summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-10-20 07:36:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:03 -0500
commita9f15bb83eedfacca0b2bef788dc3418bcb664be (patch)
tree8c63638cbbfbc4e2cbb5abe0c222eb5e9370a200
parent7514f906c2e491dbd807833d6b536081d7665d37 (diff)
downloadsamba-a9f15bb83eedfacca0b2bef788dc3418bcb664be.tar.gz
samba-a9f15bb83eedfacca0b2bef788dc3418bcb664be.tar.bz2
samba-a9f15bb83eedfacca0b2bef788dc3418bcb664be.zip
r11212: Enable sealing of data with raw krb5, consolidate some code into the
main gensec_krb5_start and always ask for sequence numbers. Andrew Bartlett (This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
-rw-r--r--source4/auth/gensec/gensec_krb5.c124
1 files changed, 63 insertions, 61 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index d999559a49..eff30bbfd1 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -84,9 +84,12 @@ static int gensec_krb5_destroy(void *ptr)
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
{
+ krb5_error_code ret;
struct gensec_krb5_state *gensec_krb5_state;
+ struct cli_credentials *creds;
- if (!gensec_get_credentials(gensec_security)) {
+ creds = gensec_get_credentials(gensec_security);
+ if (!creds) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -96,7 +99,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
}
gensec_security->private_data = gensec_krb5_state;
-
gensec_krb5_state->smb_krb5_context = NULL;
gensec_krb5_state->auth_context = NULL;
gensec_krb5_state->ticket = NULL;
@@ -108,13 +110,37 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
+ if (cli_credentials_get_krb5_context(creds, &gensec_krb5_state->smb_krb5_context)) {
+ talloc_free(gensec_krb5_state);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
+ ret, gensec_krb5_state)));
+ talloc_free(gensec_krb5_state);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context,
+ gensec_krb5_state->auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n",
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
+ ret, gensec_krb5_state)));
+ talloc_free(gensec_krb5_state);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
return NT_STATUS_OK;
}
static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status;
- krb5_error_code ret = 0;
struct gensec_krb5_state *gensec_krb5_state;
nt_status = gensec_krb5_start(gensec_security);
@@ -123,24 +149,6 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security
}
gensec_krb5_state = gensec_security->private_data;
-
- ret = smb_krb5_init_context(gensec_krb5_state,
- &gensec_krb5_state->smb_krb5_context);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
- error_message(ret)));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
- ret, gensec_krb5_state)));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
return NT_STATUS_OK;
@@ -167,6 +175,9 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
const char *hostname;
krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED;
+ char *principal;
+ krb5_data in_data;
+
hostname = gensec_get_target_hostname(gensec_security);
if (!hostname) {
DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
@@ -196,45 +207,31 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
return NT_STATUS_UNSUCCESSFUL;
}
- gensec_krb5_state->smb_krb5_context = talloc_reference(gensec_krb5_state, ccache_container->smb_krb5_context);
-
- ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
- ret, gensec_krb5_state)));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- if (ret == 0) {
- char *principal;
- krb5_data in_data;
- in_data.length = 0;
-
- principal = gensec_get_target_principal(gensec_security);
- if (principal && lp_client_use_spnego_principal()) {
- krb5_principal target_principal;
- ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
- &target_principal);
- if (ret == 0) {
- ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
- &gensec_krb5_state->auth_context,
- ap_req_options,
- target_principal,
- &in_data, ccache_container->ccache,
- &gensec_krb5_state->enc_ticket);
- krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
- target_principal);
- }
- } else {
- ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
- &gensec_krb5_state->auth_context,
- ap_req_options,
- gensec_get_target_service(gensec_security),
- hostname,
- &in_data, ccache_container->ccache,
- &gensec_krb5_state->enc_ticket);
+ in_data.length = 0;
+
+ principal = gensec_get_target_principal(gensec_security);
+ if (principal && lp_client_use_spnego_principal()) {
+ krb5_principal target_principal;
+ ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
+ &target_principal);
+ if (ret == 0) {
+ ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
+ &gensec_krb5_state->auth_context,
+ ap_req_options,
+ target_principal,
+ &in_data, ccache_container->ccache,
+ &gensec_krb5_state->enc_ticket);
+ krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
+ target_principal);
}
+ } else {
+ ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
+ &gensec_krb5_state->auth_context,
+ ap_req_options,
+ gensec_get_target_service(gensec_security),
+ hostname,
+ &in_data, ccache_container->ccache,
+ &gensec_krb5_state->enc_ticket);
}
switch (ret) {
case 0:
@@ -625,9 +622,14 @@ static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security,
static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
+ struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
if (feature & GENSEC_FEATURE_SESSION_KEY) {
return True;
}
+ if (!gensec_krb5_state->gssapi &&
+ (feature & GENSEC_FEATURE_SEAL)) {
+ return True;
+ }
return False;
}
@@ -649,8 +651,6 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
.session_key = gensec_krb5_session_key,
.session_info = gensec_krb5_session_info,
.have_feature = gensec_krb5_have_feature,
- .wrap = gensec_krb5_wrap,
- .unwrap = gensec_krb5_unwrap,
.enabled = False
};
@@ -662,6 +662,8 @@ static const struct gensec_security_ops gensec_krb5_security_ops = {
.session_key = gensec_krb5_session_key,
.session_info = gensec_krb5_session_info,
.have_feature = gensec_krb5_have_feature,
+ .wrap = gensec_krb5_wrap,
+ .unwrap = gensec_krb5_unwrap,
.enabled = True
};