mech_token != GSS_C_NO_BUFFER) {
630a644,645
> /* I think this is wrong - accept_sec_context only accepts NegTokenInits
> */
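Review bot: The comment `/* I think this is wrong - accept_sec_context only accepts NegTokenInits */` records an unresolved doubt about the code below it rather than documenting intended behaviour. Either resolve it before merging or mark it `TODO:` with what would have to change, so later readers do not take it as a description of what the code is supposed to do. The code it refers to is outside the hunk.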
745a761
> *minor_status = minor;
752a769,783
> if (src_name && initialToken && ni.negHints) {
> char *hintName = *(ni.negHints->hintName);
> gss_buffer_desc name_buf;
>
> name_buf.length = strlen(hintName);
> name_buf.value = hintName;
> ret2 = gss_import_name(minor_status,
> &name_buf,
> GSS_C_NO_OID,
> src_name);
> if (ret2 != GSS_S_COMPLETE) {
> return ret2;
> }
> }
>
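Review bot: `char *hintName = *(ni.negHints->hintName);` dereferences `hintName` after checking only `ni.negHints`; `hintName` is an optional member (the sender side in this same patch allocates it separately with `ALLOC(ni->negHints->hintName, 1)`), so a peer-supplied NegTokenInit carrying negHints without a hintName dereferences NULL here — the guard should read `if (src_name && initialToken && ni.negHints && ni.negHints->hintName)`. More fundamentally, the hint name is plaintext from an unauthenticated NegTokenInit while `src_name` is the output callers treat as the authenticated initiator identity, so the hint should at most be retained as an unverified attribute, and `src_name` filled only from `ctx->mech_src_name` once the inner mechanism completes, as the later `if (src_name != NULL && ctx->mech_src_name)` hunk does. The `return ret2;` also leaves the function without whatever cleanup the sibling exits perform on `ni` and the other locals; the enclosing function continues outside the hunk, so confirm that path does not leak.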
762c793
< if (mic != NULL)
---
> if (mic != NULL) {
763a795
> }
809c841,844
< require_response = 0;
---
> require_response = initialToken; /* Initial token always needs response
> * because client needs to see preferredMech and possibly
> * request MIC token.
> */
843c878
< if (src_name != NULL) {
---
> if (src_name != NULL && ctx->mech_src_name) {
diff -r mechglue.orig/lib/spnego/gssapi_spnego.h mechglue/lib/spnego/gssapi_spnego.h
53a54,55
> #define GSS_SPNEGO_NO_OPTIMISTIC_FLAG 2048
>
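Review bot: `#define GSS_SPNEGO_NO_OPTIMISTIC_FLAG 2048` is a bit in the `req_flags` word but is written in decimal, unlike the krb5 private bit `GSS_C_KRB5_MD5_CHKSUM_FLAG 0x0400` added elsewhere in this patch; write it as `0x0800` so its position relative to the other flag bits can be checked at a glance. A one-line comment saying the bit is SPNEGO-private and must be masked out of the `req_flags` forwarded to the inner mechanism's `gss_init_sec_context` would help, since the initiator code that forwards `req_flags` after a mechanism is chosen is not part of this patch and is where the bit would otherwise leak through.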
diff -r mechglue.orig/lib/spnego/init_sec_context.c mechglue/lib/spnego/init_sec_context.c
208,229c208,230
< /* generate optimistic token */
< sub = gss_init_sec_context(&minor,
< initiator_cred_handle ?
< initiator_cred_handle->negotiated_cred_id :
< GSS_C_NO_CREDENTIAL,
< &ctx->negotiated_ctx_id,
< target_name,
< GSS_C_NO_OID,
< req_flags,
< time_req,
< input_chan_bindings,
< input_token,
< &ctx->negotiated_mech_type,
< &mech_token,
< &ctx->mech_flags,
< &ctx->mech_time_rec);
< if (GSS_ERROR(sub)) {
< free_NegTokenInit(&ni);
< *minor_status = minor;
< _gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
< return sub;
< }
---
> if ((req_flags & GSS_SPNEGO_NO_OPTIMISTIC_FLAG) == 0) {
> /* generate optimistic token */
> sub = gss_init_sec_context(&minor,
> initiator_cred_handle ?
> initiator_cred_handle->negotiated_cred_id :
> GSS_C_NO_CREDENTIAL,
> &ctx->negotiated_ctx_id,
> target_name,
> GSS_C_NO_OID,
> req_flags,
> time_req,
> input_chan_bindings,
> input_token,
> &ctx->negotiated_mech_type,
> &mech_token,
> &ctx->mech_flags,
> &ctx->mech_time_rec);
> if (GSS_ERROR(sub)) {
> free_NegTokenInit(&ni);
> *minor_status = minor;
> _gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
> return sub;
> }
231,247c232,233
< if (mech_token.length != 0) {
< ALLOC(ni.mechToken, 1);
< if (ni.mechToken == NULL) {
< free_NegTokenInit(&ni);
< gss_release_buffer(&minor, &mech_token);
< _gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
< *minor_status = ENOMEM;
< return GSS_S_FAILURE;
< }
< ni.mechToken->length = mech_token.length;
< ni.mechToken->data = malloc(mech_token.length);
< if (ni.mechToken->data == NULL && mech_token.length != 0) {
< free_NegTokenInit(&ni);
< gss_release_buffer(&minor, &mech_token);
< *minor_status = ENOMEM;
< _gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
< return GSS_S_FAILURE;
---
> if (sub == GSS_S_COMPLETE) {
> ctx->open = 1;
249,252c235,264
< memcpy(ni.mechToken->data, mech_token.value, mech_token.length);
< gss_release_buffer(&minor, &mech_token);
< } else
< ni.mechToken = NULL;
---
>
> if (mech_token.length != 0) {
> ALLOC(ni.mechToken, 1);
> if (ni.mechToken == NULL) {
> free_NegTokenInit(&ni);
> gss_release_buffer(&minor, &mech_token);
> _gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
> *minor_status = ENOMEM;
> return GSS_S_FAILURE;
> }
> ni.mechToken->length = mech_token.length;
> ni.mechToken->data = malloc(mech_token.length);
> if (ni.mechToken->data == NULL && mech_token.length != 0) {
> free_NegTokenInit(&ni);
> gss_release_buffer(&minor, &mech_token);
> *minor_status = ENOMEM;
> _gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
> return GSS_S_FAILURE;
> }
> memcpy(ni.mechToken->data, mech_token.value, mech_token.length);
> gss_release_buffer(&minor, &mech_token);
> } else
> ni.mechToken = NULL;
> } else {
> ret = make_NegHints(minor_status, &ni);
> if (ret != GSS_S_COMPLETE) {
> free_NegTokenInit(&ni);
> return ret;
> }
> }
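Review bot: The `make_NegHints` failure path at the end of the hunk does `free_NegTokenInit(&ni); return ret;` but, unlike the two ENOMEM exits a few lines above that also call `_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);`, it does not tear down the context those sibling exits delete, so `ctx` is leaked on that path. Add `_gss_spnego_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);` between the free and the return. The enclosing function continues outside the hunk.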
370a383,387
> if (input_token == GSS_C_NO_BUFFER) {
> *minor_status = EINVAL;
> return GSS_S_FAILURE;
> }
>
388c405
< || resp.supportedMech == NULL) {
---
> || resp.supportedMech == NULL) { /* is supportedMech always included? */
408c425
< if (resp.responseToken != NULL) {
---
> if (resp.responseToken != NULL && resp.responseToken->length != 0) {
diff -r mechglue.orig/lib/spnego/spnego_locl.h mechglue/lib/spnego/spnego_locl.h
85a89
> OM_uint32 make_NegHints (OM_uint32 *minor_status, NegTokenInit *ni);