Merge 2610c05b5b95cc7036b3d6dfb894c6cfbdb68483 as Samba-4.0alpha16

author: Andrew Bartlett <abartlet@samba.org> 2011-06-24 16:26:23 +1000
committer: Andrew Bartlett <abartlet@samba.org> 2011-06-24 16:26:23 +1000
commit: 6da26870e0ae5acd6ff49a30ec2f6886b44d095e (patch)
tree: 850c71039563c16a5d563c47e7ba2ab645baf198 /source3/librpc/crypto/gse.c
parent: 6925a799d04c6fa59dd2ddef1f5510f9bb7d17d1 (diff)
parent: 2610c05b5b95cc7036b3d6dfb894c6cfbdb68483 (diff)
download: samba-6da26870e0ae5acd6ff49a30ec2f6886b44d095e.tar.gz
samba-6da26870e0ae5acd6ff49a30ec2f6886b44d095e.tar.bz2
samba-6da26870e0ae5acd6ff49a30ec2f6886b44d095e.zip
1 files changed, 61 insertions, 74 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 0d9eead082..c311c774d4 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -27,12 +27,6 @@
 #include "smb_krb5.h"
 #include "gse_krb5.h"
 
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_krb5.h>
-#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
-#include <gssapi/gssapi_ext.h>
-#endif
-
 #ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
@@ -62,16 +56,6 @@ gss_OID_desc gse_authz_data_oid = {
 	(void *)GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID
 };
 
-#ifndef GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
-#endif
-
-gss_OID_desc gse_authtime_oid = {
-	GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
-	(void *)GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-};
-
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
 
 struct gse_context {
@@ -95,6 +79,24 @@ struct gse_context {
 	bool authenticated;
 };
 
+#ifndef HAVE_GSS_OID_EQUAL
+
+static bool gss_oid_equal(const gss_OID o1, const gss_OID o2)
+{
+	if (o1 == o2) {
+		return true;
+	}
+	if ((o1 == NULL && o2 != NULL) || (o1 != NULL && o2 == NULL)) {
+		return false;
+	}
+	if (o1->length != o2->length) {
+		return false;
+	}
+	return memcmp(o1->elements, o2->elements, o1->length) == false;
+}
+
+#endif
+
 /* free non talloc dependent contexts */
 static int gse_context_destructor(void *ptr)
 {
@@ -135,10 +137,19 @@ static int gse_context_destructor(void *ptr)
 		gss_maj = gss_release_cred(&gss_min,
 					   &gse_ctx->delegated_creds);
 	}
-	if (gse_ctx->ret_mech) {
-		gss_maj = gss_release_oid(&gss_min,
-					  &gse_ctx->ret_mech);
-	}
+
+	/* MIT and Heimdal differ as to if you can call
+	 * gss_release_oid() on this OID, generated by
+	 * gss_{accept,init}_sec_context().  However, as long as the
+	 * oid is gss_mech_krb5 (which it always is at the moment),
+	 * then this is a moot point, as both declare this particular
+	 * OID static, and so no memory is lost.  This assert is in
+	 * place to ensure that the programmer who wishes to extend
+	 * this code to EAP or other GSS mechanisms determines an
+	 * implementation-dependent way of releasing any dynamically
+	 * allocated OID */
+	SMB_ASSERT(gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5));
+
 	return 0;
 }
 
@@ -348,8 +359,6 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 	OM_uint32 gss_maj, gss_min;
 	krb5_error_code ret;
 	NTSTATUS status;
-	const char *ktname;
-	gss_OID_set_desc mech_set;
 
 	status = gse_context_init(mem_ctx, do_sign, do_seal,
 				  NULL, add_gss_c_flags, &gse_ctx);
@@ -379,24 +388,27 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 	 * This call sets the default keytab for the whole server, not
 	 * just for this context. Need to find a way that does not alter
 	 * the state of the whole server ... */
+	{
+		const char *ktname;
+		gss_OID_set_desc mech_set;
 
-	ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
+		ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
 				   gse_ctx->keytab, &ktname);
-	if (ret) {
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
+		if (ret) {
+			status = NT_STATUS_INTERNAL_ERROR;
+			goto done;
+		}
 
-	ret = gsskrb5_register_acceptor_identity(ktname);
-	if (ret) {
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
+		ret = gsskrb5_register_acceptor_identity(ktname);
+		if (ret) {
+			status = NT_STATUS_INTERNAL_ERROR;
+			goto done;
+		}
 
-	mech_set.count = 1;
-	mech_set.elements = &gse_ctx->gss_mech;
-	
-	gss_maj = gss_acquire_cred(&gss_min,
+		mech_set.count = 1;
+		mech_set.elements = &gse_ctx->gss_mech;
+
+		gss_maj = gss_acquire_cred(&gss_min,
 				   GSS_C_NO_NAME,
 				   GSS_C_INDEFINITE,
 				   &mech_set,
@@ -404,11 +416,12 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 				   &gse_ctx->creds,
 				   NULL, NULL);
 
-	if (gss_maj) {
-		DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
-			  gse_errstr(gse_ctx, gss_maj, gss_min)));
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
+		if (gss_maj) {
+			DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
+				  gse_errstr(gse_ctx, gss_maj, gss_min)));
+			status = NT_STATUS_INTERNAL_ERROR;
+			goto done;
+		}
 	}
 #endif
 	status = NT_STATUS_OK;
@@ -692,42 +705,15 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+			  TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
 {
-	OM_uint32 gss_min, gss_maj;
-	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
-	int32_t	tkttime;
-
 	if (!gse_ctx->authenticated) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	gss_maj = gss_inquire_sec_context_by_oid(
-				&gss_min, gse_ctx->gss_ctx,
-				&gse_authtime_oid, &set);
-	if (gss_maj) {
-		DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
-			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
-		return NT_STATUS_NOT_FOUND;
-	}
-
-	if ((set == GSS_C_NO_BUFFER_SET) || (set->count != 1) != 0) {
-		DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
-			  "data in results.\n"));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	if (set->elements[0].length != sizeof(int32_t)) {
-		DEBUG(0, ("Invalid authtime size!\n"));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	tkttime = *((int32_t *)set->elements[0].value);
-
-	gss_maj = gss_release_buffer_set(&gss_min, &set);
-
-	*authtime = (time_t)tkttime;
-	return NT_STATUS_OK;
+	return gssapi_obtain_pac_blob(mem_ctx, gse_ctx->gss_ctx,
+					gse_ctx->client_name, pac_blob);
 }
 
 size_t gse_get_signature_length(struct gse_context *gse_ctx,
@@ -982,7 +968,8 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+			  TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
 {
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
@@ -1017,4 +1004,4 @@ NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-#endif /* HAVE_KRB5 && HAVE_GSSAPI_EXT_H && HAVE_GSS_WRAP_IOV */
+#endif /* HAVE_KRB5 && HAVE_GSS_WRAP_IOV */
author	Andrew Bartlett <abartlet@samba.org>	2011-06-24 16:26:23 +1000
committer	Andrew Bartlett <abartlet@samba.org>	2011-06-24 16:26:23 +1000
commit	6da26870e0ae5acd6ff49a30ec2f6886b44d095e (patch)
tree	850c71039563c16a5d563c47e7ba2ab645baf198 /source3/librpc/crypto/gse.c
parent	6925a799d04c6fa59dd2ddef1f5510f9bb7d17d1 (diff)
parent	2610c05b5b95cc7036b3d6dfb894c6cfbdb68483 (diff)
download	samba-6da26870e0ae5acd6ff49a30ec2f6886b44d095e.tar.gz samba-6da26870e0ae5acd6ff49a30ec2f6886b44d095e.tar.bz2 samba-6da26870e0ae5acd6ff49a30ec2f6886b44d095e.zip