summaryrefslogtreecommitdiff
path: root/source4/libcli/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-07-12 09:11:13 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:57:32 -0500
commit88002b851bd30e3c03a5a9442baf3ced7aa6090f (patch)
tree8547a06b7e5af9c4cb5e73f6190035aefd7fd75c /source4/libcli/auth
parentb62e6f1ec13c6cad5a94a2a27dc14d3fdfdd4cfc (diff)
downloadsamba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.tar.gz
samba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.tar.bz2
samba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.zip
r1462: GENSEC Kerberos and SPENGO work:
- Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
Diffstat (limited to 'source4/libcli/auth')
-rw-r--r--source4/libcli/auth/config.mk3
-rw-r--r--source4/libcli/auth/gensec.mk5
-rw-r--r--source4/libcli/auth/gensec_krb5.c13
-rw-r--r--source4/libcli/auth/spnego.c122
4 files changed, 73 insertions, 70 deletions
diff --git a/source4/libcli/auth/config.mk b/source4/libcli/auth/config.mk
index 0c7586026b..a3bb3f1c78 100644
--- a/source4/libcli/auth/config.mk
+++ b/source4/libcli/auth/config.mk
@@ -3,8 +3,7 @@
[SUBSYSTEM::LIBCLI_AUTH]
ADD_OBJ_FILES = libcli/auth/schannel.o \
libcli/auth/credentials.o \
- libcli/auth/session.o \
- libcli/auth/ntlm_check.o
+ libcli/auth/session.o
REQUIRED_SUBSYSTEMS = \
AUTH SCHANNELDB GENSEC
# End SUBSYSTEM LIBCLI_AUTH
diff --git a/source4/libcli/auth/gensec.mk b/source4/libcli/auth/gensec.mk
index 7c2c21bafd..5c6a8260e5 100644
--- a/source4/libcli/auth/gensec.mk
+++ b/source4/libcli/auth/gensec.mk
@@ -3,7 +3,7 @@
[SUBSYSTEM::GENSEC]
INIT_OBJ_FILES = libcli/auth/gensec.o
REQUIRED_SUBSYSTEMS = \
- AUTH SCHANNELDB
+ SCHANNELDB
# End SUBSYSTEM GENSEC
#################################
@@ -14,7 +14,8 @@ INIT_OBJ_FILES = libcli/auth/gensec_krb5.o
ADD_OBJ_FILES = \
libcli/auth/clikrb5.o \
libcli/auth/kerberos.o \
- libcli/auth/kerberos_verify.o
+ libcli/auth/kerberos_verify.o \
+ libcli/auth/gssapi_parse.o
REQUIRED_SUBSYSTEMS = GENSEC
# End MODULE gensec_krb5
################################################
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index dbb2a10659..3a4f995937 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -42,6 +42,7 @@ struct gensec_krb5_state {
enum GENSEC_KRB5_STATE state_position;
krb5_context krb5_context;
krb5_auth_context krb5_auth_context;
+ krb5_ccache krb5_ccache;
};
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
@@ -66,7 +67,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
initialize_krb5_error_table();
gensec_krb5_state->krb5_context = NULL;
gensec_krb5_state->krb5_auth_context = NULL;
- gensec_krb5_state->krb5_ccdef = NULL;
+ gensec_krb5_state->krb5_ccache = NULL;
gensec_krb5_state->session_key = data_blob(NULL, 0);
ret = krb5_init_context(&gensec_krb5_state->krb5_context);
@@ -111,7 +112,7 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security
static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state;
-
+ krb5_error_code ret;
NTSTATUS nt_status;
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -121,7 +122,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
- ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef);
+ ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
error_message(ret)));
@@ -135,13 +136,13 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
- if (gensec_krb5_state->krb5_ccdef) {
+ if (gensec_krb5_state->krb5_ccache) {
/* Removed by jra. They really need to fix their kerberos so we don't leak memory.
JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
SuSE 9.1 Pro
*/
#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
- krb5_cc_close(context, gensec_krb5_state->krb5_ccdef);
+ krb5_cc_close(context, gensec_krb5_state->krb5_ccache);
#endif
}
@@ -193,7 +194,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
&gensec_krb5_state->krb5_auth_context,
AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
gensec_security->target.principal,
- ccdef, &packet);
+ gensec_krb5_state->krb5_ccache, &packet);
if (ret) {
DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
error_message(ret)));
diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
index 7e0cda42ba..32846cf580 100644
--- a/source4/libcli/auth/spnego.c
+++ b/source4/libcli/auth/spnego.c
@@ -48,7 +48,7 @@ struct spnego_state {
static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
{
struct spnego_state *spnego_state;
- TALLOC_CTX *mem_ctx = talloc_init("gensec_spengo_client_start");
+ TALLOC_CTX *mem_ctx = talloc_init("gensec_spnego_client_start");
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
@@ -151,12 +151,12 @@ static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_securit
/** Fallback to another GENSEC mechanism, based on magic strings
*
- * This is the 'fallback' case, where we don't get SPENGO, and have to
+ * This is the 'fallback' case, where we don't get SPNEGO, and have to
* try all the other options (and hope they all have a magic string
* they check)
*/
-static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec_security,
+static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
@@ -189,7 +189,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
}
gensec_end(&spnego_state->sub_sec_security);
}
- DEBUG(1, ("Failed to parse SPENGO request\n"));
+ DEBUG(1, ("Failed to parse SPNEGO request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -199,7 +199,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
* This is the case, where the client is the first one who sends data
*/
-static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec_security,
+static NTSTATUS gensec_spnego_client_netTokenInit(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
@@ -266,7 +266,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -277,7 +277,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
}
gensec_end(&spnego_state->sub_sec_security);
- DEBUG(1, ("Failed to setup SPENGO netTokenInit request\n"));
+ DEBUG(1, ("Failed to setup SPNEGO netTokenInit request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -286,7 +286,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
{
struct spnego_state *spnego_state = gensec_security->private_data;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
- DATA_BLOB unwrapped_out;
+ DATA_BLOB unwrapped_out = data_blob(NULL, 0);
struct spnego_data spnego_out;
struct spnego_data spnego;
@@ -307,7 +307,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (in.length) {
len = spnego_read_data(in, &spnego);
if (len == -1) {
- return gensec_spengo_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
+ return gensec_spnego_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
} else {
/* client sent NegTargetInit */
}
@@ -328,7 +328,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (!in.length) {
/* client to produce negTokenInit */
- return gensec_spengo_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
+ return gensec_spnego_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
}
len = spnego_read_data(in, &spnego);
@@ -341,13 +341,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type,
+ DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, (const char *)in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ if (spnego.negTokenInit.targetPrincipal) {
+ nt_status = gensec_set_target_principal(gensec_security,
+ spnego.negTokenInit.targetPrincipal);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ }
+
mechType = spnego.negTokenInit.mechTypes;
for (i=0; mechType && mechType[i]; i++) {
nt_status = gensec_subcontext_start(gensec_security,
@@ -375,8 +383,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
null_data_blob,
&unwrapped_out);
}
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- DEBUG(1, ("SPENGO(%s) NEG_TOKEN_INIT failed: %s\n",
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
gensec_end(&spnego_state->sub_sec_security);
} else {
@@ -384,11 +392,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
}
if (!mechType || !mechType[i]) {
- DEBUG(1, ("SPENGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+ DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
}
spnego_free_data(&spnego);
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
@@ -402,7 +410,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -410,7 +418,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
- return nt_status;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
case SPNEGO_SERVER_TARG:
{
@@ -429,49 +437,47 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type,
+ DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, (const char *)in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
- if (spnego.negTokenTarg.responseToken.length) {
- nt_status = gensec_update(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego.negTokenTarg.responseToken,
- &unwrapped_out);
- } else {
- unwrapped_out = data_blob(NULL, 0);
- nt_status = NT_STATUS_OK;
- }
+ nt_status = gensec_update(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego.negTokenTarg.responseToken,
+ &unwrapped_out);
spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
+ /* compose reply */
+ spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+ spnego_out.negTokenTarg.supportedMech
+ = spnego_state->sub_sec_security->ops->oid;
+ spnego_out.negTokenTarg.responseToken = unwrapped_out;
+ spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- /* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
- spnego_out.negTokenTarg.supportedMech
- = spnego_state->sub_sec_security->ops->oid;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
-
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
spnego_state->state_position = SPNEGO_SERVER_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
spnego_state->state_position = SPNEGO_DONE;
} else {
- DEBUG(1, ("SPENGO(%s) login failed: %s\n",
+ spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
+ DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
- return nt_status;
+ spnego_state->state_position = SPNEGO_DONE;
}
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
return nt_status;
}
case SPNEGO_CLIENT_TARG:
@@ -501,16 +507,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
return NT_STATUS_ACCESS_DENIED;
}
-
- if (spnego.negTokenTarg.responseToken.length) {
- nt_status = gensec_update(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego.negTokenTarg.responseToken,
- &unwrapped_out);
- } else {
- unwrapped_out = data_blob(NULL, 0);
- nt_status = NT_STATUS_OK;
- }
+
+ nt_status = gensec_update(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego.negTokenTarg.responseToken,
+ &unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)
&& (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
@@ -521,27 +522,28 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
+ spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+ spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
+ spnego_out.negTokenTarg.supportedMech = NULL;
+ spnego_out.negTokenTarg.responseToken = unwrapped_out;
+ spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
- spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
- spnego_out.negTokenTarg.supportedMech = NULL;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
spnego_state->state_position = SPNEGO_CLIENT_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->state_position = SPNEGO_DONE;
} else {
- DEBUG(1, ("SPENGO(%s) login failed: %s\n",
+ DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
return nt_status;
}
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
return nt_status;
}