-rw-r--r--source4/libcli/auth/gensec_krb5.c87
-rw-r--r--source4/libcli/auth/gssapi_parse.c88
2 files changed, 142 insertions, 33 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 2035a5bf9a..dbb2a10659 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -66,6 +66,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
initialize_krb5_error_table();
gensec_krb5_state->krb5_context = NULL;
gensec_krb5_state->krb5_auth_context = NULL;
+ gensec_krb5_state->krb5_ccdef = NULL;
gensec_krb5_state->session_key = data_blob(NULL, 0);
ret = krb5_init_context(&gensec_krb5_state->krb5_context);
@@ -120,6 +121,13 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
+ ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef);
+ if (ret) {
+ DEBUG(1,("krb5_cc_default failed (%s)\n",
+ error_message(ret)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
return NT_STATUS_OK;
}
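Review bot: The cache handle is stored in `gensec_krb5_state->ccdef` here, but the previous hunk initialises `gensec_krb5_state->krb5_ccdef` and the cleanup hunk tests `krb5_ccdef`; unless the struct really has both members one of these spellings will not compile, and if it does have both the NULL initialisation and the cleanup guard are on the wrong field. Use one name throughout, e.g. `ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccdef);`. Opening the default cache in client_start also means a missing or unreadable ccache now fails context creation rather than the first update() call, which callers that probe for mechanism availability may not expect; a one-line comment stating that intent would help.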
@@ -127,6 +135,16 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
+ if (gensec_krb5_state->krb5_ccdef) {
+ /* Removed by jra. They really need to fix their kerberos so we don't leak memory.
+ JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
+ SuSE 9.1 Pro
+ */
+#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
+ krb5_cc_close(context, gensec_krb5_state->krb5_ccdef);
+#endif
+ }
+
if (gensec_krb5_state->krb5_auth_context) {
krb5_auth_con_free(gensec_krb5_state->krb5_context,
gensec_krb5_state->krb5_auth_context);
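Review bot: The disabled `krb5_cc_close(context, gensec_krb5_state->krb5_ccdef);` refers to a `context` that does not exist in this function, so the moment someone re-enables the `#if 0` it fails to compile; it should read `krb5_cc_close(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccdef);` and be followed by `gensec_krb5_state->krb5_ccdef = NULL;`. The surrounding `if` is otherwise an empty guard around a commented-out call, which a future reader will mistake for a working release; either drop the guard with the dead code or add a comment saying the ccache is deliberately leaked per context. Note this leak is now per gensec context rather than per update() call, which the old code had, so the cost is unchanged but the comment should say where it moved.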
@@ -164,7 +182,6 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
case GENSEC_KRB5_CLIENT_START:
{
krb5_data packet;
- krb5_ccache ccdef = NULL;
#if 0 /* When we get some way to input the time offset */
if (time_offset != 0) {
@@ -172,20 +189,9 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
}
#endif
- ret = krb5_cc_default(gensec_krb5_state->krb5_context, &ccdef);
- if (ret) {
- DEBUG(1,("krb5_cc_default failed (%s)\n",
- error_message(ret)));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
ret = ads_krb5_mk_req(gensec_krb5_state->krb5_context,
&gensec_krb5_state->krb5_auth_context,
- AP_OPTS_USE_SUBKEY
-#ifdef MUTUAL_AUTH
- | AP_OPTS_MUTUAL_REQUIRED
-#endif
- ,
+ AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
gensec_security->target.principal,
ccdef, &packet);
if (ret) {
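Review bot: `ccdef` on the line passing the cache to ads_krb5_mk_req is now an undeclared identifier, because the previous hunk removes the local `krb5_ccache ccdef` and the handle lives in the state struct; it needs to become `gensec_krb5_state->ccdef` (or `krb5_ccdef`, whichever spelling the struct uses). Making `AP_OPTS_MUTUAL_REQUIRED` unconditional is the right call for a client that then waits in GENSEC_KRB5_CLIENT_MUTUAL_AUTH, but that coupling deserves a comment on the flag, e.g. `/* mutual auth is mandatory: the next state expects an AP-REP */`. The enclosing update() switch arm continues past the end of this hunk.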
@@ -193,28 +199,19 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
error_message(ret)));
nt_status = NT_STATUS_LOGON_FAILURE;
} else {
- *out = data_blob_talloc(out_mem_ctx, packet.data, packet.length);
+ DATA_BLOB unwrapped_out;
+ unwrapped_out = data_blob_talloc(out_mem_ctx, packet.data, packet.length);
+ /* wrap that up in a nice GSS-API wrapping */
+ *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
/* Hmm, heimdal dooesn't have this - what's the correct call? */
#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
krb5_free_data_contents(gensec_krb5_state->krb5_context, &packet);
#endif
-#ifdef MUTUAL_AUTH
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
-#else
- gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
- nt_status = NT_STATUS_OK;
-#endif
}
- /* Removed by jra. They really need to fix their kerberos so we don't leak memory.
- JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
- SuSE 9.1 Pro
- */
-#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
- krb5_cc_close(context, ccdef);
-#endif
return nt_status;
}
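Review bot: Neither `data_blob_talloc` nor `gensec_gssapi_gen_krb5_wrap` has its result checked before the state moves to GENSEC_KRB5_CLIENT_MUTUAL_AUTH, so an allocation or ASN.1 failure sends an empty token and leaves the context waiting for an AP-REP that will never match. Check the wrapped blob before committing the state change, e.g. `if (!out->length) { nt_status = NT_STATUS_NO_MEMORY; break; }` (or whatever this file uses for that case), placed before the state_position assignment. The `unwrapped_out` copy on out_mem_ctx is also an extra allocation that `data_blob_talloc` could avoid if gen_krb5_wrap accepted the krb5_data directly, but that is an optimisation, not a defect.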
@@ -222,8 +219,16 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
{
krb5_data inbuf;
krb5_ap_rep_enc_part *repl = NULL;
- inbuf.data = in.data;
- inbuf.length = in.length;
+ uint8 tok_id[2];
+ DATA_BLOB unwrapped_in;
+
+ if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ /* TODO: check the tok_id */
+
+ inbuf.data = unwrapped_in.data;
+ inbuf.length = unwrapped_in.length;
ret = krb5_rd_rep(gensec_krb5_state->krb5_context,
gensec_krb5_state->krb5_auth_context,
&inbuf, &repl);
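Review bot: The `/* TODO: check the tok_id */` is the security-relevant gap in this hunk: a reply whose token ID is not AP-REP is still handed to krb5_rd_rep, so the mutual-auth step accepts any token that parses under the generic wrapper. Since `gensec_gssapi_gen_krb5_wrap` already takes the ID as a two-byte array, the check is one line: `if (memcmp(tok_id, TOK_ID_KRB_AP_REP, 2) != 0) return NT_STATUS_INVALID_PARAMETER;`, placed right after the parse. The switch arm that holds this code runs on past the end of the hunk.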
@@ -246,18 +251,34 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
case GENSEC_KRB5_SERVER_START:
{
char *principal;
+ DATA_BLOB unwrapped_in;
+ DATA_BLOB unwrapped_out;
+ uint8 tok_id[2];
+
+ /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
+ if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
+ nt_status = ads_verify_ticket(out_mem_ctx,
+ gensec_krb5_state->krb5_context,
+ gensec_krb5_state->krb5_auth_context,
+ lp_realm(), &in,
+ &principal, &pac, &unwrapped_out);
+ } else {
+ /* TODO: check the tok_id */
+ nt_status = ads_verify_ticket(out_mem_ctx,
+ gensec_krb5_state->krb5_context,
+ gensec_krb5_state->krb5_auth_context,
+ lp_realm(), &unwrapped_in,
+ &principal, &pac, &unwrapped_out);
+ }
- nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->krb5_context,
- gensec_krb5_state->krb5_auth_context,
- lp_realm(), &in,
- &principal, &pac, out);
gensec_krb5_state->pac = data_blob_talloc_steal(out_mem_ctx, gensec_krb5_state->mem_ctx,
&pac);
/* TODO: parse the pac */
if (NT_STATUS_IS_OK(nt_status)) {
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+ /* wrap that up in a nice GSS-API wrapping */
+ *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
}
SAFE_FREE(principal);
return nt_status;
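Review bot: On the wrapped path the token ID is read but never compared, so an AP-REP (or anything else) inside a KRB5 wrapper reaches ads_verify_ticket as if it were an AP-REQ; add `if (memcmp(tok_id, TOK_ID_KRB_AP_REQ, 2) != 0) return NT_STATUS_INVALID_PARAMETER;` in the else branch in place of the TODO. The fallback branch also means a malformed wrapper is silently retried as a raw ticket, which hides parse errors from the log; a DEBUG line in the `!parse` branch saying the unwrapped form is being tried would make win2k3 interop failures diagnosable. Finally, `*out` is now only written on success, whereas the old code passed `out` straight to ads_verify_ticket; initialise it with `*out = data_blob(NULL, 0);` before the call so callers never see an uninitialised blob on failure.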
diff --git a/source4/libcli/auth/gssapi_parse.c b/source4/libcli/auth/gssapi_parse.c
new file mode 100644
index 0000000000..4a80e1d799
--- /dev/null
+++ b/source4/libcli/auth/gssapi_parse.c
@@ -0,0 +1,88 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ simple GSSAPI wrappers
+
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+ Copyright (C) Luke Howard 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+/*
+ generate a krb5 GSS-API wrapper packet given a ticket
+*/
+DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8 tok_id[2])
+{
+ ASN1_DATA data;
+ DATA_BLOB ret;
+
+ ZERO_STRUCT(data);
+
+ asn1_push_tag(&data, ASN1_APPLICATION(0));
+ asn1_write_OID(&data, OID_KERBEROS5);
+
+ asn1_write(&data, tok_id, 2);
+ asn1_write(&data, ticket->data, ticket->length);
+ asn1_pop_tag(&data);
+
+ if (data.has_error) {
+ DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data.ofs));
+ asn1_free(&data);
+ }
+
+ ret = data_blob_talloc(mem_ctx, data.data, data.length);
+ asn1_free(&data);
+
+ return ret;
+}
+
+/*
+ parse a krb5 GSS-API wrapper packet giving a ticket
+*/
+BOOL gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8 tok_id[2])
+{
+ BOOL ret;
+ ASN1_DATA data;
+ int data_remaining;
+
+ asn1_load(&data, *blob);
+ asn1_start_tag(&data, ASN1_APPLICATION(0));
+ asn1_check_OID(&data, OID_KERBEROS5);
+
+ data_remaining = asn1_tag_remaining(&data);
+
+ if (data_remaining < 3) {
+ data.has_error = True;
+ } else {
+ asn1_read(&data, tok_id, 2);
+ data_remaining -= 2;
+ *ticket = data_blob_talloc(mem_ctx, NULL, data_remaining);
+ asn1_read(&data, ticket->data, ticket->length);
+ }
+
+ asn1_end_tag(&data);
+
+ ret = !data.has_error;
+
+ asn1_free(&data);
+
+ return ret;
+}
+
+
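Review bot: In gensec_gssapi_gen_krb5_wrap the `has_error` branch frees the ASN.1 buffer and then falls through to `data_blob_talloc(mem_ctx, data.data, data.length)`, so the return value on failure depends on what asn1_free leaves behind rather than being an explicit error; return early instead, `asn1_free(&data); return data_blob(NULL, 0);`, and document that an empty blob means the wrapper could not be built so callers check `.length`. In gensec_gssapi_parse_krb5_wrap the `data_blob_talloc` result is not checked before `asn1_read(&data, ticket->data, ticket->length)`; a NULL `ticket->data` with a non-zero length should set `data.has_error = True` rather than reach asn1_read. The `data_remaining < 3` bound correctly covers a negative return from asn1_tag_remaining, but a comment saying it reserves two bytes for the token ID plus at least one byte of payload would make the constant self-explanatory.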