Revert "kgssapi: Fix the kgssapi so that it can use MIT Kerberos"
This broke the build and will have to wait for cy@'s commit.
This reverts commit 554651ebf1.
This commit is contained in:
@@ -140,9 +140,7 @@ SUBDIR.${MK_FLOPPY}+= fdformat
|
||||
SUBDIR.${MK_FLOPPY}+= fdread
|
||||
SUBDIR.${MK_FLOPPY}+= fdwrite
|
||||
SUBDIR.${MK_FREEBSD_UPDATE}+= freebsd-update
|
||||
.if ${MK_KERBEROS_SUPPORT} != "no"
|
||||
SUBDIR.${MK_GSSAPI}+= gssd
|
||||
.endif
|
||||
SUBDIR.${MK_GPIO}+= gpioctl
|
||||
SUBDIR.${MK_HYPERV}+= hyperv
|
||||
SUBDIR.${MK_INET6}+= ip6addrctl
|
||||
|
||||
@@ -9,13 +9,18 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
|
||||
CFLAGS+= -I.
|
||||
WARNS?= 1
|
||||
|
||||
LIBADD= gssapi
|
||||
.if ${MK_KERBEROS_SUPPORT} != "no"
|
||||
.if ${MK_MITKRB5} != "no"
|
||||
# MIT KRB5
|
||||
LIBADD= krb5 k5crypto krb5profile krb5support gssapi_krb5
|
||||
LIBADD+= krb5 k5crypto krb5profile krb5support
|
||||
CFLAGS+= -DMK_MITKRB5=yes
|
||||
.else
|
||||
# Heimdal
|
||||
LIBADD= gssapi krb5 roken
|
||||
LIBADD+= krb5 roken
|
||||
.endif
|
||||
.else
|
||||
CFLAGS+= -DWITHOUT_KERBEROS
|
||||
.endif
|
||||
|
||||
CLEANFILES= gssd_svc.c gssd_xdr.c gssd.h
|
||||
|
||||
+32
-474
@@ -39,7 +39,9 @@
|
||||
#include <dirent.h>
|
||||
#include <err.h>
|
||||
#include <errno.h>
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
#include <krb5.h>
|
||||
#endif
|
||||
#include <netdb.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
@@ -51,9 +53,6 @@
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in.h>
|
||||
#include <gssapi/gssapi.h>
|
||||
#ifdef MK_MITKRB5
|
||||
#include <gssapi/gssapi_krb5.h>
|
||||
#endif
|
||||
#include <rpc/rpc.h>
|
||||
#include <rpc/rpc_com.h>
|
||||
|
||||
@@ -78,6 +77,7 @@ static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
|
||||
static char pref_realm[1024];
|
||||
static int verbose;
|
||||
static int hostbased_initiator_cred;
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
/* 1.2.752.43.13.14 */
|
||||
static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
|
||||
{6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"};
|
||||
@@ -87,13 +87,16 @@ static gss_OID_desc gss_krb5_mech_oid_x_desc =
|
||||
{9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
|
||||
static gss_OID GSS_KRB5_MECH_OID_X =
|
||||
&gss_krb5_mech_oid_x_desc;
|
||||
#endif
|
||||
|
||||
static void gssd_load_mech(void);
|
||||
static int find_ccache_file(const char *, uid_t, char *);
|
||||
static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
|
||||
static void gssd_verbose_out(const char *, ...);
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
static krb5_error_code gssd_get_cc_from_keytab(const char *);
|
||||
static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *);
|
||||
#endif
|
||||
void gssd_terminate(int);
|
||||
|
||||
extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
|
||||
@@ -125,22 +128,32 @@ main(int argc, char **argv)
|
||||
debug_level++;
|
||||
break;
|
||||
case 'h':
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
/*
|
||||
* Enable use of a host based initiator credential
|
||||
* in the default keytab file.
|
||||
*/
|
||||
hostbased_initiator_cred = 1;
|
||||
#else
|
||||
errx(1, "This option not available when built"
|
||||
" without MK_KERBEROS\n");
|
||||
#endif
|
||||
break;
|
||||
case 'v':
|
||||
verbose = 1;
|
||||
break;
|
||||
case 's':
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
/*
|
||||
* Set the directory search list. This enables use of
|
||||
* find_ccache_file() to search the directories for a
|
||||
* suitable credentials cache file.
|
||||
*/
|
||||
strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist));
|
||||
#else
|
||||
errx(1, "This option not available when built"
|
||||
" without MK_KERBEROS\n");
|
||||
#endif
|
||||
break;
|
||||
case 'c':
|
||||
/*
|
||||
@@ -322,7 +335,6 @@ gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp)
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
#ifndef MK_MITKRB5
|
||||
bool_t
|
||||
gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
@@ -332,10 +344,12 @@ gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *r
|
||||
char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
|
||||
int gotone, gotcred;
|
||||
OM_uint32 min_stat;
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
gss_buffer_desc principal_desc;
|
||||
char enctype[sizeof(uint32_t)];
|
||||
int key_enctype;
|
||||
OM_uint32 maj_stat;
|
||||
#endif
|
||||
|
||||
memset(result, 0, sizeof(*result));
|
||||
if (hostbased_initiator_cred != 0 && argp->cred != 0 &&
|
||||
@@ -444,35 +458,6 @@ gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *r
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_supports_lucid_1_svc(void *argp, supports_lucid_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
|
||||
gssd_verbose_out("gssd_lucid: done\n");
|
||||
result->major_status = GSS_S_UNAVAILABLE;
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_init_sec_context_lucid_v1_1_svc(init_sec_context_lucid_v1_args *argp,
|
||||
init_sec_context_lucid_v1_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
|
||||
gssd_verbose_out("gssd_init_sec_context_lucid_v1: Heimdal\n");
|
||||
result->major_status = GSS_S_UNAVAILABLE;
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_accept_sec_context_lucid_v1_1_svc(accept_sec_context_lucid_v1_args *argp,
|
||||
accept_sec_context_lucid_v1_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
|
||||
gssd_verbose_out("gssd_accept_sec_context_lucid_v1: Heimdal\n");
|
||||
result->major_status = GSS_S_UNAVAILABLE;
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
@@ -523,446 +508,6 @@ gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_
|
||||
|
||||
return (TRUE);
|
||||
}
|
||||
#else /* MK_MITKRB5 */
|
||||
bool_t
|
||||
gssd_supports_lucid_1_svc(void *argp, supports_lucid_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
|
||||
gssd_verbose_out("gssd_lucid: done\n");
|
||||
result->vers = 1;
|
||||
result->major_status = GSS_S_COMPLETE;
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_init_sec_context_1_svc(init_sec_context_args *argp,
|
||||
init_sec_context_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
|
||||
gssd_verbose_out("gssd_init_sec_context: MIT\n");
|
||||
result->major_status = GSS_S_UNAVAILABLE;
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_accept_sec_context_1_svc(accept_sec_context_args *argp,
|
||||
accept_sec_context_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
|
||||
gssd_verbose_out("gssd_accept_sec_context: MIT\n");
|
||||
result->major_status = GSS_S_UNAVAILABLE;
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_init_sec_context_lucid_v1_1_svc(init_sec_context_lucid_v1_args *argp,
|
||||
init_sec_context_lucid_v1_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
|
||||
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
|
||||
gss_name_t name = GSS_C_NO_NAME;
|
||||
char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
|
||||
int gotone, gotcred;
|
||||
OM_uint32 min_stat;
|
||||
gss_buffer_desc principal_desc;
|
||||
char enctype[sizeof(uint32_t)];
|
||||
int key_enctype;
|
||||
OM_uint32 maj_stat;
|
||||
|
||||
memset(result, 0, sizeof(*result));
|
||||
if (hostbased_initiator_cred != 0 && argp->cred != 0 &&
|
||||
argp->uid == 0) {
|
||||
/*
|
||||
* These credentials are for a host based initiator name
|
||||
* in a keytab file, which should now have credentials
|
||||
* in /tmp/krb5cc_gssd, because gss_acquire_cred() did
|
||||
* the equivalent of "kinit -k".
|
||||
*/
|
||||
snprintf(ccname, sizeof(ccname), "FILE:%s",
|
||||
GSSD_CREDENTIAL_CACHE_FILE);
|
||||
} else if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
|
||||
/*
|
||||
* For the "-s" case and no credentials provided as an
|
||||
* argument, search the directory list for an appropriate
|
||||
* credential cache file. If the search fails, return failure.
|
||||
*/
|
||||
gotone = 0;
|
||||
cp = ccfile_dirlist;
|
||||
do {
|
||||
cp2 = strchr(cp, ':');
|
||||
if (cp2 != NULL)
|
||||
*cp2 = '\0';
|
||||
gotone = find_ccache_file(cp, argp->uid, ccname);
|
||||
if (gotone != 0)
|
||||
break;
|
||||
if (cp2 != NULL)
|
||||
*cp2++ = ':';
|
||||
cp = cp2;
|
||||
} while (cp != NULL && *cp != '\0');
|
||||
if (gotone == 0) {
|
||||
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
||||
gssd_verbose_out("gssd_init_sec_context_plus: -s no"
|
||||
" credential cache file found for uid=%d\n",
|
||||
(int)argp->uid);
|
||||
return (TRUE);
|
||||
}
|
||||
} else {
|
||||
/*
|
||||
* If there wasn't a "-s" option or the credentials have
|
||||
* been provided as an argument, do it the old way.
|
||||
* When credentials are provided, the uid should be root.
|
||||
*/
|
||||
if (argp->cred != 0 && argp->uid != 0) {
|
||||
if (debug_level == 0)
|
||||
syslog(LOG_ERR, "gss_init_sec_context_plus:"
|
||||
" cred for non-root");
|
||||
else
|
||||
fprintf(stderr, "gss_init_sec_context_plus:"
|
||||
" cred for non-root\n");
|
||||
}
|
||||
snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
|
||||
(int) argp->uid);
|
||||
}
|
||||
setenv("KRB5CCNAME", ccname, TRUE);
|
||||
|
||||
if (argp->cred) {
|
||||
cred = gssd_find_resource(argp->cred);
|
||||
if (!cred) {
|
||||
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
||||
gssd_verbose_out("gssd_init_sec_context_plus: cred"
|
||||
" resource not found\n");
|
||||
return (TRUE);
|
||||
}
|
||||
}
|
||||
if (argp->ctx) {
|
||||
ctx = gssd_find_resource(argp->ctx);
|
||||
if (!ctx) {
|
||||
result->major_status = GSS_S_CONTEXT_EXPIRED;
|
||||
gssd_verbose_out("gssd_init_sec_context_plus: context"
|
||||
" resource not found\n");
|
||||
return (TRUE);
|
||||
}
|
||||
}
|
||||
if (argp->name) {
|
||||
name = gssd_find_resource(argp->name);
|
||||
if (!name) {
|
||||
result->major_status = GSS_S_BAD_NAME;
|
||||
gssd_verbose_out("gssd_init_sec_context_plus: name"
|
||||
" resource not found\n");
|
||||
return (TRUE);
|
||||
}
|
||||
}
|
||||
gotcred = 0;
|
||||
|
||||
result->major_status = gss_init_sec_context(&result->minor_status,
|
||||
cred, &ctx, name, argp->mech_type,
|
||||
argp->req_flags, argp->time_req, argp->input_chan_bindings,
|
||||
&argp->input_token, &result->actual_mech_type,
|
||||
&result->output_token, &result->ret_flags, &result->time_rec);
|
||||
gssd_verbose_out("gssd_init_sec_context_plus: done major=0x%x minor=%d"
|
||||
" uid=%d\n", (unsigned int)result->major_status,
|
||||
(int)result->minor_status, (int)argp->uid);
|
||||
if (gotcred != 0)
|
||||
gss_release_cred(&min_stat, &cred);
|
||||
|
||||
if (result->actual_mech_type) {
|
||||
/*
|
||||
* Just to keep the bogus "elements" pointer
|
||||
* from core dumping the daemon when linked to MIT
|
||||
* libraries. For some reason, the "elements" pointer
|
||||
* in actual_mech_type cannot be read.
|
||||
*/
|
||||
result->actual_mech_type = GSS_KRB5_MECH_OID_X;
|
||||
}
|
||||
|
||||
if (result->major_status == GSS_S_COMPLETE
|
||||
|| result->major_status == GSS_S_CONTINUE_NEEDED) {
|
||||
if (argp->ctx)
|
||||
result->ctx = argp->ctx;
|
||||
else
|
||||
result->ctx = gssd_make_resource(ctx);
|
||||
}
|
||||
|
||||
if (result->major_status == GSS_S_COMPLETE) {
|
||||
gss_krb5_lucid_context_v1_t *lctx;
|
||||
|
||||
result->major_status = gss_krb5_export_lucid_sec_context(
|
||||
&result->minor_status, &ctx, 1, (void *)&lctx);
|
||||
gssd_delete_resource(result->ctx);
|
||||
if (result->major_status == GSS_S_COMPLETE &&
|
||||
lctx != NULL) {
|
||||
result->lucid.initiate = lctx->initiate;
|
||||
result->lucid.endtime = lctx->endtime;
|
||||
result->lucid.send_seq = lctx->send_seq;
|
||||
result->lucid.recv_seq = lctx->recv_seq;
|
||||
result->lucid.protocol = lctx->protocol;
|
||||
if (lctx->protocol == 0) {
|
||||
result->lucid.rfc_sign =
|
||||
lctx->rfc1964_kd.sign_alg;
|
||||
result->lucid.rfc_seal =
|
||||
lctx->rfc1964_kd.seal_alg;
|
||||
result->lucid.ctx_type =
|
||||
lctx->rfc1964_kd.ctx_key.type;
|
||||
result->lucid.ctx_key.length =
|
||||
lctx->rfc1964_kd.ctx_key.length;
|
||||
result->lucid.ctx_key.value =
|
||||
mem_alloc(result->lucid.ctx_key.length);
|
||||
memcpy(result->lucid.ctx_key.value,
|
||||
lctx->rfc1964_kd.ctx_key.data,
|
||||
result->lucid.ctx_key.length);
|
||||
} else if (lctx->protocol == 1) {
|
||||
result->lucid.have_subkey =
|
||||
lctx->cfx_kd.have_acceptor_subkey;
|
||||
result->lucid.ctx_type =
|
||||
lctx->cfx_kd.ctx_key.type;
|
||||
result->lucid.ctx_key.length =
|
||||
lctx->cfx_kd.ctx_key.length;
|
||||
result->lucid.ctx_key.value =
|
||||
mem_alloc(result->lucid.ctx_key.length);
|
||||
memcpy(result->lucid.ctx_key.value,
|
||||
lctx->cfx_kd.ctx_key.data,
|
||||
result->lucid.ctx_key.length);
|
||||
if (result->lucid.have_subkey != 0) {
|
||||
result->lucid.subkey_type =
|
||||
lctx->cfx_kd.acceptor_subkey.type;
|
||||
result->lucid.subkey_key.length =
|
||||
lctx->cfx_kd.acceptor_subkey.length;
|
||||
result->lucid.subkey_key.value =
|
||||
mem_alloc(
|
||||
result->lucid.subkey_key.length);
|
||||
memcpy(result->lucid.subkey_key.value,
|
||||
lctx->cfx_kd.acceptor_subkey.data,
|
||||
result->lucid.subkey_key.length);
|
||||
} else {
|
||||
result->lucid.subkey_type = 0;
|
||||
result->lucid.subkey_key.length = 0;
|
||||
result->lucid.subkey_key.value = NULL;
|
||||
}
|
||||
}
|
||||
(void)gss_krb5_free_lucid_sec_context(&min_stat,
|
||||
(void *)lctx);
|
||||
} else {
|
||||
gssd_verbose_out("gss_krb5_export_lucid_set_context"
|
||||
" failed: major=0x%x minor=%d lctx=%p\n",
|
||||
result->major_status, result->minor_status, lctx);
|
||||
}
|
||||
}
|
||||
|
||||
return (TRUE);
|
||||
}
|
||||
|
||||
/*
|
||||
* Internal function to acquire unix credentials.
|
||||
*/
|
||||
static OM_uint32
|
||||
_gss_get_unix_cred(OM_uint32 *minor_stat, gss_name_t name, gss_OID mech,
|
||||
uid_t *uidp, gid_t *gidp, int *numgroups, gid_t *groups)
|
||||
{
|
||||
OM_uint32 major_stat;
|
||||
uid_t uid;
|
||||
char buf[1024], *bufp;
|
||||
struct passwd pwd, *pw;
|
||||
size_t buflen;
|
||||
int error;
|
||||
static size_t buflen_hint = 1024;
|
||||
|
||||
major_stat = gss_pname_to_uid(minor_stat, name, mech, &uid);
|
||||
if (major_stat == GSS_S_COMPLETE) {
|
||||
*uidp = uid;
|
||||
buflen = buflen_hint;
|
||||
for (;;) {
|
||||
pw = NULL;
|
||||
bufp = buf;
|
||||
if (buflen > sizeof(buf))
|
||||
bufp = malloc(buflen);
|
||||
if (bufp == NULL)
|
||||
break;
|
||||
error = getpwuid_r(uid, &pwd, bufp, buflen,
|
||||
&pw);
|
||||
if (error != ERANGE)
|
||||
break;
|
||||
if (buflen > sizeof(buf))
|
||||
free(bufp);
|
||||
buflen += 1024;
|
||||
if (buflen > buflen_hint)
|
||||
buflen_hint = buflen;
|
||||
}
|
||||
if (pw) {
|
||||
*gidp = pw->pw_gid;
|
||||
getgrouplist(pw->pw_name, pw->pw_gid,
|
||||
groups, numgroups);
|
||||
} else {
|
||||
major_stat = GSS_S_FAILURE;
|
||||
gssd_verbose_out("get_unix_cred: cannot find"
|
||||
" passwd entry\n");
|
||||
}
|
||||
if (bufp != NULL && buflen > sizeof(buf))
|
||||
free(bufp);
|
||||
} else if (major_stat != GSS_S_UNAVAILABLE) {
|
||||
gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x"
|
||||
" minor=%d\n", major_stat, *minor_stat);
|
||||
}
|
||||
return (major_stat);
|
||||
}
|
||||
|
||||
bool_t
|
||||
gssd_accept_sec_context_lucid_v1_1_svc(accept_sec_context_lucid_v1_args *argp,
|
||||
accept_sec_context_lucid_v1_res *result, struct svc_req *rqstp)
|
||||
{
|
||||
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
|
||||
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
|
||||
gss_name_t src_name;
|
||||
gss_cred_id_t delegated_cred_handle;
|
||||
OM_uint32 min_stat;
|
||||
|
||||
memset(result, 0, sizeof(*result));
|
||||
if (argp->ctx) {
|
||||
ctx = gssd_find_resource(argp->ctx);
|
||||
if (!ctx) {
|
||||
result->major_status = GSS_S_CONTEXT_EXPIRED;
|
||||
gssd_verbose_out("gssd_accept_sec_context: ctx"
|
||||
" resource not found\n");
|
||||
return (TRUE);
|
||||
}
|
||||
}
|
||||
if (argp->cred) {
|
||||
cred = gssd_find_resource(argp->cred);
|
||||
if (!cred) {
|
||||
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
|
||||
gssd_verbose_out("gssd_accept_sec_context: cred"
|
||||
" resource not found\n");
|
||||
return (TRUE);
|
||||
}
|
||||
}
|
||||
|
||||
memset(result, 0, sizeof(*result));
|
||||
result->major_status = gss_accept_sec_context(&result->minor_status,
|
||||
&ctx, cred, &argp->input_token, argp->input_chan_bindings,
|
||||
&src_name, &result->mech_type, &result->output_token,
|
||||
&result->ret_flags, &result->time_rec,
|
||||
&delegated_cred_handle);
|
||||
gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n",
|
||||
(unsigned int)result->major_status, (int)result->minor_status);
|
||||
|
||||
if (result->major_status == GSS_S_COMPLETE
|
||||
|| result->major_status == GSS_S_CONTINUE_NEEDED) {
|
||||
if (argp->ctx)
|
||||
result->ctx = argp->ctx;
|
||||
else
|
||||
result->ctx = gssd_make_resource(ctx);
|
||||
result->src_name = gssd_make_resource(src_name);
|
||||
result->delegated_cred_handle =
|
||||
gssd_make_resource(delegated_cred_handle);
|
||||
}
|
||||
|
||||
if (result->major_status == GSS_S_COMPLETE) {
|
||||
gss_krb5_lucid_context_v1_t *lctx;
|
||||
|
||||
/* Get the lucid context stuff. */
|
||||
result->major_status = gss_krb5_export_lucid_sec_context(
|
||||
&result->minor_status, &ctx, 1, (void *)&lctx);
|
||||
gssd_delete_resource(result->ctx);
|
||||
if (result->major_status == GSS_S_COMPLETE &&
|
||||
lctx != NULL) {
|
||||
result->lucid.initiate = lctx->initiate;
|
||||
result->lucid.endtime = lctx->endtime;
|
||||
result->lucid.send_seq = lctx->send_seq;
|
||||
result->lucid.recv_seq = lctx->recv_seq;
|
||||
result->lucid.protocol = lctx->protocol;
|
||||
if (lctx->protocol == 0) {
|
||||
result->lucid.rfc_sign =
|
||||
lctx->rfc1964_kd.sign_alg;
|
||||
result->lucid.rfc_seal =
|
||||
lctx->rfc1964_kd.seal_alg;
|
||||
result->lucid.ctx_type =
|
||||
lctx->rfc1964_kd.ctx_key.type;
|
||||
result->lucid.ctx_key.length =
|
||||
lctx->rfc1964_kd.ctx_key.length;
|
||||
result->lucid.ctx_key.value =
|
||||
mem_alloc(result->lucid.ctx_key.length);
|
||||
memcpy(result->lucid.ctx_key.value,
|
||||
lctx->rfc1964_kd.ctx_key.data,
|
||||
result->lucid.ctx_key.length);
|
||||
} else if (lctx->protocol == 1) {
|
||||
result->lucid.have_subkey =
|
||||
lctx->cfx_kd.have_acceptor_subkey;
|
||||
result->lucid.ctx_type =
|
||||
lctx->cfx_kd.ctx_key.type;
|
||||
result->lucid.ctx_key.length =
|
||||
lctx->cfx_kd.ctx_key.length;
|
||||
result->lucid.ctx_key.value =
|
||||
mem_alloc(result->lucid.ctx_key.length);
|
||||
memcpy(result->lucid.ctx_key.value,
|
||||
lctx->cfx_kd.ctx_key.data,
|
||||
result->lucid.ctx_key.length);
|
||||
if (result->lucid.have_subkey != 0) {
|
||||
result->lucid.subkey_type =
|
||||
lctx->cfx_kd.acceptor_subkey.type;
|
||||
result->lucid.subkey_key.length =
|
||||
lctx->cfx_kd.acceptor_subkey.length;
|
||||
result->lucid.subkey_key.value =
|
||||
mem_alloc(
|
||||
result->lucid.subkey_key.length);
|
||||
memcpy(result->lucid.subkey_key.value,
|
||||
lctx->cfx_kd.acceptor_subkey.data,
|
||||
result->lucid.subkey_key.length);
|
||||
} else {
|
||||
result->lucid.subkey_type = 0;
|
||||
result->lucid.subkey_key.length = 0;
|
||||
result->lucid.subkey_key.value = NULL;
|
||||
}
|
||||
}
|
||||
(void)gss_krb5_free_lucid_sec_context(&min_stat,
|
||||
(void *)lctx);
|
||||
} else {
|
||||
gssd_verbose_out("gss_krb5_export_lucid_set_context"
|
||||
" failed: major=0x%x minor=%d lctx=%p\n",
|
||||
result->major_status, result->minor_status, lctx);
|
||||
}
|
||||
|
||||
/* Now, get the exported name. */
|
||||
if (result->major_status == GSS_S_COMPLETE) {
|
||||
result->major_status = gss_export_name(
|
||||
&result->minor_status, src_name,
|
||||
&result->exported_name);
|
||||
gssd_verbose_out("gssd_accept_sec_context (name):"
|
||||
" done major=0x%x minor=%d\n",
|
||||
result->major_status, result->minor_status);
|
||||
}
|
||||
|
||||
/* Finally, get the unix credentials. */
|
||||
if (result->major_status == GSS_S_COMPLETE) {
|
||||
gid_t groups[NGROUPS];
|
||||
int i, len = NGROUPS;
|
||||
OM_uint32 major_stat, minor_stat;
|
||||
|
||||
major_stat = _gss_get_unix_cred(&minor_stat,
|
||||
src_name, result->mech_type,
|
||||
&result->uid, &result->gid, &len, groups);
|
||||
if (major_stat == GSS_S_COMPLETE) {
|
||||
result->gidlist.gidlist_len = len;
|
||||
result->gidlist.gidlist_val =
|
||||
mem_alloc(len * sizeof(uint32_t));
|
||||
/*
|
||||
* Just in case
|
||||
* sizeof(gid_t) != sizeof(uint32_t).
|
||||
*/
|
||||
for (i = 0; i < len; i++)
|
||||
result->gidlist.gidlist_val[i] =
|
||||
groups[i];
|
||||
} else {
|
||||
result->gid = 65534;
|
||||
result->gidlist.gidlist_len = 0;
|
||||
result->gidlist.gidlist_val = NULL;
|
||||
gssd_verbose_out("gssd_pname_to_uid: mapped"
|
||||
" to uid=%d, but no groups\n",
|
||||
(int)result->uid);
|
||||
}
|
||||
}
|
||||
}
|
||||
return (TRUE);
|
||||
}
|
||||
#endif /* !MK_MITKRB5 */
|
||||
|
||||
bool_t
|
||||
gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp)
|
||||
@@ -1213,9 +758,11 @@ gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struc
|
||||
gss_cred_id_t cred;
|
||||
char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
|
||||
int gotone;
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
gss_buffer_desc namebuf;
|
||||
uint32_t minstat;
|
||||
krb5_error_code kret;
|
||||
#endif
|
||||
|
||||
memset(result, 0, sizeof(*result));
|
||||
if (argp->desired_name) {
|
||||
@@ -1228,6 +775,7 @@ gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struc
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
if (hostbased_initiator_cred != 0 && argp->desired_name != 0 &&
|
||||
argp->uid == 0 && argp->cred_usage == GSS_C_INITIATE) {
|
||||
/* This is a host based initiator name in the keytab file. */
|
||||
@@ -1260,7 +808,9 @@ gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struc
|
||||
result->major_status = GSS_S_FAILURE;
|
||||
return (TRUE);
|
||||
}
|
||||
} else if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
|
||||
} else
|
||||
#endif /* !WITHOUT_KERBEROS */
|
||||
if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
|
||||
/*
|
||||
* For the "-s" case and no name provided as an
|
||||
* argument, search the directory list for an appropriate
|
||||
@@ -1504,6 +1054,7 @@ static int
|
||||
is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating,
|
||||
time_t *retexptime)
|
||||
{
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
krb5_context context;
|
||||
krb5_principal princ;
|
||||
krb5_ccache ccache;
|
||||
@@ -1603,8 +1154,12 @@ is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating,
|
||||
*retexptime = exptime;
|
||||
}
|
||||
return (ret);
|
||||
#else /* WITHOUT_KERBEROS */
|
||||
return (0);
|
||||
#endif /* !WITHOUT_KERBEROS */
|
||||
}
|
||||
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
/*
|
||||
* This function attempts to do essentially a "kinit -k" for the principal
|
||||
* name provided as the argument, so that there will be a TGT in the
|
||||
@@ -1707,12 +1262,15 @@ gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp)
|
||||
gss_release_oid_set(&min_stat, &mechlist);
|
||||
return (maj_stat);
|
||||
}
|
||||
#endif /* !WITHOUT_KERBEROS */
|
||||
|
||||
void gssd_terminate(int sig __unused)
|
||||
{
|
||||
|
||||
#ifndef WITHOUT_KERBEROS
|
||||
if (hostbased_initiator_cred != 0)
|
||||
unlink(GSSD_CREDENTIAL_CACHE_FILE);
|
||||
#endif
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user