summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r--source4/auth/kerberos/config.mk2
-rw-r--r--source4/auth/kerberos/kerberos_heimdal.c101
-rw-r--r--source4/auth/kerberos/kerberos_verify.c102
3 files changed, 102 insertions, 103 deletions
diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk
index 689130d567..f75fd99323 100644
--- a/source4/auth/kerberos/config.mk
+++ b/source4/auth/kerberos/config.mk
@@ -4,7 +4,7 @@
PRIVATE_PROTO_HEADER = proto.h
OBJ_FILES = kerberos.o \
clikrb5.o \
- kerberos_verify.o \
+ kerberos_heimdal.o \
kerberos_util.o \
kerberos_pac.o \
gssapi_parse.o \
diff --git a/source4/auth/kerberos/kerberos_heimdal.c b/source4/auth/kerberos/kerberos_heimdal.c
new file mode 100644
index 0000000000..f669d0f2f4
--- /dev/null
+++ b/source4/auth/kerberos/kerberos_heimdal.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* This file for code taken from the Heimdal code, to preserve licence */
+/* Modified by Andrew Bartlett <abartlet@samba.org> */
+
+#include "includes.h"
+#include "system/kerberos.h"
+
+/* Taken from accept_sec_context.c,v 1.65 */
+krb5_error_code smb_rd_req_return_stuff(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_data *inbuf,
+ krb5_keytab keytab,
+ krb5_principal acceptor_principal,
+ krb5_data *outbuf,
+ krb5_ticket **ticket,
+ krb5_keyblock **keyblock)
+{
+ krb5_rd_req_in_ctx in = NULL;
+ krb5_rd_req_out_ctx out = NULL;
+ krb5_error_code kret;
+
+ *keyblock = NULL;
+ *ticket = NULL;
+ outbuf->length = 0;
+ outbuf->data = NULL;
+
+ kret = krb5_rd_req_in_ctx_alloc(context, &in);
+ if (kret == 0)
+ kret = krb5_rd_req_in_set_keytab(context, in, keytab);
+ if (kret) {
+ if (in)
+ krb5_rd_req_in_ctx_free(context, in);
+ return kret;
+ }
+
+ kret = krb5_rd_req_ctx(context,
+ auth_context,
+ inbuf,
+ acceptor_principal,
+ in, &out);
+ krb5_rd_req_in_ctx_free(context, in);
+ if (kret) {
+ return kret;
+ }
+
+ /*
+ * We need to remember some data on the context_handle.
+ */
+ kret = krb5_rd_req_out_get_ticket(context, out,
+ ticket);
+ if (kret == 0) {
+ kret = krb5_rd_req_out_get_keyblock(context, out,
+ keyblock);
+ }
+ krb5_rd_req_out_ctx_free(context, out);
+
+ if (kret == 0) {
+ kret = krb5_mk_rep(context, *auth_context, outbuf);
+ }
+
+ if (kret) {
+ krb5_free_ticket(context, *ticket);
+ krb5_free_keyblock(context, *keyblock);
+ krb5_data_free(outbuf);
+ }
+
+ return kret;
+}
+
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c
deleted file mode 100644
index 2111e22aa3..0000000000
--- a/source4/auth/kerberos/kerberos_verify.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- kerberos utility library
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Remus Koos 2001
- Copyright (C) Luke Howard 2003
- Copyright (C) Guenther Deschner 2003
- Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
-
-/**********************************************************************************
- Verify an incoming ticket and parse out the principal name and
- authorization_data if available.
-***********************************************************************************/
-
- NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
- struct smb_krb5_context *smb_krb5_context,
- krb5_auth_context *auth_context,
- struct cli_credentials *machine_account,
- const char *service,
- const DATA_BLOB *enc_ticket,
- krb5_ticket **tkt,
- DATA_BLOB *ap_rep,
- krb5_keyblock **keyblock)
-{
- krb5_keyblock *local_keyblock;
- krb5_data packet;
- int ret;
- krb5_flags ap_req_options = 0;
- krb5_principal server;
- krb5_data packet_out;
-
- struct keytab_container *keytab_container;
-
- /*
- * TODO: Actually hook in the replay cache in Heimdal, then
- * re-add calls to setup a replay cache here, in our private
- * directory. This will eventually prevent replay attacks
- */
-
- packet.length = enc_ticket->length;
- packet.data = (krb5_pointer)enc_ticket->data;
-
- /* Grab the keytab, however generated */
- ret = cli_credentials_get_keytab(machine_account, &keytab_container);
- if (ret) {
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
- /* This ensures we lookup the correct entry in that keytab */
- ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context,
- &server);
- if (ret == 0) {
- ret = krb5_rd_req_return_keyblock(smb_krb5_context->krb5_context, auth_context, &packet,
- server,
- keytab_container->keytab, &ap_req_options, tkt,
- &local_keyblock);
- }
-
- if (ret) {
- DEBUG(3,("ads_secrets_verify_ticket: failed to decrypt with error %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
- return NT_STATUS_LOGON_FAILURE;
- }
- *keyblock = local_keyblock;
-
-
- ret = krb5_mk_rep(smb_krb5_context->krb5_context, *auth_context, &packet_out);
- if (ret) {
- krb5_free_ticket(smb_krb5_context->krb5_context, *tkt);
-
- DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- *ap_rep = data_blob_talloc(mem_ctx, packet_out.data, packet_out.length);
- krb5_free_data_contents(smb_krb5_context->krb5_context, &packet_out);
-
- return NT_STATUS_OK;
-}