From f722b0743811a4a5caf5288fa901cc8f683b9ffd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 8 Nov 2006 01:48:35 +0000
Subject: r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement. Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
---
source4/auth/gensec/gensec_gssapi.c | 6 +-
source4/auth/gensec/gensec_krb5.c | 69 ++++++++++++---------
source4/auth/kerberos/config.mk | 2 +-
source4/auth/kerberos/kerberos_heimdal.c | 101 ++++++++++++++++++++++++++++++
source4/auth/kerberos/kerberos_verify.c | 102 -------------------------------
5 files changed, 146 insertions(+), 134 deletions(-)
create mode 100644 source4/auth/kerberos/kerberos_heimdal.c
delete mode 100644 source4/auth/kerberos/kerberos_verify.c
(limited to 'source4/auth')
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 9f796dc9d1..7094692fb2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1123,9 +1123,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_OK; }
- maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &subkey);
+ maj_stat = gsskrb5_get_subkey(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &subkey); if (maj_stat != 0) { DEBUG(1, ("NO session key for this mech\n")); return NT_STATUS_NO_USER_SESSION_KEY;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 66d2801520..044c7df1de 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
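Review bot: The switch from gsskrb5_get_initiator_subkey to gsskrb5_get_subkey changes which key gensec_gssapi_session_key hands to its callers, and nothing in the hunk records which key that now is; presumably Heimdal returns the subkey the context settled on rather than specifically the initiator's, which matters to anything deriving signing or sealing keys from this value. A comment above the call, `/* Heimdal chooses the context subkey here; see gsskrb5_get_subkey for which one wins */`, would keep that decision visible to the next reader. The unchanged failure branch below still logs only "NO session key for this mech" without maj_stat or min_stat, so a lookup failure is indistinguishable in the logs from a mech that genuinely has no key. gensec_gssapi_session_key starts and ends outside the hunk.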
@@ -427,48 +427,61 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, { DATA_BLOB unwrapped_in; DATA_BLOB unwrapped_out = data_blob(NULL, 0); + krb5_data inbuf, outbuf; uint8_t tok_id[2]; + struct keytab_container *keytab; + krb5_principal server_in_keytab; if (!in.data) { return NT_STATUS_INVALID_PARAMETER; } + /* Grab the keytab, however generated */ + ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), &keytab); + if (ret) { + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + + /* This ensures we lookup the correct entry in that keytab */ + ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), + gensec_krb5_state->smb_krb5_context, + &server_in_keytab); + + if (ret) { + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */ if (gensec_krb5_state->gssapi && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { - nt_status = ads_verify_ticket(out_mem_ctx, - gensec_krb5_state->smb_krb5_context, - &gensec_krb5_state->auth_context, - gensec_get_credentials(gensec_security), - gensec_get_target_service(gensec_security), &unwrapped_in, - &gensec_krb5_state->ticket, &unwrapped_out, - &gensec_krb5_state->keyblock); + inbuf.data = unwrapped_in.data; + inbuf.length = unwrapped_in.length; } else { - /* TODO: check the tok_id */ - nt_status = ads_verify_ticket(out_mem_ctx, - gensec_krb5_state->smb_krb5_context, - &gensec_krb5_state->auth_context, - gensec_get_credentials(gensec_security), - gensec_get_target_service(gensec_security), - &in, - &gensec_krb5_state->ticket, &unwrapped_out, - &gensec_krb5_state->keyblock); + inbuf.data = in.data; + inbuf.length = in.length; } - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context, + &gensec_krb5_state->auth_context, + &inbuf, keytab->keytab, server_in_keytab, + &outbuf, 
+ &gensec_krb5_state->ticket, + &gensec_krb5_state->keyblock); - if (NT_STATUS_IS_OK(nt_status)) { - gensec_krb5_state->state_position = GENSEC_KRB5_DONE; - /* wrap that up in a nice GSS-API wrapping */ - if (gensec_krb5_state->gssapi) { - *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP); - } else { - *out = unwrapped_out; - } + if (ret) { + return NT_STATUS_LOGON_FAILURE; } - return nt_status; + unwrapped_out.data = outbuf.data; + unwrapped_out.length = outbuf.length; + gensec_krb5_state->state_position = GENSEC_KRB5_DONE; + /* wrap that up in a nice GSS-API wrapping */ + if (gensec_krb5_state->gssapi) { + *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP); + } else { + *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length); + } + krb5_data_free(&outbuf); + return NT_STATUS_OK; } case GENSEC_KRB5_DONE:
diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk
index 689130d567..f75fd99323 100644
--- a/source4/auth/kerberos/config.mk
+++ b/source4/auth/kerberos/config.mk
@@ -4,7 +4,7 @@ PRIVATE_PROTO_HEADER = proto.h OBJ_FILES = kerberos.o \
clikrb5.o \
- kerberos_verify.o \
+ kerberos_heimdal.o \
kerberos_util.o \
kerberos_pac.o \
gssapi_parse.o \
diff --git a/source4/auth/kerberos/kerberos_heimdal.c b/source4/auth/kerberos/kerberos_heimdal.c
new file mode 100644
index 0000000000..f669d0f2f4
--- /dev/null
+++ b/source4/auth/kerberos/kerberos_heimdal.c
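Review bot: The `/* TODO: check the tok_id */` reminder is dropped from the else branch, but the new code still never examines tok_id after gensec_gssapi_parse_krb5_wrap fills it, so a GSSAPI-wrapped token whose id is not the AP-REQ id is handed to smb_rd_req_return_stuff as if it were one; either keep the comment or reject the mismatch in the wrapped branch before building inbuf, `if (memcmp(tok_id, TOK_ID_KRB_AP_REQ, 2) != 0) { return NT_STATUS_INVALID_PARAMETER; }`, the AP-REQ counterpart of the TOK_ID_KRB_AP_REP already used when wrapping the reply. The `if (ret) { return NT_STATUS_LOGON_FAILURE; }` after smb_rd_req_return_stuff also loses the DEBUG(3, ...) line that ads_verify_ticket printed through smb_get_krb5_error_message, so a keytab-lookup or decrypt failure now leaves nothing in the log to separate a wrong key from a bad principal or clock skew; a DEBUG(3, ...) call printing smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx) before that return keeps the failure diagnosable. `ret` is assigned here without a declaration in the hunk, so it presumably lives at the top of gensec_krb5_update, which starts and ends outside the hunk.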
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* This file for code taken from the Heimdal code, to preserve licence */
+/* Modified by Andrew Bartlett */
+
+#include "includes.h"
+#include "system/kerberos.h"
+
+/* Taken from accept_sec_context.c,v 1.65 */
+krb5_error_code smb_rd_req_return_stuff(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_data *inbuf,
+ krb5_keytab keytab,
+ krb5_principal acceptor_principal,
+ krb5_data *outbuf,
+ krb5_ticket **ticket,
+ krb5_keyblock **keyblock)
+{
+ krb5_rd_req_in_ctx in = NULL;
+ krb5_rd_req_out_ctx out = NULL;
+ krb5_error_code kret;
+
+ *keyblock = NULL;
+ *ticket = NULL;
+ outbuf->length = 0;
+ outbuf->data = NULL;
+
+ kret = krb5_rd_req_in_ctx_alloc(context, &in);
+ if (kret == 0)
+ kret = krb5_rd_req_in_set_keytab(context, in, keytab);
+ if (kret) {
+ if (in)
+ krb5_rd_req_in_ctx_free(context, in);
+ return kret;
+ }
+
+ kret = krb5_rd_req_ctx(context,
+ auth_context,
+ inbuf,
+ acceptor_principal,
+ in, &out);
+ krb5_rd_req_in_ctx_free(context, in);
+ if (kret) {
+ return kret;
+ }
+
+ /*
+ * We need to remember some data on the context_handle.
+ */
+ kret = krb5_rd_req_out_get_ticket(context, out,
+ ticket);
+ if (kret == 0) {
+ kret = krb5_rd_req_out_get_keyblock(context, out,
+ keyblock);
+ }
+ krb5_rd_req_out_ctx_free(context, out);
+
+ if (kret == 0) {
+ kret = krb5_mk_rep(context, *auth_context, outbuf);
+ }
+
+ if (kret) {
+ krb5_free_ticket(context, *ticket);
+ krb5_free_keyblock(context, *keyblock);
+ krb5_data_free(outbuf);
+ }
+
+ return kret;
+}
+
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c
deleted file mode 100644
index 2111e22aa3..0000000000
--- a/source4/auth/kerberos/kerberos_verify.c
+++ /dev/null
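Review bot: The error path at the end of smb_rd_req_return_stuff frees `*ticket` and `*keyblock` unconditionally, yet both are still NULL when krb5_rd_req_out_get_ticket or the keyblock fetch is what failed, and after the frees the out-parameters are left pointing at released memory; krb5_free_ticket in the Heimdal sources I know dereferences its argument without a NULL check, and gensec_krb5_update stores these pointers straight into gensec_krb5_state, so a failed krb5_mk_rep leaves the state holding a freed ticket and keyblock for whatever teardown runs later. Guard each free on the pointer and reset it to NULL afterwards, so that on failure the out-parameters honour the `*keyblock = NULL; *ticket = NULL;` contract the function establishes at the top. The `/* Taken from accept_sec_context.c,v 1.65 */` header should also say what the function does: verify an AP-REQ in inbuf against keytab and acceptor_principal, return the ticket, its keyblock and the AP-REP in outbuf, with ownership of all three passing to the caller on success and nothing owned by the caller on failure. The deleted kerberos_verify.c carried a TODO about wiring a replay cache into this path; that gap persists in the new file and deserves a comment here rather than vanishing with the old one.
```c
	if (kret) {
		/* undo the partial success so the caller never sees
		 * out-parameters that point at freed memory */
		if (*ticket) {
			krb5_free_ticket(context, *ticket);
			*ticket = NULL;
		}
		if (*keyblock) {
			krb5_free_keyblock(context, *keyblock);
			*keyblock = NULL;
		}
		krb5_data_free(outbuf);
	}
	/* … unchanged: return kret … */
```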
@@ -1,102 +0,0 @@ -/* - Unix SMB/CIFS implementation. - kerberos utility library - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Remus Koos 2001 - Copyright (C) Luke Howard 2003 - Copyright (C) Guenther Deschner 2003 - Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003 - Copyright (C) Andrew Bartlett 2004-2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" -#include "system/kerberos.h" -#include "auth/kerberos/kerberos.h" -#include "auth/credentials/credentials.h" -#include "auth/credentials/credentials_krb5.h" - -/********************************************************************************** - Verify an incoming ticket and parse out the principal name and - authorization_data if available. 
-***********************************************************************************/ - - NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, - struct smb_krb5_context *smb_krb5_context, - krb5_auth_context *auth_context, - struct cli_credentials *machine_account, - const char *service, - const DATA_BLOB *enc_ticket, - krb5_ticket **tkt, - DATA_BLOB *ap_rep, - krb5_keyblock **keyblock) -{ - krb5_keyblock *local_keyblock; - krb5_data packet; - int ret; - krb5_flags ap_req_options = 0; - krb5_principal server; - krb5_data packet_out; - - struct keytab_container *keytab_container; - - /* - * TODO: Actually hook in the replay cache in Heimdal, then - * re-add calls to setup a replay cache here, in our private - * directory. This will eventually prevent replay attacks - */ - - packet.length = enc_ticket->length; - packet.data = (krb5_pointer)enc_ticket->data; - - /* Grab the keytab, however generated */ - ret = cli_credentials_get_keytab(machine_account, &keytab_container); - if (ret) { - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - - /* This ensures we lookup the correct entry in that keytab */ - ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, - &server); - if (ret == 0) { - ret = krb5_rd_req_return_keyblock(smb_krb5_context->krb5_context, auth_context, &packet, - server, - keytab_container->keytab, &ap_req_options, tkt, - &local_keyblock); - } - - if (ret) { - DEBUG(3,("ads_secrets_verify_ticket: failed to decrypt with error %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); - return NT_STATUS_LOGON_FAILURE; - } - *keyblock = local_keyblock; - - - ret = krb5_mk_rep(smb_krb5_context->krb5_context, *auth_context, &packet_out); - if (ret) { - krb5_free_ticket(smb_krb5_context->krb5_context, *tkt); - - DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); - return NT_STATUS_LOGON_FAILURE; - } - - *ap_rep 
= data_blob_talloc(mem_ctx, packet_out.data, packet_out.length); - krb5_free_data_contents(smb_krb5_context->krb5_context, &packet_out); - - return NT_STATUS_OK; -} -- cgit