svn commit: samba r19650 - in branches/SAMBA_4_0/source:
auth/gensec heimdal/lib/gssapi/mech heimdal_build
abartlet at samba.org
abartlet at samba.org
Fri Nov 10 02:44:39 GMT 2006
Author: abartlet
Date: 2006-11-10 02:44:38 +0000 (Fri, 10 Nov 2006)
New Revision: 19650
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19650
Log:
Allow Samba to use Heimdal's SPNEGO code. Currently this can only
negotiate krb5, but if this works, I'll add NTLM as a GSSAPI backend
by some means or other.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_mech_switch.c
branches/SAMBA_4_0/source/heimdal_build/config.mk
Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-11-10 02:41:00 UTC (rev 19649)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-11-10 02:44:38 UTC (rev 19650)
@@ -190,7 +190,7 @@
gensec_gssapi_state->want_flags |= GSS_C_DCE_STYLE;
}
- gensec_gssapi_state->gss_oid = gss_mech_krb5;
+ gensec_gssapi_state->gss_oid = GSS_C_NULL_OID;
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = gensec_security->event_ctx;
@@ -308,6 +308,8 @@
gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
+ gensec_gssapi_state->gss_oid = gss_mech_krb5;
+
principal = gensec_get_target_principal(gensec_security);
if (principal && lp_client_use_spnego_principal()) {
name_token.value = discard_const_p(uint8_t, principal);
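Review bot: The initiator still pins `gensec_gssapi_state->gss_oid` to `gss_mech_krb5` here, and the new `gssapi_spnego` backend later in this commit reuses `gensec_gssapi_client_start`, so a client started through that backend presumably still asks gss_init_sec_context for krb5 directly rather than for the SPNEGO mechanism; the mech_type argument actually passed to gss_init_sec_context is outside this hunk, so this is inferred. If so, the new backend advertises `GENSEC_OID_SPNEGO` while emitting unwrapped krb5 tokens as an initiator, which a peer selecting it by OID will not expect. Either pick the mechanism from the ops the context was started with, or record the limitation next to this line with a comment such as `/* Initiator always requests krb5 directly; SPNEGO is only handled on the acceptor side for now */`. gensec_gssapi_client_start begins and ends outside the hunk.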
@@ -408,7 +410,7 @@
OM_uint32 maj_stat, min_stat;
OM_uint32 min_stat2;
gss_buffer_desc input_token, output_token;
- gss_OID gss_oid_p;
+ gss_OID gss_oid_p = NULL;
input_token.length = in.length;
input_token.value = in.data;
@@ -427,10 +429,13 @@
0,
gensec_gssapi_state->input_chan_bindings,
&input_token,
- NULL,
+ &gss_oid_p,
&output_token,
&gensec_gssapi_state->got_flags, /* ret flags */
NULL);
+ if (gss_oid_p) {
+ gensec_gssapi_state->gss_oid = gss_oid_p;
+ }
break;
}
case GENSEC_SERVER:
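Review bot: The `if (gss_oid_p)` assignment added at the end of the client arm is repeated verbatim in the server arm of the same switch in the next hunk. Since `gss_oid_p` is initialised to NULL in the declaration hunk above, both copies can collapse into a single `if (gss_oid_p) { gensec_gssapi_state->gss_oid = gss_oid_p; }` placed after the switch; with `gss_oid_p` still NULL in any other arm the guard is a no-op, so behaviour is unchanged. This is a point of style only. The enclosing gensec_gssapi_update body starts and continues outside the hunk.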
@@ -446,7 +451,9 @@
&gensec_gssapi_state->got_flags,
NULL,
&gensec_gssapi_state->delegated_cred_handle);
- gensec_gssapi_state->gss_oid = gss_oid_p;
+ if (gss_oid_p) {
+ gensec_gssapi_state->gss_oid = gss_oid_p;
+ }
break;
}
default:
@@ -502,9 +509,7 @@
gss_release_buffer(&min_stat2, &output_token);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
- } else if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
- gensec_gssapi_state->gss_oid->length) == 0)) {
+ } else if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
switch (min_stat) {
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require: %s\n",
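Review bot: This comparison can now run with `gensec_gssapi_state->gss_oid == GSS_C_NULL_OID`: the first hunk initialises it to GSS_C_NULL_OID, the server arm only overwrites it when the acceptor handed back a mechanism, and this `else if` is the failure branch, where `gss_oid_p` may well still be NULL. Replacing the direct `->length` dereference with `gss_oid_equal()` therefore only removes the NULL dereference if Heimdal's gss_oid_equal tolerates GSS_C_NO_OID on either side; confirm that before relying on it, and note the same applies to the have_feature comparison in the hunk below. If it does not, guard both sites with `gensec_gssapi_state->gss_oid && gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)`. The enclosing function starts outside the hunk.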
@@ -1107,8 +1112,7 @@
}
if (feature & GENSEC_FEATURE_SESSION_KEY) {
/* Only for GSSAPI/Krb5 */
- if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) {
+ if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
return True;
}
}
@@ -1354,7 +1358,36 @@
NULL
};
+static const char *gensec_gssapi_spnego_oids[] = {
+ GENSEC_OID_SPNEGO,
+ NULL
+};
+
/* As a server, this could in theory accept any GSSAPI mech */
+static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
+ .name = "gssapi_spnego",
+ .sasl_name = "GSS-SPNEGO",
+ .auth_type = DCERPC_AUTH_TYPE_SPNEGO,
+ .oid = gensec_gssapi_spnego_oids,
+ .client_start = gensec_gssapi_client_start,
+ .server_start = gensec_gssapi_server_start,
+ .magic = gensec_gssapi_magic,
+ .update = gensec_gssapi_update,
+ .session_key = gensec_gssapi_session_key,
+ .session_info = gensec_gssapi_session_info,
+ .sign_packet = gensec_gssapi_sign_packet,
+ .check_packet = gensec_gssapi_check_packet,
+ .seal_packet = gensec_gssapi_seal_packet,
+ .unseal_packet = gensec_gssapi_unseal_packet,
+ .wrap = gensec_gssapi_wrap,
+ .unwrap = gensec_gssapi_unwrap,
+ .have_feature = gensec_gssapi_have_feature,
+ .enabled = False,
+ .kerberos = True,
+ .priority = GENSEC_GSSAPI
+};
+
+/* As a server, this could in theory accept any GSSAPI mech */
static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
.name = "gssapi_krb5",
.auth_type = DCERPC_AUTH_TYPE_KRB5,
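Review bot: The new `gensec_gssapi_spnego_security_ops` claims `GENSEC_OID_SPNEGO` with `.enabled = False`, and nothing in the hunk says why it is off by default; presumably it shares that OID with Samba's native SPNEGO gensec backend, so enabling both would make backend selection for that OID depend on registration order and `.priority`, which here is the same `GENSEC_GSSAPI` value as the krb5 ops. A comment on the struct would record the intent, e.g. `/* SPNEGO via Heimdal's mech switch; off by default because it claims the same OID as the native spnego backend */`. The comment "As a server, this could in theory accept any GSSAPI mech" was copied so that it now heads both entries and no longer distinguishes them; it reads as accurate for the SPNEGO entry and should be reworded or dropped above the krb5-only one. Whether `gensec_gssapi_magic`, now shared by both backends, recognises a SPNEGO NegTokenInit as well as a krb5 token is not visible here and is worth checking before this backend is enabled.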
@@ -1400,6 +1433,13 @@
{
NTSTATUS ret;
+ ret = gensec_register(&gensec_gssapi_spnego_security_ops);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
+ gensec_gssapi_spnego_security_ops.name));
+ return ret;
+ }
+
ret = gensec_register(&gensec_gssapi_krb5_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_accept_sec_context.c 2006-11-10 02:41:00 UTC (rev 19649)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_accept_sec_context.c 2006-11-10 02:44:38 UTC (rev 19650)
@@ -72,10 +72,11 @@
/*
* Token must start with [APPLICATION 0] SEQUENCE.
* But if it doesn't assume its DCE-STYLE Kerberos!
+ * And if it's not there at all, then we are requesting a mech list from SPNEGO
*/
- if (len == 0)
- return (GSS_S_DEFECTIVE_TOKEN);
- if (*p != 0x60) {
+ if (len == 0) {
+ mech_oid = *GSS_SPNEGO_MECHANISM;
+ } else if (*p != 0x60) {
mech_oid = *GSS_KRB5_MECHANISM;
} else {
p++;
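Review bot: An empty input token is no longer rejected with GSS_S_DEFECTIVE_TOKEN; it is now dispatched to the SPNEGO mechanism for every caller of the mech-switch acceptor, so SPNEGO's own accept_sec_context must cope with a zero-length token, and the mechanism lookup that follows `mech_oid` (outside the hunk) must fail closed when SPNEGO is not registered. If this parse is not already confined to a new context (its enclosing condition is outside the hunk), keep the old rejection for continuation rounds: `if (len == 0 && *context_handle == GSS_C_NO_CONTEXT) { mech_oid = *GSS_SPNEGO_MECHANISM; } else if (len == 0) { return (GSS_S_DEFECTIVE_TOKEN); } else if (*p != 0x60) {`. The new comment line would also be clearer as `* An empty token is treated as a request for the SPNEGO mechanism list.`, which states the contract rather than the intent.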
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_mech_switch.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_mech_switch.c 2006-11-10 02:41:00 UTC (rev 19649)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/mech/gss_mech_switch.c 2006-11-10 02:44:38 UTC (rev 19650)
@@ -213,9 +213,7 @@
}
add_builtin(__gss_krb5_initialize());
-#ifndef _SAMBA_BUILD_
add_builtin(__gss_spnego_initialize());
-#endif
fp = fopen(_PATH_GSS_MECH, "r");
if (!fp) {
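Review bot: Removing the `#ifndef _SAMBA_BUILD_` guard makes SPNEGO a built-in mechanism of the switch unconditionally, and as on the krb5 line above the result of `add_builtin()` is not inspected, so a failure there would silently leave SPNEGO unregistered while the new empty-token path in gss_accept_sec_context now depends on it being present. If add_builtin reports failure through its return value (not visible here), make that observable, e.g. `if (add_builtin(__gss_spnego_initialize()) != 0) { /* log or fail: SPNEGO acceptor path depends on this */ }`; the existing krb5 call has the same gap. The enclosing function starts outside the hunk.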
Modified: branches/SAMBA_4_0/source/heimdal_build/config.mk
===================================================================
--- branches/SAMBA_4_0/source/heimdal_build/config.mk 2006-11-10 02:41:00 UTC (rev 19649)
+++ branches/SAMBA_4_0/source/heimdal_build/config.mk 2006-11-10 02:44:38 UTC (rev 19650)
@@ -122,6 +122,18 @@
../heimdal/lib/gssapi/mech/gss_release_name.o \
../heimdal/lib/gssapi/mech/gss_set_cred_option.o \
../heimdal/lib/gssapi/mech/asn1_GSSAPIContextToken.o \
+ ../heimdal/lib/gssapi/spnego/init_sec_context.o \
+ ../heimdal/lib/gssapi/spnego/external.o \
+ ../heimdal/lib/gssapi/spnego/compat.o \
+ ../heimdal/lib/gssapi/spnego/context_stubs.o \
+ ../heimdal/lib/gssapi/spnego/cred_stubs.o \
+ ../heimdal/lib/gssapi/spnego/accept_sec_context.o \
+ ../heimdal/lib/gssapi/spnego/asn1_ContextFlags.o \
+ ../heimdal/lib/gssapi/spnego/asn1_MechType.o \
+ ../heimdal/lib/gssapi/spnego/asn1_MechTypeList.o \
+ ../heimdal/lib/gssapi/spnego/asn1_NegHints.o \
+ ../heimdal/lib/gssapi/spnego/asn1_NegTokenInit.o \
+ ../heimdal/lib/gssapi/spnego/asn1_NegTokenResp.o \
../heimdal/lib/gssapi/krb5/copy_ccache.o \
../heimdal/lib/gssapi/krb5/delete_sec_context.o \
../heimdal/lib/gssapi/krb5/init_sec_context.o \