diff options
-rw-r--r-- | source4/libcli/auth/gensec_krb5.c | 87 | ||||
-rw-r--r-- | source4/libcli/auth/gssapi_parse.c | 88 |
2 files changed, 142 insertions, 33 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index 2035a5bf9a..dbb2a10659 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -66,6 +66,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) initialize_krb5_error_table(); gensec_krb5_state->krb5_context = NULL; gensec_krb5_state->krb5_auth_context = NULL; + gensec_krb5_state->krb5_ccdef = NULL; gensec_krb5_state->session_key = data_blob(NULL, 0); ret = krb5_init_context(&gensec_krb5_state->krb5_context); @@ -120,6 +121,13 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security gensec_krb5_state = gensec_security->private_data; gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START; + ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef); + if (ret) { + DEBUG(1,("krb5_cc_default failed (%s)\n", + error_message(ret))); + return NT_STATUS_INTERNAL_ERROR; + } + return NT_STATUS_OK; } @@ -127,6 +135,16 @@ static void gensec_krb5_end(struct gensec_security *gensec_security) { struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; + if (gensec_krb5_state->krb5_ccdef) { + /* Removed by jra. They really need to fix their kerberos so we don't leak memory. + JERRY -- disabled since it causes heimdal 0.6.1rc3 to die + SuSE 9.1 Pro + */ +#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */ + krb5_cc_close(context, gensec_krb5_state->krb5_ccdef); +#endif + } + if (gensec_krb5_state->krb5_auth_context) { krb5_auth_con_free(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_auth_context); @@ -164,7 +182,6 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL case GENSEC_KRB5_CLIENT_START: { krb5_data packet; - krb5_ccache ccdef = NULL; #if 0 /* When we get some way to input the time offset */ if (time_offset != 0) { @@ -172,20 +189,9 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL } #endif - ret = krb5_cc_default(gensec_krb5_state->krb5_context, &ccdef); - if (ret) { - DEBUG(1,("krb5_cc_default failed (%s)\n", - error_message(ret))); - return NT_STATUS_INTERNAL_ERROR; - } - ret = ads_krb5_mk_req(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_auth_context, - AP_OPTS_USE_SUBKEY -#ifdef MUTUAL_AUTH - | AP_OPTS_MUTUAL_REQUIRED -#endif - , + AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED, gensec_security->target.principal, ccdef, &packet); if (ret) { @@ -193,28 +199,19 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL error_message(ret))); nt_status = NT_STATUS_LOGON_FAILURE; } else { - *out = data_blob_talloc(out_mem_ctx, packet.data, packet.length); + DATA_BLOB unwrapped_out; + unwrapped_out = data_blob_talloc(out_mem_ctx, packet.data, packet.length); + /* wrap that up in a nice GSS-API wrapping */ + *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ); /* Hmm, heimdal dooesn't have this - what's the correct call? */ #ifdef HAVE_KRB5_FREE_DATA_CONTENTS krb5_free_data_contents(gensec_krb5_state->krb5_context, &packet); #endif -#ifdef MUTUAL_AUTH gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; -#else - gensec_krb5_state->state_position = GENSEC_KRB5_DONE; - nt_status = NT_STATUS_OK; -#endif } - /* Removed by jra. They really need to fix their kerberos so we don't leak memory. - JERRY -- disabled since it causes heimdal 0.6.1rc3 to die - SuSE 9.1 Pro - */ -#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */ - krb5_cc_close(context, ccdef); -#endif return nt_status; } @@ -222,8 +219,16 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL { krb5_data inbuf; krb5_ap_rep_enc_part *repl = NULL; - inbuf.data = in.data; - inbuf.length = in.length; + uint8 tok_id[2]; + DATA_BLOB unwrapped_in; + + if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { + return NT_STATUS_INVALID_PARAMETER; + } + /* TODO: check the tok_id */ + + inbuf.data = unwrapped_in.data; + inbuf.length = unwrapped_in.length; ret = krb5_rd_rep(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_auth_context, &inbuf, &repl); @@ -246,18 +251,34 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL case GENSEC_KRB5_SERVER_START: { char *principal; + DATA_BLOB unwrapped_in; + DATA_BLOB unwrapped_out; + uint8 tok_id[2]; + + /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */ + if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { + nt_status = ads_verify_ticket(out_mem_ctx, + gensec_krb5_state->krb5_context, + gensec_krb5_state->krb5_auth_context, + lp_realm(), &in, + &principal, &pac, &unwrapped_out); + } else { + /* TODO: check the tok_id */ + nt_status = ads_verify_ticket(out_mem_ctx, + gensec_krb5_state->krb5_context, + gensec_krb5_state->krb5_auth_context, + lp_realm(), &unwrapped_in, + &principal, &pac, &unwrapped_out); + } - nt_status = ads_verify_ticket(out_mem_ctx, - gensec_krb5_state->krb5_context, - gensec_krb5_state->krb5_auth_context, - lp_realm(), &in, - &principal, &pac, out); gensec_krb5_state->pac = data_blob_talloc_steal(out_mem_ctx, gensec_krb5_state->mem_ctx, &pac); /* TODO: parse the pac */ if (NT_STATUS_IS_OK(nt_status)) { gensec_krb5_state->state_position = GENSEC_KRB5_DONE; + /* wrap that up in a nice GSS-API wrapping */ + *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP); } SAFE_FREE(principal); return nt_status; diff --git a/source4/libcli/auth/gssapi_parse.c b/source4/libcli/auth/gssapi_parse.c new file mode 100644 index 0000000000..4a80e1d799 --- /dev/null +++ b/source4/libcli/auth/gssapi_parse.c @@ -0,0 +1,88 @@ +/* + Unix SMB/CIFS implementation. + + simple GSSAPI wrappers + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 + Copyright (C) Luke Howard 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* + generate a krb5 GSS-API wrapper packet given a ticket +*/ +DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8 tok_id[2]) +{ + ASN1_DATA data; + DATA_BLOB ret; + + ZERO_STRUCT(data); + + asn1_push_tag(&data, ASN1_APPLICATION(0)); + asn1_write_OID(&data, OID_KERBEROS5); + + asn1_write(&data, tok_id, 2); + asn1_write(&data, ticket->data, ticket->length); + asn1_pop_tag(&data); + + if (data.has_error) { + DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data.ofs)); + asn1_free(&data); + } + + ret = data_blob_talloc(mem_ctx, data.data, data.length); + asn1_free(&data); + + return ret; +} + +/* + parse a krb5 GSS-API wrapper packet giving a ticket +*/ +BOOL gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8 tok_id[2]) +{ + BOOL ret; + ASN1_DATA data; + int data_remaining; + + asn1_load(&data, *blob); + asn1_start_tag(&data, ASN1_APPLICATION(0)); + asn1_check_OID(&data, OID_KERBEROS5); + + data_remaining = asn1_tag_remaining(&data); + + if (data_remaining < 3) { + data.has_error = True; + } else { + asn1_read(&data, tok_id, 2); + data_remaining -= 2; + *ticket = data_blob_talloc(mem_ctx, NULL, data_remaining); + asn1_read(&data, ticket->data, ticket->length); + } + + asn1_end_tag(&data); + + ret = !data.has_error; + + asn1_free(&data); + + return ret; +} + + |