From: Luke Howard Date: Wed, 26 Aug 2009 12:25:46 +0000 (+0000) Subject: fix some issues with client-set attributes X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b91fdd4e93e7a6a068337ec1d59b27a0f79c466;p=thirdparty%2Fkrb5.git fix some issues with client-set attributes git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22619 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c index 4c615505ab..d67cd659a3 100644 --- a/src/lib/gssapi/krb5/import_name.c +++ b/src/lib/gssapi/krb5/import_name.c @@ -70,7 +70,7 @@ import_name_composite(krb5_context context, code = krb5_authdata_import_attributes(context, ad_context, - AD_USAGE_AP_REQ, + AD_USAGE_MASK, authdata); if (code != 0) { krb5_free_authdata(context, authdata); diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 1758fb0ea4..b612f63748 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -328,9 +328,9 @@ make_ap_req_v1(context, ctx, cred, k_cred, ad_context, mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_ETYPE_NEGOTIATION; krb5_auth_con_set_authdata_context(context, ctx->auth_context, ad_context); - code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags, checksum_data, k_cred, &ap_req); + krb5_auth_con_set_authdata_context(context, ctx->auth_context, NULL); krb5_free_data_contents(context, &cksum_struct.checksum_data); if (code) goto cleanup; @@ -375,7 +375,6 @@ make_ap_req_v1(context, ctx, cred, k_cred, ad_context, code = 0; cleanup: - krb5_auth_con_set_authdata_context(context, ctx->auth_context, NULL); if (checksum_data && checksum_data->data) krb5_free_data_contents(context, checksum_data); if (ap_req.data) diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c index 8703e98301..1bcda9f026 100644 --- a/src/lib/gssapi/krb5/naming_exts.c 
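Review bot: Nothing at the krb5_authdata_import_attributes call in import_name_composite records that the attributes being imported are unverified, and with `AD_USAGE_MASK` the modules are now handed authdata of every usage rather than only the AP-REQ kind. An exported composite name is a byte string supplied by the caller, so whether imported attributes can later be reported as authenticated depends on each module's import handler, which is not visible here and should be confirmed. A comment above the call would pin the intent, e.g. `/* Imported attributes come from an unverified token; modules must not mark them authenticated. */`. The matching change in krb5_gss_export_name_composite (naming_exts.c) needs the same remark. The function body continues outside the hunk.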
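Review bot: Both krb5_auth_con_set_authdata_context calls around krb5_mk_req_extended in make_ap_req_v1 discard their return value, and nothing explains why the context is detached again straight after the request is built. If the setter can fail, a failure of the first call would go unnoticed and the AP-REQ would be built without the caller's authdata. A short comment such as `/* ad_context is only lent to auth_context for krb5_mk_req_extended; detach it on every path */` would document the ownership rule, which is inferred here from the move out of the cleanup label. The function starts and ends outside the hunk.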
+++ b/src/lib/gssapi/krb5/naming_exts.c @@ -426,7 +426,7 @@ krb5_gss_set_name_attribute(OM_uint32 *minor_status, kattr.length = attr->length; kvalue.data = (char *)value->value; - kvalue.length = attr->length; + kvalue.length = value->length; code = krb5_authdata_set_attribute(context, kname->ad_context, @@ -674,7 +674,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status, code = krb5_authdata_export_attributes(context, kname->ad_context, - AD_USAGE_AP_REQ, + AD_USAGE_MASK, &authdata); if (code != 0) goto cleanup; diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c index 7064ba31a5..83e2634843 100644 --- a/src/lib/krb5/krb/authdata.c +++ b/src/lib/krb5/krb/authdata.c @@ -361,6 +361,7 @@ static krb5_error_code k5_merge_data_list(krb5_data **dst, krb5_data *src, unsigned int *len) { unsigned int i; + krb5_data *d; if (src == NULL) return 0; @@ -368,15 +369,18 @@ k5_merge_data_list(krb5_data **dst, krb5_data *src, unsigned int *len) for (i = 0; src[i].data != NULL; i++) ; - *dst = realloc(*dst, (*len + i + 1) * sizeof(krb5_data)); - if (*dst == NULL) + d = realloc(*dst, (*len + i + 1) * sizeof(krb5_data)); + if (d == NULL) return ENOMEM; - memcpy(&(*dst)[*len], src, i * sizeof(krb5_data)); + memcpy(&d[*len], src, i * sizeof(krb5_data)); *len += i; - (*dst)[*len].data = NULL; + d[*len].data = NULL; + d[*len].length = 0; + + *dst = d; return 0; } @@ -391,7 +395,8 @@ krb5_authdata_get_attribute_types(krb5_context kcontext, krb5_error_code code; krb5_data *asserted = NULL; krb5_data *verified = NULL; - unsigned int len = 0; + unsigned int asserted_len = 0; + unsigned int verified_len = 0; for (i = 0; i < context->n_modules; i++) { struct _krb5_authdata_context_module *module = &context->modules[i]; 
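Review bot: `kvalue.length = value->length;` in krb5_gss_set_name_attribute narrows the GSS buffer length into the krb5_data length field without a range check, and the same holds for `kattr.length = attr->length;` just above it. gss_buffer_desc lengths are size_t while krb5_data lengths are unsigned int, so on an LP64 platform an oversized buffer would be silently truncated and the module would see a shorter value than the caller passed. A guard before the two assignments, e.g. `if (attr->length > UINT_MAX || value->length > UINT_MAX)` followed by the function's usual failure return, closes that. The error path to use lies outside the hunk.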
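Review bot: The size passed to realloc in k5_merge_data_list, `(*len + i + 1) * sizeof(krb5_data)`, is still computed without an overflow check; `*len + i + 1` is unsigned int arithmetic and can wrap before the multiplication. The counts come from module-supplied attribute lists, so a wrap is unlikely in practice, but a wrapped size would make the following memcpy write past the allocation. A guard such as `if (i >= UINT_MAX - *len) return ENOMEM;` before the realloc rules it out. A comment noting that the memcpy is a shallow copy, so the data pointers in src presumably belong to *dst afterwards, would also help the callers that free src.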
@@ -411,7 +416,7 @@ krb5_authdata_get_attribute_types(krb5_context kcontext, continue; if (asserted_attrs != NULL) { - code = k5_merge_data_list(&asserted, asserted2, &len); + code = k5_merge_data_list(&asserted, asserted2, &asserted_len); if (code != 0) { krb5int_free_data_list(kcontext, asserted2); break; @@ -421,7 +426,7 @@ krb5_authdata_get_attribute_types(krb5_context kcontext, } if (verified_attrs != NULL) { - code = k5_merge_data_list(&verified, verified2, &len); + code = k5_merge_data_list(&verified, verified2, &verified_len); if (code != 0) { krb5int_free_data_list(kcontext, verified2); break; @@ -454,6 +459,15 @@ krb5_authdata_get_attribute(krb5_context kcontext, int i; krb5_error_code code = ENOENT; + *authenticated = FALSE; + *complete = FALSE; + + value->data = NULL; + value->length = 0; + + display_value->data = NULL; + display_value->length = 0; + /* * NB at present a module is presumed to be authoritative for * an attribute; not sure how to federate "more" across module @@ -489,7 +503,8 @@ krb5_authdata_set_attribute(krb5_context kcontext, const krb5_data *value) { int i; - krb5_error_code code = ENOENT; + krb5_error_code code = 0; + int found = 0; for (i = 0; i < context->n_modules; i++) { struct _krb5_authdata_context_module *module = &context->modules[i]; @@ -503,12 +518,18 @@ krb5_authdata_set_attribute(krb5_context kcontext, complete, attribute, value); - if (code != 0 && code != ENOENT) + if (code == ENOENT) + code = 0; + else if (code == 0) + found++; + else break; } - return code; + if (code == 0 && found == 0) + code = ENOENT; + return code; } krb5_error_code KRB5_CALLCONV @@ -518,6 +539,7 @@ krb5_authdata_delete_attribute(krb5_context kcontext, { int i; krb5_error_code code = ENOENT; + int found = 0; for (i = 0; i < context->n_modules; i++) { struct _krb5_authdata_context_module *module = &context->modules[i]; 
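Review bot: The new initialisation block in krb5_authdata_get_attribute dereferences `authenticated`, `complete`, `value` and `display_value` unconditionally, which makes all four mandatory output parameters without saying so. If any caller passes NULL for an output it does not need (display_value is the likely candidate), the function now crashes before a module is consulted. Either state the requirement in a comment above the function or guard each store, e.g. `if (display_value != NULL) { display_value->data = NULL; display_value->length = 0; }`. Defaulting `*authenticated` to FALSE is the right fail-closed choice and deserves a line in that comment, since code starts as ENOENT and a caller may still read the flag on that path. The rest of the function is outside the hunk.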
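Review bot: A hard error from a later module in krb5_authdata_set_attribute is returned to the caller even though an earlier module has already stored the value, because the rewritten loop keeps iterating after a success and breaks on the first failure. The caller then sees an error while the context holds a partially applied client-set attribute. If one module is meant to be authoritative, as the comment in krb5_authdata_get_attribute suggests, stop at the first success with `else if (code == 0) { found++; break; }`; otherwise say in a comment that setting is best-effort across modules and is not rolled back. krb5_authdata_delete_attribute gets the same loop in the following hunks, and there `code` is still initialised to ENOENT while set_attribute now starts at 0, which is harmless but inconsistent.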
@@ -529,10 +551,17 @@ krb5_authdata_delete_attribute(krb5_context kcontext, module->plugin_context, *(module->request_context_pp), attribute); - if (code != 0 && code != ENOENT) + if (code == ENOENT) + code = 0; + else if (code == 0) + found++; + else break; } + if (code == 0 && found == 0) + code = ENOENT; + return code; } @@ -565,7 +594,9 @@ krb5_authdata_export_attributes(krb5_context kcontext, *(module->request_context_pp), flags, &authdata2); - if (code != 0 && code != ENOENT) + if (code == ENOENT) + code = 0; + else if (code != 0) break; if (authdata2 == NULL) diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 2adf4bbf18..752c86b91a 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -945,7 +945,7 @@ mspac_flags(krb5_context context, krb5_authdatatype ad_type, krb5_flags *flags) { - *flags = AD_USAGE_AP_REQ; + *flags = AD_USAGE_KDC_ISSUED; } static void @@ -1362,10 +1362,12 @@ mspac_copy_context(krb5_context context, if (code != 0) return code; - code = k5_pac_copy(context, srcctx->pac, &dstctx->pac); - if (code != 0) { - free(dstctx); - return code; + if (srcctx->pac != NULL) { + code = k5_pac_copy(context, srcctx->pac, &dstctx->pac); + if (code != 0) { + free(dstctx); + return code; + } } *dst_request_context = dstctx; diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 49df0a5b36..6edf6d7600 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -399,7 +399,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, goto cleanup; if ((retval = krb5int_authdata_verify(context, (*auth_context)->ad_context, - AD_USAGE_AP_REQ, + AD_USAGE_MASK, auth_context, &decrypt_key, req)))
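Review bot: `dstctx->pac` is never assigned in mspac_copy_context when `srcctx->pac` is NULL, since the new guard skips k5_pac_copy and dstctx is then published through `*dst_request_context`. That is safe only if the initialisation call just above the hunk leaves the field NULL; that code is not visible here, and an uninitialised pointer would later be freed or read as a PAC. Either confirm the initialiser zeroes it or make it explicit with `dstctx->pac = NULL;` before the `if (srcctx->pac != NULL)` test.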
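Review bot: With `AD_USAGE_MASK` passed to krb5int_authdata_verify in krb5_rd_req_decoded_opt, each module's flags callback appears to be the only remaining filter on which authdata containers that module accepts, and neither this call nor the callbacks document that. It makes values such as the `AD_USAGE_KDC_ISSUED` now returned by mspac_flags (pac.c, earlier in this commit) security-relevant. A comment at this call, e.g. `/* All usages are passed; each module's flags() decides which containers it trusts. */`, plus one in mspac_flags saying why a PAC is honoured only when KDC-issued, would keep a later module from widening its flags by accident. How the mask is matched against module flags is outside this diff, so the premise should be checked against krb5int_authdata_verify.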