[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Apr 12 07:24:04 MDT 2012


The branch, master has been updated
       via  bcc16f1 s4-libnet: split export_keytab in a separate python module to avoid pulling in HDB dependency
       via  dda0531 WAF: Add support for stopping processing before end of wscript{_*}
       via  1f1e427 clikrb5: Move pure krb wrapper functions from libads to clikrb5.
       via  46ab219 gse: Remove unnecessary header.
       via  a925c2c srv_keytab: Pass krb5_context directly, it's all we use anyways.
       via  c13c065 krb5_wrap: krb5_string_to_key / krb5_encrypt_block are deprecated.
       via  70c303a auth-krb: Move pac related util functions in a single place.
       via  3fd6ded auth-krb: Make functions static.
       via  d857e39 auth-krb: Use simpler method to extract keytype.
       via  88d5d5c auth-krb: Move oid packet check to gensec_util.
       via  f116262 s4-auth-krb: Remove dependency on credentials too.
       via  a46e465 s4-auth-krb: Remove unneded dependency on kerberos_util.
       via  aedbd6b s4-auth-krb: Simplify salt_princ handling.
       via  6de578a s4-auth-krb: Move function to db-glue.c and make it static.
       via  b226955 s4-auth-krb: Move keytab functions in a separate file.
       via  7d203f7 s4-auth-krb: Streamline and cleanup code to make it readable.
       via  23d54e7 s4-auth-krb: streamline and rename enctype functions
       via  6f7fa0b s4-auth-krb: Make kerberos_enctype_bitmap_to_enctype static.
       via  60905c8 s4-auth-krb: Make kerberos_enctype_bitmap_to_enctypes static.
       via  670dbde s4-auth-krb: Move function into more appropriate header.
       via  70f1cd6 s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.
       via  b574e7c s4-auth-krb: Make impersonate_principal_from_credentials static.
       via  93aa451 gensec_gssapi: keep private header file close to the actual code
       via  6ab0dfe krb5_wrap: remove duplicate declaration and dead ifdef
       via  c761654 s4-ldb: use KRB5_KEY macros to access key elements.
       via  011540b wafsamba: point out that local heimdal paths are not included when USING_SYSTEM_KRB5 gets set.
       via  1fedb0a waf: when USING_SYSTEM_KRB5 environment variable is set, dont configure local heimdal.
       via  d82aab6 waf: when building with system krb5, we do not need to build local heimdal.
       via  60f192a s3-waf: remove requirement of having --enable-developer for running system krb5 checks.
      from  81d1749 Remove overly complex attempt to define blkcnt_t and blksize_t. AC_CHECK_TYPE should just do it.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bcc16f191175740f200c12925b63d45478f06454
Author: Alexander Bokovoy <ab at samba.org>
Date:   Tue Apr 10 12:09:20 2012 +0300

    s4-libnet: split export_keytab in a separate python module to avoid pulling in HDB dependency
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User: Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date: Thu Apr 12 15:23:19 CEST 2012 on sn-devel-104

commit dda0531aae70e78e815fda8c594213369e76a847
Author: Alexander Bokovoy <ab at samba.org>
Date:   Tue Apr 3 11:22:15 2012 +0300

    WAF: Add support for stopping processing before end of wscript{_*}
    
    WAF scripts are written in Python, and Python has no simple way
    to stop program execution other than using exceptions.
    
    This change adds a WscriptCheckSkipped exception and its handling in
    core WAF code. When any of wscript{_*} throws a WscriptCheckSkipped
    exception, WAF simply continues to process the next wscript in the queue
    rather than breaking the build.
    
    The WscriptCheckSkipped exception can be used to perform an early bail out
    of configuration/build target checks if a certain dependency is not available
    when the default checks are way more numerous than a check for this
    particular dependency. This is to avoid 'if ...' indenting for large
    blocks of existing code, which also muddies git history for nothing.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 1f1e4275b5fafbad1b5719f5efba7ee66f6d3037
Author: Simo Sorce <idra at samba.org>
Date:   Mon Apr 2 23:41:32 2012 -0400

    clikrb5: Move pure krb wrapper functions from libads to clikrb5.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 46ab21900555ba2f6ef06417095d50f14a2be676
Author: Simo Sorce <idra at samba.org>
Date:   Mon Apr 2 10:20:24 2012 -0400

    gse: Remove unnecessary header.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit a925c2c48d07cd4f074325954d933e194b4704d8
Author: Simo Sorce <idra at samba.org>
Date:   Sun Apr 1 19:08:15 2012 -0400

    srv_keytab: Pass krb5_context directly, it's all we use anyways.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit c13c065a9b92c1abf17e999649ea6bb620615d6f
Author: Simo Sorce <idra at samba.org>
Date:   Sun Apr 1 17:28:19 2012 -0400

    krb5_wrap: krb5_string_to_key / krb5_encrypt_block are deprecated.
    
    Remove checks and replace with krb5_c_string_to_key().
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 70c303a7f357b2c73955b24128ac8a72b656d4e6
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 22:09:22 2012 -0400

    auth-krb: Move pac related util functions in a single place.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 3fd6deda7d440b579950ab6d0e2407d755ac70ad
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 21:48:06 2012 -0400

    auth-krb: Make functions static.
    
    The remaining gssapi_parse functions were used exclusively in
    gensec_krb5.  Move them there and make them static.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit d857e393ac870f71943fc6b099e494f45afb6b48
Author: Simo Sorce <idra at samba.org>
Date:   Sun Apr 1 22:48:21 2012 -0400

    auth-krb: Use simpler method to extract keytype.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 88d5d5c4b458761fd77acdb72f09253413ac03e5
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 21:37:56 2012 -0400

    auth-krb: Move oid packet check to gensec_util.
    
    This is clearly a utility function generic to gensec.  Also the 3 callers
    had identical implementations. Provide a generic implementation for all
    of them and avoid duplicating the code everywhere.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit f116262a733cdf24c13e7c44a54736a2755f8335
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 05:19:59 2012 -0400

    s4-auth-krb: Remove dependency on credentials too.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit a46e465ce0d05d9b2e0ff016aa8db14dc149153b
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 03:23:19 2012 -0400

    s4-auth-krb: Remove unneeded dependency on kerberos_util.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit aedbd6bf8e4029c2089652d0f0a80777bc856f89
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 01:27:02 2012 -0400

    s4-auth-krb: Simplify salt_princ handling.
    
    This allows us to make parse_principal static in kerberos_util again and
    avoid a silly game where we alloc containers and set destructors only to
    release the whole thing at the end of the function.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 6de578a8f7a4ed2defeb778c089bdff0b8cef6cd
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 01:15:36 2012 -0400

    s4-auth-krb: Move function to db-glue.c and make it static.
    
    kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and
    make it static, one less dependency to worry about.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit b226955587ee3a45c25bef2783e13e82d2f9048c
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 19:33:53 2012 -0400

    s4-auth-krb: Move keytab functions in a separate file.
    
    Confine ldb dependency.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 7d203f70aed948f40de0e5057e2289bb5e15628f
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 18:33:41 2012 -0400

    s4-auth-krb: Streamline and cleanup code to make it readable.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 23d54e7f92e8fa89944ec4c77634098a46863276
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 18:32:07 2012 -0400

    s4-auth-krb: streamline and rename enctype functions
    
    better express what is being done in the function name.

commit 6f7fa0bd2f786ba01fd932f3bb78dee35877a1bc
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 18:29:26 2012 -0400

    s4-auth-krb: Make kerberos_enctype_bitmap_to_enctype static.
    
    It's a helper function not used anywhere else.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 60905c807a0a9d4911b67556da7eb03e3fd7bc5e
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 17:32:12 2012 -0400

    s4-auth-krb: Make kerberos_enctype_bitmap_to_enctypes static.
    
    It is not used anywhere else.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 670dbde65ea608c407bd49b181ece7f1dac9f670
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 17:17:07 2012 -0400

    s4-auth-krb: Move function into more appropriate header.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 70f1cd6724a489cf3507fa196ff59fa8477cfbe1
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 17:11:02 2012 -0400

    s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static.
    
    It's not used anywhere else.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit b574e7cd815347193ab33f18019112f28f402319
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 16:51:58 2012 -0400

    s4-auth-krb: Make impersonate_principal_from_credentials static.
    
    It's not used anywhere else.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 93aa4511b9843fb0b96c5d568888778bc5a8367c
Author: Simo Sorce <idra at samba.org>
Date:   Fri Mar 30 15:48:54 2012 -0400

    gensec_gssapi: keep private header file close to the actual code
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 6ab0dfe0d9fdea81599ae022c73f5c282ab6aadf
Author: Simo Sorce <idra at samba.org>
Date:   Sat Mar 31 00:11:02 2012 -0400

    krb5_wrap: remove duplicate declaration and dead ifdef
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit c761654b925d2cb556768bcd121ad9bf8f0c3bf9
Author: Günther Deschner <gd at samba.org>
Date:   Fri Mar 30 15:25:59 2012 +0200

    s4-ldb: use KRB5_KEY macros to access key elements.
    
    Guenther
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 011540b5209f9f86cf683d625daf35e9f6744118
Author: Günther Deschner <gd at samba.org>
Date:   Fri Mar 30 15:19:14 2012 +0200

    wafsamba: point out that local heimdal paths are not included when
    USING_SYSTEM_KRB5 gets set.
    
    Guenther
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 1fedb0ae88347bf69b87e515bedb8b4b0ef1a2b3
Author: Günther Deschner <gd at samba.org>
Date:   Fri Mar 30 15:18:16 2012 +0200

    waf: when USING_SYSTEM_KRB5 environment variable is set, don't configure local
    heimdal.
    
    Guenther
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit d82aab6c709ce840594e6bafe29ae22f358fc7ee
Author: Günther Deschner <gd at samba.org>
Date:   Fri Mar 30 15:16:43 2012 +0200

    waf: when building with system krb5, we do not need to build local heimdal.
    
    Guenther
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 60f192ae10553222b1fe74bf6236b9392d38299b
Author: Günther Deschner <gd at samba.org>
Date:   Tue Mar 27 17:07:02 2012 +0200

    s3-waf: remove requirement of having --enable-developer for running system krb5 checks.
    
    When you know about "with_mit_krb5_checks" you are most likely a developer
    already.
    
    Guenther
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c                |   25 +-
 auth/credentials/credentials_krb5.h                |   16 -
 auth/credentials/wscript_build                     |    4 +-
 auth/gensec/gensec.h                               |    2 +
 auth/gensec/gensec_util.c                          |   44 ++
 auth/gensec/wscript_build                          |    2 +-
 auth/kerberos/gssapi_pac.c                         |   33 +-
 auth/kerberos/gssapi_parse.c                       |  117 ----
 auth/kerberos/kerberos_pac.c                       |   33 +-
 auth/kerberos/pac_utils.h                          |   50 ++
 auth/kerberos/wscript_build                        |    5 +-
 buildtools/wafadmin/Utils.py                       |    5 +
 buildtools/wafsamba/samba3.py                      |    1 +
 libcli/auth/krb5_wrap.c                            |   61 +--
 libcli/auth/krb5_wrap.h                            |   37 -
 source3/Makefile.in                                |    1 -
 source3/auth/auth_generic.c                        |    2 +-
 source3/configure.in                               |   19 +-
 source3/include/krb5_protos.h                      |    3 +
 source3/include/smb_krb5.h                         |    1 +
 source3/libads/kerberos.c                          |  140 ----
 source3/libads/kerberos_proto.h                    |    3 -
 source3/librpc/crypto/gse.c                        |   23 +-
 source3/libsmb/clikrb5.c                           |  142 ++++
 source3/wscript                                    |   11 +-
 source4/auth/gensec/gensec_gssapi.c                |   27 +-
 {auth => source4/auth}/gensec/gensec_gssapi.h      |   11 +-
 source4/auth/gensec/gensec_krb5.c                  |   82 ++-
 source4/auth/kerberos/kerberos.h                   |   16 -
 source4/auth/kerberos/kerberos_credentials.h       |    8 +
 source4/auth/kerberos/kerberos_pac.c               |    1 +
 source4/auth/kerberos/kerberos_util.c              |  708 ++------------------
 source4/auth/kerberos/srv_keytab.c                 |  632 +++++++++++++++++
 source4/auth/kerberos/wscript_build                |    7 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c     |   16 +-
 source4/dsdb/samdb/ldb_modules/update_keytab.c     |   71 ++-
 source4/dsdb/samdb/ldb_modules/wscript_build       |    2 +-
 source4/kdc/db-glue.c                              |   21 +
 source4/kdc/pac-glue.c                             |    1 +
 source4/libnet/libnet.h                            |    4 +-
 source4/libnet/libnet_export_keytab.c              |   21 +-
 source4/libnet/libnet_export_keytab.h              |    3 +
 source4/libnet/py_net.c                            |   45 +--
 .../libnet/grouptest.h => libnet/py_net.h}         |   10 +-
 source4/libnet/py_net_dckeytab.c                   |  106 +++
 source4/libnet/wscript_build                       |    9 +-
 source4/scripting/python/samba/netcmd/domain.py    |    1 +
 source4/torture/auth/pac.c                         |    1 +
 wscript                                            |    3 +-
 wscript_build                                      |    3 +-
 50 files changed, 1338 insertions(+), 1251 deletions(-)
 mode change 100644 => 100755 auth/credentials/wscript_build
 mode change 100644 => 100755 auth/gensec/wscript_build
 delete mode 100644 auth/kerberos/gssapi_parse.c
 create mode 100644 auth/kerberos/pac_utils.h
 mode change 100644 => 100755 auth/kerberos/wscript_build
 mode change 100644 => 100755 source3/wscript
 rename {auth => source4/auth}/gensec/gensec_gssapi.h (97%)
 create mode 100644 source4/auth/kerberos/srv_keytab.c
 mode change 100644 => 100755 source4/auth/kerberos/wscript_build
 mode change 100644 => 100755 source4/dsdb/samdb/ldb_modules/wscript_build
 copy source4/{torture/libnet/grouptest.h => libnet/py_net.h} (79%)
 create mode 100644 source4/libnet/py_net_dckeytab.c


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2892c4f..c8b685e 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -28,9 +28,14 @@
 #include "auth/credentials/credentials_proto.h"
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/kerberos/kerberos_credentials.h"
+#include "auth/kerberos/kerberos_srv_keytab.h"
 #include "auth/kerberos/kerberos_util.h"
 #include "param/param.h"
 
+static void cli_credentials_invalidate_client_gss_creds(
+					struct cli_credentials *cred,
+					enum credentials_obtained obtained);
+
 _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred, 
 				     struct loadparm_context *lp_ctx,
 				     struct smb_krb5_context **smb_krb5_context) 
@@ -660,6 +665,8 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 	krb5_error_code ret;
 	struct keytab_container *ktc;
 	struct smb_krb5_context *smb_krb5_context;
+	const char *keytab_name;
+	krb5_keytab keytab;
 	TALLOC_CTX *mem_ctx;
 
 	if (cred->keytab_obtained >= (MAX(cred->principal_obtained, 
@@ -683,8 +690,20 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 		return ENOMEM;
 	}
 
-	ret = smb_krb5_create_memory_keytab(mem_ctx, cred, 
-					    smb_krb5_context, &ktc);
+	ret = smb_krb5_create_memory_keytab(mem_ctx,
+					smb_krb5_context->krb5_context,
+					cli_credentials_get_password(cred),
+					cli_credentials_get_username(cred),
+					cli_credentials_get_realm(cred),
+					cli_credentials_get_kvno(cred),
+					&keytab, &keytab_name);
+	if (ret) {
+		talloc_free(mem_ctx);
+		return ret;
+	}
+
+	ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context,
+					    keytab, keytab_name, &ktc);
 	if (ret) {
 		talloc_free(mem_ctx);
 		return ret;
@@ -728,7 +747,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
 	}
 
 	ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context,
-					    keytab_name, &ktc);
+					    NULL, keytab_name, &ktc);
 	if (ret) {
 		return ret;
 	}
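Review bot: passing NULL as the new keytab argument changes the contract of smb_krb5_get_keytab_container; its header (beyond the 500-line truncation here) should state that a NULL keytab means "open by keytab_name" and that a non-NULL keytab is taken over by the container, so callers such as cli_credentials_get_keytab above know who is responsible for closing it.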
diff --git a/auth/credentials/credentials_krb5.h b/auth/credentials/credentials_krb5.h
index 36bf03d..fc7d0be 100644
--- a/auth/credentials/credentials_krb5.h
+++ b/auth/credentials/credentials_krb5.h
@@ -38,20 +38,4 @@ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
 					 enum credentials_obtained obtained,
 					 const char **error_string);
 
-/* Manually prototyped here to avoid needing krb5 headers in most callers */
-krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, 
-					   struct cli_credentials *credentials, 
-					   struct smb_krb5_context *smb_krb5_context,
-					   krb5_principal *princ,
-					   enum credentials_obtained *obtained,
-					   const char **error_string);
-krb5_error_code impersonate_principal_from_credentials(TALLOC_CTX *parent_ctx,
-						       struct cli_credentials *credentials,
-						       struct smb_krb5_context *smb_krb5_context,
-						       krb5_principal *princ,
-						       const char **error_string);
-	
-void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred, 
-						 enum credentials_obtained obtained);
-
 #endif /* __CREDENTIALS_KRB5_H__ */
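Review bot: principal_from_credentials loses its prototype here, but unlike impersonate_principal_from_credentials and cli_credentials_invalidate_client_gss_creds no commit in this series makes it static; make sure it is declared in the header its remaining callers include (auth/kerberos/kerberos_credentials.h gains 8 lines in the summary), otherwise they compile against an implicit declaration.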
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
old mode 100644
new mode 100755
index 2c46b43..a7936e9
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -11,13 +11,13 @@ bld.SAMBA_LIBRARY('samba-credentials',
 
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
 	source='credentials_krb5.c',
-	deps='KERBEROS_UTIL gssapi samba-credentials',
+	deps='KERBEROS_SRV_KEYTAB KERBEROS_UTIL gssapi samba-credentials',
 	public_deps='com_err authkrb5',
 	)
 
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_SECRETS',
 	source='credentials_secrets.c',
-	deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb samdb-common',
+	deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common',
 	)
 
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM',
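Review bot: the added SECRETS dependency for CREDENTIALS_SECRETS is not mentioned in any commit message of this series, so it is unclear which commit actually needs it; please say so in the log. The 100644 => 100755 mode change on this and the other wscript_build files also looks accidental, as these scripts are read by waf rather than executed.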
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index f88da22..0b0689f 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -350,5 +350,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  const struct tsocket_address *remote_address,
 					  struct auth_session_info **session_info);
 
+NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
+					const DATA_BLOB *blob);
 
 #endif /* __GENSEC_H__ */
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index cdd615f..d732213 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "auth/gensec/gensec.h"
 #include "auth/common_auth.h"
+#include "../lib/util/asn1.h"
 
 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  struct gensec_security *gensec_security,
@@ -180,3 +181,46 @@ NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
 	}
 	return NT_STATUS_OK;
 }
+
+/*
+  magic check a GSS-API wrapper packet for an Kerberos OID
+*/
+static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
+{
+	bool ret;
+	struct asn1_data *data = asn1_init(NULL);
+
+	if (!data) return false;
+
+	asn1_load(data, *blob);
+	asn1_start_tag(data, ASN1_APPLICATION(0));
+	asn1_check_OID(data, oid);
+
+	ret = !data->has_error;
+
+	asn1_free(data);
+
+	return ret;
+}
+
+/**
+ * Check if the packet is one for the KRB5 mechansim
+ *
+ * NOTE: This is a helper that can be employed by multiple mechanisms, do
+ * not make assumptions about the private_data
+ *
+ * @param gensec_security GENSEC state, unused
+ * @param in The request, as a DATA_BLOB
+ * @return Error, INVALID_PARAMETER if it's not a packet for us
+ *                or NT_STATUS_OK if the packet is ok.
+ */
+
+NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
+					const DATA_BLOB *blob)
+{
+	if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
+		return NT_STATUS_OK;
+	} else {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+}
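Review bot: the doc block for gensec_magic_check_krb5_oid names the parameters `gensec_security` and `in`, but the signature uses `unused` and `blob`; align them and drop the blank line between the comment and the function so the comment stays attached. Two typos in the new comments: "an Kerberos OID" and "mechansim". gensec_gssapi_check_oid also never calls asn1_end_tag after asn1_start_tag; that is fine for a prefix check, but a one-line comment saying only the APPLICATION(0) tag and the OID are validated would save the next reader from wondering whether the rest of the token is parsed.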
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
old mode 100644
new mode 100755
index 7ca3cab..fcd74a3
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -3,7 +3,7 @@ bld.SAMBA_LIBRARY('gensec',
 	source='gensec.c gensec_start.c gensec_util.c',
 	pc_files='gensec.pc',
 	autoproto='gensec_toplevel_proto.h',
-	public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util',
+	public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util asn1util',
 	public_headers='gensec.h',
 	deps='com_err',
 	vnum='0.0.1'
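Review bot: asn1util is only needed by gensec_util.c (../lib/util/asn1.h is included there, not in the public gensec.h), so it belongs in deps rather than public_deps; in public_deps it is propagated to every consumer of the gensec library.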
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 1a9d6aa..05065b2 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -22,7 +22,7 @@
 #ifdef HAVE_KRB5
 
 #include "libcli/auth/krb5_wrap.h"
-#include "lib/util/asn1.h"
+#include "auth/kerberos/pac_utils.h"
 
 #if 0
 /* FIXME - need proper configure/waf test
@@ -220,9 +220,9 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
 	}
 
 	if (keytype) {
-		char *oid;
-		char *p, *q = NULL;
-		
+		int diflen, i;
+		const char *p;
+
 		if (set->count < 2) {
 
 #ifdef HAVE_GSSKRB5_GET_SUBKEY
@@ -251,29 +251,22 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
 			gss_maj = gss_release_buffer_set(&gss_min, &set);
 			return NT_STATUS_OK;
 		}
-		if (!ber_read_OID_String(mem_ctx,
-					 data_blob_const(set->elements[1].value,
-							 set->elements[1].length), &oid)) {
-			TALLOC_FREE(oid);
+		p = set->elements[1].value + gse_sesskeytype_oid.length;
+		diflen = set->elements[1].length - gse_sesskeytype_oid.length;
+		if (diflen <= 0) {
 			gss_maj = gss_release_buffer_set(&gss_min, &set);
 			return NT_STATUS_INVALID_PARAMETER;
 		}
-		p = strrchr(oid, '.');
-		if (!p) {
-			TALLOC_FREE(oid);
-			gss_maj = gss_release_buffer_set(&gss_min, &set);
-			return NT_STATUS_INVALID_PARAMETER;
-		} else {
-			p++;
-			*keytype = strtoul(p, &q, 10);
-			if (q == NULL || *q != '\0') {
-				TALLOC_FREE(oid);
+		*keytype = 0;
+		for (i = 0; i < diflen; i++) {
+			*keytype = (*keytype << 7) | (p[i] & 0x7f);
+			if (i + 1 != diflen && (p[i] & 0x80) == 0) {
+				gss_maj = gss_release_buffer_set(&gss_min, &set);
 				return NT_STATUS_INVALID_PARAMETER;
 			}
 		}
-		TALLOC_FREE(oid);
 	}
-	
+
 	gss_maj = gss_release_buffer_set(&gss_min, &set);
 	return NT_STATUS_OK;
 }
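Review bot: the new sub-identifier decoding offsets into set->elements[1].value by gse_sesskeytype_oid.length without first checking that the element is at least that long and actually starts with the gse_sesskeytype_oid bytes; do the length check and a memcmp of the prefix before computing `p` and `diflen`, since the old ber_read_OID_String path at least parsed the whole OID. The loop also accepts a final byte with the continuation bit (0x80) set, i.e. a truncated arc, and lets `*keytype` silently overflow when diflen exceeds five bytes; reject 0x80 on the last byte and bound diflen so only a well-formed single arc is accepted.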
diff --git a/auth/kerberos/gssapi_parse.c b/auth/kerberos/gssapi_parse.c
deleted file mode 100644
index dadc58b..0000000
--- a/auth/kerberos/gssapi_parse.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   simple GSSAPI wrappers
-
-   Copyright (C) Andrew Tridgell 2001
-   Copyright (C) Jim McDonough <jmcd at us.ibm.com> 2002
-   Copyright (C) Luke Howard     2003
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "../lib/util/asn1.h"
-#include "auth/gensec/gensec.h"
-
-/*
-  generate a krb5 GSS-API wrapper packet given a ticket
-*/
-DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2])
-{
-	struct asn1_data *data;
-	DATA_BLOB ret;
-
-	data = asn1_init(mem_ctx);
-	if (!data || !ticket->data) {
-		return data_blob(NULL,0);
-	}
-
-	asn1_push_tag(data, ASN1_APPLICATION(0));
-	asn1_write_OID(data, GENSEC_OID_KERBEROS5);
-
-	asn1_write(data, tok_id, 2);
-	asn1_write(data, ticket->data, ticket->length);
-	asn1_pop_tag(data);
-
-	if (data->has_error) {
-		DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data->ofs));
-		asn1_free(data);
-		return data_blob(NULL,0);
-	}
-
-	ret = data_blob_talloc(mem_ctx, data->data, data->length);
-	asn1_free(data);
-
-	return ret;
-}
-
-/*
-  parse a krb5 GSS-API wrapper packet giving a ticket
-*/
-bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2])
-{
-	bool ret;
-	struct asn1_data *data = asn1_init(mem_ctx);
-	int data_remaining;
-
-	if (!data) {
-		return false;
-	}
-
-	asn1_load(data, *blob);
-	asn1_start_tag(data, ASN1_APPLICATION(0));
-	asn1_check_OID(data, GENSEC_OID_KERBEROS5);
-
-	data_remaining = asn1_tag_remaining(data);
-
-	if (data_remaining < 3) {
-		data->has_error = true;
-	} else {
-		asn1_read(data, tok_id, 2);
-		data_remaining -= 2;
-		*ticket = data_blob_talloc(mem_ctx, NULL, data_remaining);
-		asn1_read(data, ticket->data, ticket->length);
-	}
-
-	asn1_end_tag(data);
-
-	ret = !data->has_error;
-
-	asn1_free(data);
-
-	return ret;
-}
-
-
-/*
-  check a GSS-API wrapper packet givin an expected OID
-*/
-bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
-{
-	bool ret;
-	struct asn1_data *data = asn1_init(NULL);
-
-	if (!data) return false;
-
-	asn1_load(data, *blob);
-	asn1_start_tag(data, ASN1_APPLICATION(0));
-	asn1_check_OID(data, oid);
-
-	ret = !data->has_error;
-
-	asn1_free(data);
-
-	return ret;
-}
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 5155c9f..eacf39d 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -26,7 +26,7 @@
 #ifdef HAVE_KRB5
 
 #include "librpc/gen_ndr/ndr_krb5pac.h"
-#include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 					  struct PAC_SIGNATURE_DATA *sig,
@@ -36,8 +36,18 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 	krb5_error_code ret;
 	krb5_checksum cksum;
 	krb5_keyusage usage = 0;
-
-	smb_krb5_checksum_from_pac_sig(&cksum, sig);
+	krb5_boolean checksum_valid = false;
+	krb5_data input;
+
+#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+	cksum.cksumtype	= (krb5_cksumtype)sig->type;
+	cksum.checksum.length	= sig->signature.length;
+	cksum.checksum.data	= sig->signature.data;
+#else /* MIT */
+	cksum.checksum_type	= (krb5_cksumtype)sig->type;
+	cksum.length		= sig->signature.length;
+	cksum.contents		= sig->signature.data;
+#endif
 
 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
 	usage = KRB5_KU_OTHER_CKSUM;
@@ -47,14 +57,19 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 #error UNKNOWN_KRB5_KEYUSAGE
 #endif
 
-	ret = smb_krb5_verify_checksum(context,
-				       keyblock,
-				       usage,
-				       &cksum,
-				       pac_data.data,
-				       pac_data.length);
-
-	if (ret) {
+	input.data = (char *)pac_data.data;
+	input.length = pac_data.length;
+
+	ret = krb5_c_verify_checksum(context,
+				     keyblock,
+				     usage,
+				     &input,
+				     &cksum,
+				     &checksum_valid);
+	if (!checksum_valid) {
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	}
+	if (ret){
 		DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
 			error_message(ret), ret));
 		return ret;
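Review bot: `if (!checksum_valid) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;` also fires when krb5_c_verify_checksum itself failed (checksum_valid stays false in that case), so the library's error code is overwritten before the DEBUG line prints it; use `if (ret == 0 && !checksum_valid)` so an unsupported checksum type or key problem is reported as such and only a genuine mismatch maps to BAD_INTEGRITY. Minor: `if (ret){` is missing the space used everywhere else in this file.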
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
new file mode 100644
index 0000000..9fe08de
--- /dev/null
+++ b/auth/kerberos/pac_utils.h
@@ -0,0 +1,50 @@
+/*
+   Unix SMB/CIFS implementation.
+   kerberos authorization data (PAC) utility library
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2011
+   Copyright (C) Simo Sorce 2010-2012
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _PAC_UTILS_H
+#define _PAC_UTILS_H
+
+#include "libcli/auth/krb5_wrap.h"
+struct PAC_SIGNATURE_DATA;
+struct PAC_DATA;
+
+krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+				   struct PAC_SIGNATURE_DATA *sig,
+				   krb5_context context,
+				   const krb5_keyblock *keyblock);
+
+NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+			     DATA_BLOB pac_data_blob,
+			     krb5_context context,
+			     const krb5_keyblock *krbtgt_keyblock,
+			     const krb5_keyblock *service_keyblock,
+			     krb5_const_principal client_principal,
+			     time_t tgs_authtime,
+			     struct PAC_DATA **pac_data_out);
+
+NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
+				gss_ctx_id_t gssapi_context,
+				gss_name_t gss_client_name,
+				DATA_BLOB *pac_data);
+NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
+				gss_ctx_id_t gssapi_context,
+				DATA_BLOB *session_key,
+				uint32_t *keytype);
+#endif /* _PAC_UTILS_H */
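Review bot: the new header uses gss_ctx_id_t, gss_name_t, NTSTATUS, DATA_BLOB and TALLOC_CTX but only includes libcli/auth/krb5_wrap.h; either that header is relied on to pull in gssapi.h and the Samba base types, or pac_utils.h should include them itself so it stays self-contained for new callers. The guard name _PAC_UTILS_H (underscore followed by a capital) is in the reserved identifier space; a guard without the leading underscore avoids that.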
diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build

