sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-01 04:58:35 +03:00
Code

r10383: This patch is on the road to implementing servers (such as kpasswd) that

Browse Source 
use raw krb5, not GSSAPI.  I still keep the 'fake GSSAPI' code, but
under the module name 'fake_gssapi_krb5'.

Andrew Bartlett
(This used to be commit 99efec2758ad6c996db65dd42cb72a81077c9b2b)
This commit is contained in:
Andrew Bartlett 2005-09-21 10:18:40 +00:00 committed by Gerald (Jerry) Carter
parent 42f2519b50
commit 428c8ce207
1 changed files with 140 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

167
source4/auth/gensec/gensec_krb5.c
View File

@ -48,6 +48,7 @@ struct gensec_krb5_state {
krb5_data enc_ticket; krb5_data enc_ticket;
krb5_keyblock *keyblock; krb5_keyblock *keyblock;
krb5_ticket *ticket; krb5_ticket *ticket;
BOOL gssapi;
}; };
static int gensec_krb5_destroy(void *ptr) static int gensec_krb5_destroy(void *ptr)
@ -99,6 +100,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
gensec_krb5_state->keyblock = NULL; gensec_krb5_state->keyblock = NULL;
gensec_krb5_state->session_key = data_blob(NULL, 0); gensec_krb5_state->session_key = data_blob(NULL, 0);
gensec_krb5_state->pac = data_blob(NULL, 0); gensec_krb5_state->pac = data_blob(NULL, 0);
gensec_krb5_state->gssapi = False;
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
@ -140,6 +142,18 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security
return NT_STATUS_OK; return NT_STATUS_OK;
} }
static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status = gensec_krb5_server_start(gensec_security);
if (NT_STATUS_IS_OK(nt_status)) {
struct gensec_krb5_state *gensec_krb5_state;
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->gssapi = True;
}
return nt_status;
}
static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security) static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
{ {
struct gensec_krb5_state *gensec_krb5_state; struct gensec_krb5_state *gensec_krb5_state;
@ -155,7 +169,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
if (is_ipaddress(hostname)) { if (is_ipaddress(hostname)) {
DEBUG(2, ("Cannot do GSSAPI to a IP address")); DEBUG(2, ("Cannot do krb5 to an IP address"));
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
@ -250,6 +264,17 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
} }
} }
static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status = gensec_krb5_client_start(gensec_security);
if (NT_STATUS_IS_OK(nt_status)) {
struct gensec_krb5_state *gensec_krb5_state;
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->gssapi = True;
}
return nt_status;
}
/** /**
* Check if the packet is one for this mechansim * Check if the packet is one for this mechansim
@ -260,7 +285,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
* or NT_STATUS_OK if the packet is ok. * or NT_STATUS_OK if the packet is ok.
*/ */
static NTSTATUS gensec_krb5_magic(struct gensec_security *gensec_security, static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security,
const DATA_BLOB *in) const DATA_BLOB *in)
{ {
if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) { if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
@ -295,14 +320,14 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
{ {
DATA_BLOB unwrapped_out; DATA_BLOB unwrapped_out;
#ifndef GENSEC_SEND_UNWRAPPED_KRB5 /* This should be a switch for the torture code to set */ if (gensec_krb5_state->gssapi) {
unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length); unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
/* wrap that up in a nice GSS-API wrapping */ /* wrap that up in a nice GSS-API wrapping */
*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ); *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
#else } else {
*out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length); *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
#endif }
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
return nt_status; return nt_status;
@ -310,15 +335,19 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
case GENSEC_KRB5_CLIENT_MUTUAL_AUTH: case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
{ {
DATA_BLOB unwrapped_in;
krb5_data inbuf; krb5_data inbuf;
krb5_ap_rep_enc_part *repl = NULL; krb5_ap_rep_enc_part *repl = NULL;
uint8_t tok_id[2]; uint8_t tok_id[2];
DATA_BLOB unwrapped_in;
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { if (gensec_krb5_state->gssapi) {
DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n")); if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
dump_data_pw("Mutual authentication message:\n", in.data, in.length); DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
return NT_STATUS_INVALID_PARAMETER; dump_data_pw("Mutual authentication message:\n", in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
} else {
unwrapped_in = in;
} }
/* TODO: check the tok_id */ /* TODO: check the tok_id */
@ -350,17 +379,17 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
uint8_t tok_id[2]; uint8_t tok_id[2];
if (!in.data) { if (!in.data) {
*out = unwrapped_out; return NT_STATUS_INVALID_PARAMETER;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
} }
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */ /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
nt_status = ads_verify_ticket(out_mem_ctx, nt_status = ads_verify_ticket(out_mem_ctx,
gensec_krb5_state->smb_krb5_context, gensec_krb5_state->smb_krb5_context,
&gensec_krb5_state->auth_context, &gensec_krb5_state->auth_context,
lp_realm(), lp_realm(),
gensec_get_target_service(gensec_security), &in, gensec_get_target_service(gensec_security), &unwrapped_in,
&gensec_krb5_state->ticket, &unwrapped_out, &gensec_krb5_state->ticket, &unwrapped_out,
&gensec_krb5_state->keyblock); &gensec_krb5_state->keyblock);
} else { } else {
@ -370,7 +399,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
&gensec_krb5_state->auth_context, &gensec_krb5_state->auth_context,
lp_realm(), lp_realm(),
gensec_get_target_service(gensec_security), gensec_get_target_service(gensec_security),
&unwrapped_in, &in,
&gensec_krb5_state->ticket, &unwrapped_out, &gensec_krb5_state->ticket, &unwrapped_out,
&gensec_krb5_state->keyblock); &gensec_krb5_state->keyblock);
} }
@ -382,11 +411,11 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
if (NT_STATUS_IS_OK(nt_status)) { if (NT_STATUS_IS_OK(nt_status)) {
gensec_krb5_state->state_position = GENSEC_KRB5_DONE; gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
/* wrap that up in a nice GSS-API wrapping */ /* wrap that up in a nice GSS-API wrapping */
#ifndef GENSEC_SEND_UNWRAPPED_KRB5 if (gensec_krb5_state->gssapi) {
*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP); *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
#else } else {
*out = unwrapped_out; *out = unwrapped_out;
#endif }
} }
return nt_status; return nt_status;
} }
@ -524,6 +553,68 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
return NT_STATUS_OK; return NT_STATUS_OK;
} }
static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
krb5_auth_context auth_context = gensec_krb5_state->auth_context;
krb5_error_code ret;
krb5_data input, output;
krb5_replay_data replay;
input.length = in->length;
input.data = in->data;
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
ret = krb5_mk_priv(context, auth_context, &input, &output, &replay);
if (ret) {
DEBUG(1, ("krb5_mk_priv failed: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, mem_ctx)));
return NT_STATUS_ACCESS_DENIED;
}
*out = data_blob_talloc(mem_ctx, output.data, output.length);
krb5_data_free(&output);
} else {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
krb5_auth_context auth_context = gensec_krb5_state->auth_context;
krb5_error_code ret;
krb5_data input, output;
krb5_replay_data replay;
input.length = in->length;
input.data = in->data;
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
if (ret) {
DEBUG(1, ("krb5_rd_priv failed: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, mem_ctx)));
return NT_STATUS_ACCESS_DENIED;
}
*out = data_blob_talloc(mem_ctx, output.data, output.length);
krb5_data_free(&output);
} else {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security, static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security,
uint32_t feature) uint32_t feature)
{ {
@ -540,18 +631,31 @@ static const char *gensec_krb5_oids[] = {
NULL NULL
}; };
static const struct gensec_security_ops gensec_krb5_security_ops = { static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
.name = "krb5", .name = "fake_gssapi_krb5",
.auth_type = DCERPC_AUTH_TYPE_KRB5, .auth_type = DCERPC_AUTH_TYPE_KRB5,
.oid = gensec_krb5_oids, .oid = gensec_krb5_oids,
.client_start = gensec_fake_gssapi_krb5_client_start,
.server_start = gensec_fake_gssapi_krb5_server_start,
.update = gensec_krb5_update,
.magic = gensec_fake_gssapi_krb5_magic,
.session_key = gensec_krb5_session_key,
.session_info = gensec_krb5_session_info,
.have_feature = gensec_krb5_have_feature,
.wrap = gensec_krb5_wrap,
.unwrap = gensec_krb5_unwrap,
.enabled = False
};
static const struct gensec_security_ops gensec_krb5_security_ops = {
.name = "krb5",
.client_start = gensec_krb5_client_start, .client_start = gensec_krb5_client_start,
.server_start = gensec_krb5_server_start, .server_start = gensec_krb5_server_start,
.magic = gensec_krb5_magic,
.update = gensec_krb5_update, .update = gensec_krb5_update,
.session_key = gensec_krb5_session_key, .session_key = gensec_krb5_session_key,
.session_info = gensec_krb5_session_info, .session_info = gensec_krb5_session_info,
.have_feature = gensec_krb5_have_feature, .have_feature = gensec_krb5_have_feature,
.enabled = False .enabled = True
}; };
NTSTATUS gensec_krb5_init(void) NTSTATUS gensec_krb5_init(void)
@ -565,5 +669,12 @@ NTSTATUS gensec_krb5_init(void)
return ret; return ret;
} }
ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_krb5_security_ops.name));
return ret;
}
return ret; return ret;
} }