svn commit: samba r25133 - in branches: SAMBA_3_2/source/libads SAMBA_3_2_0/source/libads

gd at samba.org gd at samba.org
Thu Sep 13 15:59:47 GMT 2007


Author: gd
Date: 2007-09-13 15:59:46 +0000 (Thu, 13 Sep 2007)
New Revision: 25133

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25133

Log:
Fix sasl wrapping (for ldap sign&seal).

The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.

Jerry, Jeremy, I could neither figure out the need for passing in a
krb5_principal at all nor reproduce the crash you were seeing.

I successfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.

Guenther

Modified:
   branches/SAMBA_3_2/source/libads/sasl.c
   branches/SAMBA_3_2_0/source/libads/sasl.c


Changeset:
Modified: branches/SAMBA_3_2/source/libads/sasl.c
===================================================================
--- branches/SAMBA_3_2/source/libads/sasl.c	2007-09-13 15:10:36 UTC (rev 25132)
+++ branches/SAMBA_3_2/source/libads/sasl.c	2007-09-13 15:59:46 UTC (rev 25133)
@@ -607,9 +607,7 @@
 
 #ifdef HAVE_KRB5
 struct ads_service_principal {
-	 krb5_context ctx;
 	 char *string;
-	 krb5_principal principal;
 #ifdef HAVE_GSSAPI
 	 gss_name_t name;
 #endif
@@ -625,14 +623,6 @@
 		gss_release_name(&minor_status, &p->name);
 	}
 #endif
-	if (p->principal) {
-		krb5_free_principal(p->ctx, p->principal);
-	}
-
-	if (p->ctx) {
-		krb5_free_context(p->ctx);
-	}
-
 	ZERO_STRUCTP(p);
 }
 
@@ -641,15 +631,10 @@
 						 struct ads_service_principal *p)
 {
 	ADS_STATUS status;
-	krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
-			ENCTYPE_ARCFOUR_HMAC,
-#endif
-			ENCTYPE_DES_CBC_MD5,
-			ENCTYPE_NULL};
 #ifdef HAVE_GSSAPI
 	gss_buffer_desc input_name;
-	gss_OID_desc nt_principal = 
+	/* GSS_KRB5_NT_PRINCIPAL_NAME */
+	gss_OID_desc nt_principal =
 	{10, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
 	uint32 minor_status;
 	int gss_rc;
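Review bot: `ADS_STATUS status;` stays declared at the top of this hunk, although the later hunks remove every visible assignment to it and replace `return status;` with `return ADS_SUCCESS;`. If the lines between this hunk and the next do not assign it either, the declaration is dead and will draw an unused-variable warning; drop it. The function's signature starts above the hunk and its body continues past it, so this should be checked against the full file. The SAMBA_3_2_0 copy of sasl.c carries the same declaration.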
@@ -678,35 +663,9 @@
 		}
 	}
 
-	initialize_krb5_error_table();
-	status = ADS_ERROR_KRB5(krb5_init_context(&p->ctx));
-	if (!ADS_ERR_OK(status)) {
-		ads_free_service_principal(p);
-		return status;
-	}
-	status = ADS_ERROR_KRB5(krb5_set_default_tgs_ktypes(p->ctx, enc_types));
-	if (!ADS_ERR_OK(status)) {
-		ads_free_service_principal(p);
-		return status;
-	}
-	status = ADS_ERROR_KRB5(smb_krb5_parse_name(p->ctx, p->string, &p->principal));
-	if (!ADS_ERR_OK(status)) {
-		ads_free_service_principal(p);
-		return status;
-	}
-
 #ifdef HAVE_GSSAPI
-	/*
-	 * The MIT libraries have a *HORRIBLE* bug - input_value.value needs
-	 * to point to the *address* of the krb5_principal, and the gss libraries
-	 * to a shallow copy of the krb5_principal pointer - so we need to keep
-	 * the krb5_principal around until we do the gss_release_name. MIT *SUCKS* !
-	 * Just one more way in which MIT engineers screwed me over.... JRA.
-	 *
-	 * That's the reason for principal not beeing a local var in this function
-	 */
-	input_name.value = &p->principal;
-	input_name.length = sizeof(p->principal);
+	input_name.value = p->string;
+	input_name.length = strlen(p->string);
 
 	gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name);
 	if (gss_rc) {
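Review bot: The added `input_name.value = p->string;` and `input_name.length = strlen(p->string);` have no comment stating the buffer contract, and the removed block comment was the only place that explained it. I would put `/* GSS_KRB5_NT_PRINCIPAL_NAME expects the printable principal; length excludes the trailing NUL */` above the two assignments. The `strlen()` also relies on `p->string` being non-NULL on every path that reaches it; that is decided above this hunk and cannot be confirmed from here, so a NULL check before the import is worth adding unless the earlier branches all return on failure. Separately, the removed `krb5_set_default_tgs_ktypes()` call was the only enctype restriction in this function. It presumably never affected the GSSAPI library's own context, but the log should say that enctype selection is now left to the library defaults. The same points apply to the identical hunk in branches/SAMBA_3_2_0/source/libads/sasl.c.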
@@ -715,7 +674,7 @@
 	}
 #endif
 
-	return status;
+	return ADS_SUCCESS;
 }
 
 /* 

Modified: branches/SAMBA_3_2_0/source/libads/sasl.c
===================================================================
--- branches/SAMBA_3_2_0/source/libads/sasl.c	2007-09-13 15:10:36 UTC (rev 25132)
+++ branches/SAMBA_3_2_0/source/libads/sasl.c	2007-09-13 15:59:46 UTC (rev 25133)
@@ -607,9 +607,7 @@
 
 #ifdef HAVE_KRB5
 struct ads_service_principal {
-	 krb5_context ctx;
 	 char *string;
-	 krb5_principal principal;
 #ifdef HAVE_GSSAPI
 	 gss_name_t name;
 #endif
@@ -625,14 +623,6 @@
 		gss_release_name(&minor_status, &p->name);
 	}
 #endif
-	if (p->principal) {
-		krb5_free_principal(p->ctx, p->principal);
-	}
-
-	if (p->ctx) {
-		krb5_free_context(p->ctx);
-	}
-
 	ZERO_STRUCTP(p);
 }
 
@@ -641,15 +631,10 @@
 						 struct ads_service_principal *p)
 {
 	ADS_STATUS status;
-	krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
-			ENCTYPE_ARCFOUR_HMAC,
-#endif
-			ENCTYPE_DES_CBC_MD5,
-			ENCTYPE_NULL};
 #ifdef HAVE_GSSAPI
 	gss_buffer_desc input_name;
-	gss_OID_desc nt_principal = 
+	/* GSS_KRB5_NT_PRINCIPAL_NAME */
+	gss_OID_desc nt_principal =
 	{10, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
 	uint32 minor_status;
 	int gss_rc;
@@ -678,35 +663,9 @@
 		}
 	}
 
-	initialize_krb5_error_table();
-	status = ADS_ERROR_KRB5(krb5_init_context(&p->ctx));
-	if (!ADS_ERR_OK(status)) {
-		ads_free_service_principal(p);
-		return status;
-	}
-	status = ADS_ERROR_KRB5(krb5_set_default_tgs_ktypes(p->ctx, enc_types));
-	if (!ADS_ERR_OK(status)) {
-		ads_free_service_principal(p);
-		return status;
-	}
-	status = ADS_ERROR_KRB5(smb_krb5_parse_name(p->ctx, p->string, &p->principal));
-	if (!ADS_ERR_OK(status)) {
-		ads_free_service_principal(p);
-		return status;
-	}
-
 #ifdef HAVE_GSSAPI
-	/*
-	 * The MIT libraries have a *HORRIBLE* bug - input_value.value needs
-	 * to point to the *address* of the krb5_principal, and the gss libraries
-	 * to a shallow copy of the krb5_principal pointer - so we need to keep
-	 * the krb5_principal around until we do the gss_release_name. MIT *SUCKS* !
-	 * Just one more way in which MIT engineers screwed me over.... JRA.
-	 *
-	 * That's the reason for principal not beeing a local var in this function
-	 */
-	input_name.value = &p->principal;
-	input_name.length = sizeof(p->principal);
+	input_name.value = p->string;
+	input_name.length = strlen(p->string);
 
 	gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name);
 	if (gss_rc) {
@@ -715,7 +674,7 @@
 	}
 #endif
 
-	return status;
+	return ADS_SUCCESS;
 }
 
 /* 


