OM_uint32 GSSAPI_CALLCONV
_gsskrb5_set_sec_context_option
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
krb5_context context;
OM_uint32 maj_stat;
GSSAPI_KRB5_INIT (&context);
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) {
gsskrb5_ctx ctx;
int flag;
if (*context_handle == GSS_C_NO_CONTEXT) {
*minor_status = EINVAL;
return GSS_S_NO_CONTEXT;
}
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
ctx = (gsskrb5_ctx)*context_handle;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (flag)
ctx->more_flags |= COMPAT_OLD_DES3;
else
ctx->more_flags &= ~COMPAT_OLD_DES3;
ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) {
int flag;
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
krb5_set_dns_canonicalize_hostname(context, flag);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
free(str);
return maj_stat;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
if (str == NULL) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
krb5_set_default_realm(context, str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_CCACHE_NAME_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
if (str == NULL) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
*minor_status = krb5_cc_set_default_name(context, str);
free(str);
if (*minor_status)
return GSS_S_FAILURE;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) {
OM_uint32 offset;
time_t t;
maj_stat = get_int32(minor_status, value, &offset);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
t = time(NULL) + offset;
krb5_set_real_time(context, t, 0);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) {
krb5_timestamp sec;
int32_t usec;
time_t t;
t = time(NULL);
krb5_us_timeofday (context, &sec, &usec);
maj_stat = set_int32(minor_status, value, sec - t);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_PLUGIN_REGISTER_X)) {
struct gsskrb5_krb5_plugin c;
if (value->length != sizeof(c)) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
memcpy(&c, value->value, sizeof(c));
krb5_plugin_register(context, c.type, c.name, c.symbol);
*minor_status = 0;
return GSS_S_COMPLETE;
}
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct tevent_context *ev,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
*smb_krb5_context = talloc(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = smb_krb5_init_context_basic(tmp_ctx, ev, lp_ctx,
&(*smb_krb5_context)->krb5_context);
if (ret) {
DEBUG(1,("smb_krb5_context_init_basic failed (%s)\n",
error_message(ret)));
talloc_free(tmp_ctx);
return ret;
}
/* TODO: Should we have a different name here? */
ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf);
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
krb5_free_context((*smb_krb5_context)->krb5_context);
talloc_free(tmp_ctx);
return ret;
}
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy);
ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */,
smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL);
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
/* Set use of our socket lib */
ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
smb_krb5_send_and_recv_func,
ev);
if (ret) {
DEBUG(1,("krb5_set_send_recv_func failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
/* Set options in kerberos */
krb5_set_dns_canonicalize_hostname((*smb_krb5_context)->krb5_context,
lp_parm_bool(lp_ctx, NULL, "krb5", "set_dns_canonicalize", false));
return 0;
}
OM_uint32
_gsskrb5_set_sec_context_option
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
OM_uint32 maj_stat;
GSSAPI_KRB5_INIT ();
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) {
gsskrb5_ctx ctx;
int flag;
if (*context_handle == GSS_C_NO_CONTEXT) {
*minor_status = EINVAL;
return GSS_S_NO_CONTEXT;
}
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
ctx = (gsskrb5_ctx)*context_handle;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (flag)
ctx->more_flags |= COMPAT_OLD_DES3;
else
ctx->more_flags &= ~COMPAT_OLD_DES3;
ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) {
int flag;
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
krb5_set_dns_canonicalize_hostname(_gsskrb5_context, flag);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
char *str;
if (value == NULL || value->length == 0) {
str = NULL;
} else {
str = malloc(value->length + 1);
if (str) {
*minor_status = 0;
return GSS_S_UNAVAILABLE;
}
memcpy(str, value->value, value->length);
str[value->length] = '\0';
}
_gsskrb5_register_acceptor_identity(str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
if (value == NULL || value->length == 0) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
str = malloc(value->length + 1);
if (str) {
*minor_status = 0;
return GSS_S_UNAVAILABLE;
}
memcpy(str, value->value, value->length);
str[value->length] = '\0';
krb5_set_default_realm(_gsskrb5_context, str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
if (value == NULL || value->length == 0) {
krb5_set_send_to_kdc_func(_gsskrb5_context, NULL, NULL);
} else {
struct gsskrb5_send_to_kdc c;
if (value->length != sizeof(c)) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
memcpy(&c, value->value, sizeof(c));
krb5_set_send_to_kdc_func(_gsskrb5_context,
(krb5_send_to_kdc_func)c.func,
c.ptr);
}
*minor_status = 0;
return GSS_S_COMPLETE;
}
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
krb5_context kctx;
#ifdef SAMBA4_USES_HEIMDAL
krb5_log_facility *logf;
#endif
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
*smb_krb5_context = talloc_zero(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = smb_krb5_init_context_basic(tmp_ctx, lp_ctx, &kctx);
if (ret) {
DEBUG(1,("smb_krb5_context_init_basic failed (%s)\n",
error_message(ret)));
talloc_free(tmp_ctx);
return ret;
}
(*smb_krb5_context)->krb5_context = kctx;
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy);
#ifdef SAMBA4_USES_HEIMDAL
/* TODO: Should we have a different name here? */
ret = krb5_initlog(kctx, "Samba", &logf);
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n",
smb_get_krb5_error_message(kctx, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
(*smb_krb5_context)->pvt_log_data = logf;
ret = krb5_addlog_func(kctx, logf, 0 /* min */, -1 /* max */,
smb_krb5_debug_wrapper,
smb_krb5_debug_close, NULL);
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n",
smb_get_krb5_error_message(kctx, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest(kctx, logf);
/* Set options in kerberos */
krb5_set_dns_canonicalize_hostname(kctx,
lpcfg_parm_bool(lp_ctx, NULL, "krb5",
"set_dns_canonicalize", false));
#endif
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
return 0;
}
