summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c37
-rw-r--r--source4/auth/gensec/gensec_krb5.c70
2 files changed, 35 insertions, 72 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 314f76038b..c6a16cdf33 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -43,7 +43,7 @@ struct gensec_gssapi_state {
DATA_BLOB session_key;
DATA_BLOB pac;
- krb5_context krb5_context;
+ struct smb_krb5_context *smb_krb5_context;
krb5_ccache ccache;
const char *ccache_name;
@@ -98,9 +98,6 @@ static int gensec_gssapi_destory(void *ptr)
if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
}
- if (gensec_gssapi_state->krb5_context) {
- krb5_free_context(gensec_gssapi_state->krb5_context);
- }
return 0;
}
@@ -129,8 +126,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->session_key = data_blob(NULL, 0);
gensec_gssapi_state->pac = data_blob(NULL, 0);
- gensec_gssapi_state->krb5_context = NULL;
-
gensec_gssapi_state->cred = GSS_C_NO_CREDENTIAL;
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destory);
@@ -161,29 +156,13 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->gss_oid = gss_mech_krb5;
- ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
+ ret = smb_krb5_init_context(gensec_gssapi_state,
+ &gensec_gssapi_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
- smb_get_krb5_error_message(gensec_gssapi_state->krb5_context,
- ret, gensec_gssapi_state)));
+ error_message(ret)));
return NT_STATUS_INTERNAL_ERROR;
}
-
- if (lp_realm() && *lp_realm()) {
- char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm());
- if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
- return NT_STATUS_NO_MEMORY;
- }
- ret = krb5_set_default_realm(gensec_gssapi_state->krb5_context, upper_realm);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n",
- smb_get_krb5_error_message(gensec_gssapi_state->krb5_context,
- ret, gensec_gssapi_state)));
- return NT_STATUS_INTERNAL_ERROR;
- }
- }
-
return NT_STATUS_OK;
}
@@ -216,7 +195,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gensec_gssapi_state = gensec_security->private_data;
- name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", gensec_get_target_service(gensec_security),
+ name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s",
+ gensec_get_target_service(gensec_security),
gensec_get_target_hostname(gensec_security));
name_token.length = strlen(name_token.value);
@@ -231,7 +211,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_UNSUCCESSFUL;
}
- name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security), gensec_gssapi_state),
+ name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security),
+ gensec_gssapi_state),
name_token.length = strlen(name_token.value);
maj_stat = gss_import_name (&min_stat,
@@ -249,7 +230,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
nt_status = kinit_to_ccache(gensec_gssapi_state,
gensec_get_credentials(gensec_security),
- gensec_gssapi_state->krb5_context,
+ gensec_gssapi_state->smb_krb5_context,
&gensec_gssapi_state->ccache, &gensec_gssapi_state->ccache_name);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 1ac46f3ac9..d633794e1c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -43,7 +43,7 @@ struct gensec_krb5_state {
DATA_BLOB session_key;
DATA_BLOB pac;
enum GENSEC_KRB5_STATE state_position;
- krb5_context context;
+ struct smb_krb5_context *smb_krb5_context;
krb5_auth_context auth_context;
krb5_ccache ccache;
krb5_data ticket;
@@ -67,7 +67,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
cksum.checksum.data = sig->signature;
- ret = krb5_crypto_init(gensec_krb5_state->context,
+ ret = krb5_crypto_init(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->keyblock,
0,
&crypto);
@@ -77,7 +77,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
}
for (i=0; i < 40; i++) {
keyusage = i;
- ret = krb5_verify_checksum(gensec_krb5_state->context,
+ ret = krb5_verify_checksum(gensec_krb5_state->smb_krb5_context->krb5_context,
crypto,
keyusage,
pac_data.data,
@@ -88,7 +88,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
break;
}
}
- krb5_crypto_destroy(gensec_krb5_state->context, crypto);
+ krb5_crypto_destroy(gensec_krb5_state->smb_krb5_context->krb5_context, crypto);
if (ret) {
DEBUG(0,("NOT verifying PAC checksums yet!\n"));
@@ -235,22 +235,19 @@ static int gensec_krb5_destory(void *ptr)
struct gensec_krb5_state *gensec_krb5_state = ptr;
if (gensec_krb5_state->ticket.length) {
- kerberos_free_data_contents(gensec_krb5_state->context,
+ kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->ticket);
}
/* ccache freed in a child destructor */
- krb5_free_keyblock_contents(gensec_krb5_state->context,
+ krb5_free_keyblock_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->keyblock);
if (gensec_krb5_state->auth_context) {
- krb5_auth_con_free(gensec_krb5_state->context,
+ krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context);
}
- if (gensec_krb5_state->context) {
- krb5_free_context(gensec_krb5_state->context);
- }
return 0;
}
@@ -267,7 +264,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
gensec_security->private_data = gensec_krb5_state;
initialize_krb5_error_table();
- gensec_krb5_state->context = NULL;
gensec_krb5_state->auth_context = NULL;
gensec_krb5_state->ccache = NULL;
ZERO_STRUCT(gensec_krb5_state->ticket);
@@ -277,32 +273,18 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destory);
- ret = krb5_init_context(&gensec_krb5_state->context);
+ ret = smb_krb5_init_context(gensec_krb5_state,
+ &gensec_krb5_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
error_message(ret)));
return NT_STATUS_INTERNAL_ERROR;
}
- if (lp_realm() && *lp_realm()) {
- char *upper_realm = strupper_talloc(gensec_krb5_state, lp_realm());
- if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
- return NT_STATUS_NO_MEMORY;
- }
- ret = krb5_set_default_realm(gensec_krb5_state->context, upper_realm);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context,
- ret, gensec_krb5_state)));
- return NT_STATUS_INTERNAL_ERROR;
- }
- }
-
- ret = krb5_auth_con_init(gensec_krb5_state->context, &gensec_krb5_state->auth_context);
+ ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context,
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
return NT_STATUS_INTERNAL_ERROR;
}
@@ -351,10 +333,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
TODO: If the user set a username, we should use an in-memory CCACHE (see below)
*/
- ret = krb5_cc_default(gensec_krb5_state->context, &gensec_krb5_state->ccache);
+ ret = krb5_cc_default(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INTERNAL_ERROR;
}
@@ -363,7 +345,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
krb5_data in_data;
in_data.length = 0;
- ret = krb5_mk_req(gensec_krb5_state->context,
+ ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
gensec_get_target_service(gensec_security),
@@ -377,7 +359,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
return NT_STATUS_OK;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
- hostname, smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_ACCESS_DENIED;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
@@ -387,7 +369,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
case KRB5_KDCREP_SKEW:
{
DEBUG(3, ("kerberos (mk_req) failed: %s\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
/* fall down to remaining code */
}
@@ -399,7 +381,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
nt_status = kinit_to_ccache(gensec_krb5_state,
gensec_security->credentials,
- gensec_krb5_state->context,
+ gensec_krb5_state->smb_krb5_context,
&gensec_krb5_state->ccache,
&ccache_name);
@@ -410,7 +392,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
default:
DEBUG(0, ("kerberos: %s\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_UNSUCCESSFUL;
}
}
@@ -442,7 +424,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
{
if (ret) {
DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
nt_status = NT_STATUS_LOGON_FAILURE;
} else {
DATA_BLOB unwrapped_out;
@@ -478,12 +460,12 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
inbuf.data = unwrapped_in.data;
inbuf.length = unwrapped_in.length;
- ret = krb5_rd_rep(gensec_krb5_state->context,
+ ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
&inbuf, &repl);
if (ret) {
DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
nt_status = NT_STATUS_ACCESS_DENIED;
} else {
@@ -492,7 +474,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
}
if (repl) {
- krb5_free_ap_rep_enc_part(gensec_krb5_state->context, repl);
+ krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
}
return nt_status;
}
@@ -512,7 +494,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->context,
+ gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
lp_realm(),
gensec_get_target_service(gensec_security), &in,
@@ -521,7 +503,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
} else {
/* TODO: check the tok_id */
nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->context,
+ gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
lp_realm(),
gensec_get_target_service(gensec_security),
@@ -558,10 +540,10 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
}
static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
- DATA_BLOB *session_key)
+ DATA_BLOB *session_key)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
- krb5_context context = gensec_krb5_state->context;
+ krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
krb5_auth_context auth_context = gensec_krb5_state->auth_context;
krb5_keyblock *skey;
krb5_error_code err;
generated by cgit (git 2.34.1) at 2024-09-18 18:19:39 +0000