summaryrefslogtreecommitdiff
path: root/source4/libcli
diff options
context:
space:
mode:
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/auth/clikrb5.c (renamed from source4/libcli/raw/clikrb5.c)107
-rw-r--r--source4/libcli/auth/kerberos.c175
-rw-r--r--source4/libcli/auth/kerberos.h50
-rw-r--r--source4/libcli/auth/kerberos_verify.c266
-rw-r--r--source4/libcli/auth/spnego.c343
-rw-r--r--source4/libcli/auth/spnego.h65
-rw-r--r--source4/libcli/config.m410
-rw-r--r--source4/libcli/raw/clispnego.c539
-rw-r--r--source4/libcli/util/asn1.c35
9 files changed, 1021 insertions, 569 deletions
diff --git a/source4/libcli/raw/clikrb5.c b/source4/libcli/auth/clikrb5.c
index ba3e9ccd17..6e19d4dc18 100644
--- a/source4/libcli/raw/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -234,6 +234,55 @@ krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
}
#endif
+#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
+ void krb5_free_unparsed_name(krb5_context context, char *val)
+{
+ SAFE_FREE(val);
+}
+#endif
+
+static BOOL ads_cleanup_expired_creds(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *credsp)
+{
+ krb5_error_code retval;
+ TALLOC_CTX *mem_ctx = talloc_init("ticket expied time");
+ if (!mem_ctx) {
+ return False;
+ }
+
+ DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
+ krb5_cc_default_name(context),
+ http_timestring(mem_ctx, credsp->times.endtime)));
+
+ talloc_destroy(mem_ctx);
+
+ /* we will probably need new tickets if the current ones
+ will expire within 10 seconds.
+ */
+ if (credsp->times.endtime >= (time(NULL) + 10))
+ return False;
+
+ /* heimdal won't remove creds from a file ccache, and
+ perhaps we shouldn't anyway, since internally we
+ use memory ccaches, and a FILE one probably means that
+ we're using creds obtained outside of our exectuable
+ */
+ if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) {
+ DEBUG(5, ("We do not remove creds from a FILE ccache\n"));
+ return False;
+ }
+
+ retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
+ if (retval) {
+ DEBUG(1, ("krb5_cc_remove_cred failed, err %s\n",
+ error_message(retval)));
+ /* If we have an error in this, we want to display it,
+ but continue as though we deleted it */
+ }
+ return True;
+}
+
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
*/
@@ -249,7 +298,10 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
krb5_creds * credsp;
krb5_creds creds;
krb5_data in_data;
+ BOOL creds_ready = False;
+ TALLOC_CTX *mem_ctx;
+
retval = krb5_parse_name(context, principal, &server);
if (retval) {
DEBUG(1,("Failed to parse principal %s\n", principal));
@@ -270,20 +322,36 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
goto cleanup_creds;
}
- if ((retval = krb5_get_credentials(context, 0,
- ccache, &creds, &credsp))) {
- DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
- principal, error_message(retval)));
- goto cleanup_creds;
+ while(!creds_ready) {
+ if ((retval = krb5_get_credentials(context, 0, ccache,
+ &creds, &credsp))) {
+ DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
+ principal, error_message(retval)));
+ goto cleanup_creds;
+ }
+
+ /* cope with ticket being in the future due to clock skew */
+ if ((unsigned)credsp->times.starttime > time(NULL)) {
+ time_t t = time(NULL);
+ int time_offset =(unsigned)credsp->times.starttime-t;
+ DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
+ krb5_set_real_time(context, t + time_offset + 1, 0);
+ }
+
+ if (!ads_cleanup_expired_creds(context, ccache, credsp))
+ creds_ready = True;
}
- /* cope with the ticket being in the future due to clock skew */
- if ((uint_t)credsp->times.starttime > time(NULL)) {
- time_t t = time(NULL);
- int time_offset = (uint_t)credsp->times.starttime - t;
- DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
- krb5_set_real_time(context, t + time_offset + 1, 0);
+ mem_ctx = talloc_init("ticket expied time");
+ if (!mem_ctx) {
+ retval = ENOMEM;
+ goto cleanup_creds;
}
+ DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n",
+ principal, krb5_cc_default_name(context),
+ http_timestring(mem_ctx, (unsigned)credsp->times.endtime),
+ (unsigned)credsp->times.endtime));
+
in_data.length = 0;
retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
@@ -312,8 +380,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
{
krb5_error_code retval;
krb5_data packet;
- krb5_ccache ccdef;
- krb5_context context;
+ krb5_context context = NULL;
+ krb5_ccache ccdef = NULL;
krb5_auth_context auth_context = NULL;
krb5_enctype enc_types[] = {
#ifdef ENCTYPE_ARCFOUR_HMAC
@@ -364,8 +432,17 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
#endif
failed:
- if ( context )
+
+ if ( context ) {
+#if 0 /* JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
+ SuSE 9.1 Pro */
+ if (ccdef)
+ krb5_cc_close(context, ccdef);
+#endif
+ if (auth_context)
+ krb5_auth_con_free(context, auth_context);
krb5_free_context(context);
+ }
return retval;
}
@@ -410,7 +487,7 @@ failed:
#endif
#else /* HAVE_KRB5 */
-/* this saves a few linking headaches */
+ /* this saves a few linking headaches */
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
{
diff --git a/source4/libcli/auth/kerberos.c b/source4/libcli/auth/kerberos.c
new file mode 100644
index 0000000000..e8bf4b0846
--- /dev/null
+++ b/source4/libcli/auth/kerberos.c
@@ -0,0 +1,175 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_KRB5
+
+/*
+ we use a prompter to avoid a crash bug in the kerberos libs when
+ dealing with empty passwords
+ this prompter is just a string copy ...
+*/
+static krb5_error_code
+kerb_prompter(krb5_context ctx, void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
+{
+ if (num_prompts == 0) return 0;
+
+ memset(prompts[0].reply->data, 0, prompts[0].reply->length);
+ if (prompts[0].reply->length > 0) {
+ if (data) {
+ strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
+ prompts[0].reply->length = strlen(prompts[0].reply->data);
+ } else {
+ prompts[0].reply->length = 0;
+ }
+ }
+ return 0;
+}
+
+/*
+ simulate a kinit, putting the tgt in the default cache location
+ remus@snapserver.com
+*/
+int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time)
+{
+ krb5_context ctx = NULL;
+ krb5_error_code code = 0;
+ krb5_ccache cc = NULL;
+ krb5_principal me;
+ krb5_creds my_creds;
+
+ if ((code = krb5_init_context(&ctx)))
+ return code;
+
+ if (time_offset != 0) {
+ krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
+ }
+
+ if ((code = krb5_cc_default(ctx, &cc))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+
+ if ((code = krb5_parse_name(ctx, principal, &me))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, NULL,
+ kerb_prompter,
+ password, 0, NULL, NULL))) {
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+ return code;
+ }
+
+ if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+ return code;
+ }
+
+ if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+ krb5_cc_close(ctx, cc);
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+ return code;
+ }
+
+ if (expire_time)
+ *expire_time = (time_t) my_creds.times.endtime;
+
+ krb5_cc_close(ctx, cc);
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+
+ return 0;
+}
+
+
+
+/* run kinit to setup our ccache */
+int ads_kinit_password(ADS_STRUCT *ads)
+{
+ char *s;
+ int ret;
+
+ if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
+ return KRB5_CC_NOMEM;
+ }
+
+ if (!ads->auth.password) {
+ return KRB5_LIBOS_CANTREADPWD;
+ }
+
+ ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire);
+
+ if (ret) {
+ DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
+ s, error_message(ret)));
+ }
+ free(s);
+ return ret;
+}
+
+int ads_kdestroy(const char *cc_name)
+{
+ krb5_error_code code;
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+
+ if ((code = krb5_init_context (&ctx))) {
+ DEBUG(3, ("ads_kdestroy: kdb5_init_context rc=%d\n", code));
+ return code;
+ }
+
+ if (!cc_name) {
+ if ((code = krb5_cc_default(ctx, &cc))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+ } else {
+ if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_resolve rc=%d\n",
+ code));
+ krb5_free_context(ctx);
+ return code;
+ }
+ }
+
+ if ((code = krb5_cc_destroy (ctx, cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy rc=%d\n", code));
+ }
+
+ krb5_free_context (ctx);
+ return code;
+}
+
+#endif
diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h
new file mode 100644
index 0000000000..6f63f6eef2
--- /dev/null
+++ b/source4/libcli/auth/kerberos.h
@@ -0,0 +1,50 @@
+/*
+ Unix SMB/CIFS implementation.
+ simple kerberos5 routines for active directory
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Luke Howard 2002-2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#if defined(HAVE_KRB5)
+
+#ifndef HAVE_KRB5_SET_REAL_TIME
+krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
+#endif
+
+#ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
+krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
+#endif
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
+#endif
+
+#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
+void krb5_free_unparsed_name(krb5_context ctx, char *val);
+#endif
+
+/* Samba wrapper function for krb5 functionality. */
+void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr);
+int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
+void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt);
+krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes);
+BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote);
+#endif /* HAVE_KRB5 */
+
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c
new file mode 100644
index 0000000000..805a3f570f
--- /dev/null
+++ b/source4/libcli/auth/kerberos_verify.c
@@ -0,0 +1,266 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Luke Howard 2003
+ Copyright (C) Guenther Deschner 2003
+ Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_KRB5
+
+/*
+ verify an incoming ticket and parse out the principal name and
+ authorization_data if available
+*/
+NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
+ char **principal, DATA_BLOB *auth_data,
+ DATA_BLOB *ap_rep,
+ DATA_BLOB *session_key)
+{
+ NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
+ krb5_context context = NULL;
+ krb5_auth_context auth_context = NULL;
+ krb5_data packet;
+ krb5_ticket *tkt = NULL;
+ krb5_rcache rcache = NULL;
+ int ret, i;
+ krb5_keyblock *key = NULL;
+
+ krb5_principal host_princ;
+ char *host_princ_s = NULL;
+ BOOL free_host_princ = False;
+ BOOL got_replay_mutex = False;
+
+ fstring myname;
+ char *password_s = NULL;
+ krb5_data password;
+ krb5_enctype *enctypes = NULL;
+#if 0
+ krb5_address local_addr;
+ krb5_address remote_addr;
+#endif
+ BOOL auth_ok = False;
+
+ ZERO_STRUCT(packet);
+ ZERO_STRUCT(password);
+ ZERO_STRUCTP(auth_data);
+ ZERO_STRUCTP(ap_rep);
+
+ if (!secrets_init()) {
+ DEBUG(1,("ads_verify_ticket: secrets_init failed\n"));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ password_s = secrets_fetch_machine_password(lp_workgroup());
+ if (!password_s) {
+ DEBUG(1,("ads_verify_ticket: failed to fetch machine password\n"));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ password.data = password_s;
+ password.length = strlen(password_s);
+
+ ret = krb5_init_context(&context);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret)));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ ret = krb5_set_default_realm(context, realm);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ /* This whole process is far more complex than I would
+ like. We have to go through all this to allow us to store
+ the secret internally, instead of using /etc/krb5.keytab */
+
+ ret = krb5_auth_con_init(context, &auth_context);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ fstrcpy(myname, global_myname());
+ strlower_m(myname);
+ asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
+ ret = krb5_parse_name(context, host_princ_s, &host_princ);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
+ host_princ_s, error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ free_host_princ = True;
+
+ /*
+ * JRA. We must set the rcache here. This will prevent replay attacks.
+ */
+
+ ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ ret = krb5_auth_con_setrcache(context, auth_context, rcache);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ /* CIFS doesn't use addresses in tickets. This would breat NAT. JRA */
+
+ if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
+ DEBUG(1,("ads_verify_ticket: krb5_get_permitted_enctypes failed (%s)\n",
+ error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
+ * code surrounding the replay cache... */
+
+ if (!grab_server_mutex("replay cache mutex")) {
+ DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ got_replay_mutex = True;
+
+ /* We need to setup a auth context with each possible encoding type in turn. */
+ for (i=0;enctypes[i];i++) {
+ if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
+ sret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
+ continue;
+ }
+
+ krb5_auth_con_setuseruserkey(context, auth_context, key);
+
+ krb5_free_keyblock(context, key);
+
+ packet.length = ticket->length;
+ packet.data = (krb5_pointer)ticket->data;
+
+ if (!(ret = krb5_rd_req(context, &auth_context, &packet,
+ NULL,
+ NULL, NULL, &tkt))) {
+ DEBUG(10,("ads_verify_ticket: enc type [%u] decrypted message !\n",
+ (unsigned int)enctypes[i] ));
+ auth_ok = True;
+ break;
+ }
+
+ DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
+ ("ads_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
+ (unsigned int)enctypes[i], error_message(ret)));
+ }
+
+ release_server_mutex();
+ got_replay_mutex = False;
+
+ if (!auth_ok) {
+ DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
+ error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ ret = krb5_mk_rep(context, auth_context, &packet);
+ if (ret) {
+ DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
+ error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ *ap_rep = data_blob(packet.data, packet.length);
+ free(packet.data);
+
+ get_krb5_smb_session_key(context, auth_context, session_key, True);
+ dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
+
+#if 0
+ file_save("/tmp/ticket.dat", ticket->data, ticket->length);
+#endif
+
+ /* auth_data is the PAC */
+ get_auth_data_from_tkt(auth_data, tkt);
+
+#if 0
+ if (tkt->enc_part2) {
+ file_save("/tmp/authdata.dat",
+ tkt->enc_part2->authorization_data[0]->contents,
+ tkt->enc_part2->authorization_data[0]->length);
+ }
+#endif
+
+ if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
+ principal))) {
+ DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n",
+ error_message(ret)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ sret = NT_STATUS_OK;
+
+ out:
+
+ if (got_replay_mutex)
+ release_server_mutex();
+
+ if (!NT_STATUS_IS_OK(sret))
+ data_blob_free(auth_data);
+
+ if (!NT_STATUS_IS_OK(sret))
+ data_blob_free(ap_rep);
+
+ if (free_host_princ)
+ krb5_free_principal(context, host_princ);
+
+ if (tkt != NULL)
+ krb5_free_ticket(context, tkt);
+ free_kerberos_etypes(context, enctypes);
+ SAFE_FREE(password_s);
+ SAFE_FREE(host_princ_s);
+
+ if (auth_context)
+ krb5_auth_con_free(context, auth_context);
+
+ if (context)
+ krb5_free_context(context);
+
+ return sret;
+}
+
+#endif /* HAVE_KRB5 */
diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
new file mode 100644
index 0000000000..ddc98f883b
--- /dev/null
+++ b/source4/libcli/auth/spnego.c
@@ -0,0 +1,343 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ RFC2478 Compliant SPNEGO implementation
+
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
+static BOOL read_negTokenInit(ASN1_DATA *asn1, struct spnego_negTokenInit *token)
+{
+ ZERO_STRUCTP(token);
+
+ asn1_start_tag(asn1, ASN1_CONTEXT(0));
+ asn1_start_tag(asn1, ASN1_SEQUENCE(0));
+
+ while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
+ int i;
+
+ switch (asn1->data[asn1->ofs]) {
+ /* Read mechTypes */
+ case ASN1_CONTEXT(0):
+ asn1_start_tag(asn1, ASN1_CONTEXT(0));
+ asn1_start_tag(asn1, ASN1_SEQUENCE(0));
+
+ token->mechTypes = malloc(sizeof(*token->mechTypes));
+ for (i = 0; !asn1->has_error &&
+ 0 < asn1_tag_remaining(asn1); i++) {
+ token->mechTypes =
+ realloc(token->mechTypes, (i + 2) *
+ sizeof(*token->mechTypes));
+ asn1_read_OID(asn1, token->mechTypes + i);
+ }
+ token->mechTypes[i] = NULL;
+
+ asn1_end_tag(asn1);
+ asn1_end_tag(asn1);
+ break;
+ /* Read reqFlags */
+ case ASN1_CONTEXT(1):
+ asn1_start_tag(asn1, ASN1_CONTEXT(1));
+ asn1_read_Integer(asn1, &token->reqFlags);
+ token->reqFlags |= SPNEGO_REQ_FLAG;
+ asn1_end_tag(asn1);
+ break;
+ /* Read mechToken */
+ case ASN1_CONTEXT(2):
+ asn1_start_tag(asn1, ASN1_CONTEXT(2));
+ asn1_read_OctetString(asn1, &token->mechToken);
+ asn1_end_tag(asn1);
+ break;
+ /* Read mecListMIC */
+ case ASN1_CONTEXT(3):
+ asn1_start_tag(asn1, ASN1_CONTEXT(3));
+ if (asn1->data[asn1->ofs] == ASN1_OCTET_STRING) {
+ asn1_read_OctetString(asn1,
+ &token->mechListMIC);
+ } else {
+ /* RFC 2478 says we have an Octet String here,
+ but W2k sends something different... */
+ char *mechListMIC;
+ asn1_push_tag(asn1, ASN1_SEQUENCE(0));
+ asn1_push_tag(asn1, ASN1_CONTEXT(0));
+ asn1_read_GeneralString(asn1, &mechListMIC);
+ asn1_pop_tag(asn1);
+ asn1_pop_tag(asn1);
+
+ token->mechListMIC =
+ data_blob(mechListMIC, strlen(mechListMIC));
+ SAFE_FREE(mechListMIC);
+ }
+ asn1_end_tag(asn1);
+ break;
+ default:
+ asn1->has_error = True;
+ break;
+ }
+ }
+
+ asn1_end_tag(asn1);
+ asn1_end_tag(asn1);
+
+ return !asn1->has_error;
+}
+
+static BOOL write_negTokenInit(ASN1_DATA *asn1, struct spnego_negTokenInit *token)
+{
+ asn1_push_tag(asn1, ASN1_CONTEXT(0));
+ asn1_push_tag(asn1, ASN1_SEQUENCE(0));
+
+ /* Write mechTypes */
+ if (token->mechTypes && *token->mechTypes) {
+ int i;
+
+ asn1_push_tag(asn1, ASN1_CONTEXT(0));
+ asn1_push_tag(asn1, ASN1_SEQUENCE(0));
+ for (i = 0; token->mechTypes[i]; i++) {
+ asn1_write_OID(asn1, token->mechTypes[i]);
+ }
+ asn1_pop_tag(asn1);
+ asn1_pop_tag(asn1);
+ }
+
+ /* write reqFlags */
+ if (token->reqFlags & SPNEGO_REQ_FLAG) {
+ int flags = token->reqFlags & ~SPNEGO_REQ_FLAG;
+
+ asn1_push_tag(asn1, ASN1_CONTEXT(1));
+ asn1_write_Integer(asn1, flags);
+ asn1_pop_tag(asn1);
+ }
+
+ /* write mechToken */
+ if (token->mechToken.data) {
+ asn1_push_tag(asn1, ASN1_CONTEXT(2));
+ asn1_write_OctetString(asn1, token->mechToken.data,
+ token->mechToken.length);
+ asn1_pop_tag(asn1);
+ }
+
+ /* write mechListMIC */
+ if (token->mechListMIC.data) {
+ asn1_push_tag(asn1, ASN1_CONTEXT(3));
+#if 0
+ /* This is what RFC 2478 says ... */
+ asn1_write_OctetString(asn1, token->mechListMIC.data,
+ token->mechListMIC.length);
+#else
+ /* ... but unfortunately this is what Windows
+ sends/expects */
+ asn1_push_tag(asn1, ASN1_SEQUENCE(0));
+ asn1_push_tag(asn1, ASN1_CONTEXT(0));
+ asn1_push_tag(asn1, ASN1_GENERAL_STRING);
+ asn1_write(asn1, token->mechListMIC.data,
+ token->mechListMIC.length);
+ asn1_pop_tag(asn1);
+ asn1_pop_tag(asn1);
+ asn1_pop_tag(asn1);
+#endif
+ asn1_pop_tag(asn1);
+ }
+
+ asn1_pop_tag(asn1);
+ asn1_pop_tag(asn1);
+
+ return !asn1->has_error;
+}
+
+static BOOL read_negTokenTarg(ASN1_DATA *asn1, struct spnego_negTokenTarg *token)
+{
+ ZERO_STRUCTP(token);
+
+ asn1_start_tag(asn1, ASN1_CONTEXT(1));
+ asn1_start_tag(asn1, ASN1_SEQUENCE(0));
+
+ while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
+ switch (asn1->data[asn1->ofs]) {
+ case ASN1_CONTEXT(0):
+ asn1_start_tag(asn1, ASN1_CONTEXT(0));
+ asn1_start_tag(asn1, ASN1_ENUMERATED);
+ asn1_read_uint8(asn1, &token->negResult);
+ asn1_end_tag(asn1);
+ asn1_end_tag(asn1);
+ break;
+ case ASN1_CONTEXT(1):
+ asn1_start_tag(asn1, ASN1_CONTEXT(1));
+ asn1_read_OID(asn1, &token->supportedMech);
+ asn1_end_tag(asn1);
+ break;
+ case ASN1_CONTEXT(2):
+ asn1_start_tag(asn1, ASN1_CONTEXT(2));
+ asn1_read_OctetString(asn1, &token->responseToken);
+ asn1_end_tag(asn1);
+ break;
+ case ASN1_CONTEXT(3):
+ asn1_start_tag(asn1, ASN1_CONTEXT(3));
+ asn1_read_OctetString(asn1, &token->mechListMIC);
+ asn1_end_tag(asn1);
+ break;
+ default:
+ asn1->has_error = True;
+ break;
+ }
+ }
+
+ asn1_end_tag(asn1);
+ asn1_end_tag(asn1);
+
+ return !asn1->has_error;
+}
+
+static BOOL write_negTokenTarg(ASN1_DATA *asn1, struct spnego_negTokenTarg *token)
+{
+ asn1_push_tag(asn1, ASN1_CONTEXT(1));
+ asn1_push_tag(asn1, ASN1_SEQUENCE(0));
+
+ asn1_push_tag(asn1, ASN1_CONTEXT(0));
+ asn1_write_enumerated(asn1, token->negResult);
+ asn1_pop_tag(asn1);
+
+ if (token->supportedMech) {
+ asn1_push_tag(asn1, ASN1_CONTEXT(1));
+ asn1_write_OID(asn1, token->supportedMech);
+ asn1_pop_tag(asn1);
+ }
+
+ if (token->responseToken.data) {
+ asn1_push_tag(asn1, ASN1_CONTEXT(2));
+ asn1_write_OctetString(asn1, token->responseToken.data,
+ token->responseToken.length);
+ asn1_pop_tag(asn1);
+ }
+
+ if (token->mechListMIC.data) {
+ asn1_push_tag(asn1, ASN1_CONTEXT(3));
+ asn1_write_OctetString(asn1, token->mechListMIC.data,
+ token->mechListMIC.length);
+ asn1_pop_tag(asn1);
+ }
+
+ asn1_pop_tag(asn1);
+ asn1_pop_tag(asn1);
+
+ return !asn1->has_error;
+}
+
+ssize_t read_spnego_data(DATA_BLOB data, struct spnego_data *token)
+{
+ ASN1_DATA asn1;
+ ssize_t ret = -1;
+
+ ZERO_STRUCTP(token);
+ ZERO_STRUCT(asn1);
+ asn1_load(&asn1, data);
+
+ switch (asn1.data[asn1.ofs]) {
+ case ASN1_APPLICATION(0):
+ asn1_start_tag(&asn1, ASN1_APPLICATION(0));
+ asn1_check_OID(&asn1, OID_SPNEGO);
+ if (read_negTokenInit(&asn1, &token->negTokenInit)) {
+ token->type = SPNEGO_NEG_TOKEN_INIT;
+ }
+ asn1_end_tag(&asn1);
+ break;
+ case ASN1_CONTEXT(1):
+ if (read_negTokenTarg(&asn1, &token->negTokenTarg)) {
+ token->type = SPNEGO_NEG_TOKEN_TARG;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (!asn1.has_error) ret = asn1.ofs;
+ asn1_free(&asn1);
+
+ return ret;
+}
+
+ssize_t write_spnego_data(DATA_BLOB *blob, struct spnego_data *spnego)
+{
+ ASN1_DATA asn1;
+ ssize_t ret = -1;
+
+ ZERO_STRUCT(asn1);
+
+ switch (spnego->type) {
+ case SPNEGO_NEG_TOKEN_INIT:
+ asn1_push_tag(&asn1, ASN1_APPLICATION(0));
+ asn1_write_OID(&asn1, OID_SPNEGO);
+ write_negTokenInit(&asn1, &spnego->negTokenInit);
+ asn1_pop_tag(&asn1);
+ break;
+ case SPNEGO_NEG_TOKEN_TARG:
+ write_negTokenTarg(&asn1, &spnego->negTokenTarg);
+ break;
+ default:
+ asn1.has_error = True;
+ break;
+ }
+
+ if (!asn1.has_error) {
+ *blob = data_blob(asn1.data, asn1.length);
+ ret = asn1.ofs;
+ }
+ asn1_free(&asn1);
+
+ return ret;
+}
+
+BOOL free_spnego_data(struct spnego_data *spnego)
+{
+ BOOL ret = True;
+
+ if (!spnego) goto out;
+
+ switch(spnego->type) {
+ case SPNEGO_NEG_TOKEN_INIT:
+ if (spnego->negTokenInit.mechTypes) {
+ int i;
+ for (i = 0; spnego->negTokenInit.mechTypes[i]; i++) {
+ free(spnego->negTokenInit.mechTypes[i]);
+ }
+ free(spnego->negTokenInit.mechTypes);
+ }
+ data_blob_free(&spnego->negTokenInit.mechToken);
+ data_blob_free(&spnego->negTokenInit.mechListMIC);
+ break;
+ case SPNEGO_NEG_TOKEN_TARG:
+ if (spnego->negTokenTarg.supportedMech) {
+ free(spnego->negTokenTarg.supportedMech);
+ }
+ data_blob_free(&spnego->negTokenTarg.responseToken);
+ data_blob_free(&spnego->negTokenTarg.mechListMIC);
+ break;
+ default:
+ ret = False;
+ break;
+ }
+ ZERO_STRUCTP(spnego);
+out:
+ return ret;
+}
+
diff --git a/source4/libcli/auth/spnego.h b/source4/libcli/auth/spnego.h
new file mode 100644
index 0000000000..e30fa13d26
--- /dev/null
+++ b/source4/libcli/auth/spnego.h
@@ -0,0 +1,65 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ RFC2478 Compliant SPNEGO implementation
+
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef SAMBA_SPNEGO_H
+#define SAMBA_SPNEGO_H
+
+#define SPNEGO_DELEG_FLAG 0x01
+#define SPNEGO_MUTUAL_FLAG 0x02
+#define SPNEGO_REPLAY_FLAG 0x04
+#define SPNEGO_SEQUENCE_FLAG 0x08
+#define SPNEGO_ANON_FLAG 0x10
+#define SPNEGO_CONF_FLAG 0x20
+#define SPNEGO_INTEG_FLAG 0x40
+#define SPNEGO_REQ_FLAG 0x80
+
+#define SPNEGO_NEG_TOKEN_INIT 0
+#define SPNEGO_NEG_TOKEN_TARG 1
+
+typedef enum _spnego_negResult {
+ SPNEGO_ACCEPT_COMPLETED = 0,
+ SPNEGO_ACCEPT_INCOMPLETE = 1,
+ SPNEGO_REJECT = 2
+} negResult_t;
+
+struct spnego_negTokenInit {
+ char **mechTypes;
+ int reqFlags;
+ DATA_BLOB mechToken;
+ DATA_BLOB mechListMIC;
+};
+
+struct spnego_negTokenTarg {
+ uint8 negResult;
+ const char *supportedMech;
+ DATA_BLOB responseToken;
+ DATA_BLOB mechListMIC;
+};
+
+struct spnego_data {
+ int type;
+ struct spnego_negTokenInit negTokenInit;
+ struct spnego_negTokenTarg negTokenTarg;
+};
+
+#endif
diff --git a/source4/libcli/config.m4 b/source4/libcli/config.m4
index 82f629b280..49c690c944 100644
--- a/source4/libcli/config.m4
+++ b/source4/libcli/config.m4
@@ -12,8 +12,6 @@ SMB_SUBSYSTEM(LIBCLI_RAW,[],
libcli/raw/clitransport.o
libcli/raw/clisession.o
libcli/raw/clitree.o
- libcli/raw/clikrb5.o
- libcli/raw/clispnego.o
libcli/raw/rawrequest.o
libcli/raw/rawreadwrite.o
libcli/raw/rawsearch.o
@@ -43,13 +41,17 @@ SMB_SUBSYSTEM(LIBCLI_UTILS,[],
libcli/util/dom_sid.o])
SMB_SUBSYSTEM(LIBCLI_AUTH,[],
- [libcli/auth/ntlmssp.o
+ [libcli/auth/spnego.o
+ libcli/auth/ntlmssp.o
libcli/auth/ntlmssp_parse.o
libcli/auth/ntlmssp_sign.o
libcli/auth/schannel.o
libcli/auth/credentials.o
libcli/auth/session.o
- libcli/auth/ntlm_check.o])
+ libcli/auth/ntlm_check.o
+ libcli/auth/kerberos.o
+ libcli/auth/kerberos_verify.o
+ libcli/auth/clikrb5.o])
SMB_SUBSYSTEM(LIBCLI_NMB,[],
[libcli/unexpected.o
diff --git a/source4/libcli/raw/clispnego.c b/source4/libcli/raw/clispnego.c
deleted file mode 100644
index ff7d45c8c1..0000000000
--- a/source4/libcli/raw/clispnego.c
+++ /dev/null
@@ -1,539 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- simple kerberos5/SPNEGO routines
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
- Copyright (C) Luke Howard 2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/*
- generate a negTokenInit packet given a GUID, a list of supported
- OIDs (the mechanisms) and a principal name string
-*/
-DATA_BLOB spnego_gen_negTokenInit(uint8_t guid[16],
- const char *OIDs[],
- const char *principal)
-{
- int i;
- ASN1_DATA data;
- DATA_BLOB ret;
-
- memset(&data, 0, sizeof(data));
-
- asn1_write(&data, guid, 16);
- asn1_push_tag(&data,ASN1_APPLICATION(0));
- asn1_write_OID(&data,OID_SPNEGO);
- asn1_push_tag(&data,ASN1_CONTEXT(0));
- asn1_push_tag(&data,ASN1_SEQUENCE(0));
-
- asn1_push_tag(&data,ASN1_CONTEXT(0));
- asn1_push_tag(&data,ASN1_SEQUENCE(0));
- for (i=0; OIDs[i]; i++) {
- asn1_write_OID(&data,OIDs[i]);
- }
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- asn1_push_tag(&data, ASN1_CONTEXT(3));
- asn1_push_tag(&data, ASN1_SEQUENCE(0));
- asn1_push_tag(&data, ASN1_CONTEXT(0));
- asn1_write_GeneralString(&data,principal);
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- asn1_pop_tag(&data);
-
- if (data.has_error) {
- DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data.ofs));
- asn1_free(&data);
- }
-
- ret = data_blob(data.data, data.length);
- asn1_free(&data);
-
- return ret;
-}
-
-/*
- Generate a negTokenInit as used by the client side ... It has a mechType
- (OID), and a mechToken (a security blob) ...
-
- Really, we need to break out the NTLMSSP stuff as well, because it could be
- raw in the packets!
-*/
-DATA_BLOB gen_negTokenInit(const char *OID, DATA_BLOB blob)
-{
- ASN1_DATA data;
- DATA_BLOB ret;
-
- memset(&data, 0, sizeof(data));
-
- asn1_push_tag(&data, ASN1_APPLICATION(0));
- asn1_write_OID(&data,OID_SPNEGO);
- asn1_push_tag(&data, ASN1_CONTEXT(0));
- asn1_push_tag(&data, ASN1_SEQUENCE(0));
-
- asn1_push_tag(&data, ASN1_CONTEXT(0));
- asn1_push_tag(&data, ASN1_SEQUENCE(0));
- asn1_write_OID(&data, OID);
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- asn1_push_tag(&data, ASN1_CONTEXT(2));
- asn1_write_OctetString(&data,blob.data,blob.length);
- asn1_pop_tag(&data);
-
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- asn1_pop_tag(&data);
-
- if (data.has_error) {
- DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data.ofs));
- asn1_free(&data);
- }
-
- ret = data_blob(data.data, data.length);
- asn1_free(&data);
-
- return ret;
-}
-
-/*
- parse a negTokenInit packet giving a GUID, a list of supported
- OIDs (the mechanisms) and a principal name string
-*/
-BOOL spnego_parse_negTokenInit(DATA_BLOB blob,
- char *OIDs[ASN1_MAX_OIDS],
- char **principal)
-{
- int i;
- BOOL ret;
- ASN1_DATA data;
-
- asn1_load(&data, blob);
-
- asn1_start_tag(&data,ASN1_APPLICATION(0));
- asn1_check_OID(&data,OID_SPNEGO);
- asn1_start_tag(&data,ASN1_CONTEXT(0));
- asn1_start_tag(&data,ASN1_SEQUENCE(0));
-
- asn1_start_tag(&data,ASN1_CONTEXT(0));
- asn1_start_tag(&data,ASN1_SEQUENCE(0));
- for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) {
- char *aoid = NULL;
- asn1_read_OID(&data,&aoid);
- OIDs[i] = aoid;
- }
- OIDs[i] = NULL;
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- asn1_start_tag(&data, ASN1_CONTEXT(3));
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
- asn1_start_tag(&data, ASN1_CONTEXT(0));
- asn1_read_GeneralString(&data,principal);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- asn1_end_tag(&data);
-
- ret = !data.has_error;
- asn1_free(&data);
- return ret;
-}
-
-
-/*
- generate a negTokenTarg packet given a list of OIDs and a security blob
-*/
-DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob)
-{
- int i;
- ASN1_DATA data;
- DATA_BLOB ret;
-
- memset(&data, 0, sizeof(data));
-
- asn1_push_tag(&data, ASN1_APPLICATION(0));
- asn1_write_OID(&data,OID_SPNEGO);
- asn1_push_tag(&data, ASN1_CONTEXT(0));
- asn1_push_tag(&data, ASN1_SEQUENCE(0));
-
- asn1_push_tag(&data, ASN1_CONTEXT(0));
- asn1_push_tag(&data, ASN1_SEQUENCE(0));
- for (i=0; OIDs[i]; i++) {
- asn1_write_OID(&data,OIDs[i]);
- }
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- asn1_push_tag(&data, ASN1_CONTEXT(2));
- asn1_write_OctetString(&data,blob.data,blob.length);
- asn1_pop_tag(&data);
-
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- asn1_pop_tag(&data);
-
- if (data.has_error) {
- DEBUG(1,("Failed to build negTokenTarg at offset %d\n", (int)data.ofs));
- asn1_free(&data);
- }
-
- ret = data_blob(data.data, data.length);
- asn1_free(&data);
-
- return ret;
-}
-
-
-/*
- parse a negTokenTarg packet giving a list of OIDs and a security blob
-*/
-BOOL parse_negTokenTarg(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], DATA_BLOB *secblob)
-{
- int i;
- ASN1_DATA data;
-
- asn1_load(&data, blob);
- asn1_start_tag(&data, ASN1_APPLICATION(0));
- asn1_check_OID(&data,OID_SPNEGO);
- asn1_start_tag(&data, ASN1_CONTEXT(0));
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
-
- asn1_start_tag(&data, ASN1_CONTEXT(0));
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
- for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) {
- char *aoid = NULL;
- asn1_read_OID(&data,&aoid);
- OIDs[i] = aoid;
- }
- OIDs[i] = NULL;
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- asn1_start_tag(&data, ASN1_CONTEXT(2));
- asn1_read_OctetString(&data,secblob);
- asn1_end_tag(&data);
-
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- asn1_end_tag(&data);
-
- if (data.has_error) {
- DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data.ofs));
- asn1_free(&data);
- return False;
- }
-
- asn1_free(&data);
- return True;
-}
-
-/*
- generate a krb5 GSS-API wrapper packet given a ticket
-*/
-DATA_BLOB spnego_gen_krb5_wrap(DATA_BLOB ticket, const uint8_t tok_id[2])
-{
- ASN1_DATA data;
- DATA_BLOB ret;
-
- memset(&data, 0, sizeof(data));
-
- asn1_push_tag(&data, ASN1_APPLICATION(0));
- asn1_write_OID(&data, OID_KERBEROS5);
-
- asn1_write(&data, tok_id, 2);
- asn1_write(&data, ticket.data, ticket.length);
- asn1_pop_tag(&data);
-
- if (data.has_error) {
- DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data.ofs));
- asn1_free(&data);
- }
-
- ret = data_blob(data.data, data.length);
- asn1_free(&data);
-
- return ret;
-}
-
-/*
- parse a krb5 GSS-API wrapper packet giving a ticket
-*/
-BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8_t tok_id[2])
-{
- BOOL ret;
- ASN1_DATA data;
- int data_remaining;
-
- asn1_load(&data, blob);
- asn1_start_tag(&data, ASN1_APPLICATION(0));
- asn1_check_OID(&data, OID_KERBEROS5);
-
- data_remaining = asn1_tag_remaining(&data);
-
- if (data_remaining < 3) {
- data.has_error = True;
- } else {
- asn1_read(&data, tok_id, 2);
- data_remaining -= 2;
- *ticket = data_blob(NULL, data_remaining);
- asn1_read(&data, ticket->data, ticket->length);
- }
-
- asn1_end_tag(&data);
-
- ret = !data.has_error;
-
- asn1_free(&data);
-
- return ret;
-}
-
-
-/*
- generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
- kerberos session setup
-*/
-int spnego_gen_negTokenTarg(const char *principal, int time_offset,
- DATA_BLOB *targ,
- DATA_BLOB *session_key_krb5)
-{
- int retval;
- DATA_BLOB tkt, tkt_wrapped;
- const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_NTLMSSP, NULL};
-
- /* get a kerberos ticket for the service and extract the session key */
- retval = cli_krb5_get_ticket(principal, time_offset, &tkt, session_key_krb5);
-
- if (retval)
- return retval;
-
- /* wrap that up in a nice GSS-API wrapping */
- tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
-
- /* and wrap that in a shiny SPNEGO wrapper */
- *targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
-
- data_blob_free(&tkt_wrapped);
- data_blob_free(&tkt);
-
- return retval;
-}
-
-
-/*
- parse a spnego NTLMSSP challenge packet giving two security blobs
-*/
-BOOL spnego_parse_challenge(const DATA_BLOB blob,
- DATA_BLOB *chal1, DATA_BLOB *chal2)
-{
- BOOL ret;
- ASN1_DATA data;
-
- ZERO_STRUCTP(chal1);
- ZERO_STRUCTP(chal2);
-
- asn1_load(&data, blob);
- asn1_start_tag(&data,ASN1_CONTEXT(1));
- asn1_start_tag(&data,ASN1_SEQUENCE(0));
-
- asn1_start_tag(&data,ASN1_CONTEXT(0));
- asn1_check_enumerated(&data,1);
- asn1_end_tag(&data);
-
- asn1_start_tag(&data,ASN1_CONTEXT(1));
- asn1_check_OID(&data, OID_NTLMSSP);
- asn1_end_tag(&data);
-
- asn1_start_tag(&data,ASN1_CONTEXT(2));
- asn1_read_OctetString(&data, chal1);
- asn1_end_tag(&data);
-
- /* the second challenge is optional (XP doesn't send it) */
- if (asn1_tag_remaining(&data)) {
- asn1_start_tag(&data,ASN1_CONTEXT(3));
- asn1_read_OctetString(&data, chal2);
- asn1_end_tag(&data);
- }
-
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- ret = !data.has_error;
- asn1_free(&data);
- return ret;
-}
-
-
-/*
- generate a SPNEGO auth packet. This will contain the encrypted passwords
-*/
-DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
-{
- ASN1_DATA data;
- DATA_BLOB ret;
-
- memset(&data, 0, sizeof(data));
-
- asn1_push_tag(&data, ASN1_CONTEXT(1));
- asn1_push_tag(&data, ASN1_SEQUENCE(0));
- asn1_push_tag(&data, ASN1_CONTEXT(2));
- asn1_write_OctetString(&data,blob.data,blob.length);
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- ret = data_blob(data.data, data.length);
-
- asn1_free(&data);
-
- return ret;
-}
-
-/*
- parse a SPNEGO auth packet. This contains the encrypted passwords
-*/
-BOOL spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth)
-{
- ASN1_DATA data;
-
- asn1_load(&data, blob);
- asn1_start_tag(&data, ASN1_CONTEXT(1));
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
- asn1_start_tag(&data, ASN1_CONTEXT(2));
- asn1_read_OctetString(&data,auth);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- if (data.has_error) {
- DEBUG(3,("spnego_parse_auth failed at %d\n", (int)data.ofs));
- asn1_free(&data);
- return False;
- }
-
- asn1_free(&data);
- return True;
-}
-
-/*
- generate a minimal SPNEGO response packet. Doesn't contain much.
-*/
-DATA_BLOB spnego_gen_auth_response(DATA_BLOB *reply, NTSTATUS nt_status,
- const char *mechOID)
-{
- ASN1_DATA data;
- DATA_BLOB ret;
- uint8_t negResult;
-
- if (NT_STATUS_IS_OK(nt_status)) {
- negResult = SPNEGO_NEG_RESULT_ACCEPT;
- } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- negResult = SPNEGO_NEG_RESULT_INCOMPLETE;
- } else {
- negResult = SPNEGO_NEG_RESULT_REJECT;
- }
-
- ZERO_STRUCT(data);
-
- asn1_push_tag(&data, ASN1_CONTEXT(1));
- asn1_push_tag(&data, ASN1_SEQUENCE(0));
- asn1_push_tag(&data, ASN1_CONTEXT(0));
- asn1_write_enumerated(&data, negResult);
- asn1_pop_tag(&data);
-
- if (reply->data != NULL) {
- asn1_push_tag(&data,ASN1_CONTEXT(1));
- asn1_write_OID(&data, mechOID);
- asn1_pop_tag(&data);
-
- asn1_push_tag(&data,ASN1_CONTEXT(2));
- asn1_write_OctetString(&data, reply->data, reply->length);
- asn1_pop_tag(&data);
- }
-
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
-
- ret = data_blob(data.data, data.length);
- asn1_free(&data);
- return ret;
-}
-
-/*
- parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
-*/
-BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
- DATA_BLOB *auth)
-{
- ASN1_DATA data;
- uint8_t negResult;
-
- if (NT_STATUS_IS_OK(nt_status)) {
- negResult = SPNEGO_NEG_RESULT_ACCEPT;
- } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- negResult = SPNEGO_NEG_RESULT_INCOMPLETE;
- } else {
- negResult = SPNEGO_NEG_RESULT_REJECT;
- }
-
- asn1_load(&data, blob);
- asn1_start_tag(&data, ASN1_CONTEXT(1));
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
- asn1_start_tag(&data, ASN1_CONTEXT(0));
- asn1_check_enumerated(&data, negResult);
- asn1_end_tag(&data);
-
- if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
- asn1_start_tag(&data,ASN1_CONTEXT(1));
- asn1_check_OID(&data, OID_NTLMSSP);
- asn1_end_tag(&data);
-
- asn1_start_tag(&data,ASN1_CONTEXT(2));
- asn1_read_OctetString(&data, auth);
- asn1_end_tag(&data);
- }
-
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- if (data.has_error) {
- DEBUG(3,("spnego_parse_auth_response failed at %d\n", (int)data.ofs));
- asn1_free(&data);
- data_blob_free(auth);
- return False;
- }
-
- asn1_free(&data);
- return True;
-}
-
diff --git a/source4/libcli/util/asn1.c b/source4/libcli/util/asn1.c
index ddefe0baa6..05bc5eace8 100644
--- a/source4/libcli/util/asn1.c
+++ b/source4/libcli/util/asn1.c
@@ -219,6 +219,11 @@ BOOL asn1_load(ASN1_DATA *data, DATA_BLOB blob)
/* read from a ASN1 buffer, advancing the buffer pointer */
BOOL asn1_read(ASN1_DATA *data, void *p, int len)
{
+ if (len < 0 || data->ofs + len < data->ofs || data->ofs + len < len) {
+ data->has_error = True;
+ return False;
+ }
+
if (data->ofs + len > data->length) {
data->has_error = True;
return False;
@@ -315,17 +320,17 @@ int asn1_tag_remaining(ASN1_DATA *data)
BOOL asn1_read_OID(ASN1_DATA *data, char **OID)
{
uint8_t b;
- pstring aoid;
- fstring el;
+ char *oid = NULL;
+ TALLOC_CTX *mem_ctx = talloc_init("asn1_read_OID");
+ if (!mem_ctx) {
+ return False;
+ }
if (!asn1_start_tag(data, ASN1_OID)) return False;
asn1_read_uint8(data, &b);
- aoid[0] = 0;
- snprintf(el, sizeof(el), "%u", b/40);
- pstrcat(aoid, el);
- snprintf(el, sizeof(el), " %u", b%40);
- pstrcat(aoid, el);
+ oid = talloc_asprintf_append(mem_ctx, oid, "%u", b/40);
+ oid = talloc_asprintf_append(mem_ctx, oid, " %u", b%40);
while (asn1_tag_remaining(data) > 0) {
uint_t v = 0;
@@ -333,15 +338,15 @@ BOOL asn1_read_OID(ASN1_DATA *data, char **OID)
asn1_read_uint8(data, &b);
v = (v<<7) | (b&0x7f);
} while (!data->has_error && b & 0x80);
- snprintf(el, sizeof(el), " %u", v);
- pstrcat(aoid, el);
+ oid = talloc_asprintf_append(mem_ctx, oid, " %u", v);
}
asn1_end_tag(data);
- *OID = strdup(aoid);
+ *OID = strdup(oid);
+ talloc_destroy(mem_ctx);
- return !data->has_error;
+ return (*OID && !data->has_error);
}
/* check that the next object ID is correct */
@@ -365,6 +370,10 @@ BOOL asn1_read_GeneralString(ASN1_DATA *data, char **s)
int len;
if (!asn1_start_tag(data, ASN1_GENERAL_STRING)) return False;
len = asn1_tag_remaining(data);
+ if (len < 0) {
+ data->has_error = True;
+ return False;
+ }
*s = malloc(len+1);
if (! *s) {
data->has_error = True;
@@ -383,6 +392,10 @@ BOOL asn1_read_OctetString(ASN1_DATA *data, DATA_BLOB *blob)
ZERO_STRUCTP(blob);
if (!asn1_start_tag(data, ASN1_OCTET_STRING)) return False;
len = asn1_tag_remaining(data);
+ if (len < 0) {
+ data->has_error = True;
+ return False;
+ }
*blob = data_blob(NULL, len);
asn1_read(data, blob->data, len);
asn1_end_tag(data);