summaryrefslogtreecommitdiff
path: root/source3/librpc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-04-16 15:41:50 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-04-27 11:56:48 +1000
commit6ec4306f8c3fed7ec5b5bd164c5829b2661589b7 (patch)
tree5384aed4fe934eb82f7487cfc12f9c220ba5184d /source3/librpc
parente130dec97bb4e08b11f39c1c1382f0c8ad36ef67 (diff)
downloadsamba-6ec4306f8c3fed7ec5b5bd164c5829b2661589b7.tar.gz
samba-6ec4306f8c3fed7ec5b5bd164c5829b2661589b7.tar.bz2
samba-6ec4306f8c3fed7ec5b5bd164c5829b2661589b7.zip
auth/kerberos: Create common helper to get the verified PAC from GSSAPI
This only works for Heimdal and MIT Krb5 1.8, other versions will get an ACCESS_DEINED error. We no longer manually verify any details of the PAC in Samba for GSSAPI logins, as we never had the information to do it properly, and it is better to have the GSSAPI library handle it. Andrew Bartlett
Diffstat (limited to 'source3/librpc')
-rw-r--r--source3/librpc/crypto/gse.c47
-rw-r--r--source3/librpc/crypto/gse.h3
2 files changed, 7 insertions, 43 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 0d9eead082..42e9c942a9 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -62,16 +62,6 @@ gss_OID_desc gse_authz_data_oid = {
(void *)GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID
};
-#ifndef GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
-#endif
-
-gss_OID_desc gse_authtime_oid = {
- GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
- (void *)GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-};
-
static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
struct gse_context {
@@ -692,42 +682,15 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
return NT_STATUS_OK;
}
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+ TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
{
- OM_uint32 gss_min, gss_maj;
- gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
- int32_t tkttime;
-
if (!gse_ctx->authenticated) {
return NT_STATUS_ACCESS_DENIED;
}
- gss_maj = gss_inquire_sec_context_by_oid(
- &gss_min, gse_ctx->gss_ctx,
- &gse_authtime_oid, &set);
- if (gss_maj) {
- DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
- gse_errstr(talloc_tos(), gss_maj, gss_min)));
- return NT_STATUS_NOT_FOUND;
- }
-
- if ((set == GSS_C_NO_BUFFER_SET) || (set->count != 1) != 0) {
- DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
- "data in results.\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- if (set->elements[0].length != sizeof(int32_t)) {
- DEBUG(0, ("Invalid authtime size!\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- tkttime = *((int32_t *)set->elements[0].value);
-
- gss_maj = gss_release_buffer_set(&gss_min, &set);
-
- *authtime = (time_t)tkttime;
- return NT_STATUS_OK;
+ return gssapi_obtain_pac_blob(mem_ctx, gse_ctx->gss_ctx,
+ gse_ctx->client_name, pac_blob);
}
size_t gse_get_signature_length(struct gse_context *gse_ctx,
@@ -1017,4 +980,4 @@ NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
return NT_STATUS_NOT_IMPLEMENTED;
}
-#endif /* HAVE_KRB5 && HAVE_GSSAPI_EXT_H && HAVE_GSS_WRAP_IOV */
+#endif /* HAVE_KRB5 && HAVE_GSS_WRAP_IOV */
diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h
index fbcf5b6e10..27cc2e9255 100644
--- a/source3/librpc/crypto/gse.h
+++ b/source3/librpc/crypto/gse.h
@@ -56,7 +56,8 @@ NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
TALLOC_CTX *mem_ctx, char **client_name);
NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
TALLOC_CTX *mem_ctx, DATA_BLOB *pac);
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime);
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+ TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob);
size_t gse_get_signature_length(struct gse_context *gse_ctx,
int seal, size_t payload_size);