From aa309f35905951c6fdd12d286bb3aeeb61a62088 Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ecf709 |
Date: Tue, 20 Sep 2016 22:03:30 +0200
|
|
|
ecf709 |
Subject: [PATCH 21/36] UTIL: krb5 principal (un)marshalling
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
The KCM responder needs to read the contents of the principal blob that
|
|
|
ecf709 |
the Kerberos library sends. Since libkrb5 doesn't export any API to do
|
|
|
ecf709 |
so, we need to implement marshalling and unmarshalling of the principal
|
|
|
ecf709 |
ourselves.
|
|
|
ecf709 |
|
|
|
ecf709 |
In future, when the KCM server also supports renewals, we will also need
|
|
|
ecf709 |
to unmarshall the credentials, but until that is really needed, the
|
|
|
ecf709 |
credentials will be stored as a blob.
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
ecf709 |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/util/sss_krb5.c | 195 ++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
ecf709 |
src/util/sss_krb5.h | 9 +++
|
|
|
ecf709 |
2 files changed, 204 insertions(+)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
|
|
|
ecf709 |
index 4808a7703d07bb4eba91f14a7a515aadaec1774b..d461cf881566af37f31524c16f6a5f1511a5dc89 100644
|
|
|
ecf709 |
--- a/src/util/sss_krb5.c
|
|
|
ecf709 |
+++ b/src/util/sss_krb5.c
|
|
|
ecf709 |
@@ -24,6 +24,7 @@
|
|
|
ecf709 |
|
|
|
ecf709 |
#include "config.h"
|
|
|
ecf709 |
|
|
|
ecf709 |
+#include "util/sss_iobuf.h"
|
|
|
ecf709 |
#include "util/util.h"
|
|
|
ecf709 |
#include "util/sss_krb5.h"
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -1128,3 +1129,197 @@ done:
|
|
|
ecf709 |
|
|
|
ecf709 |
return res;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+static errno_t iobuf_read_uint32be(struct sss_iobuf *iobuf,
|
|
|
ecf709 |
+ uint32_t *_val)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ uint32_t beval;
|
|
|
ecf709 |
+ errno_t ret;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = sss_iobuf_read_uint32(iobuf, &beval);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ *_val = be32toh(beval);
|
|
|
ecf709 |
+ return EOK;
|
|
|
ecf709 |
+}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+static errno_t iobuf_write_uint32be(struct sss_iobuf *iobuf,
|
|
|
ecf709 |
+ uint32_t val)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ uint32_t beval;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ beval = htobe32(val);
|
|
|
ecf709 |
+ return sss_iobuf_write_uint32(iobuf, beval);
|
|
|
ecf709 |
+}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+static errno_t iobuf_get_len_bytes(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
+ struct sss_iobuf *iobuf,
|
|
|
ecf709 |
+ uint32_t *_nbytes,
|
|
|
ecf709 |
+ uint8_t **_bytes)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ errno_t ret;
|
|
|
ecf709 |
+ uint32_t nbytes;
|
|
|
ecf709 |
+ uint8_t *bytes = NULL;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = iobuf_read_uint32be(iobuf, &nbytes);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ bytes = talloc_zero_size(mem_ctx, nbytes);
|
|
|
ecf709 |
+ if (bytes == NULL) {
|
|
|
ecf709 |
+ return ENOMEM;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = sss_iobuf_read_len(iobuf, nbytes, bytes);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ talloc_free(bytes);
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ *_bytes = bytes;
|
|
|
ecf709 |
+ *_nbytes = nbytes;
|
|
|
ecf709 |
+ return EOK;
|
|
|
ecf709 |
+}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+static errno_t get_krb5_data(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
+ struct sss_iobuf *iobuf,
|
|
|
ecf709 |
+ krb5_data *k5data)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ errno_t ret;
|
|
|
ecf709 |
+ uint32_t nbytes;
|
|
|
ecf709 |
+ uint8_t *bytes = NULL;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = iobuf_get_len_bytes(mem_ctx, iobuf, &nbytes, &bytes);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ talloc_free(bytes);
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ k5data->data = (char *) bytes; /* FIXME - the cast is ugly */
|
|
|
ecf709 |
+ k5data->length = nbytes;
|
|
|
ecf709 |
+ return EOK;
|
|
|
ecf709 |
+}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+static errno_t set_krb5_data(struct sss_iobuf *iobuf,
|
|
|
ecf709 |
+ krb5_data *k5data)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ errno_t ret;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = iobuf_write_uint32be(iobuf, k5data->length);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (k5data->length > 0) {
|
|
|
ecf709 |
+ ret = sss_iobuf_write_len(iobuf,
|
|
|
ecf709 |
+ (uint8_t *) k5data->data,
|
|
|
ecf709 |
+ k5data->length);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ return EOK;
|
|
|
ecf709 |
+}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+/* FIXME - it would be nice if Kerberos exported these APIs.. */
|
|
|
ecf709 |
+krb5_error_code sss_krb5_unmarshal_princ(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
+ struct sss_iobuf *iobuf,
|
|
|
ecf709 |
+ krb5_principal *_princ)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ krb5_principal princ = NULL;
|
|
|
ecf709 |
+ krb5_error_code ret;
|
|
|
ecf709 |
+ uint32_t ncomps;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (iobuf == NULL || _princ == NULL) {
|
|
|
ecf709 |
+ return EINVAL;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ princ = talloc_zero(mem_ctx, struct krb5_principal_data);
|
|
|
ecf709 |
+ if (princ == NULL) {
|
|
|
ecf709 |
+ return ENOMEM;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ princ->magic = KV5M_PRINCIPAL;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = iobuf_read_uint32be(iobuf, (uint32_t *) &princ->type);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ goto fail;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = iobuf_read_uint32be(iobuf, &ncomps);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ goto fail;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (ncomps > sss_iobuf_get_capacity(iobuf)) {
|
|
|
ecf709 |
+ /* Sanity check to avoid large allocations */
|
|
|
ecf709 |
+ ret = EINVAL;
|
|
|
ecf709 |
+ goto fail;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (ncomps != 0) {
|
|
|
ecf709 |
+ princ->data = talloc_zero_array(princ, krb5_data, ncomps);
|
|
|
ecf709 |
+ if (princ->data == NULL) {
|
|
|
ecf709 |
+ ret = ENOMEM;
|
|
|
ecf709 |
+ goto fail;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ princ->length = ncomps;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = get_krb5_data(princ, iobuf, &princ->realm);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ goto fail;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ for (size_t i = 0; i < ncomps; i++) {
|
|
|
ecf709 |
+ ret = get_krb5_data(princ->data, iobuf, &princ->data[i]);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ goto fail;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ *_princ = princ;
|
|
|
ecf709 |
+ return 0;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+fail:
|
|
|
ecf709 |
+ talloc_free(princ);
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+krb5_error_code sss_krb5_marshal_princ(krb5_principal princ,
|
|
|
ecf709 |
+ struct sss_iobuf *iobuf)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ krb5_error_code ret;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (iobuf == NULL || princ == NULL) {
|
|
|
ecf709 |
+ return EINVAL;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = iobuf_write_uint32be(iobuf, princ->type);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = iobuf_write_uint32be(iobuf, princ->length);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = set_krb5_data(iobuf, &princ->realm);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ for (int i = 0; i < princ->length; i++) {
|
|
|
ecf709 |
+ ret = set_krb5_data(iobuf, &princ->data[i]);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ return EOK;
|
|
|
ecf709 |
+}
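Review bot: iobuf_get_len_bytes allocates `talloc_zero_size(mem_ctx, nbytes)` with a length taken straight from the blob, while the only bound in this hunk is the ncomps check in sss_krb5_unmarshal_princ; since the commit message says the blob arrives from the Kerberos library via the KCM responder, a short malformed message can request a very large zeroed allocation for the realm or each component before sss_iobuf_read_len ever rejects it. Apply the same sanity check before the allocation, `if (nbytes > sss_iobuf_get_capacity(iobuf)) { return EINVAL; }`, or bound against the remaining unread length if sss_iobuf exposes it, which is tighter. The `talloc_free(bytes)` in get_krb5_data's error path always frees NULL, because iobuf_get_len_bytes stores `*_bytes` only on success and frees its own allocation on failure, so it can be dropped. Separately, both public functions are typed krb5_error_code yet return errno values (EOK, EINVAL, ENOMEM); a comment above sss_krb5_unmarshal_princ saying that callers must test for 0 or errno codes rather than krb5 error constants would prevent mismatched checks.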
|
|
|
ecf709 |
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
|
|
|
ecf709 |
index ac0f6082c75a8878f72346733e592b7575d44089..0d9043be98749b1a21a1b74c68f07298fa27f230 100644
|
|
|
ecf709 |
--- a/src/util/sss_krb5.h
|
|
|
ecf709 |
+++ b/src/util/sss_krb5.h
|
|
|
ecf709 |
@@ -32,6 +32,7 @@
|
|
|
ecf709 |
#include <krb5.h>
|
|
|
ecf709 |
#endif
|
|
|
ecf709 |
|
|
|
ecf709 |
+#include "util/sss_iobuf.h"
|
|
|
ecf709 |
#include "util/util.h"
|
|
|
ecf709 |
|
|
|
ecf709 |
#define KRB5_CHILD_LOG_FILE "krb5_child"
|
|
|
ecf709 |
@@ -186,4 +187,12 @@ krb5_error_code sss_krb5_kt_have_content(krb5_context context,
|
|
|
ecf709 |
krb5_keytab keytab);
|
|
|
ecf709 |
|
|
|
ecf709 |
bool sss_krb5_realm_has_proxy(const char *realm);
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+krb5_error_code sss_krb5_marshal_princ(krb5_principal princ,
|
|
|
ecf709 |
+ struct sss_iobuf *iobuf);
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+krb5_error_code sss_krb5_unmarshal_princ(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
+ struct sss_iobuf *iobuf,
|
|
|
ecf709 |
+ krb5_principal *_princ);
|
|
|
ecf709 |
+
|
|
|
ecf709 |
#endif /* __SSS_KRB5_H__ */
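Review bot: The two new prototypes carry no contract comment, and the ownership model differs from libkrb5's: sss_krb5_unmarshal_princ hands back a principal built with talloc_zero and talloc_zero_array under mem_ctx, so it must be released with talloc_free and never passed to krb5_free_principal, and its result is an errno value (0, EINVAL, ENOMEM) despite the krb5_error_code type. Add a doc block above each declaration that states the wire layout consumed and produced (big-endian uint32 name type, uint32 component count, then the realm and each component as a uint32 length followed by the bytes), that the input is untrusted and a malformed blob yields EINVAL, and the talloc ownership of the returned principal.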
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.3