-rw-r--r--auth/gensec/gensec.h2
-rw-r--r--auth/gensec/gensec_util.c44
-rwxr-xr-x[-rw-r--r--]auth/gensec/wscript_build2
-rw-r--r--auth/kerberos/gssapi_parse.c20
-rw-r--r--libcli/auth/krb5_wrap.h1
-rw-r--r--source3/librpc/crypto/gse.c22
-rw-r--r--source4/auth/gensec/gensec_gssapi.c24
-rw-r--r--source4/auth/gensec/gensec_krb5.c22
8 files changed, 51 insertions, 86 deletions
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index f88da2227d..0b0689fbce 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -350,5 +350,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
struct auth_session_info **session_info);
+NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
+ const DATA_BLOB *blob);
#endif /* __GENSEC_H__ */
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index cdd615fb60..d732213551 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "auth/gensec/gensec.h"
#include "auth/common_auth.h"
+#include "../lib/util/asn1.h"
NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
@@ -180,3 +181,46 @@ NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
}
return NT_STATUS_OK;
}
+
+/*
+ magic check a GSS-API wrapper packet for an Kerberos OID
+*/
+static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
+{
+ bool ret;
+ struct asn1_data *data = asn1_init(NULL);
+
+ if (!data) return false;
+
+ asn1_load(data, *blob);
+ asn1_start_tag(data, ASN1_APPLICATION(0));
+ asn1_check_OID(data, oid);
+
+ ret = !data->has_error;
+
+ asn1_free(data);
+
+ return ret;
+}
+
+/**
+ * Check if the packet is one for the KRB5 mechansim
+ *
+ * NOTE: This is a helper that can be employed by multiple mechanisms, do
+ * not make assumptions about the private_data
+ *
+ * @param gensec_security GENSEC state, unused
+ * @param in The request, as a DATA_BLOB
+ * @return Error, INVALID_PARAMETER if it's not a packet for us
+ * or NT_STATUS_OK if the packet is ok.
+ */
+
+NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
+ const DATA_BLOB *blob)
+{
+ if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
+ return NT_STATUS_OK;
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+}
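Review bot: `gensec_gssapi_check_oid()` discards the results of `asn1_load()`, `asn1_start_tag()` and `asn1_check_OID()` and relies only on the sticky `data->has_error` flag, on request bytes that have presumably not been authenticated at this point. Chaining the calls makes the failure path explicit and stops parsing at the first error: `ret = asn1_load(data, *blob) && asn1_start_tag(data, ASN1_APPLICATION(0)) && asn1_check_OID(data, oid);` (this assumes the three helpers return bool, which should be confirmed against `lib/util/asn1.h`). The helper's comment says it checks for "an Kerberos OID" although the OID is a parameter, so `check that a GSS-API wrapper packet carries the expected mechanism OID` would be more accurate. The doc block on `gensec_magic_check_krb5_oid` should also state `NT_STATUS_OK only means the outer APPLICATION 0 tag and the mechanism OID matched; the token contents are not validated here`, and the blank line between that block and the function should go so doc tools attach it.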
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
index 7ca3cab003..fcd74a3a9d 100644..100755
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -3,7 +3,7 @@ bld.SAMBA_LIBRARY('gensec',
source='gensec.c gensec_start.c gensec_util.c',
pc_files='gensec.pc',
autoproto='gensec_toplevel_proto.h',
- public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util',
+ public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util asn1util',
public_headers='gensec.h',
deps='com_err',
vnum='0.0.1'
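Review bot: The mode of `auth/gensec/wscript_build` changes from 100644 to 100755 in this commit (`index 7ca3cab003..fcd74a3a9d 100644..100755`), which looks unrelated to adding `asn1util` and is probably accidental; a build fragment like this is not meant to be run directly, so the executable bit should be dropped again. Separately, `asn1util` goes into `public_deps`, yet the only ASN.1 use visible in this commit is inside the static helper in `gensec_util.c`, so listing it under `deps` may be sufficient; worth confirming that no `gensec.h` consumer needs it. The library also gains an exported function declared in the public header `gensec.h` while `vnum='0.0.1'` is unchanged, so check whether the project's ABI policy expects a bump here.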
diff --git a/auth/kerberos/gssapi_parse.c b/auth/kerberos/gssapi_parse.c
index dadc58b4f8..f58bf3b070 100644
--- a/auth/kerberos/gssapi_parse.c
+++ b/auth/kerberos/gssapi_parse.c
@@ -95,23 +95,3 @@ bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, D
}
-/*
- check a GSS-API wrapper packet givin an expected OID
-*/
-bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
-{
- bool ret;
- struct asn1_data *data = asn1_init(NULL);
-
- if (!data) return false;
-
- asn1_load(data, *blob);
- asn1_start_tag(data, ASN1_APPLICATION(0));
- asn1_check_OID(data, oid);
-
- ret = !data->has_error;
-
- asn1_free(data);
-
- return ret;
-}
diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
index 01ea6acd07..997c2fbb3f 100644
--- a/libcli/auth/krb5_wrap.h
+++ b/libcli/auth/krb5_wrap.h
@@ -96,4 +96,3 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2]);
bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2]);
-bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid);
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index e2a84c19b5..b14829b6cc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -803,26 +803,6 @@ static NTSTATUS gensec_gse_server_start(struct gensec_security *gensec_security)
}
/**
- * Check if the packet is one for this mechansim
- *
- * @param gensec_security GENSEC state
- * @param in The request, as a DATA_BLOB
- * @return Error, INVALID_PARAMETER if it's not a packet for us
- * or NT_STATUS_OK if the packet is ok.
- */
-
-static NTSTATUS gensec_gse_magic(struct gensec_security *gensec_security,
- const DATA_BLOB *in)
-{
- if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
- return NT_STATUS_OK;
- } else {
- return NT_STATUS_INVALID_PARAMETER;
- }
-}
-
-
-/**
* Next state function for the GSE GENSEC mechanism
*
* @param gensec_gse_state GSE State
@@ -1163,7 +1143,7 @@ const struct gensec_security_ops gensec_gse_krb5_security_ops = {
.oid = gensec_gse_krb5_oids,
.client_start = gensec_gse_client_start,
.server_start = gensec_gse_server_start,
- .magic = gensec_gse_magic,
+ .magic = gensec_magic_check_krb5_oid,
.update = gensec_gse_update,
.session_key = gensec_gse_session_key,
.session_info = gensec_gse_session_info,
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 29f1e469e5..c6d4fb5fd5 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -394,26 +394,6 @@ static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_s
/**
- * Check if the packet is one for this mechansim
- *
- * @param gensec_security GENSEC state
- * @param in The request, as a DATA_BLOB
- * @return Error, INVALID_PARAMETER if it's not a packet for us
- * or NT_STATUS_OK if the packet is ok.
- */
-
-static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security,
- const DATA_BLOB *in)
-{
- if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
- return NT_STATUS_OK;
- } else {
- return NT_STATUS_INVALID_PARAMETER;
- }
-}
-
-
-/**
* Next state function for the GSSAPI GENSEC mechanism
*
* @param gensec_gssapi_state GSSAPI State
@@ -1470,7 +1450,7 @@ static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
.oid = gensec_gssapi_spnego_oids,
.client_start = gensec_gssapi_client_start,
.server_start = gensec_gssapi_server_start,
- .magic = gensec_gssapi_magic,
+ .magic = gensec_magic_check_krb5_oid,
.update = gensec_gssapi_update,
.session_key = gensec_gssapi_session_key,
.session_info = gensec_gssapi_session_info,
@@ -1493,7 +1473,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
.oid = gensec_gssapi_krb5_oids,
.client_start = gensec_gssapi_client_start,
.server_start = gensec_gssapi_server_start,
- .magic = gensec_gssapi_magic,
+ .magic = gensec_magic_check_krb5_oid,
.update = gensec_gssapi_update,
.session_key = gensec_gssapi_session_key,
.session_info = gensec_gssapi_session_info,
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 573a4c9a67..9939105ad5 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -393,26 +393,6 @@ static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gen
}
/**
- * Check if the packet is one for this mechansim
- *
- * @param gensec_security GENSEC state
- * @param in The request, as a DATA_BLOB
- * @return Error, INVALID_PARAMETER if it's not a packet for us
- * or NT_STATUS_OK if the packet is ok.
- */
-
-static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security,
- const DATA_BLOB *in)
-{
- if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
- return NT_STATUS_OK;
- } else {
- return NT_STATUS_INVALID_PARAMETER;
- }
-}
-
-
-/**
* Next state function for the Krb5 GENSEC mechanism
*
* @param gensec_krb5_state KRB5 State
@@ -807,7 +787,7 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
.client_start = gensec_fake_gssapi_krb5_client_start,
.server_start = gensec_fake_gssapi_krb5_server_start,
.update = gensec_krb5_update,
- .magic = gensec_fake_gssapi_krb5_magic,
+ .magic = gensec_magic_check_krb5_oid,
.session_key = gensec_krb5_session_key,
.session_info = gensec_krb5_session_info,
.have_feature = gensec_krb5_have_feature,