diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-02-17 13:36:35 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-02-17 17:36:38 +1100 |
commit | 674278d5b0d68e96d68f7beab2289a502efa6bc4 (patch) | |
tree | 2e34f2f291f6dc00cc284554eb74c665adbe8f4b /source3 | |
parent | a315350341d7090402fe8fe2991d18fa530d2398 (diff) | |
download | samba-674278d5b0d68e96d68f7beab2289a502efa6bc4.tar.gz samba-674278d5b0d68e96d68f7beab2289a502efa6bc4.tar.bz2 samba-674278d5b0d68e96d68f7beab2289a502efa6bc4.zip |
auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.
Andrew Bartlett
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/smb_krb5.h | 12 | ||||
-rw-r--r-- | source3/librpc/crypto/gse.c | 116 |
2 files changed, 3 insertions, 125 deletions
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h index bc9996c541..152652512d 100644 --- a/source3/include/smb_krb5.h +++ b/source3/include/smb_krb5.h @@ -66,18 +66,6 @@ typedef struct { #endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */ } smb_krb5_addresses; -#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ -#define KRB5_KEY_TYPE(k) ((k)->keytype) -#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) -#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) -#define KRB5_KEY_DATA_CAST void -#else /* MIT */ -#define KRB5_KEY_TYPE(k) ((k)->enctype) -#define KRB5_KEY_LENGTH(k) ((k)->length) -#define KRB5_KEY_DATA(k) ((k)->contents) -#define KRB5_KEY_DATA_CAST krb5_octet -#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ - #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */ #define KRB5_KT_KEY(k) (&(k)->key) #elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index d8f3af0897..1ce3761ae7 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -35,26 +35,6 @@ #include "smb_krb5.h" #include "gse_krb5.h" -#ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID -#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 -#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" -#endif - -gss_OID_desc gse_sesskey_inq_oid = { - GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH, - (void *)GSS_KRB5_INQ_SSPI_SESSION_KEY_OID -}; - -#ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID -#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10 -#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04" -#endif - -gss_OID_desc gse_sesskeytype_oid = { - GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH, - (void *)GSS_KRB5_SESSION_KEY_ENCTYPE_OID -}; - static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min); struct gse_context { @@ -563,96 +543,6 @@ done: return errstr; } -static NTSTATUS gse_get_session_key(TALLOC_CTX *mem_ctx, - struct gse_context *gse_ctx, - DATA_BLOB *session_key, - uint32_t *keytype) -{ - OM_uint32 gss_min, gss_maj; - gss_buffer_set_t set = GSS_C_NO_BUFFER_SET; - - gss_maj = gss_inquire_sec_context_by_oid( - &gss_min, gse_ctx->gssapi_context, - &gse_sesskey_inq_oid, &set); - if (gss_maj) { - DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n", - gse_errstr(talloc_tos(), gss_maj, gss_min))); - return NT_STATUS_NO_USER_SESSION_KEY; - } - - if ((set == GSS_C_NO_BUFFER_SET) || - (set->count == 0)) { -#ifdef HAVE_GSSKRB5_GET_SUBKEY - krb5_keyblock *subkey; - gss_maj = gsskrb5_get_subkey(&gss_min, - gse_ctx->gssapi_context, - &subkey); - if (gss_maj != 0) { - DEBUG(1, ("NO session key for this mech\n")); - return NT_STATUS_NO_USER_SESSION_KEY; - } - if (session_key) { - *session_key = data_blob_talloc(mem_ctx, - KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); - } - if (keytype) { - *keytype = KRB5_KEY_TYPE(subkey); - } - krb5_free_keyblock(NULL /* should be krb5_context */, subkey); - return NT_STATUS_OK; -#else - DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown " - "OID for data in results:\n")); - dump_data(1, (uint8_t *)set->elements[1].value, - set->elements[1].length); - return NT_STATUS_NO_USER_SESSION_KEY; -#endif - } - - if (session_key) { - *session_key = data_blob_talloc(mem_ctx, set->elements[0].value, - set->elements[0].length); - } - - if (keytype) { - char *oid; - char *p, *q = NULL; - - if (set->count < 2 - || memcmp(set->elements[1].value, - gse_sesskeytype_oid.elements, - gse_sesskeytype_oid.length) != 0) { - /* Perhaps a non-krb5 session key */ - *keytype = 0; - gss_maj = gss_release_buffer_set(&gss_min, &set); - return NT_STATUS_OK; - } - if (!ber_read_OID_String(talloc_tos(), - data_blob_const(set->elements[1].value, - set->elements[1].length), &oid)) { - TALLOC_FREE(oid); - gss_maj = gss_release_buffer_set(&gss_min, &set); - return NT_STATUS_INVALID_PARAMETER; - } - p = strrchr(oid, '.'); - if (!p) { - TALLOC_FREE(oid); - gss_maj = gss_release_buffer_set(&gss_min, &set); - return NT_STATUS_INVALID_PARAMETER; - } else { - p++; - *keytype = strtoul(p, &q, 10); - if (q == NULL || *q != '\0') { - return NT_STATUS_INVALID_PARAMETER; - } - } - TALLOC_FREE(oid); - } - - gss_maj = gss_release_buffer_set(&gss_min, &set); - return NT_STATUS_OK; -} - static size_t gse_get_signature_length(struct gse_context *gse_ctx, bool seal, size_t payload_size) { @@ -1125,8 +1015,8 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security, return false; } - status = gse_get_session_key(talloc_tos(), - gse_ctx, NULL, &keytype); + status = gssapi_get_session_key(talloc_tos(), + gse_ctx->gssapi_context, NULL, &keytype); /* * We should do a proper sig on the mechListMic unless * we know we have to be backwards compatible with @@ -1168,7 +1058,7 @@ static NTSTATUS gensec_gse_session_key(struct gensec_security *gensec_security, talloc_get_type_abort(gensec_security->private_data, struct gse_context); - return gse_get_session_key(mem_ctx, gse_ctx, session_key, NULL); + return gssapi_get_session_key(mem_ctx, gse_ctx->gssapi_context, session_key, NULL); } /* Get some basic (and authorization) information about the user on |