| Message ID | 20100331181340.17466c86@atalante.iwm-kmrc.de |
|---|---|
| State | New |
| Headers | show |
On Wed, 31 Mar 2010 18:13:40 +0200 Torsten Kurbad <samba-technical@tk-webart.de> wrote: Thanks for the patch. FWIW, it would be preferable to base this on the git tree and generate the patch using git-format-patch. Comments inline... > diff -urN cifs-utils-4.1.orig//cifs.upcall.c cifs-utils-4.1//cifs.upcall.c > --- cifs-utils-4.1.orig//cifs.upcall.c 2010-03-23 14:47:07.000000000 +0100 > +++ cifs-utils-4.1//cifs.upcall.c 2010-03-31 17:53:39.425556256 +0200 > @@ -31,7 +31,11 @@ > > #include <string.h> > #include <getopt.h> > +#ifdef HAVE_KRB5_KRB5_H > #include <krb5/krb5.h> > +#elif defined(HAVE_KRB5_H) > +#include <krb5.h> > +#endif ^^^^ I think it would be better to munge the CFLAGS so that -I/usr/include/krb5 precedes the other paths if HAVE_KRB5_KRB5_H is set. That would leave cifs.upcall.c with less #ifdef goop. > #include <syslog.h> > #include <dirent.h> > #include <sys/types.h> > @@ -275,7 +279,8 @@ > goto out_free_principal; > } > > - in_creds.keyblock.enctype = 0; > + /* Removed to support Heimdal */ > + // in_creds.keyblock.enctype = 0; */ ^^^^ Just remove those lines -- no need to comment them out. > ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds); > krb5_free_principal(context, in_creds.server); > if (ret) { > @@ -294,7 +299,11 @@ > goto out_free_creds; > } > > +#ifdef HAVE_KRB5_AUTH_CON_GETSENDSUBKEY > ret = krb5_auth_con_getsendsubkey(context, auth_context, &tokb); > +#else > + ret = krb5_auth_con_getlocalsubkey(context, auth_context, &tokb); > +#endif > if (ret) { > syslog(LOG_DEBUG, "%s: unable to get session key for %s", > __func__, principal); > @@ -302,7 +311,12 @@ > } > > *mechtoken = data_blob(apreq_pkt.data, apreq_pkt.length); > + > +#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ > + *sess_key = data_blob(tokb->keyvalue.data, tokb->keyvalue.length); > +#else /* MIT */ > *sess_key = data_blob(tokb->contents, tokb->length); > +#endif > I think it would be better to declare the same macros that samba uses: KRB5_KEY_DATA KRB5_KEY_LENGTH ...you could put them in replace.h and have them do something different based on HAVE_KRB5_KEYBLOCK_KEYVALUE. That makes the code look cleaner and makes it easier to get this sort of thing right if we need to do this in the future. > krb5_free_keyblock(context, tokb); > out_free_creds: > diff -urN cifs-utils-4.1.orig//configure.ac cifs-utils-4.1//configure.ac > --- cifs-utils-4.1.orig//configure.ac 2010-03-23 14:47:07.000000000 +0100 > +++ cifs-utils-4.1//configure.ac 2010-03-31 17:54:31.847532077 +0200 > @@ -25,15 +25,39 @@ > AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h limits.h mntent.h netdb.h stddef.h stdint.h stdlib.h string.h strings.h sys/mount.h sys/param.h sys/socket.h sys/time.h syslog.h unistd.h], , [AC_MSG_ERROR([necessary header(s) not found])]) > > if test $enable_cifsupcall != "no"; then > - AC_CHECK_HEADERS([krb5/krb5.h], ,[ > - if test "$enable_cifsupcall" = "yes"; then > - AC_MSG_ERROR([krb5/krb5.h not found, consider installing krb5-libs-devel.]) > - else > - AC_MSG_WARN([krb5/krb5.h not found, consider installing krb5-libs-devel. Disabling cifs.upcall.]) > - enable_cifsupcall="no" > - fi > - ]) > + AC_CHECK_HEADERS([krb5.h krb5/krb5.h]) > + if test x$ac_cv_header_krb5_krb5_h != xyes ; then > + if test x$ac_cv_header_krb5_h != xyes ; then > + if test "$enable_cifsupcall" = "yes"; then > + AC_MSG_ERROR([krb5.h not found, consider installing krb5-libs-devel.]) > + else > + AC_MSG_WARN([krb5.h not found, consider installing krb5-libs-devel. Disabling cifs.upcall.]) > + enable_cifsupcall="no" > + fi > + fi > + fi > +fi > + > +if test $enable_cifsupcall != "no"; then > + if test x$ac_cv_header_krb5_krb5_h = xyes ; then > + krb5_include="#include <krb5/krb5.h>" > + fi > + if test x$ac_cv_header_krb5_h = xyes ; then > + krb5_include="#include <krb5.h>" > + fi > + > + AC_CACHE_CHECK([for keyvalue in krb5_keyblock], > + [ac_cv_have_krb5_keyblock_keyvalue],[ > + AC_TRY_COMPILE([$krb5_include], > + [krb5_keyblock key; key.keyvalue.data = NULL;], > + ac_cv_have_krb5_keyblock_keyvalue=yes, > + ac_cv_have_krb5_keyblock_keyvalue=no)]) > + if test x"$ac_cv_have_krb5_keyblock_keyvalue" = x"yes" ; then > + AC_DEFINE(HAVE_KRB5_KEYBLOCK_KEYVALUE,1, > + [Whether the krb5_keyblock struct has a keyvalue property]) > + fi > fi > + > if test $enable_cifsupcall != "no"; then > AC_CHECK_HEADERS([talloc.h], , [ > if test "$enable_cifsupcall" = "yes"; then > @@ -55,6 +79,10 @@ > ]) > fi > > +if test $enable_cifsupcall != "no"; then > + AC_CHECK_LIB([krb5], [krb5_init_context]) > +fi > + > # Checks for typedefs, structures, and compiler characteristics. > AC_HEADER_STDBOOL > AC_TYPE_UID_T > @@ -73,6 +101,11 @@ > # check for required functions > AC_CHECK_FUNCS([alarm atexit endpwent getmntent getpass gettimeofday inet_ntop memset realpath setenv strchr strdup strerror strncasecmp strndup strpbrk strrchr strstr strtol strtoul uname], , [AC_MSG_ERROR([necessary functions(s) not found])]) > > +# determine whether we can use MIT's new 'krb5_auth_con_getsendsubkey' to extract the signing key > +if test $enable_cifsupcall != "no"; then > + AC_CHECK_FUNCS([krb5_auth_con_getsendsubkey]) > +fi > + > # non-critical functions (we have workarounds for these) > if test $enable_cifsupcall != "no"; then > AC_CHECK_FUNCS([krb5_principal_get_realm krb5_free_unparsed_name]) I think the rest of the patch looks ok. Thanks,
diff -urN cifs-utils-4.1.orig//cifs.upcall.c cifs-utils-4.1//cifs.upcall.c --- cifs-utils-4.1.orig//cifs.upcall.c 2010-03-23 14:47:07.000000000 +0100 +++ cifs-utils-4.1//cifs.upcall.c 2010-03-31 17:53:39.425556256 +0200 @@ -31,7 +31,11 @@ #include <string.h> #include <getopt.h> +#ifdef HAVE_KRB5_KRB5_H #include <krb5/krb5.h> +#elif defined(HAVE_KRB5_H) +#include <krb5.h> +#endif #include <syslog.h> #include <dirent.h> #include <sys/types.h> @@ -275,7 +279,8 @@ goto out_free_principal; } - in_creds.keyblock.enctype = 0; + /* Removed to support Heimdal */ + // in_creds.keyblock.enctype = 0; */ ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds); krb5_free_principal(context, in_creds.server); if (ret) { @@ -294,7 +299,11 @@ goto out_free_creds; } +#ifdef HAVE_KRB5_AUTH_CON_GETSENDSUBKEY ret = krb5_auth_con_getsendsubkey(context, auth_context, &tokb); +#else + ret = krb5_auth_con_getlocalsubkey(context, auth_context, &tokb); +#endif if (ret) { syslog(LOG_DEBUG, "%s: unable to get session key for %s", __func__, principal); @@ -302,7 +311,12 @@ } *mechtoken = data_blob(apreq_pkt.data, apreq_pkt.length); + +#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ + *sess_key = data_blob(tokb->keyvalue.data, tokb->keyvalue.length); +#else /* MIT */ *sess_key = data_blob(tokb->contents, tokb->length); +#endif krb5_free_keyblock(context, tokb); out_free_creds: diff -urN cifs-utils-4.1.orig//configure.ac cifs-utils-4.1//configure.ac --- cifs-utils-4.1.orig//configure.ac 2010-03-23 14:47:07.000000000 +0100 +++ cifs-utils-4.1//configure.ac 2010-03-31 17:54:31.847532077 +0200 @@ -25,15 +25,39 @@ AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h limits.h mntent.h netdb.h stddef.h stdint.h stdlib.h string.h strings.h sys/mount.h sys/param.h sys/socket.h sys/time.h syslog.h unistd.h], , [AC_MSG_ERROR([necessary header(s) not found])]) if test $enable_cifsupcall != "no"; then - AC_CHECK_HEADERS([krb5/krb5.h], ,[ - if test "$enable_cifsupcall" = "yes"; then - AC_MSG_ERROR([krb5/krb5.h not found, consider installing krb5-libs-devel.]) - else - AC_MSG_WARN([krb5/krb5.h not found, consider installing krb5-libs-devel. Disabling cifs.upcall.]) - enable_cifsupcall="no" - fi - ]) + AC_CHECK_HEADERS([krb5.h krb5/krb5.h]) + if test x$ac_cv_header_krb5_krb5_h != xyes ; then + if test x$ac_cv_header_krb5_h != xyes ; then + if test "$enable_cifsupcall" = "yes"; then + AC_MSG_ERROR([krb5.h not found, consider installing krb5-libs-devel.]) + else + AC_MSG_WARN([krb5.h not found, consider installing krb5-libs-devel. Disabling cifs.upcall.]) + enable_cifsupcall="no" + fi + fi + fi +fi + +if test $enable_cifsupcall != "no"; then + if test x$ac_cv_header_krb5_krb5_h = xyes ; then + krb5_include="#include <krb5/krb5.h>" + fi + if test x$ac_cv_header_krb5_h = xyes ; then + krb5_include="#include <krb5.h>" + fi + + AC_CACHE_CHECK([for keyvalue in krb5_keyblock], + [ac_cv_have_krb5_keyblock_keyvalue],[ + AC_TRY_COMPILE([$krb5_include], + [krb5_keyblock key; key.keyvalue.data = NULL;], + ac_cv_have_krb5_keyblock_keyvalue=yes, + ac_cv_have_krb5_keyblock_keyvalue=no)]) + if test x"$ac_cv_have_krb5_keyblock_keyvalue" = x"yes" ; then + AC_DEFINE(HAVE_KRB5_KEYBLOCK_KEYVALUE,1, + [Whether the krb5_keyblock struct has a keyvalue property]) + fi fi + if test $enable_cifsupcall != "no"; then AC_CHECK_HEADERS([talloc.h], , [ if test "$enable_cifsupcall" = "yes"; then @@ -55,6 +79,10 @@ ]) fi +if test $enable_cifsupcall != "no"; then + AC_CHECK_LIB([krb5], [krb5_init_context]) +fi + # Checks for typedefs, structures, and compiler characteristics. AC_HEADER_STDBOOL AC_TYPE_UID_T @@ -73,6 +101,11 @@ # check for required functions AC_CHECK_FUNCS([alarm atexit endpwent getmntent getpass gettimeofday inet_ntop memset realpath setenv strchr strdup strerror strncasecmp strndup strpbrk strrchr strstr strtol strtoul uname], , [AC_MSG_ERROR([necessary functions(s) not found])]) +# determine whether we can use MIT's new 'krb5_auth_con_getsendsubkey' to extract the signing key +if test $enable_cifsupcall != "no"; then + AC_CHECK_FUNCS([krb5_auth_con_getsendsubkey]) +fi + # non-critical functions (we have workarounds for these) if test $enable_cifsupcall != "no"; then AC_CHECK_FUNCS([krb5_principal_get_realm krb5_free_unparsed_name])