From 0dcd4645961c5d672b9526538eaddf0503db793a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 2 Jan 2005 23:53:14 +0000 Subject: r4494: Allow gensec_gssapi to use the SPNEGO mech provided by Heimdal (off by default at this point), and include the GSSAPI OIDs in our source, per advice by lha that this is easier than getting the includes right. Andrew Bartlett (This used to be commit 9ff8b2b4d12d364084df5c95a752ce2a0546053d) --- source4/libcli/auth/gensec_gssapi.c | 51 ++++++++++++++++++++++++++++++++----- source4/param/loadparm.c | 3 ++- 2 files changed, 46 insertions(+), 8 deletions(-) diff --git a/source4/libcli/auth/gensec_gssapi.c b/source4/libcli/auth/gensec_gssapi.c index c41c3fb2bc..432d59ef24 100644 --- a/source4/libcli/auth/gensec_gssapi.c +++ b/source4/libcli/auth/gensec_gssapi.c @@ -36,6 +36,7 @@ struct gensec_gssapi_state { gss_name_t server_name; gss_name_t client_name; int want_flags, got_flags; + const gss_OID_desc *gss_oid; }; static int gensec_gssapi_destory(void *ptr) { @@ -91,6 +92,19 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->want_flags |= GSS_C_CONF_FLAG; } + if (strcmp(gensec_security->ops->oid, GENSEC_OID_KERBEROS5) == 0) { + static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc = + {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; + + gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc; + } else if (strcmp(gensec_security->ops->oid, GENSEC_OID_SPNEGO) == 0) { + static const gss_OID_desc gensec_gss_spnego_mechanism_oid_desc = + {6, (void *)discard_const_p(char, "\x2b\x06\x01\x05\x05\x02")}; + gensec_gssapi_state->gss_oid = &gensec_gss_spnego_mechanism_oid_desc; + } else { + return NT_STATUS_INVALID_PARAMETER; + } + return NT_STATUS_OK; } 
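Review bot: The new `gss_oid` member of `struct gensec_gssapi_state` is undocumented even though this commit gives it two different ownership regimes: on the client path it points at a function-scope `static const gss_OID_desc` chosen in gensec_gssapi_start, while on the server path the later hunk in gensec_gssapi_update overwrites it with the `mech_type` pointer handed back by gss_accept_sec_context, which is storage owned by the GSS-API library. A comment on the field would keep a later maintainer from releasing it in gensec_gssapi_destory or assuming it always names the mech the backend was started with: `/* Mech OID in use: a static table entry chosen in gensec_gssapi_start, or on the server side the library-owned mech_type from gss_accept_sec_context. Never freed. */`. The struct's opening line and the body of gensec_gssapi_destory lie outside this hunk.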
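Review bot: The two OID byte strings added to gensec_gssapi_start give no hint of which OID they encode, so a reader has to decode the DER by hand to check them. A comment with the dotted form beside each table makes the constant verifiable: `/* 1.2.840.113554.1.2.2 (Kerberos V5) */` on the 9-byte entry and `/* 1.3.6.1.5.5.2 (SPNEGO) */` on the 6-byte entry; the encodings shown do correspond to those OIDs. The `(void *)discard_const_p(char, ...)` casts exist only because the `elements` member is a plain `void *`, so a one-line comment that the tables are read-only would also help, since writing through them would be undefined behaviour on a string literal. gensec_gssapi_start begins before this hunk.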
@@ -162,7 +176,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, OM_uint32 maj_stat, min_stat; OM_uint32 min_stat2; gss_buffer_desc input_token, output_token; - + gss_OID gss_oid_p; input_token.length = in.length; input_token.value = in.data; @@ -173,7 +187,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, GSS_C_NO_CREDENTIAL, &gensec_gssapi_state->gssapi_context, gensec_gssapi_state->server_name, - GSS_C_NO_OID, + discard_const_p(gss_OID_desc, gensec_gssapi_state->gss_oid), gensec_gssapi_state->want_flags, 0, gensec_gssapi_state->input_chan_bindings, @@ -192,11 +206,12 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, &input_token, gensec_gssapi_state->input_chan_bindings, &gensec_gssapi_state->client_name, - NULL /* mech oid */, + &gss_oid_p, &output_token, &gensec_gssapi_state->got_flags, NULL, NULL); + gensec_gssapi_state->gss_oid = gss_oid_p; break; } default: @@ -309,8 +324,10 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security, return False; } -static const struct gensec_security_ops gensec_gssapi_security_ops = { - .name = "gssapi", +/* As a server, this could in theory accept any GSSAPI mech */ +static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = { + .name = "gssapi_krb5", + .sasl_name = "GSSAPI", .oid = GENSEC_OID_KERBEROS5, .client_start = gensec_gssapi_client_start, .server_start = gensec_gssapi_server_start, 
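Review bot: `gss_oid_p` is declared without an initializer in the @@ -162 hunk and, in the @@ -192 hunk, is copied into `gensec_gssapi_state->gss_oid` straight after gss_accept_sec_context returns, before `maj_stat` is looked at. On a failed accept the `mech_type` output is not guaranteed to be written, so the state can end up holding an indeterminate pointer; anything that later consults the field (the gss_init_sec_context call in the @@ -173 hunk is the one reader visible here) would then dereference garbage. Initialise it, `gss_OID gss_oid_p = GSS_C_NO_OID;`, and record it only on success: `if (maj_stat == GSS_S_COMPLETE || maj_stat == GSS_S_CONTINUE_NEEDED) gensec_gssapi_state->gss_oid = gss_oid_p;`. It is also worth a comment at the assignment that the returned OID is library-owned, read-only storage, unlike the static tables installed by gensec_gssapi_start. gensec_gssapi_update's body continues both before and after these hunks, including the status check that follows the switch.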
@@ -321,14 +338,34 @@ static const struct gensec_security_ops gensec_gssapi_security_ops = { }; +static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = { + .name = "gssapi_spnego", + .sasl_name = "GSS-SPNEGO", + .oid = GENSEC_OID_SPNEGO, + .client_start = gensec_gssapi_client_start, + .server_start = gensec_gssapi_server_start, + .update = gensec_gssapi_update, + .wrap = gensec_gssapi_wrap, + .unwrap = gensec_gssapi_unwrap, + .have_feature = gensec_gssapi_have_feature + +}; + NTSTATUS gensec_gssapi_init(void) { NTSTATUS ret; - ret = gensec_register(&gensec_gssapi_security_ops); + ret = gensec_register(&gensec_gssapi_krb5_security_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register '%s' gensec backend!\n", + gensec_gssapi_krb5_security_ops.name)); + return ret; + } + + ret = gensec_register(&gensec_gssapi_spnego_security_ops); if (!NT_STATUS_IS_OK(ret)) { DEBUG(0,("Failed to register '%s' gensec backend!\n", - gensec_gssapi_security_ops.name)); + gensec_gssapi_spnego_security_ops.name)); return ret; } diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index e06daf92c1..00c9133067 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c @@ -3078,7 +3078,8 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults, lp_do_parameter(-1, "wins server", "127.0.0.1"); } - lp_do_parameter(-1, "gensec:gssapi", "False"); + lp_do_parameter(-1, "gensec:gssapi_krb5", "False"); + lp_do_parameter(-1, "gensec:gssapi_spnego", "False"); lp_do_parameter(-1, "gensec:krb5", "False"); lp_do_parameter(-1, "gensec:ms_krb5", "False"); -- cgit
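Review bot: `gensec_gssapi_spnego_security_ops` ends with a stray blank line before `};` and, unlike the krb5 table above it, carries no comment, although the two tables share every callback and differ only in `.name`, `.sasl_name` and `.oid`; a note such as `/* Same callbacks as gssapi_krb5; gensec_gssapi_start selects the SPNEGO mech OID from .oid */` tells the reader where the choice actually happens. The two register-and-log stanzas in gensec_gssapi_init are now verbatim copies, so a small table of ops pointers walked in a loop keeps the error message and early return in one place, as below. The closing lines of gensec_gssapi_init are outside the hunk.
```c
NTSTATUS gensec_gssapi_init(void)
{
	static const struct gensec_security_ops *const ops[] = {
		&gensec_gssapi_krb5_security_ops,
		&gensec_gssapi_spnego_security_ops,
	};
	NTSTATUS ret;
	size_t i;

	for (i = 0; i < sizeof(ops) / sizeof(ops[0]); i++) {
		ret = gensec_register(ops[i]);
		if (!NT_STATUS_IS_OK(ret)) {
			DEBUG(0,("Failed to register '%s' gensec backend!\n",
				 ops[i]->name));
			return ret;
		}
	}
	/* … unchanged: remainder of gensec_gssapi_init … */
```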
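Review bot: Renaming the default from `gensec:gssapi` to `gensec:gssapi_krb5` in lp_load means an existing smb.conf that sets `gensec:gssapi = True` to enable the backend is now silently ignored, since nothing in the change maps the old key onto the new ones. With the default at False this fails closed, which is the right direction for a backend the commit message calls off by default, but the rename is invisible to anyone reading only the config. A one-line comment at the new defaults, `/* gensec:gssapi was split into gssapi_krb5 and gssapi_spnego in r4494 */`, or a mention in the commit message, would record it.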