diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-05-15 22:21:34 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:16:44 -0500 |
commit | 50da9ed856dec40964cecdc57185643428de306f (patch) | |
tree | 31d2441ca9318470011052f75a55efda5d8acb1b /source4 | |
parent | 5b18cf22680c76abb1262a6b75a30b8a37899467 (diff) | |
download | samba-50da9ed856dec40964cecdc57185643428de306f.tar.gz samba-50da9ed856dec40964cecdc57185643428de306f.tar.bz2 samba-50da9ed856dec40964cecdc57185643428de306f.zip |
r6796: Remove the gensec_gsskrb5 module, which had had all of it's special
features merged back into gensec_gssapi.
(Removed because I've made some API changes, and it isn't worth
'fixing' the rudundent code to cope with changes)
Andrew Bartlett
(This used to be commit e8cf3d58ec956e41fc8d3e38363db3d5d838fe1d)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/gensec.mk | 10 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gsskrb5.c | 584 |
2 files changed, 0 insertions, 594 deletions
diff --git a/source4/auth/gensec/gensec.mk b/source4/auth/gensec/gensec.mk index 2c4ce8b7fd..f8d1928585 100644 --- a/source4/auth/gensec/gensec.mk +++ b/source4/auth/gensec/gensec.mk @@ -30,16 +30,6 @@ REQUIRED_SUBSYSTEMS = EXT_LIB_KRB5 AUTH ################################################ ################################################ -# Start MODULE gensec_gsskrb5 -[MODULE::gensec_gsskrb5] -SUBSYSTEM = GENSEC -INIT_FUNCTION = gensec_gsskrb5_init -INIT_OBJ_FILES = auth/gensec/gensec_gsskrb5.o -REQUIRED_SUBSYSTEMS = EXT_LIB_KRB5 -# End MODULE gensec_gsskrb5 -################################################ - -################################################ # Start MODULE gensec_spnego [MODULE::gensec_spnego] SUBSYSTEM = GENSEC diff --git a/source4/auth/gensec/gensec_gsskrb5.c b/source4/auth/gensec/gensec_gsskrb5.c deleted file mode 100644 index 89f7f9e36a..0000000000 --- a/source4/auth/gensec/gensec_gsskrb5.c +++ /dev/null @@ -1,584 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - GSSAPI KRB5 backend for GENSEC - - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 - Copyright (C) Stefan Metzmacher <metze@samba.org> 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" -#include "system/kerberos.h" -#include "system/time.h" -#include "auth/kerberos/kerberos.h" -#include "auth/auth.h" - -static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc = - {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; - -enum GENSEC_GSSKRB5_STATE { - GENSEC_GSSKRB5_CLIENT_START, - GENSEC_GSSKRB5_CLIENT_MUTUAL_AUTH, - GENSEC_GSSKRB5_CLIENT_DCE_STYLE, - GENSEC_GSSKRB5_DONE -}; - -struct gensec_gsskrb5_state { - enum GENSEC_GSSKRB5_STATE state_position; - gss_ctx_id_t gssapi_context; - struct gss_channel_bindings_struct *input_chan_bindings; - gss_name_t server_name; - gss_name_t client_name; - OM_uint32 want_flags, got_flags; -}; - -static int gensec_gsskrb5_destory(void *ptr) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = ptr; - OM_uint32 maj_stat, min_stat; - - if (gensec_gsskrb5_state->gssapi_context != GSS_C_NO_CONTEXT) { - maj_stat = gss_delete_sec_context (&min_stat, - &gensec_gsskrb5_state->gssapi_context, - GSS_C_NO_BUFFER); - } - - if (gensec_gsskrb5_state->server_name != GSS_C_NO_NAME) { - maj_stat = gss_release_name(&min_stat, &gensec_gsskrb5_state->server_name); - } - if (gensec_gsskrb5_state->client_name != GSS_C_NO_NAME) { - maj_stat = gss_release_name(&min_stat, &gensec_gsskrb5_state->client_name); - } - return 0; -} - -static NTSTATUS gensec_gsskrb5_start(struct gensec_security *gensec_security) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state; - - gensec_gsskrb5_state = talloc(gensec_security, struct gensec_gsskrb5_state); - if (!gensec_gsskrb5_state) { - return NT_STATUS_NO_MEMORY; - } - - gensec_security->private_data = gensec_gsskrb5_state; - - gensec_gsskrb5_state->gssapi_context = GSS_C_NO_CONTEXT; - gensec_gsskrb5_state->server_name = GSS_C_NO_NAME; - gensec_gsskrb5_state->client_name = GSS_C_NO_NAME; - - talloc_set_destructor(gensec_gsskrb5_state, gensec_gsskrb5_destory); - - /* TODO: Fill in channel bindings */ - gensec_gsskrb5_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS; - - gensec_gsskrb5_state->want_flags = GSS_C_MUTUAL_FLAG; - gensec_gsskrb5_state->got_flags = 0; - - if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { - /* GSSAPI won't give us the session keys */ - return NT_STATUS_INVALID_PARAMETER; - } - if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { - gensec_gsskrb5_state->want_flags |= GSS_C_INTEG_FLAG; - } - if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { - gensec_gsskrb5_state->want_flags |= GSS_C_CONF_FLAG; - } - if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) { - gensec_gsskrb5_state->want_flags |= GSS_C_DCE_STYLE; - } - - return NT_STATUS_OK; -} - -static NTSTATUS gensec_gsskrb5_client_start(struct gensec_security *gensec_security) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state; - NTSTATUS nt_status; - gss_buffer_desc name_token; - OM_uint32 maj_stat, min_stat; - - gss_OID_desc hostbased = {10, - (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12" - "\x01\x02\x01\x04")}; - - nt_status = gensec_gsskrb5_start(gensec_security); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - gensec_gsskrb5_state = gensec_security->private_data; - - gensec_gsskrb5_state->state_position = GENSEC_GSSKRB5_CLIENT_START; - - name_token.value = talloc_asprintf(gensec_gsskrb5_state, "%s@%s", gensec_get_target_service(gensec_security), - gensec_get_target_hostname(gensec_security)); - DEBUG(0, ("name: %s\n", (char *)name_token.value)); - name_token.length = strlen(name_token.value); - - maj_stat = gss_import_name (&min_stat, - &name_token, - &hostbased, - &gensec_gsskrb5_state->server_name); - if (maj_stat) { - return NT_STATUS_UNSUCCESSFUL; - } - - return NT_STATUS_OK; -} - -/** - * Next state function for the GSSKRB5 GENSEC mechanism - * - * @param gensec_gsskrb5_state GSSAPI State - * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on - * @param in The request, as a DATA_BLOB - * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx - * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, - * or NT_STATUS_OK if the user is authenticated. - */ - -static NTSTATUS gensec_gsskrb5_update(struct gensec_security *gensec_security, - TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - OM_uint32 maj_stat, min_stat; - OM_uint32 min_stat2; - gss_buffer_desc input_token, output_token; - - *out = data_blob(NULL, 0); - - input_token.length = in.length; - input_token.value = in.data; - - switch (gensec_gsskrb5_state->state_position) { - case GENSEC_GSSKRB5_CLIENT_START: - { - maj_stat = gss_init_sec_context(&min_stat, - GSS_C_NO_CREDENTIAL, - &gensec_gsskrb5_state->gssapi_context, - gensec_gsskrb5_state->server_name, - discard_const_p(gss_OID_desc, &gensec_gss_krb5_mechanism_oid_desc), - gensec_gsskrb5_state->want_flags, - 0, - gensec_gsskrb5_state->input_chan_bindings, - &input_token, - NULL, - &output_token, - &gensec_gsskrb5_state->got_flags, /* ret flags */ - NULL); - *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length); - if (out->length != output_token.length) { - gss_release_buffer(&min_stat2, &output_token); - return NT_STATUS_NO_MEMORY; - } - gss_release_buffer(&min_stat2, &output_token); - - if (maj_stat == GSS_S_COMPLETE) { - gensec_gsskrb5_state->state_position = GENSEC_GSSKRB5_DONE; - return NT_STATUS_OK; - } else if (maj_stat == GSS_S_CONTINUE_NEEDED) { - gensec_gsskrb5_state->state_position = GENSEC_GSSKRB5_CLIENT_MUTUAL_AUTH; - return NT_STATUS_MORE_PROCESSING_REQUIRED; - } else { - gss_buffer_desc msg1, msg2; - OM_uint32 msg_ctx = 0; - - msg1.value = NULL; - msg2.value = NULL; - gss_display_status(&min_stat2, maj_stat, GSS_C_GSS_CODE, - GSS_C_NULL_OID, &msg_ctx, &msg1); - gss_display_status(&min_stat2, min_stat, GSS_C_MECH_CODE, - GSS_C_NULL_OID, &msg_ctx, &msg2); - DEBUG(1, ("gensec_gsskrb5_update: %s : %s\n", (char *)msg1.value, (char *)msg2.value)); - gss_release_buffer(&min_stat2, &msg1); - gss_release_buffer(&min_stat2, &msg2); - - return nt_status; - } - break; - } - case GENSEC_GSSKRB5_CLIENT_MUTUAL_AUTH: - { - maj_stat = gss_init_sec_context(&min_stat, - GSS_C_NO_CREDENTIAL, - &gensec_gsskrb5_state->gssapi_context, - gensec_gsskrb5_state->server_name, - discard_const_p(gss_OID_desc, &gensec_gss_krb5_mechanism_oid_desc), - gensec_gsskrb5_state->want_flags, - 0, - gensec_gsskrb5_state->input_chan_bindings, - &input_token, - NULL, - &output_token, - &gensec_gsskrb5_state->got_flags, /* ret flags */ - NULL); - *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length); - if (out->length != output_token.length) { - gss_release_buffer(&min_stat2, &output_token); - return NT_STATUS_NO_MEMORY; - } - gss_release_buffer(&min_stat2, &output_token); - - if (maj_stat == GSS_S_COMPLETE) { - if (gensec_gsskrb5_state->got_flags & GSS_C_DCE_STYLE) { - gensec_gsskrb5_state->state_position = GENSEC_GSSKRB5_CLIENT_DCE_STYLE; - return NT_STATUS_MORE_PROCESSING_REQUIRED; - } - gensec_gsskrb5_state->state_position = GENSEC_GSSKRB5_DONE; - return NT_STATUS_OK; - } else if (maj_stat == GSS_S_CONTINUE_NEEDED) { - gensec_gsskrb5_state->state_position = GENSEC_GSSKRB5_CLIENT_DCE_STYLE; - return NT_STATUS_MORE_PROCESSING_REQUIRED; - } else { - gss_buffer_desc msg1, msg2; - OM_uint32 msg_ctx = 0; - - msg1.value = NULL; - msg2.value = NULL; - gss_display_status(&min_stat2, maj_stat, GSS_C_GSS_CODE, - GSS_C_NULL_OID, &msg_ctx, &msg1); - gss_display_status(&min_stat2, min_stat, GSS_C_MECH_CODE, - GSS_C_NULL_OID, &msg_ctx, &msg2); - DEBUG(1, ("gensec_gsskrb5_update: %s : %s\n", (char *)msg1.value, (char *)msg2.value)); - gss_release_buffer(&min_stat2, &msg1); - gss_release_buffer(&min_stat2, &msg2); - - return nt_status; - } - break; - } - case GENSEC_GSSKRB5_CLIENT_DCE_STYLE: - { - gensec_gsskrb5_state->state_position = GENSEC_GSSKRB5_DONE; - return NT_STATUS_OK; - } - case GENSEC_GSSKRB5_DONE: - { - return NT_STATUS_OK; - } - default: - return NT_STATUS_INVALID_PARAMETER; - } - - return NT_STATUS_INVALID_PARAMETER; -} - -static NTSTATUS gensec_gsskrb5_wrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input_token, output_token; - int conf_state; - input_token.length = in->length; - input_token.value = in->data; - - maj_stat = gss_wrap(&min_stat, - gensec_gsskrb5_state->gssapi_context, - gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL), - GSS_C_QOP_DEFAULT, - &input_token, - &conf_state, - &output_token); - if (GSS_ERROR(maj_stat)) { - return NT_STATUS_ACCESS_DENIED; - } - *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length); - - gss_release_buffer(&min_stat, &output_token); - - if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) - && !conf_state) { - return NT_STATUS_ACCESS_DENIED; - } - return NT_STATUS_OK; -} - -static NTSTATUS gensec_gsskrb5_unwrap(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const DATA_BLOB *in, - DATA_BLOB *out) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input_token, output_token; - int conf_state; - gss_qop_t qop_state; - input_token.length = in->length; - input_token.value = in->data; - - maj_stat = gss_unwrap(&min_stat, - gensec_gsskrb5_state->gssapi_context, - &input_token, - &output_token, - &conf_state, - &qop_state); - if (GSS_ERROR(maj_stat)) { - return NT_STATUS_ACCESS_DENIED; - } - *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length); - - gss_release_buffer(&min_stat, &output_token); - - if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) - && !conf_state) { - return NT_STATUS_ACCESS_DENIED; - } - return NT_STATUS_OK; -} - -static size_t gensec_gsskrb5_sig_size(struct gensec_security *gensec_security) -{ - /* not const but work for DCERPC packets and arcfour */ - return 45; -} - -static NTSTATUS gensec_gsskrb5_seal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input_token, output_token; - int conf_state; - ssize_t sig_length = 0; - - input_token.length = length; - input_token.value = data; - - maj_stat = gss_wrap(&min_stat, - gensec_gsskrb5_state->gssapi_context, - gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL), - GSS_C_QOP_DEFAULT, - &input_token, - &conf_state, - &output_token); - if (GSS_ERROR(maj_stat)) { - return NT_STATUS_ACCESS_DENIED; - } - - if (output_token.length < length) { - return NT_STATUS_INTERNAL_ERROR; - } - - sig_length = 45; - - memcpy(data, ((uint8_t *)output_token.value) + sig_length, length); - *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length); - -DEBUG(0,("gensec_gsskrb5_seal_packet: siglen: %d inlen: %d, wrap_len: %d\n", sig->length, length, output_token.length - sig_length)); -dump_data(0,sig->data, sig->length); -dump_data(0,data, length); -dump_data(0,((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length); - - gss_release_buffer(&min_stat, &output_token); - - if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) - && !conf_state) { - return NT_STATUS_ACCESS_DENIED; - } - return NT_STATUS_OK; -} - -static NTSTATUS gensec_gsskrb5_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input_token, output_token; - int conf_state; - gss_qop_t qop_state; - DATA_BLOB in; - -DEBUG(0,("gensec_gsskrb5_unseal_packet: siglen: %d\n", sig->length)); -dump_data(0,sig->data, sig->length); - - in = data_blob_talloc(mem_ctx, NULL, sig->length + length); - - memcpy(in.data, sig->data, sig->length); - memcpy(in.data + sig->length, data, length); - - input_token.length = in.length; - input_token.value = in.data; - - maj_stat = gss_unwrap(&min_stat, - gensec_gsskrb5_state->gssapi_context, - &input_token, - &output_token, - &conf_state, - &qop_state); - if (GSS_ERROR(maj_stat)) { - return NT_STATUS_ACCESS_DENIED; - } - - if (output_token.length != length) { - return NT_STATUS_INTERNAL_ERROR; - } - - memcpy(data, output_token.value, length); - - gss_release_buffer(&min_stat, &output_token); - - if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) - && !conf_state) { - return NT_STATUS_ACCESS_DENIED; - } - return NT_STATUS_OK; -} - -static NTSTATUS gensec_gsskrb5_sign_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input_token, output_token; - int conf_state; - ssize_t sig_length = 0; - - input_token.length = length; - input_token.value = discard_const_p(uint8_t *, data); - - maj_stat = gss_wrap(&min_stat, - gensec_gsskrb5_state->gssapi_context, - 0, - GSS_C_QOP_DEFAULT, - &input_token, - &conf_state, - &output_token); - if (GSS_ERROR(maj_stat)) { - return NT_STATUS_ACCESS_DENIED; - } - - if (output_token.length < length) { - return NT_STATUS_INTERNAL_ERROR; - } - - sig_length = 45; - - /*memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);*/ - *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length); - -DEBUG(0,("gensec_gsskrb5_sign_packet: siglen: %d\n", sig->length)); -dump_data(0,sig->data, sig->length); - - gss_release_buffer(&min_stat, &output_token); - - return NT_STATUS_OK; -} - -static NTSTATUS gensec_gsskrb5_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc input_token, output_token; - int conf_state; - gss_qop_t qop_state; - DATA_BLOB in; - -DEBUG(0,("gensec_gsskrb5_check_packet: siglen: %d\n", sig->length)); -dump_data(0,sig->data, sig->length); - - in = data_blob_talloc(mem_ctx, NULL, sig->length + length); - - memcpy(in.data, sig->data, sig->length); - memcpy(in.data + sig->length, data, length); - - input_token.length = in.length; - input_token.value = in.data; - - maj_stat = gss_unwrap(&min_stat, - gensec_gsskrb5_state->gssapi_context, - &input_token, - &output_token, - &conf_state, - &qop_state); - if (GSS_ERROR(maj_stat)) { - return NT_STATUS_ACCESS_DENIED; - } - - if (output_token.length != length) { - return NT_STATUS_INTERNAL_ERROR; - } - - /*memcpy(data, output_token.value, length);*/ - - gss_release_buffer(&min_stat, &output_token); - - return NT_STATUS_OK; -} - -static BOOL gensec_gsskrb5_have_feature(struct gensec_security *gensec_security, - uint32_t feature) -{ - struct gensec_gsskrb5_state *gensec_gsskrb5_state = gensec_security->private_data; - if (feature & GENSEC_FEATURE_SIGN) { - return gensec_gsskrb5_state->got_flags & GSS_C_INTEG_FLAG; - } - if (feature & GENSEC_FEATURE_SEAL) { - return gensec_gsskrb5_state->got_flags & GSS_C_CONF_FLAG; - } - return False; -} - -static const struct gensec_security_ops gensec_gsskrb5_security_ops = { - .name = "gsskrb5", - .auth_type = DCERPC_AUTH_TYPE_KRB5, - .oid = GENSEC_OID_KERBEROS5, - .client_start = gensec_gsskrb5_client_start, - .update = gensec_gsskrb5_update, - .sig_size = gensec_gsskrb5_sig_size, - .sign_packet = gensec_gsskrb5_sign_packet, - .check_packet = gensec_gsskrb5_check_packet, - .seal_packet = gensec_gsskrb5_seal_packet, - .unseal_packet = gensec_gsskrb5_unseal_packet, - .wrap = gensec_gsskrb5_wrap, - .unwrap = gensec_gsskrb5_unwrap, - .have_feature = gensec_gsskrb5_have_feature, - .enabled = False -}; - -NTSTATUS gensec_gsskrb5_init(void) -{ - NTSTATUS ret; - - ret = gensec_register(&gensec_gsskrb5_security_ops); - if (!NT_STATUS_IS_OK(ret)) { - DEBUG(0,("Failed to register '%s' gensec backend!\n", - gensec_gsskrb5_security_ops.name)); - return ret; - } - - return ret; -} |