Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-test

(This used to be commit f008c3b6ee324056fd9b63f6151ad6849640c959)
author: Andrew Tridgell <tridge@samba.org> 2008-08-30 07:38:02 +1000
committer: Andrew Tridgell <tridge@samba.org> 2008-08-30 07:38:02 +1000
commit: e82f2187325274d728ec7470990f971e7b3db13c (patch)
tree: 25ce940a5b2a57c6191265664fad0e70aee951fa /source4/auth/gensec
parent: 9817f3d785ceb67819a9def0e8030272e4ba9e14 (diff)
parent: 81dcc99e9acb9a7e4c2358e5e44998e4718dc658 (diff)
download: samba-e82f2187325274d728ec7470990f971e7b3db13c.tar.gz
samba-e82f2187325274d728ec7470990f971e7b3db13c.tar.bz2
samba-e82f2187325274d728ec7470990f971e7b3db13c.zip
2 files changed, 110 insertions, 131 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 20d08078be..1334e799ae 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -38,49 +38,7 @@
 #include "auth/session_proto.h"
 #include <gssapi/gssapi.h>
 #include <gssapi/gssapi_krb5.h>
-
-enum gensec_gssapi_sasl_state 
-{
-	STAGE_GSS_NEG,
-	STAGE_SASL_SSF_NEG,
-	STAGE_SASL_SSF_ACCEPT,
-	STAGE_DONE
-};
-
-#define NEG_SEAL 0x4
-#define NEG_SIGN 0x2
-#define NEG_NONE 0x1
-
-struct gensec_gssapi_state {
-	gss_ctx_id_t gssapi_context;
-	struct gss_channel_bindings_struct *input_chan_bindings;
-	gss_name_t server_name;
-	gss_name_t client_name;
-	OM_uint32 want_flags, got_flags;
-	gss_OID gss_oid;
-
-	DATA_BLOB session_key;
-	DATA_BLOB pac;
-
-	struct smb_krb5_context *smb_krb5_context;
-	struct gssapi_creds_container *client_cred;
-	struct gssapi_creds_container *server_cred;
-	gss_krb5_lucid_context_v1_t *lucid;
-
-	gss_cred_id_t delegated_cred_handle;
-
-	bool sasl; /* We have two different mechs in this file: One
-		    * for SASL wrapped GSSAPI and another for normal
-		    * GSSAPI */
-	enum gensec_gssapi_sasl_state sasl_state;
-	uint8_t sasl_protection; /* What was negotiated at the SASL
-				  * layer, independent of the GSSAPI
-				  * layer... */
-
-	size_t max_wrap_buf_size;
-	int gss_exchange_count;
-	size_t sig_size;
-};
+#include "auth/gensec/gensec_gssapi.h"
 
 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
@@ -1263,14 +1221,8 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
 	struct auth_serversupplied_info *server_info = NULL;
 	struct auth_session_info *session_info = NULL;
-	struct PAC_LOGON_INFO *logon_info;
 	OM_uint32 maj_stat, min_stat;
-	gss_buffer_desc name_token;
 	gss_buffer_desc pac;
-	krb5_keyblock *keyblock;
-	time_t authtime;
-	krb5_principal principal;
-	char *principal_string;
 	DATA_BLOB pac_blob;
 	
 	if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
@@ -1283,28 +1235,6 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context"); 
 	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 
-	maj_stat = gss_display_name (&min_stat,
-				     gensec_gssapi_state->client_name,
-				     &name_token,
-				     NULL);
-	if (GSS_ERROR(maj_stat)) {
-		DEBUG(1, ("GSS display_name failed: %s\n", 
-			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-		talloc_free(mem_ctx);
-		return NT_STATUS_FOOBAR;
-	}
-
-	principal_string = talloc_strndup(mem_ctx, 
-					  (const char *)name_token.value, 
-					  name_token.length);
-
-	gss_release_buffer(&min_stat, &name_token);
-
-	if (!principal_string) {
-		talloc_free(mem_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, 
 							       gensec_gssapi_state->gssapi_context, 
 							       KRB5_AUTHDATA_WIN2K_PAC,
@@ -1324,82 +1254,63 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	 * kind... 
 	 */
 	if (pac_blob.length) {
-		krb5_error_code ret;
-		union netr_Validation validation;
-
-		maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
-								     gensec_gssapi_state->gssapi_context, 
-								     &authtime);
-		
-		if (GSS_ERROR(maj_stat)) {
-			DEBUG(1, ("gsskrb5_extract_authtime_from_sec_context: %s\n", 
-				  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+		nt_status = kerberos_pac_blob_to_server_info(mem_ctx, 
+							     lp_iconv_convenience(gensec_security->lp_ctx),
+							     pac_blob, 
+							     gensec_gssapi_state->smb_krb5_context->krb5_context,
+							     &server_info);
+		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
-			return NT_STATUS_FOOBAR;
+			return nt_status;
 		}
+	} else {
+		gss_buffer_desc name_token;
+		char *principal_string;
 
-		maj_stat = gsskrb5_extract_service_keyblock(&min_stat, 
-							    gensec_gssapi_state->gssapi_context, 
-							    &keyblock);
-		
+		maj_stat = gss_display_name (&min_stat,
+					     gensec_gssapi_state->client_name,
+					     &name_token,
+					     NULL);
 		if (GSS_ERROR(maj_stat)) {
-			DEBUG(1, ("gsskrb5_copy_service_keyblock failed: %s\n", 
+			DEBUG(1, ("GSS display_name failed: %s\n", 
 				  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
 			talloc_free(mem_ctx);
 			return NT_STATUS_FOOBAR;
-		} 
-
-		ret = krb5_parse_name_flags(gensec_gssapi_state->smb_krb5_context->krb5_context,
-					    principal_string, 
-					    KRB5_PRINCIPAL_PARSE_MUST_REALM,
-					    &principal);
-		if (ret) {
-			krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
-					   keyblock);
-			talloc_free(mem_ctx);
-			return NT_STATUS_INVALID_PARAMETER;
 		}
 		
-		/* decode and verify the pac */
-		nt_status = kerberos_pac_logon_info(mem_ctx, lp_iconv_convenience(gensec_security->lp_ctx), &logon_info, pac_blob,
-						    gensec_gssapi_state->smb_krb5_context->krb5_context,
-						    NULL, keyblock, principal, authtime, NULL);
-		krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
-		krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
-				   keyblock);
-
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			talloc_free(mem_ctx);
-			return nt_status;
-		}
-		validation.sam3 = &logon_info->info3;
-		nt_status = make_server_info_netlogon_validation(gensec_gssapi_state, 
-								 NULL,
-								 3, &validation,
-								 &server_info); 
-		if (!NT_STATUS_IS_OK(nt_status)) {
+		principal_string = talloc_strndup(mem_ctx, 
+						  (const char *)name_token.value, 
+						  name_token.length);
+		
+		gss_release_buffer(&min_stat, &name_token);
+		
+		if (!principal_string) {
 			talloc_free(mem_ctx);
-			return nt_status;
+			return NT_STATUS_NO_MEMORY;
 		}
-	} else if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
-		DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
-			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-		nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string,
-							  &server_info);
 
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			talloc_free(mem_ctx);
-			return nt_status;
+		if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
+			DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
+				  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+			nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, 
+								  gensec_security->lp_ctx, principal_string,
+								  &server_info);
+			
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				talloc_free(mem_ctx);
+				return nt_status;
+			}
+		} else {
+			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
+				  principal_string,
+				  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+			return NT_STATUS_ACCESS_DENIED;
 		}
-	} else {
-		DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
-			  principal_string,
-			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-		return NT_STATUS_ACCESS_DENIED;
 	}
 
 	/* references the server_info into the session_info */
-	nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info);
+	nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, 
+					       gensec_security->lp_ctx, server_info, &session_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
 		return nt_status;
diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h
new file mode 100644
index 0000000000..b55b4391e0
--- /dev/null
+++ b/source4/auth/gensec/gensec_gssapi.h
@@ -0,0 +1,68 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Kerberos backend for GENSEC
+   
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+   Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* This structure described here, so the RPC-PAC test can get at the PAC provided */
+
+enum gensec_gssapi_sasl_state 
+{
+	STAGE_GSS_NEG,
+	STAGE_SASL_SSF_NEG,
+	STAGE_SASL_SSF_ACCEPT,
+	STAGE_DONE
+};
+
+#define NEG_SEAL 0x4
+#define NEG_SIGN 0x2
+#define NEG_NONE 0x1
+
+struct gensec_gssapi_state {
+	gss_ctx_id_t gssapi_context;
+	struct gss_channel_bindings_struct *input_chan_bindings;
+	gss_name_t server_name;
+	gss_name_t client_name;
+	OM_uint32 want_flags, got_flags;
+	gss_OID gss_oid;
+
+	DATA_BLOB session_key;
+	DATA_BLOB pac;
+
+	struct smb_krb5_context *smb_krb5_context;
+	struct gssapi_creds_container *client_cred;
+	struct gssapi_creds_container *server_cred;
+	gss_krb5_lucid_context_v1_t *lucid;
+
+	gss_cred_id_t delegated_cred_handle;
+
+	bool sasl; /* We have two different mechs in this file: One
+		    * for SASL wrapped GSSAPI and another for normal
+		    * GSSAPI */
+	enum gensec_gssapi_sasl_state sasl_state;
+	uint8_t sasl_protection; /* What was negotiated at the SASL
+				  * layer, independent of the GSSAPI
+				  * layer... */
+
+	size_t max_wrap_buf_size;
+	int gss_exchange_count;
+	size_t sig_size;
+};
+
author	Andrew Tridgell <tridge@samba.org>	2008-08-30 07:38:02 +1000
committer	Andrew Tridgell <tridge@samba.org>	2008-08-30 07:38:02 +1000
commit	e82f2187325274d728ec7470990f971e7b3db13c (patch)
tree	25ce940a5b2a57c6191265664fad0e70aee951fa /source4/auth/gensec
parent	9817f3d785ceb67819a9def0e8030272e4ba9e14 (diff)
parent	81dcc99e9acb9a7e4c2358e5e44998e4718dc658 (diff)
download	samba-e82f2187325274d728ec7470990f971e7b3db13c.tar.gz samba-e82f2187325274d728ec7470990f971e7b3db13c.tar.bz2 samba-e82f2187325274d728ec7470990f971e7b3db13c.zip