diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-10-20 07:36:08 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:03 -0500 |
commit | a9f15bb83eedfacca0b2bef788dc3418bcb664be (patch) | |
tree | 8c63638cbbfbc4e2cbb5abe0c222eb5e9370a200 /source4 | |
parent | 7514f906c2e491dbd807833d6b536081d7665d37 (diff) | |
download | samba-a9f15bb83eedfacca0b2bef788dc3418bcb664be.tar.gz samba-a9f15bb83eedfacca0b2bef788dc3418bcb664be.tar.bz2 samba-a9f15bb83eedfacca0b2bef788dc3418bcb664be.zip |
r11212: Enable sealing of data with raw krb5, consolidate some code into the
main gensec_krb5_start and always ask for sequence numbers.
Andrew Bartlett
(This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 124 |
1 files changed, 63 insertions, 61 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index d999559a49..eff30bbfd1 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -84,9 +84,12 @@ static int gensec_krb5_destroy(void *ptr) static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) { + krb5_error_code ret; struct gensec_krb5_state *gensec_krb5_state; + struct cli_credentials *creds; - if (!gensec_get_credentials(gensec_security)) { + creds = gensec_get_credentials(gensec_security); + if (!creds) { return NT_STATUS_INVALID_PARAMETER; } @@ -96,7 +99,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) } gensec_security->private_data = gensec_krb5_state; - gensec_krb5_state->smb_krb5_context = NULL; gensec_krb5_state->auth_context = NULL; gensec_krb5_state->ticket = NULL; @@ -108,13 +110,37 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); + if (cli_credentials_get_krb5_context(creds, &gensec_krb5_state->smb_krb5_context)) { + talloc_free(gensec_krb5_state); + return NT_STATUS_INTERNAL_ERROR; + } + + ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context); + if (ret) { + DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, + ret, gensec_krb5_state))); + talloc_free(gensec_krb5_state); + return NT_STATUS_INTERNAL_ERROR; + } + + ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context, + gensec_krb5_state->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); + if (ret) { + DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n", + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, + ret, gensec_krb5_state))); + talloc_free(gensec_krb5_state); + return NT_STATUS_INTERNAL_ERROR; + } + return NT_STATUS_OK; } static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security) { NTSTATUS nt_status; - krb5_error_code ret = 0; struct gensec_krb5_state *gensec_krb5_state; nt_status = gensec_krb5_start(gensec_security); @@ -123,24 +149,6 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security } gensec_krb5_state = gensec_security->private_data; - - ret = smb_krb5_init_context(gensec_krb5_state, - &gensec_krb5_state->smb_krb5_context); - if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", - error_message(ret))); - return NT_STATUS_INTERNAL_ERROR; - } - - ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context); - if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, - ret, gensec_krb5_state))); - return NT_STATUS_INTERNAL_ERROR; - } - - gensec_krb5_state = gensec_security->private_data; gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START; return NT_STATUS_OK; @@ -167,6 +175,9 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security const char *hostname; krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED; + char *principal; + krb5_data in_data; + hostname = gensec_get_target_hostname(gensec_security); if (!hostname) { DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n")); @@ -196,45 +207,31 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security return NT_STATUS_UNSUCCESSFUL; } - gensec_krb5_state->smb_krb5_context = talloc_reference(gensec_krb5_state, ccache_container->smb_krb5_context); - - ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context); - if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, - ret, gensec_krb5_state))); - return NT_STATUS_INTERNAL_ERROR; - } - - if (ret == 0) { - char *principal; - krb5_data in_data; - in_data.length = 0; - - principal = gensec_get_target_principal(gensec_security); - if (principal && lp_client_use_spnego_principal()) { - krb5_principal target_principal; - ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, - &target_principal); - if (ret == 0) { - ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, - &gensec_krb5_state->auth_context, - ap_req_options, - target_principal, - &in_data, ccache_container->ccache, - &gensec_krb5_state->enc_ticket); - krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, - target_principal); - } - } else { - ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, - &gensec_krb5_state->auth_context, - ap_req_options, - gensec_get_target_service(gensec_security), - hostname, - &in_data, ccache_container->ccache, - &gensec_krb5_state->enc_ticket); + in_data.length = 0; + + principal = gensec_get_target_principal(gensec_security); + if (principal && lp_client_use_spnego_principal()) { + krb5_principal target_principal; + ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, + &target_principal); + if (ret == 0) { + ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, + &gensec_krb5_state->auth_context, + ap_req_options, + target_principal, + &in_data, ccache_container->ccache, + &gensec_krb5_state->enc_ticket); + krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, + target_principal); } + } else { + ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, + &gensec_krb5_state->auth_context, + ap_req_options, + gensec_get_target_service(gensec_security), + hostname, + &in_data, ccache_container->ccache, + &gensec_krb5_state->enc_ticket); } switch (ret) { case 0: @@ -625,9 +622,14 @@ static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security, static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security, uint32_t feature) { + struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; if (feature & GENSEC_FEATURE_SESSION_KEY) { return True; } + if (!gensec_krb5_state->gssapi && + (feature & GENSEC_FEATURE_SEAL)) { + return True; + } return False; } @@ -649,8 +651,6 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = { .session_key = gensec_krb5_session_key, .session_info = gensec_krb5_session_info, .have_feature = gensec_krb5_have_feature, - .wrap = gensec_krb5_wrap, - .unwrap = gensec_krb5_unwrap, .enabled = False }; @@ -662,6 +662,8 @@ static const struct gensec_security_ops gensec_krb5_security_ops = { .session_key = gensec_krb5_session_key, .session_info = gensec_krb5_session_info, .have_feature = gensec_krb5_have_feature, + .wrap = gensec_krb5_wrap, + .unwrap = gensec_krb5_unwrap, .enabled = True }; |