579 lines
23 KiB
Diff
579 lines
23 KiB
Diff
|
From e33835c4b6c6ce71757e9f659db03afa4bfd9a9a Mon Sep 17 00:00:00 2001
|
||
|
From: Greg Hudson <ghudson@mit.edu>
|
||
|
Date: Fri, 15 Jan 2021 13:51:34 -0500
|
||
|
Subject: [PATCH] Support host-based GSS initiator names
|
||
|
|
||
|
When checking if we can get initial credentials in the GSS krb5 mech,
|
||
|
use krb5_kt_have_match() to support fallback iteration. When scanning
|
||
|
the ccache or getting initial credentials, rewrite cred->name->princ
|
||
|
to the canonical client name. When a name check is necessary (such as
|
||
|
when the caller specifies both a name and ccache), use a new internal
|
||
|
API k5_sname_compare() to support fallback iteration. Add fallback
|
||
|
iteration to krb5_cc_cache_match() to allow host-based names to be
|
||
|
canonicalized against the cache collection.
|
||
|
|
||
|
Create and store the matching principal for acceptor names in
|
||
|
acquire_accept_cred() so that it isn't affected by changes in
|
||
|
cred->name->princ during acquire_init_cred().
|
||
|
|
||
|
ticket: 8978 (new)
|
||
|
(cherry picked from commit c374ab40dd059a5938ffc0440d87457ac5da3a46)
|
||
|
---
|
||
|
src/include/k5-int.h | 9 +++
|
||
|
src/include/k5-trace.h | 3 +
|
||
|
src/lib/gssapi/krb5/accept_sec_context.c | 15 +---
|
||
|
src/lib/gssapi/krb5/acquire_cred.c | 89 ++++++++++++++----------
|
||
|
src/lib/gssapi/krb5/gssapiP_krb5.h | 1 +
|
||
|
src/lib/gssapi/krb5/rel_cred.c | 1 +
|
||
|
src/lib/krb5/ccache/cccursor.c | 57 +++++++++++----
|
||
|
src/lib/krb5/libkrb5.exports | 1 +
|
||
|
src/lib/krb5/os/sn2princ.c | 23 +++++-
|
||
|
src/lib/krb5_32.def | 1 +
|
||
|
src/tests/gssapi/t_client_keytab.py | 44 ++++++++++++
|
||
|
src/tests/gssapi/t_credstore.py | 32 +++++++++
|
||
|
12 files changed, 214 insertions(+), 62 deletions(-)
|
||
|
|
||
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||
|
index efb523689..46f2ce2d3 100644
|
||
|
--- a/src/include/k5-int.h
|
||
|
+++ b/src/include/k5-int.h
|
||
|
@@ -2411,4 +2411,13 @@ void k5_change_error_message_code(krb5_context ctx, krb5_error_code oldcode,
|
||
|
#define k5_prependmsg krb5_prepend_error_message
|
||
|
#define k5_wrapmsg krb5_wrap_error_message
|
||
|
|
||
|
+/*
|
||
|
+ * Like krb5_principal_compare(), but with canonicalization of sname if
|
||
|
+ * fallback is enabled. This function should be avoided if multiple matches
|
||
|
+ * are required, since repeated canonicalization is inefficient.
|
||
|
+ */
|
||
|
+krb5_boolean
|
||
|
+k5_sname_compare(krb5_context context, krb5_const_principal sname,
|
||
|
+ krb5_const_principal princ);
|
||
|
+
|
||
|
#endif /* _KRB5_INT_H */
|
||
|
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
|
||
|
index b3e039dc8..79b5a7a85 100644
|
||
|
--- a/src/include/k5-trace.h
|
||
|
+++ b/src/include/k5-trace.h
|
||
|
@@ -105,6 +105,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
|
||
|
|
||
|
#endif /* DISABLE_TRACING */
|
||
|
|
||
|
+#define TRACE_CC_CACHE_MATCH(c, princ, ret) \
|
||
|
+ TRACE(c, "Matching {princ} in collection with result: {kerr}", \
|
||
|
+ princ, ret)
|
||
|
#define TRACE_CC_DESTROY(c, cache) \
|
||
|
TRACE(c, "Destroying ccache {ccache}", cache)
|
||
|
#define TRACE_CC_GEN_NEW(c, cache) \
|
||
|
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
||
|
index fcf2c2152..a1d7e0d96 100644
|
||
|
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
||
|
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
||
|
@@ -683,7 +683,6 @@ kg_accept_krb5(minor_status, context_handle,
|
||
|
krb5_flags ap_req_options = 0;
|
||
|
krb5_enctype negotiated_etype;
|
||
|
krb5_authdata_context ad_context = NULL;
|
||
|
- krb5_principal accprinc = NULL;
|
||
|
krb5_ap_req *request = NULL;
|
||
|
|
||
|
code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
|
||
|
@@ -849,17 +848,9 @@ kg_accept_krb5(minor_status, context_handle,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- if (!cred->default_identity) {
|
||
|
- if ((code = kg_acceptor_princ(context, cred->name, &accprinc))) {
|
||
|
- major_status = GSS_S_FAILURE;
|
||
|
- goto fail;
|
||
|
- }
|
||
|
- }
|
||
|
-
|
||
|
- code = krb5_rd_req_decoded(context, &auth_context, request, accprinc,
|
||
|
- cred->keytab, &ap_req_options, NULL);
|
||
|
-
|
||
|
- krb5_free_principal(context, accprinc);
|
||
|
+ code = krb5_rd_req_decoded(context, &auth_context, request,
|
||
|
+ cred->acceptor_mprinc, cred->keytab,
|
||
|
+ &ap_req_options, NULL);
|
||
|
if (code) {
|
||
|
major_status = GSS_S_FAILURE;
|
||
|
goto fail;
|
||
|
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
||
|
index 632ee7def..e226a0269 100644
|
||
|
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
||
|
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
||
|
@@ -123,11 +123,11 @@ gss_krb5int_register_acceptor_identity(OM_uint32 *minor_status,
|
||
|
/* Try to verify that keytab contains at least one entry for name. Return 0 if
|
||
|
* it does, KRB5_KT_NOTFOUND if it doesn't, or another error as appropriate. */
|
||
|
static krb5_error_code
|
||
|
-check_keytab(krb5_context context, krb5_keytab kt, krb5_gss_name_t name)
|
||
|
+check_keytab(krb5_context context, krb5_keytab kt, krb5_gss_name_t name,
|
||
|
+ krb5_principal mprinc)
|
||
|
{
|
||
|
krb5_error_code code;
|
||
|
krb5_keytab_entry ent;
|
||
|
- krb5_principal accprinc = NULL;
|
||
|
char *princname;
|
||
|
|
||
|
if (name->service == NULL) {
|
||
|
@@ -141,21 +141,15 @@ check_keytab(krb5_context context, krb5_keytab kt, krb5_gss_name_t name)
|
||
|
if (kt->ops->start_seq_get == NULL)
|
||
|
return 0;
|
||
|
|
||
|
- /* Get the partial principal for the acceptor name. */
|
||
|
- code = kg_acceptor_princ(context, name, &accprinc);
|
||
|
- if (code)
|
||
|
- return code;
|
||
|
-
|
||
|
- /* Scan the keytab for host-based entries matching accprinc. */
|
||
|
- code = k5_kt_have_match(context, kt, accprinc);
|
||
|
+ /* Scan the keytab for host-based entries matching mprinc. */
|
||
|
+ code = k5_kt_have_match(context, kt, mprinc);
|
||
|
if (code == KRB5_KT_NOTFOUND) {
|
||
|
- if (krb5_unparse_name(context, accprinc, &princname) == 0) {
|
||
|
+ if (krb5_unparse_name(context, mprinc, &princname) == 0) {
|
||
|
k5_setmsg(context, code, _("No key table entry found matching %s"),
|
||
|
princname);
|
||
|
free(princname);
|
||
|
}
|
||
|
}
|
||
|
- krb5_free_principal(context, accprinc);
|
||
|
return code;
|
||
|
}
|
||
|
|
||
|
@@ -202,8 +196,14 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
|
||
|
}
|
||
|
|
||
|
if (cred->name != NULL) {
|
||
|
+ code = kg_acceptor_princ(context, cred->name, &cred->acceptor_mprinc);
|
||
|
+ if (code) {
|
||
|
+ major = GSS_S_FAILURE;
|
||
|
+ goto cleanup;
|
||
|
+ }
|
||
|
+
|
||
|
/* Make sure we have keys matching the desired name in the keytab. */
|
||
|
- code = check_keytab(context, kt, cred->name);
|
||
|
+ code = check_keytab(context, kt, cred->name, cred->acceptor_mprinc);
|
||
|
if (code) {
|
||
|
if (code == KRB5_KT_NOTFOUND) {
|
||
|
k5_change_error_message_code(context, code, KG_KEYTAB_NOMATCH);
|
||
|
@@ -324,7 +324,6 @@ static krb5_boolean
|
||
|
can_get_initial_creds(krb5_context context, krb5_gss_cred_id_rec *cred)
|
||
|
{
|
||
|
krb5_error_code code;
|
||
|
- krb5_keytab_entry entry;
|
||
|
|
||
|
if (cred->password != NULL)
|
||
|
return TRUE;
|
||
|
@@ -336,20 +335,21 @@ can_get_initial_creds(krb5_context context, krb5_gss_cred_id_rec *cred)
|
||
|
if (cred->name == NULL)
|
||
|
return !krb5_kt_have_content(context, cred->client_keytab);
|
||
|
|
||
|
- /* Check if we have a keytab key for the client principal. */
|
||
|
- code = krb5_kt_get_entry(context, cred->client_keytab, cred->name->princ,
|
||
|
- 0, 0, &entry);
|
||
|
- if (code) {
|
||
|
- krb5_clear_error_message(context);
|
||
|
- return FALSE;
|
||
|
- }
|
||
|
- krb5_free_keytab_entry_contents(context, &entry);
|
||
|
- return TRUE;
|
||
|
+ /*
|
||
|
+ * Check if we have a keytab key for the client principal. This is a bit
|
||
|
+ * more permissive than we really want because krb5_kt_have_match()
|
||
|
+ * supports wildcarding and obeys ignore_acceptor_hostname, but that should
|
||
|
+ * generally be harmless.
|
||
|
+ */
|
||
|
+ code = k5_kt_have_match(context, cred->client_keytab, cred->name->princ);
|
||
|
+ return code == 0;
|
||
|
}
|
||
|
|
||
|
-/* Scan cred->ccache for name, expiry time, impersonator, refresh time. */
|
||
|
+/* Scan cred->ccache for name, expiry time, impersonator, refresh time. If
|
||
|
+ * check_name is true, verify the cache name against the credential name. */
|
||
|
static krb5_error_code
|
||
|
-scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred)
|
||
|
+scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
|
||
|
+ krb5_boolean check_name)
|
||
|
{
|
||
|
krb5_error_code code;
|
||
|
krb5_ccache ccache = cred->ccache;
|
||
|
@@ -365,23 +365,31 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred)
|
||
|
if (code)
|
||
|
return code;
|
||
|
|
||
|
- /* Credentials cache principal must match the initiator name. */
|
||
|
code = krb5_cc_get_principal(context, ccache, &ccache_princ);
|
||
|
if (code != 0)
|
||
|
goto cleanup;
|
||
|
- if (cred->name != NULL &&
|
||
|
- !krb5_principal_compare(context, ccache_princ, cred->name->princ)) {
|
||
|
- code = KG_CCACHE_NOMATCH;
|
||
|
- goto cleanup;
|
||
|
- }
|
||
|
|
||
|
- /* Save the ccache principal as the credential name if not already set. */
|
||
|
- if (!cred->name) {
|
||
|
+ if (cred->name == NULL) {
|
||
|
+ /* Save the ccache principal as the credential name. */
|
||
|
code = kg_init_name(context, ccache_princ, NULL, NULL, NULL,
|
||
|
KG_INIT_NAME_NO_COPY, &cred->name);
|
||
|
if (code)
|
||
|
goto cleanup;
|
||
|
ccache_princ = NULL;
|
||
|
+ } else {
|
||
|
+ /* Check against the desired name if needed. */
|
||
|
+ if (check_name) {
|
||
|
+ if (!k5_sname_compare(context, cred->name->princ, ccache_princ)) {
|
||
|
+ code = KG_CCACHE_NOMATCH;
|
||
|
+ goto cleanup;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Replace the credential name principal with the canonical client
|
||
|
+ * principal, retaining acceptor_mprinc if set. */
|
||
|
+ krb5_free_principal(context, cred->name->princ);
|
||
|
+ cred->name->princ = ccache_princ;
|
||
|
+ ccache_princ = NULL;
|
||
|
}
|
||
|
|
||
|
assert(cred->name->princ != NULL);
|
||
|
@@ -447,7 +455,7 @@ get_cache_for_name(krb5_context context, krb5_gss_cred_id_rec *cred)
|
||
|
assert(cred->name != NULL && cred->ccache == NULL);
|
||
|
#ifdef USE_LEASH
|
||
|
code = get_ccache_leash(context, cred->name->princ, &cred->ccache);
|
||
|
- return code ? code : scan_ccache(context, cred);
|
||
|
+ return code ? code : scan_ccache(context, cred, TRUE);
|
||
|
#else
|
||
|
/* Check first whether we can acquire tickets, to avoid overwriting the
|
||
|
* extended error message from krb5_cc_cache_match. */
|
||
|
@@ -456,7 +464,7 @@ get_cache_for_name(krb5_context context, krb5_gss_cred_id_rec *cred)
|
||
|
/* Look for an existing cache for the client principal. */
|
||
|
code = krb5_cc_cache_match(context, cred->name->princ, &cred->ccache);
|
||
|
if (code == 0)
|
||
|
- return scan_ccache(context, cred);
|
||
|
+ return scan_ccache(context, cred, FALSE);
|
||
|
if (code != KRB5_CC_NOTFOUND || !can_get)
|
||
|
return code;
|
||
|
krb5_clear_error_message(context);
|
||
|
@@ -633,6 +641,13 @@ get_initial_cred(krb5_context context, const struct verify_params *verify,
|
||
|
kg_cred_set_initial_refresh(context, cred, &creds.times);
|
||
|
cred->have_tgt = TRUE;
|
||
|
cred->expire = creds.times.endtime;
|
||
|
+
|
||
|
+ /* Steal the canonical client principal name from creds and save it in the
|
||
|
+ * credential name, retaining acceptor_mprinc if set. */
|
||
|
+ krb5_free_principal(context, cred->name->princ);
|
||
|
+ cred->name->princ = creds.client;
|
||
|
+ creds.client = NULL;
|
||
|
+
|
||
|
krb5_free_cred_contents(context, &creds);
|
||
|
cleanup:
|
||
|
krb5_get_init_creds_opt_free(context, opt);
|
||
|
@@ -721,7 +736,7 @@ acquire_init_cred(krb5_context context, OM_uint32 *minor_status,
|
||
|
|
||
|
if (cred->ccache != NULL) {
|
||
|
/* The caller specified a ccache; check what's in it. */
|
||
|
- code = scan_ccache(context, cred);
|
||
|
+ code = scan_ccache(context, cred, TRUE);
|
||
|
if (code == KRB5_FCC_NOFILE) {
|
||
|
/* See if we can get initial creds. If the caller didn't specify
|
||
|
* a name, pick one from the client keytab. */
|
||
|
@@ -984,7 +999,7 @@ kg_cred_resolve(OM_uint32 *minor_status, krb5_context context,
|
||
|
}
|
||
|
}
|
||
|
if (cred->ccache != NULL) {
|
||
|
- code = scan_ccache(context, cred);
|
||
|
+ code = scan_ccache(context, cred, FALSE);
|
||
|
if (code)
|
||
|
goto kerr;
|
||
|
}
|
||
|
@@ -996,7 +1011,7 @@ kg_cred_resolve(OM_uint32 *minor_status, krb5_context context,
|
||
|
code = krb5int_cc_default(context, &cred->ccache);
|
||
|
if (code)
|
||
|
goto kerr;
|
||
|
- code = scan_ccache(context, cred);
|
||
|
+ code = scan_ccache(context, cred, FALSE);
|
||
|
if (code == KRB5_FCC_NOFILE) {
|
||
|
/* Default ccache doesn't exist; fall through to client keytab. */
|
||
|
krb5_cc_close(context, cred->ccache);
|
||
|
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||
|
index 3bacdcd35..fd7abbd77 100644
|
||
|
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||
|
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||
|
@@ -175,6 +175,7 @@ typedef struct _krb5_gss_cred_id_rec {
|
||
|
/* name/type of credential */
|
||
|
gss_cred_usage_t usage;
|
||
|
krb5_gss_name_t name;
|
||
|
+ krb5_principal acceptor_mprinc;
|
||
|
krb5_principal impersonator;
|
||
|
unsigned int default_identity : 1;
|
||
|
unsigned int iakerb_mech : 1;
|
||
|
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
|
||
|
index a9515daf7..0da6c1b95 100644
|
||
|
--- a/src/lib/gssapi/krb5/rel_cred.c
|
||
|
+++ b/src/lib/gssapi/krb5/rel_cred.c
|
||
|
@@ -72,6 +72,7 @@ krb5_gss_release_cred(minor_status, cred_handle)
|
||
|
if (cred->name)
|
||
|
kg_release_name(context, &cred->name);
|
||
|
|
||
|
+ krb5_free_principal(context, cred->acceptor_mprinc);
|
||
|
krb5_free_principal(context, cred->impersonator);
|
||
|
|
||
|
if (cred->req_enctypes)
|
||
|
diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
|
||
|
index 8f5872116..760216d05 100644
|
||
|
--- a/src/lib/krb5/ccache/cccursor.c
|
||
|
+++ b/src/lib/krb5/ccache/cccursor.c
|
||
|
@@ -30,6 +30,7 @@
|
||
|
|
||
|
#include "cc-int.h"
|
||
|
#include "../krb/int-proto.h"
|
||
|
+#include "../os/os-proto.h"
|
||
|
|
||
|
#include <assert.h>
|
||
|
|
||
|
@@ -141,18 +142,18 @@ krb5_cccol_cursor_free(krb5_context context,
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
-krb5_error_code KRB5_CALLCONV
|
||
|
-krb5_cc_cache_match(krb5_context context, krb5_principal client,
|
||
|
- krb5_ccache *cache_out)
|
||
|
+static krb5_error_code
|
||
|
+match_caches(krb5_context context, krb5_const_principal client,
|
||
|
+ krb5_ccache *cache_out)
|
||
|
{
|
||
|
krb5_error_code ret;
|
||
|
krb5_cccol_cursor cursor;
|
||
|
krb5_ccache cache = NULL;
|
||
|
krb5_principal princ;
|
||
|
- char *name;
|
||
|
krb5_boolean eq;
|
||
|
|
||
|
*cache_out = NULL;
|
||
|
+
|
||
|
ret = krb5_cccol_cursor_new(context, &cursor);
|
||
|
if (ret)
|
||
|
return ret;
|
||
|
@@ -169,20 +170,52 @@ krb5_cc_cache_match(krb5_context context, krb5_principal client,
|
||
|
krb5_cc_close(context, cache);
|
||
|
}
|
||
|
krb5_cccol_cursor_free(context, &cursor);
|
||
|
+
|
||
|
if (ret)
|
||
|
return ret;
|
||
|
- if (cache == NULL) {
|
||
|
- ret = krb5_unparse_name(context, client, &name);
|
||
|
- if (ret == 0) {
|
||
|
- k5_setmsg(context, KRB5_CC_NOTFOUND,
|
||
|
+ if (cache == NULL)
|
||
|
+ return KRB5_CC_NOTFOUND;
|
||
|
+
|
||
|
+ *cache_out = cache;
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
+krb5_error_code KRB5_CALLCONV
|
||
|
+krb5_cc_cache_match(krb5_context context, krb5_principal client,
|
||
|
+ krb5_ccache *cache_out)
|
||
|
+{
|
||
|
+ krb5_error_code ret;
|
||
|
+ struct canonprinc iter = { client, .subst_defrealm = TRUE };
|
||
|
+ krb5_const_principal canonprinc = NULL;
|
||
|
+ krb5_ccache cache = NULL;
|
||
|
+ char *name;
|
||
|
+
|
||
|
+ *cache_out = NULL;
|
||
|
+
|
||
|
+ while ((ret = k5_canonprinc(context, &iter, &canonprinc)) == 0 &&
|
||
|
+ canonprinc != NULL) {
|
||
|
+ ret = match_caches(context, canonprinc, &cache);
|
||
|
+ if (ret != KRB5_CC_NOTFOUND)
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ free_canonprinc(&iter);
|
||
|
+
|
||
|
+ if (ret == 0 && canonprinc == NULL) {
|
||
|
+ ret = KRB5_CC_NOTFOUND;
|
||
|
+ if (krb5_unparse_name(context, client, &name) == 0) {
|
||
|
+ k5_setmsg(context, ret,
|
||
|
_("Can't find client principal %s in cache collection"),
|
||
|
name);
|
||
|
krb5_free_unparsed_name(context, name);
|
||
|
}
|
||
|
- ret = KRB5_CC_NOTFOUND;
|
||
|
- } else
|
||
|
- *cache_out = cache;
|
||
|
- return ret;
|
||
|
+ }
|
||
|
+
|
||
|
+ TRACE_CC_CACHE_MATCH(context, client, ret);
|
||
|
+ if (ret)
|
||
|
+ return ret;
|
||
|
+
|
||
|
+ *cache_out = cache;
|
||
|
+ return 0;
|
||
|
}
|
||
|
|
||
|
/* Store the error state for code from context into errsave, but only if code
|
||
|
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
|
||
|
index adbfa332b..df6e2ffbe 100644
|
||
|
--- a/src/lib/krb5/libkrb5.exports
|
||
|
+++ b/src/lib/krb5/libkrb5.exports
|
||
|
@@ -181,6 +181,7 @@ k5_size_authdata_context
|
||
|
k5_size_context
|
||
|
k5_size_keyblock
|
||
|
k5_size_principal
|
||
|
+k5_sname_compare
|
||
|
k5_unmarshal_cred
|
||
|
k5_unmarshal_princ
|
||
|
k5_unwrap_cammac_svc
|
||
|
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
|
||
|
index 8b7214189..c99b7da17 100644
|
||
|
--- a/src/lib/krb5/os/sn2princ.c
|
||
|
+++ b/src/lib/krb5/os/sn2princ.c
|
||
|
@@ -277,7 +277,8 @@ k5_canonprinc(krb5_context context, struct canonprinc *iter,
|
||
|
|
||
|
/* If we're not doing fallback, the input principal is canonical. */
|
||
|
if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK ||
|
||
|
- iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2) {
|
||
|
+ iter->princ->type != KRB5_NT_SRV_HST || iter->princ->length != 2 ||
|
||
|
+ iter->princ->data[1].length == 0) {
|
||
|
*princ_out = (step == 1) ? iter->princ : NULL;
|
||
|
return 0;
|
||
|
}
|
||
|
@@ -288,6 +289,26 @@ k5_canonprinc(krb5_context context, struct canonprinc *iter,
|
||
|
return canonicalize_princ(context, iter, step == 2, princ_out);
|
||
|
}
|
||
|
|
||
|
+krb5_boolean
|
||
|
+k5_sname_compare(krb5_context context, krb5_const_principal sname,
|
||
|
+ krb5_const_principal princ)
|
||
|
+{
|
||
|
+ krb5_error_code ret;
|
||
|
+ struct canonprinc iter = { sname, .subst_defrealm = TRUE };
|
||
|
+ krb5_const_principal canonprinc = NULL;
|
||
|
+ krb5_boolean match = FALSE;
|
||
|
+
|
||
|
+ while ((ret = k5_canonprinc(context, &iter, &canonprinc)) == 0 &&
|
||
|
+ canonprinc != NULL) {
|
||
|
+ if (krb5_principal_compare(context, canonprinc, princ)) {
|
||
|
+ match = TRUE;
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ free_canonprinc(&iter);
|
||
|
+ return match;
|
||
|
+}
|
||
|
+
|
||
|
krb5_error_code KRB5_CALLCONV
|
||
|
krb5_sname_to_principal(krb5_context context, const char *hostname,
|
||
|
const char *sname, krb5_int32 type,
|
||
|
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
|
||
|
index 60b8dd311..cf690dbe4 100644
|
||
|
--- a/src/lib/krb5_32.def
|
||
|
+++ b/src/lib/krb5_32.def
|
||
|
@@ -507,3 +507,4 @@ EXPORTS
|
||
|
; new in 1.20
|
||
|
krb5_marshal_credentials @472
|
||
|
krb5_unmarshal_credentials @473
|
||
|
+ k5_sname_compare @474 ; PRIVATE GSSAPI
|
||
|
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
|
||
|
index 7847b3ecd..9a61d53b8 100755
|
||
|
--- a/src/tests/gssapi/t_client_keytab.py
|
||
|
+++ b/src/tests/gssapi/t_client_keytab.py
|
||
|
@@ -141,5 +141,49 @@ msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
|
||
|
'/Matching credential not found')
|
||
|
realm.run(['./t_ccselect', phost], expected_code=1,
|
||
|
expected_msg='Ticket expired', expected_trace=msgs)
|
||
|
+realm.run([kdestroy, '-A'])
|
||
|
+
|
||
|
+# Test 19: host-based initiator name
|
||
|
+mark('host-based initiator name')
|
||
|
+hsvc = 'h:svc@' + hostname
|
||
|
+svcprinc = 'svc/%s@%s' % (hostname, realm.realm)
|
||
|
+realm.addprinc(svcprinc)
|
||
|
+realm.extract_keytab(svcprinc, realm.client_keytab)
|
||
|
+# On the first run we match against the keytab while getting tickets,
|
||
|
+# substituting the default realm.
|
||
|
+msgs = ('/Can\'t find client principal svc/%s@ in' % hostname,
|
||
|
+ 'Getting initial credentials for svc/%s@' % hostname,
|
||
|
+ 'Found entries for %s in keytab' % svcprinc,
|
||
|
+ 'Retrieving %s from FILE:%s' % (svcprinc, realm.client_keytab),
|
||
|
+ 'Storing %s -> %s in' % (svcprinc, realm.krbtgt_princ),
|
||
|
+ 'Retrieving %s -> %s from' % (svcprinc, realm.krbtgt_princ),
|
||
|
+ 'authenticator for %s -> %s' % (svcprinc, realm.host_princ))
|
||
|
+realm.run(['./t_ccselect', phost, hsvc], expected_trace=msgs)
|
||
|
+# On the second run we match against the collection.
|
||
|
+msgs = ('Matching svc/%s@ in collection with result: 0' % hostname,
|
||
|
+ 'Getting credentials %s -> %s' % (svcprinc, realm.host_princ),
|
||
|
+ 'authenticator for %s -> %s' % (svcprinc, realm.host_princ))
|
||
|
+realm.run(['./t_ccselect', phost, hsvc], expected_trace=msgs)
|
||
|
+realm.run([kdestroy, '-A'])
|
||
|
+
|
||
|
+# Test 20: host-based initiator name with fallback
|
||
|
+mark('host-based fallback initiator name')
|
||
|
+canonname = canonicalize_hostname(hostname)
|
||
|
+if canonname != hostname:
|
||
|
+ hfsvc = 'h:fsvc@' + hostname
|
||
|
+ canonprinc = 'fsvc/%s@%s' % (canonname, realm.realm)
|
||
|
+ realm.addprinc(canonprinc)
|
||
|
+ realm.extract_keytab(canonprinc, realm.client_keytab)
|
||
|
+ msgs = ('/Can\'t find client principal fsvc/%s@ in' % hostname,
|
||
|
+ 'Found entries for %s in keytab' % canonprinc,
|
||
|
+ 'authenticator for %s -> %s' % (canonprinc, realm.host_princ))
|
||
|
+ realm.run(['./t_ccselect', phost, hfsvc], expected_trace=msgs)
|
||
|
+ msgs = ('Matching fsvc/%s@ in collection with result: 0' % hostname,
|
||
|
+ 'Getting credentials %s -> %s' % (canonprinc, realm.host_princ))
|
||
|
+ realm.run(['./t_ccselect', phost, hfsvc], expected_trace=msgs)
|
||
|
+ realm.run([kdestroy, '-A'])
|
||
|
+else:
|
||
|
+ skipped('GSS initiator name fallback test',
|
||
|
+ '%s does not canonicalize to a different name' % hostname)
|
||
|
|
||
|
success('Client keytab tests')
|
||
|
diff --git a/src/tests/gssapi/t_credstore.py b/src/tests/gssapi/t_credstore.py
|
||
|
index c11975bf5..9be57bb82 100644
|
||
|
--- a/src/tests/gssapi/t_credstore.py
|
||
|
+++ b/src/tests/gssapi/t_credstore.py
|
||
|
@@ -15,6 +15,38 @@ msgs = ('Storing %s -> %s in %s' % (service_cs, realm.krbtgt_princ,
|
||
|
realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache,
|
||
|
'keytab', servicekeytab], expected_trace=msgs)
|
||
|
|
||
|
+mark('matching')
|
||
|
+scc = 'FILE:' + os.path.join(realm.testdir, 'service_cache')
|
||
|
+realm.kinit(realm.host_princ, flags=['-k', '-c', scc])
|
||
|
+realm.run(['./t_credstore', '-i', 'p:' + realm.host_princ, 'ccache', scc])
|
||
|
+realm.run(['./t_credstore', '-i', 'h:host', 'ccache', scc])
|
||
|
+realm.run(['./t_credstore', '-i', 'h:host@' + hostname, 'ccache', scc])
|
||
|
+realm.run(['./t_credstore', '-i', 'p:wrong', 'ccache', scc],
|
||
|
+ expected_code=1, expected_msg='does not match desired name')
|
||
|
+realm.run(['./t_credstore', '-i', 'h:host@-nomatch-', 'ccache', scc],
|
||
|
+ expected_code=1, expected_msg='does not match desired name')
|
||
|
+realm.run(['./t_credstore', '-i', 'h:svc', 'ccache', scc],
|
||
|
+ expected_code=1, expected_msg='does not match desired name')
|
||
|
+
|
||
|
+mark('matching (fallback)')
|
||
|
+canonname = canonicalize_hostname(hostname)
|
||
|
+if canonname != hostname:
|
||
|
+ canonprinc = 'host/%s@%s' % (canonname, realm.realm)
|
||
|
+ realm.addprinc(canonprinc)
|
||
|
+ realm.extract_keytab(canonprinc, realm.keytab)
|
||
|
+ realm.kinit(canonprinc, flags=['-k', '-c', scc])
|
||
|
+ realm.run(['./t_credstore', '-i', 'h:host', 'ccache', scc])
|
||
|
+ realm.run(['./t_credstore', '-i', 'h:host@' + hostname, 'ccache', scc])
|
||
|
+ realm.run(['./t_credstore', '-i', 'h:host@' + canonname, 'ccache', scc])
|
||
|
+ realm.run(['./t_credstore', '-i', 'p:' + canonprinc, 'ccache', scc])
|
||
|
+ realm.run(['./t_credstore', '-i', 'p:' + realm.host_princ, 'ccache', scc],
|
||
|
+ expected_code=1, expected_msg='does not match desired name')
|
||
|
+ realm.run(['./t_credstore', '-i', 'h:host@-nomatch-', 'ccache', scc],
|
||
|
+ expected_code=1, expected_msg='does not match desired name')
|
||
|
+else:
|
||
|
+ skipped('fallback matching test',
|
||
|
+ '%s does not canonicalize to a different name' % hostname)
|
||
|
+
|
||
|
mark('rcache')
|
||
|
# t_credstore -r should produce a replay error normally, but not with
|
||
|
# rcache set to "none:".
|