[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Apr 19 21:18:02 MDT 2011
The branch, master has been updated
via 6f846dd lib/util/charset Always set *converted_size even on failure
via 79e6fea lib/util/charset create _handle functions for convert_string() et al
via f28f5db libcli/auth Move PAC parsing and verification in common.
via 0e5482c libcli/auth: Move more kerberos wrapping in common
via 3a2afe4 s3-gse: Allow the GSSAPI wrapper to load a keytab using gss_krb5_import_cred()
from 1804d9a tdb_backup: avoid transaction on backup file, use lockall
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6f846ddf3213c825b676f770b5c8c053066ec4c7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 14 17:22:53 2011 +1000
lib/util/charset Always set *converted_size even on failure
The caller may wish to inspect the partially converted string.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Wed Apr 20 05:17:48 CEST 2011 on sn-devel-104
commit 79e6fea77443099a6ebe4a2e3bbf606cd444341d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Apr 12 14:36:17 2011 +1000
lib/util/charset create _handle functions for convert_string() et al
This is now API compatible with the existing code in lib/util/charset
lazy_initialize_conv() is no longer called as init_iconv() is called
when the smb.conf is processed, and get_conv_handle() will auto-init
with defaults if required.
load_case_tables_library() is no longer requried as all binaries and
libraries already load these in their entry points, as otherwise all
the other string functions would fail.
Andrew Bartlett
commit f28f5db15a4bcf4c838ee6e4c6ef82c6b9dbd938
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 20 12:05:27 2011 +1000
libcli/auth Move PAC parsing and verification in common.
This uses the source3 PAC code (originally from Samba4) with some
small changes to restore functionality needed by the torture tests,
and to have a common API.
Andrew Bartlett
commit 0e5482c791b9d99a44ca62323aa4dedbbf8d188e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 20 12:03:48 2011 +1000
libcli/auth: Move more kerberos wrapping in common
These functions are required to get the krb5 PAC parsing and
verfication in common.
Andrew Bartlett
commit 3a2afe4285fca8ab9e3e323ef7f5388f4090d669
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Apr 16 08:50:53 2011 +1000
s3-gse: Allow the GSSAPI wrapper to load a keytab using gss_krb5_import_cred()
This Heimdal function does not set the global state, and allows the
GSSAPI server to progress further when compiled against Heimdal (such
as in the top level build).
The ability to specify a keytab has been removed from the API as it is
unused, and and the Heimdal function (avoiding setting global
variables) works with an open keytab.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
lib/util/charset/convert_string.c | 121 ++++++--
.../authdata.c => libcli/auth/kerberos_pac.c | 195 ++----------
libcli/auth/krb5_wrap.c | 207 +++++++++++++-
libcli/auth/krb5_wrap.h | 39 +++
libcli/auth/wscript_build | 4 +-
source3/Makefile.in | 2 +-
source3/configure.in | 1 +
source3/include/krb5_protos.h | 15 -
source3/include/proto.h | 1 -
source3/lib/charcnv.c | 12 -
source3/libads/authdata.c | 317 -------------------
source3/libads/kerberos_verify.c | 6 +-
source3/librpc/crypto/gse.c | 50 ++--
source3/librpc/crypto/gse.h | 1 -
source3/libsmb/clikrb5.c | 228 --------------
source3/rpc_server/dcesrv_gssapi.c | 2 +-
source3/wscript | 2 +-
source3/wscript_build | 2 +-
source4/auth/gensec/gensec_krb5.c | 4 +-
source4/auth/kerberos/kerberos.h | 27 +--
source4/auth/kerberos/kerberos_pac.c | 324 +-------------------
source4/torture/auth/pac.c | 23 +-
22 files changed, 430 insertions(+), 1153 deletions(-)
copy source3/libads/authdata.c => libcli/auth/kerberos_pac.c (68%)
Changeset truncated at 500 lines:
diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
index 86bb625..e51add2 100644
--- a/lib/util/charset/convert_string.c
+++ b/lib/util/charset/convert_string.c
@@ -54,19 +54,17 @@
*
**/
-static bool convert_string_internal(charset_t from, charset_t to,
- void const *src, size_t srclen,
- void *dest, size_t destlen, size_t *converted_size)
+static bool convert_string_internal(struct smb_iconv_handle *ic,
+ charset_t from, charset_t to,
+ void const *src, size_t srclen,
+ void *dest, size_t destlen, size_t *converted_size)
{
size_t i_len, o_len;
size_t retval;
const char* inbuf = (const char*)src;
char* outbuf = (char*)dest;
smb_iconv_t descriptor;
- struct smb_iconv_handle *ic;
- lazy_initialize_conv();
- ic = get_iconv_handle();
descriptor = get_conv_handle(ic, from, to);
if (srclen == (size_t)-1) {
@@ -87,11 +85,9 @@ static bool convert_string_internal(charset_t from, charset_t to,
o_len=destlen;
retval = smb_iconv(descriptor, &inbuf, &i_len, &outbuf, &o_len);
- if (retval == (size_t)-1) {
- return false;
- }
*converted_size = destlen-o_len;
- return true;
+
+ return (retval != (size_t)-1);
}
/**
@@ -112,10 +108,11 @@ static bool convert_string_internal(charset_t from, charset_t to,
* Don't change unless you really know what you are doing. JRA.
**/
-bool convert_string_error(charset_t from, charset_t to,
- void const *src, size_t srclen,
- void *dest, size_t destlen,
- size_t *converted_size)
+bool convert_string_error_handle(struct smb_iconv_handle *ic,
+ charset_t from, charset_t to,
+ void const *src, size_t srclen,
+ void *dest, size_t destlen,
+ size_t *converted_size)
{
/*
* NB. We deliberately don't do a strlen here if srclen == -1.
@@ -155,7 +152,7 @@ bool convert_string_error(charset_t from, charset_t to,
#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
goto general_case;
#else
- bool ret = convert_string_internal(from, to, p, slen, q, dlen, converted_size);
+ bool ret = convert_string_internal(ic, from, to, p, slen, q, dlen, converted_size);
*converted_size += retval;
return ret;
#endif
@@ -197,7 +194,7 @@ bool convert_string_error(charset_t from, charset_t to,
#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
goto general_case;
#else
- bool ret = convert_string_internal(from, to, p, slen, q, dlen, converted_size);
+ bool ret = convert_string_internal(ic, from, to, p, slen, q, dlen, converted_size);
*converted_size += retval;
return ret;
#endif
@@ -239,7 +236,7 @@ bool convert_string_error(charset_t from, charset_t to,
#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
goto general_case;
#else
- bool ret = convert_string_internal(from, to, p, slen, q, dlen, converted_size);
+ bool ret = convert_string_internal(ic, from, to, p, slen, q, dlen, converted_size);
*converted_size += retval;
return ret;
#endif
@@ -262,15 +259,16 @@ bool convert_string_error(charset_t from, charset_t to,
#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
general_case:
#endif
- return convert_string_internal(from, to, src, srclen, dest, destlen, converted_size);
+ return convert_string_internal(ic, from, to, src, srclen, dest, destlen, converted_size);
}
-bool convert_string(charset_t from, charset_t to,
- void const *src, size_t srclen,
- void *dest, size_t destlen,
- size_t *converted_size)
+bool convert_string_handle(struct smb_iconv_handle *ic,
+ charset_t from, charset_t to,
+ void const *src, size_t srclen,
+ void *dest, size_t destlen,
+ size_t *converted_size)
{
- bool ret = convert_string_error(from, to, src, srclen, dest, destlen, converted_size);
+ bool ret = convert_string_error_handle(ic, from, to, src, srclen, dest, destlen, converted_size);
if(ret==false) {
const char *reason="unknown error";
@@ -282,10 +280,6 @@ bool convert_string(charset_t from, charset_t to,
break;
case E2BIG:
{
- struct smb_iconv_handle *ic;
- lazy_initialize_conv();
- ic = get_iconv_handle();
-
reason="No more room";
if (from == CH_UNIX) {
DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s'\n",
@@ -331,9 +325,10 @@ bool convert_string(charset_t from, charset_t to,
* I hate the goto's in this function. It's embarressing.....
* There has to be a cleaner way to do this. JRA.
*/
-bool convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to,
- void const *src, size_t srclen, void *dst,
- size_t *converted_size)
+bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
+ charset_t from, charset_t to,
+ void const *src, size_t srclen, void *dst,
+ size_t *converted_size)
{
size_t i_len, o_len, destlen = (srclen * 3) / 2;
@@ -342,7 +337,6 @@ bool convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to,
char *outbuf = NULL, *ob = NULL;
smb_iconv_t descriptor;
void **dest = (void **)dst;
- struct smb_iconv_handle *ic;
*dest = NULL;
@@ -371,8 +365,6 @@ bool convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to,
return true;
}
- lazy_initialize_conv();
- ic = get_iconv_handle();
descriptor = get_conv_handle(ic, from, to);
if (descriptor == (smb_iconv_t)-1 || descriptor == (smb_iconv_t)0) {
@@ -465,3 +457,66 @@ bool convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to,
*converted_size = destlen;
return true;
}
+
+/**
+ * Convert string from one encoding to another, making error checking etc
+ *
+ * @param src pointer to source string (multibyte or singlebyte)
+ * @param srclen length of the source string in bytes
+ * @param dest pointer to destination string (multibyte or singlebyte)
+ * @param destlen maximal length allowed for string
+ * @param converted_size the number of bytes occupied in the destination
+ *
+ * @returns true on success, false on fail.
+ **/
+_PUBLIC_ bool convert_string(charset_t from, charset_t to,
+ void const *src, size_t srclen,
+ void *dest, size_t destlen,
+ size_t *converted_size)
+{
+ return convert_string_handle(get_iconv_handle(), from, to,
+ src, srclen,
+ dest, destlen, converted_size);
+}
+
+/**
+ * Convert string from one encoding to another, making error checking etc
+ *
+ * @param src pointer to source string (multibyte or singlebyte)
+ * @param srclen length of the source string in bytes
+ * @param dest pointer to destination string (multibyte or singlebyte)
+ * @param destlen maximal length allowed for string
+ * @param converted_size the number of bytes occupied in the destination
+ *
+ * @returns true on success, false on fail.
+ **/
+_PUBLIC_ bool convert_string_error(charset_t from, charset_t to,
+ void const *src, size_t srclen,
+ void *dest, size_t destlen,
+ size_t *converted_size)
+{
+ return convert_string_error_handle(get_iconv_handle(), from, to,
+ src, srclen,
+ dest, destlen, converted_size);
+}
+
+/**
+ * Convert between character sets, allocating a new buffer using talloc for the result.
+ *
+ * @param srclen length of source buffer.
+ * @param dest always set at least to NULL
+ * @param converted_size Size in bytes of the converted string
+ * @note -1 is not accepted for srclen.
+ *
+ * @returns boolean indication whether the conversion succeeded
+ **/
+
+_PUBLIC_ bool convert_string_talloc(TALLOC_CTX *ctx,
+ charset_t from, charset_t to,
+ void const *src, size_t srclen,
+ void *dest, size_t *converted_size)
+{
+ return convert_string_talloc_handle(ctx, get_iconv_handle(),
+ from, to, src, srclen, dest,
+ converted_size);
+}
diff --git a/source3/libads/authdata.c b/libcli/auth/kerberos_pac.c
similarity index 68%
copy from source3/libads/authdata.c
copy to libcli/auth/kerberos_pac.c
index 0d877dd..6a41eb1 100644
--- a/source3/libads/authdata.c
+++ b/libcli/auth/kerberos_pac.c
@@ -23,20 +23,16 @@
*/
#include "includes.h"
-#include "librpc/gen_ndr/ndr_krb5pac.h"
-#include "smb_krb5.h"
-#include "libads/kerberos_proto.h"
-
#ifdef HAVE_KRB5
-/****************************************************************
-****************************************************************/
+#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "libcli/auth/krb5_wrap.h"
-static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
+krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
DATA_BLOB pac_data,
struct PAC_SIGNATURE_DATA *sig,
krb5_context context,
- krb5_keyblock *keyblock)
+ const krb5_keyblock *keyblock)
{
krb5_error_code ret;
krb5_checksum cksum;
@@ -81,13 +77,14 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
*
* @return - A NTSTATUS error code
*/
-NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
- DATA_BLOB *pac_data_blob,
- krb5_context context,
- krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_DATA **pac_data_out)
+NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ DATA_BLOB pac_data_blob,
+ krb5_context context,
+ const krb5_keyblock *krbtgt_keyblock,
+ const krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_DATA **pac_data_out)
{
NTSTATUS status;
enum ndr_err_code ndr_err;
@@ -114,15 +111,15 @@ NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
*pac_data_out = NULL;
- pac_data = TALLOC_ZERO_P(mem_ctx, struct PAC_DATA);
- pac_data_raw = TALLOC_ZERO_P(mem_ctx, struct PAC_DATA_RAW);
- kdc_sig_wipe = TALLOC_ZERO_P(mem_ctx, struct PAC_SIGNATURE_DATA);
- srv_sig_wipe = TALLOC_ZERO_P(mem_ctx, struct PAC_SIGNATURE_DATA);
+ pac_data = talloc(mem_ctx, struct PAC_DATA);
+ pac_data_raw = talloc(mem_ctx, struct PAC_DATA_RAW);
+ kdc_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ srv_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
return NT_STATUS_NO_MEMORY;
}
- ndr_err = ndr_pull_struct_blob(pac_data_blob, pac_data, pac_data,
+ ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
@@ -138,7 +135,7 @@ NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
}
ndr_err = ndr_pull_struct_blob(
- pac_data_blob, pac_data_raw, pac_data_raw,
+ &pac_data_blob, pac_data_raw, pac_data_raw,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
@@ -293,6 +290,18 @@ NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCESS_DENIED;
}
+ if (krbtgt_keyblock) {
+ /* verify the service key checksum by krbtgt_key */
+ ret = check_pac_checksum(mem_ctx,
+ srv_sig_ptr->signature, kdc_sig_ptr,
+ context, krbtgt_keyblock);
+ if (ret) {
+ DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
/* Convert to NT time, so as not to loose accuracy in comparison */
unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
@@ -346,148 +355,4 @@ NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-/****************************************************************
-Given a username, password and other details, return the
-PAC_LOGON_INFO (the structure containing the important user
-information such as groups).
-****************************************************************/
-
-NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct PAC_LOGON_INFO **logon_info)
-{
- krb5_error_code ret;
- NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB tkt, ap_rep, sesskey1, sesskey2;
- char *client_princ_out = NULL;
- const char *auth_princ = NULL;
- const char *local_service = NULL;
- const char *cc = "MEMORY:kerberos_return_pac";
-
- ZERO_STRUCT(tkt);
- ZERO_STRUCT(ap_rep);
- ZERO_STRUCT(sesskey1);
- ZERO_STRUCT(sesskey2);
-
- if (!name || !pass) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (cache_name) {
- cc = cache_name;
- }
-
- if (!strchr_m(name, '@')) {
- auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
- lp_realm());
- } else {
- auth_princ = name;
- }
- NT_STATUS_HAVE_NO_MEMORY(auth_princ);
-
- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
- global_myname(), lp_realm());
- NT_STATUS_HAVE_NO_MEMORY(local_service);
-
- ret = kerberos_kinit_password_ext(auth_princ,
- pass,
- time_offset,
- expire_time,
- renew_till_time,
- cc,
- request_pac,
- add_netbios_addr,
- renewable_time,
- &status);
- if (ret) {
- DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
- auth_princ, error_message(ret), ret));
- /* status already set */
- goto out;
- }
-
- DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
- if (expire_time) {
- DEBUGADD(10,("\tvalid until: %s (%d)\n",
- http_timestring(talloc_tos(), *expire_time),
- (int)*expire_time));
- }
- if (renew_till_time) {
- DEBUGADD(10,("\trenewable till: %s (%d)\n",
- http_timestring(talloc_tos(), *renew_till_time),
- (int)*renew_till_time));
- }
-
- /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
- * in that case fallback to NTLM - gd */
-
- if (expire_time && renew_till_time &&
- (*expire_time == 0) && (*renew_till_time == 0)) {
- return NT_STATUS_INVALID_LOGON_TYPE;
- }
-
- ret = cli_krb5_get_ticket(mem_ctx,
- local_service,
- time_offset,
- &tkt,
- &sesskey1,
- 0,
- cc,
- NULL,
- impersonate_princ_s);
- if (ret) {
- DEBUG(1,("failed to get ticket for %s: %s\n",
- local_service, error_message(ret)));
- if (impersonate_princ_s) {
- DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n",
- impersonate_princ_s));
- }
- status = krb5_to_nt_status(ret);
- goto out;
- }
- status = ads_verify_ticket(mem_ctx,
- lp_realm(),
- time_offset,
- &tkt,
- &client_princ_out,
- logon_info,
- &ap_rep,
- &sesskey2,
- False);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1,("ads_verify_ticket failed: %s\n",
- nt_errstr(status)));
- goto out;
- }
-
- if (!*logon_info) {
- DEBUG(1,("no PAC\n"));
- status = NT_STATUS_INVALID_PARAMETER;
- goto out;
- }
-
-out:
- if (cc != cache_name) {
- ads_kdestroy(cc);
- }
-
- data_blob_free(&tkt);
- data_blob_free(&ap_rep);
- data_blob_free(&sesskey1);
- data_blob_free(&sesskey2);
-
- TALLOC_FREE(client_princ_out);
-
- return status;
-}
-
#endif
diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c
index 0a466fd..c69e394 100644
--- a/libcli/auth/krb5_wrap.c
+++ b/libcli/auth/krb5_wrap.c
@@ -3,7 +3,7 @@
simple kerberos5 routines for active directory
Copyright (C) Andrew Tridgell 2001
Copyright (C) Luke Howard 2002-2003
- Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005-2011
Copyright (C) Guenther Deschner 2005-2009
This program is free software; you can redistribute it and/or modify
@@ -24,6 +24,7 @@
#ifdef HAVE_KRB5
#include "libcli/auth/krb5_wrap.h"
+#include "librpc/gen_ndr/krb5pac.h"
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
int create_kerberos_key_from_string_direct(krb5_context context,
@@ -102,6 +103,210 @@ int create_kerberos_key_from_string_direct(krb5_context context,
#endif
}
+/**************************************************************
+ Wrappers around kerberos string functions that convert from
+ utf8 -> unix charset and vica versa.
+**************************************************************/
+
+/**************************************************************
--
Samba Shared Repository
More information about the samba-cvs
mailing list