diff options
author | Gerald Carter <jerry@samba.org> | 2003-07-16 05:34:56 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-07-16 05:34:56 +0000 |
commit | 4a090ba06a54f5da179ac02bb307cc03d08831bf (patch) | |
tree | ed652ef36be7f16682c358816334f969a22f1c27 /source3/libads/kerberos_verify.c | |
parent | 95fe82670032a3a43571b46d7bbf2c26bc8cdcd9 (diff) | |
download | samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.gz samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.bz2 samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.zip |
trying to get HEAD building again. If you want the code
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
Diffstat (limited to 'source3/libads/kerberos_verify.c')
-rw-r--r-- | source3/libads/kerberos_verify.c | 99 |
1 files changed, 78 insertions, 21 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 35d429ca2a..25b7f9d948 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -33,21 +33,32 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, DATA_BLOB *ap_rep, uint8 session_key[16]) { - krb5_context context; + NTSTATUS sret = NT_STATUS_LOGON_FAILURE; + krb5_context context = NULL; krb5_auth_context auth_context = NULL; krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; + krb5_rcache rcache = NULL; int ret, i; - krb5_keyblock * key; + krb5_keyblock *key = NULL; krb5_principal host_princ; - char *host_princ_s; + char *host_princ_s = NULL; fstring myname; - char *password_s; + char *password_s = NULL; krb5_data password; krb5_enctype *enctypes = NULL; +#if 0 + krb5_address local_addr; + krb5_address remote_addr; +#endif BOOL auth_ok = False; + ZERO_STRUCT(packet); + ZERO_STRUCT(password); + ZERO_STRUCTP(auth_data); + ZERO_STRUCTP(ap_rep); + if (!secrets_init()) { DEBUG(1,("secrets_init failed\n")); return NT_STATUS_LOGON_FAILURE; @@ -71,35 +82,63 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_set_default_realm(context, ads->auth.realm); if (ret) { DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + sret = NT_STATUS_LOGON_FAILURE; + goto out; } - /* this whole process is far more complex than I would + /* This whole process is far more complex than I would like. We have to go through all this to allow us to store the secret internally, instead of using /etc/krb5.keytab */ + ret = krb5_auth_con_init(context, &auth_context); if (ret) { DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + sret = NT_STATUS_LOGON_FAILURE; + goto out; } fstrcpy(myname, global_myname()); - strlower(myname); + strlower_m(myname); asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm()); ret = krb5_parse_name(context, host_princ_s, &host_princ); if (ret) { DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + sret = NT_STATUS_LOGON_FAILURE; + goto out; } + /* + * JRA. We must set the rcache and the allowed addresses in the auth_context + * here. This will prevent replay attacks and ensure the client has got a key from + * the correct IP address. + */ + + ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache); + if (ret) { + DEBUG(1,("krb5_get_server_rcache failed (%s)\n", error_message(ret))); + sret = NT_STATUS_LOGON_FAILURE; + goto out; + } + + ret = krb5_auth_con_setrcache(context, auth_context, rcache); + if (ret) { + DEBUG(1,("krb5_auth_con_setrcache failed (%s)\n", error_message(ret))); + sret = NT_STATUS_LOGON_FAILURE; + goto out; + } + + /* Now we need to add the addresses.... JRA. */ + if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) { - return NT_STATUS_NO_MEMORY; + sret = NT_STATUS_NO_MEMORY; + goto out; } if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) { DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + sret = NT_STATUS_LOGON_FAILURE; + goto out; } /* we need to setup a auth context with each possible encoding type in turn */ @@ -124,23 +163,26 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, if (!auth_ok) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + sret = NT_STATUS_LOGON_FAILURE; + goto out; } ret = krb5_mk_rep(context, auth_context, &packet); if (ret) { DEBUG(3,("Failed to generate mutual authentication reply (%s)\n", error_message(ret))); - krb5_auth_con_free(context, auth_context); - return NT_STATUS_LOGON_FAILURE; + sret = NT_STATUS_LOGON_FAILURE; + goto out; } *ap_rep = data_blob(packet.data, packet.length); free(packet.data); - krb5_get_smb_session_key(context, auth_context, session_key); - DEBUG(0,("SMB session key (from ticket) follows:\n")); - dump_data(0, session_key, 16); + get_krb5_smb_session_key(context, auth_context, session_key); +#ifdef DEBUG_PASSWORD + DEBUG(10,("SMB session key (from ticket) follows:\n")); + dump_data(10, session_key, 16); +#endif #if 0 file_save("/tmp/ticket.dat", ticket->data, ticket->length); @@ -165,15 +207,30 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, principal))) { DEBUG(3,("krb5_unparse_name failed (%s)\n", error_message(ret))); + sret = NT_STATUS_LOGON_FAILURE; + goto out; + } + + sret = NT_STATUS_OK; + + out: + + if (!NT_STATUS_IS_OK(sret)) data_blob_free(auth_data); + + if (!NT_STATUS_IS_OK(sret)) data_blob_free(ap_rep); + + SAFE_FREE(host_princ_s); + SAFE_FREE(password_s); + + if (auth_context) krb5_auth_con_free(context, auth_context); - return NT_STATUS_LOGON_FAILURE; - } - krb5_auth_con_free(context, auth_context); + if (context) + krb5_free_context(context); - return NT_STATUS_OK; + return sret; } #endif /* HAVE_KRB5 */ |