From f956ffa323ab8a88295f0b6b0ee772b62165534b Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Tue, 4 Mar 2003 20:45:32 +0000
Subject: [PATCH] GSS_C_NO_CREDENTIAL should accept any principal

If a context is accepted with GSS_C_NO_CREDENTIAL or if a credential is acquired with GSS_C_NO_NAME as the acceptor name then allow any principal in the keytab to be used as the acceptor name. This means that gss_inquire_cred can return GSS_C_NO_NAME from a credential.

ticket: new
Tags: enhancement
cc: nicolas.williams@sun.com
cc: krbdev@mit.edu

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15218 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/ChangeLog | 22 +++++++++++
 src/lib/gssapi/krb5/accept_sec_context.c | 10 +++--
 src/lib/gssapi/krb5/acquire_cred.c | 49 +++++++++---------------
 src/lib/gssapi/krb5/add_cred.c | 18 ++++++---
 src/lib/gssapi/krb5/inq_cred.c | 3 +-
 src/lib/krb5/krb/ChangeLog | 6 +++
 src/lib/krb5/krb/rd_req.c | 3 ++
 src/lib/krb5/krb/srv_rcache.c | 6 ++-
 8 files changed, 75 insertions(+), 42 deletions(-)

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index b85af053e..e6f06e2a1 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,25 @@
+2003-03-02 Sam Hartman
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Deal with
+ creds without rcache available. They will be slower.
+
+ * add_cred.c (krb5_gss_add_cred): Deal with princ being null
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Populate
+ ctx->here from ticket->server instead of cred->princ. If
+ cred->princ exists it will be the same, but the previous change
+ may make it null
+
+ * inq_cred.c (krb5_gss_inquire_cred): Allow for null princ
+ component of credentials
+
+ * acquire_cred.c: When acquiring acceptor credentials, allow
+ GSS_C_NO_NAME to mean that we accept any credential. In this case
+ we do not look to see if the principal is found in the keytab and
+ we leave princ null in the context. This means you get
+ GSS_C_NO_NAME out from inquire_cred. If cred->princ is null
+ don't set up a rcache
+
 2003-03-01 Tom Yu
 * accept_sec_context.c (krb5_gss_accept_sec_context): Don't
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index be212b526..899ca5a2f 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -360,9 +360,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 }
 krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
- major_status = GSS_S_FAILURE;
- goto fail;
+ if (cred->rcache) {
+ if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
 }
 if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) {
 major_status = GSS_S_FAILURE;
@@ -580,7 +582,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 goto fail;
 }
- if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) {
+ if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
 major_status = GSS_S_FAILURE;
 goto fail;
 }
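Review bot: When `cred->rcache` is NULL the auth context is left with no replay cache at this point, so replay detection for acceptor credentials acquired with GSS_C_NO_NAME now depends entirely on krb5_rd_req opening one later from the ticket's server name (the rd_req.c hunk of this patch), and nothing in this hunk records that dependency. I would add `/* No per-credential rcache (acceptor name unspecified): krb5_rd_req opens one keyed on ticket->server instead. */` above the new `if (cred->rcache)`. If any other path reaches krb5_rd_req with an rcache-less auth context, the request would be accepted without replay checking, so the invariant is worth stating where it is relied upon. krb5_gss_accept_sec_context starts and ends outside this hunk.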
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index daa900a31..23a17b863 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -108,42 +108,31 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
 return(GSS_S_CRED_UNAVAIL);
 }
- /* figure out what principal to use. If the default name is
- requested, use the default sn2princ output */
-
- if (desired_name == (gss_name_t) NULL) {
- if ((code = krb5_sname_to_principal(context, NULL, NULL, KRB5_NT_SRV_HST,
- &princ))) {
- (void) krb5_kt_close(context, kt);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- *output_princ = princ;
- } else {
- princ = (krb5_principal) desired_name;
- }
-
- if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
+if (desired_name != GSS_C_NO_NAME) {
+ princ = (krb5_principal) desired_name;
+ if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
 (void) krb5_kt_close(context, kt);
 if (code == KRB5_KT_NOTFOUND)
- *minor_status = KG_KEYTAB_NOMATCH;
+ *minor_status = KG_KEYTAB_NOMATCH;
 else
- *minor_status = code;
+ *minor_status = code;
 return(GSS_S_CRED_UNAVAIL);
- }
- krb5_kt_free_entry(context, &entry);
+ }
+ krb5_kt_free_entry(context, &entry);
- /* hooray. we made it */
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, princ, 0),
+ &cred->rcache))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- cred->keytab = kt;
+}
- /* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, princ, 0),
- &cred->rcache))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+/* hooray. we made it */
+
+ cred->keytab = kt;
 return(GSS_S_COMPLETE);
 }
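Review bot: The relocated `krb5_get_server_rcache` failure path leaks the keytab handle: the old code stored `cred->keytab = kt` before opening the rcache, but the rewrite moves that assignment below the block, so on failure `kt` is neither closed nor reachable through `cred`. Mirror the `krb5_kt_get_entry` error path and add `(void) krb5_kt_close(context, kt);` before `*minor_status = code;` in that branch. Separately, the new `if (desired_name != GSS_C_NO_NAME) {` and its closing `}` sit at column 0 with the body one level shallower than the surrounding code; re-indent them to the file's style so the scope is visible. `*output_princ` is also no longer assigned anywhere in this hunk, which is only safe if the caller pre-initializes it — a one-line comment on the GSS_C_NO_NAME case saying the principal is deliberately left unset would help; acquire_accept_cred starts before this hunk.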
@@ -413,7 +402,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
 /* if the princ wasn't filled in already, fill it in now */
- if (!cred->princ)
+ if (!cred->princ && (desired_name != GSS_C_NO_CREDENTIAL))
 if ((code = krb5_copy_principal(context, (krb5_principal) desired_name, &(cred->princ)))) {
 if (cred->ccache)
diff --git a/src/lib/gssapi/krb5/add_cred.c b/src/lib/gssapi/krb5/add_cred.c
index 4bbee5ef3..254abfe06 100644
--- a/src/lib/gssapi/krb5/add_cred.c
+++ b/src/lib/gssapi/krb5/add_cred.c
@@ -181,7 +181,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 new_cred->rfc_mech = cred->rfc_mech;
 new_cred->tgt_expire = cred->tgt_expire;
- code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
+ if (cred->princ)
+ code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
 if (code) {
 xfree(new_cred);
@@ -192,7 +193,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 if (cred->keytab) {
 kttype = krb5_kt_get_type(context, cred->keytab);
 if ((strlen(kttype)+2) > sizeof(ktboth)) {
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
 xfree(new_cred);
 *minor_status = ENOMEM;
@@ -207,7 +209,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 ktboth+strlen(ktboth), sizeof(ktboth)-strlen(ktboth));
 if (code) {
- krb5_free_principal(context, new_cred->princ);
+ if(new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
 xfree(new_cred);
 *minor_status = code;
@@ -216,6 +219,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
 if (code) {
+ if (new_cred->princ)
 krb5_free_principal(context, new_cred->princ);
 xfree(new_cred);
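Review bot: The new guard compares `desired_name`, a gss_name_t, against `GSS_C_NO_CREDENTIAL`, which is the null gss_cred_id_t; it only works because both constants are NULL. Use the matching constant, `if (!cred->princ && (desired_name != GSS_C_NO_NAME))`, so the comparison is type-correct and states the intent — no acceptor name was requested. A comment such as `/* GSS_C_NO_NAME leaves cred->princ NULL: any keytab principal is acceptable */` would tie this to the behaviour gss_inquire_cred now exposes. krb5_gss_acquire_cred starts and ends outside this hunk.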
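Review bot: With `krb5_copy_principal` now skipped when `cred->princ` is NULL, the following `if (code)` tests a value this hunk never assigns; unless `code` is set earlier in krb5_gss_add_cred (outside the hunk), that is a read of an indeterminate value that could spuriously fail the call. Initialize it at the branch, `code = 0;` immediately before `if (cred->princ)`, rather than relying on earlier code. Likewise the later `if (new_cred->princ) krb5_free_principal(...)` guards are only safe if `new_cred->princ` is NULL in the skipped case — presumably new_cred is zeroed after allocation, but that is not visible here and deserves a comment at this site.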
@@ -233,7 +237,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 &new_cred->rcache))) {
 if (new_cred->keytab)
 krb5_kt_close(context, new_cred->keytab);
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
 xfree(new_cred);
 *minor_status = code;
@@ -252,6 +257,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 krb5_rc_close(context, new_cred->rcache);
 if (new_cred->keytab)
 krb5_kt_close(context, new_cred->keytab);
+ if (new_cred->princ)
 krb5_free_principal(context, new_cred->princ);
 xfree(new_cred);
@@ -270,7 +276,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 krb5_rc_close(context, new_cred->rcache);
 if (new_cred->keytab)
 krb5_kt_close(context, new_cred->keytab);
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
 xfree(new_cred);
 *minor_status = code;
@@ -289,6 +296,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 krb5_rc_close(context, new_cred->rcache);
 if (new_cred->keytab)
 krb5_kt_close(context, new_cred->keytab);
+ if (new_cred->princ)
 krb5_free_principal(context, new_cred->princ);
 xfree(new_cred);
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index 88001ff4e..a79034d9e 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -129,7 +129,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
 lifetime = GSS_C_INDEFINITE;
 if (name) {
- if ((code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ if (cred->princ &&
+ (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
 *minor_status = code;
 return(GSS_S_FAILURE);
 }
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 036e8ed51..55cf03d5c 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
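Review bot: These guards only fix the cleanup path; the call that fails into this branch, `krb5_get_server_rcache(..., &new_cred->rcache)` just above the hunk, presumably still names the rcache from a component of `cred->princ` or `new_cred->princ`, which this patch now allows to be NULL. If that call is not already under an `if (cred->rcache)` (or equivalent) guard, a credential acquired with GSS_C_NO_NAME would dereference NULL in krb5_princ_component before ever reaching this error path; if it is guarded, a comment stating that acceptor creds without a princ carry no rcache would make the invariant explicit. krb5_gss_add_cred starts and ends outside this hunk.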
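Review bot: When `cred->princ` is NULL the rewritten condition falls through and `ret_name` keeps whatever value it had before the hunk, so the behaviour the commit promises (reporting GSS_C_NO_NAME) holds only if `ret_name` is initialized to NULL earlier in krb5_gss_inquire_cred, outside this hunk. Make that explicit here with `ret_name = NULL;` at the top of the `if (name)` block, or at least a comment `/* acceptor creds acquired with GSS_C_NO_NAME have no princ; report GSS_C_NO_NAME */` if the initialization is guaranteed above.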
@@ -1,3 +1,9 @@
+2003-03-02 Sam Hartman
+
+ * srv_rcache.c (krb5_get_server_rcache): If punctuation or graphic characters in replay ccache name then use escaping
+
+ * rd_req.c (krb5_rd_req): Allow initializing the replay cache from the ticket
+
 2003-02-25 Tom Yu
 * gic_pwd.c (krb5_get_init_creds_password): Don't pass a NULL
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index bc4586e28..f844e3cd6 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -79,6 +79,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da
 *auth_context = new_auth_context;
 }
+ if (!server) {
+ server = request->ticket->server;
+ }
 /* Get an rcache if necessary. */
 if (((*auth_context)->rcache == NULL) && server) {
 if ((retval = krb5_get_server_rcache(context,
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index e6abcfb90..290f869e5 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -31,6 +31,8 @@
 #include
 #include
+/* Macro for valid RC name characters*/
+#define isinvalidrcname(x) (isgraph(x)||ispunct(x))
 krb5_error_code KRB5_CALLCONV krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache *rcptr) {
@@ -58,7 +60,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
 for (i = 0; i < piece->length; i++) {
 if (piece->data[i] == '\\')
 len++;
- else if (!isgraph((int) piece->data[i]))
+ else if (!isinvalidrcname((int) piece->data[i]))
 len += 3;
 }
@@ -81,7 +83,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
 cachename[p++] = '\\';
 continue;
 }
- if (!isgraph((int) piece->data[i])) {
+ if (!isinvalidrcname((int) piece->data[i])) {
 sprintf(tmp, "%03o", piece->data[i]);
 cachename[p++] = '\\';
 cachename[p++] = tmp[0];
-- 
2.26.2
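Review bot: `request->ticket->server` is the cleartext sname of the Ticket, chosen by the peer and not yet authenticated when this fallback runs, so an unauthenticated client now selects which replay cache the server opens and, via its first component, what rcache name gets created. The srv_rcache.c change in this patch is what is meant to keep that string from becoming a file-name problem, so the coupling belongs here: `/* No server given: accept any keytab principal. ticket->server is unauthenticated cleartext and is used only to name the rcache, which krb5_get_server_rcache escapes. */`. If `server` is later used to check the ticket's sname against the expected acceptor, that check becomes a tautology under this fallback — intended, but worth saying in the same comment. krb5_rd_req continues outside this hunk.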
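Review bot: The new macro does not do what the ChangeLog entry says: `ispunct(x)` implies `isgraph(x)`, so `(isgraph(x)||ispunct(x))` is identical to `isgraph(x)` and the two `!isinvalidrcname(...)` call sites in the following hunks escape exactly the set the old `!isgraph(...)` did — punctuation such as `/` and `.` still reaches the cache name unescaped, which matters now that rd_req.c lets the peer supply this string via ticket->server. The name is also inverted (it is true for the characters that are kept and is only ever used negated), and a macro evaluating `x` twice is avoidable. I would define `#define isvalidrcname(c) (isgraph(c) && !ispunct(c))` and use it as `if (!isvalidrcname((unsigned char) piece->data[i]))` at both sites, casting to unsigned char because `piece->data[i]` is a plain char and negative values are undefined for the ctype functions.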