From 88d5d5c4b458761fd77acdb72f09253413ac03e5 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 31 Mar 2012 21:37:56 -0400 Subject: [PATCH] auth-krb: Nove oid packet check to gensec_util. This is clearly a utiliy function generic to gensec. Also the 3 callers had identical implementations. Provide a generic implementation for all of them and avoid duplicating the code everywhere. Signed-off-by: Andreas Schneider --- auth/gensec/gensec.h | 2 ++ auth/gensec/gensec_util.c | 44 +++++++++++++++++++++++++++++ auth/gensec/wscript_build | 2 +- auth/kerberos/gssapi_parse.c | 20 ------------- libcli/auth/krb5_wrap.h | 1 - source3/librpc/crypto/gse.c | 22 +-------------- source4/auth/gensec/gensec_gssapi.c | 24 ++-------------- source4/auth/gensec/gensec_krb5.c | 22 +-------------- 8 files changed, 51 insertions(+), 86 deletions(-) mode change 100644 => 100755 auth/gensec/wscript_build diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index f88da2227d6..0b0689fbcef 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -350,5 +350,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address, struct auth_session_info **session_info); +NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused, + const DATA_BLOB *blob); #endif /* __GENSEC_H__ */ diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index cdd615fb60c..d7322135510 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -23,6 +23,7 @@ #include "includes.h" #include "auth/gensec/gensec.h" #include "auth/common_auth.h" +#include "../lib/util/asn1.h" NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, 
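Review bot: The new prototype enters a public header with no comment, and its first parameter is named `unused`, which tells a reader nothing about the slot it fills; the `.magic` callbacks this commit removes all took the same argument as `gensec_security`. Suggest naming it `gensec_security` here and in the definition in gensec_util.c, and adding above the prototype: `/* GENSEC .magic helper shared by the Kerberos-based mechanisms: NT_STATUS_OK if blob starts with the Kerberos 5 GSS-API OID, NT_STATUS_INVALID_PARAMETER otherwise; the gensec_security argument is ignored. */`.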
@@ -180,3 +181,46 @@ NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
 }
 return NT_STATUS_OK;
 }
+
+/*
+ magic check a GSS-API wrapper packet for an Kerberos OID
+*/
+static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
+{
+ bool ret;
+ struct asn1_data *data = asn1_init(NULL);
+
+ if (!data) return false;
+
+ asn1_load(data, *blob);
+ asn1_start_tag(data, ASN1_APPLICATION(0));
+ asn1_check_OID(data, oid);
+
+ ret = !data->has_error;
+
+ asn1_free(data);
+
+ return ret;
+}
+
+/**
+ * Check if the packet is one for the KRB5 mechansim
+ *
+ * NOTE: This is a helper that can be employed by multiple mechanisms, do
+ * not make assumptions about the private_data
+ *
+ * @param gensec_security GENSEC state, unused
+ * @param in The request, as a DATA_BLOB
+ * @return Error, INVALID_PARAMETER if it's not a packet for us
+ * or NT_STATUS_OK if the packet is ok.
+ */
+
+NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
+ const DATA_BLOB *blob)
+{
+ if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
+ return NT_STATUS_OK;
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+}
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
old mode 100644
new mode 100755
index 7ca3cab0037..fcd74a3a9de
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -3,7 +3,7 @@ bld.SAMBA_LIBRARY('gensec',
 source='gensec.c gensec_start.c gensec_util.c',
 pc_files='gensec.pc',
 autoproto='gensec_toplevel_proto.h',
- public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util',
+ public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util asn1util',
 public_headers='gensec.h',
 deps='com_err',
 vnum='0.0.1'
diff --git a/auth/kerberos/gssapi_parse.c b/auth/kerberos/gssapi_parse.c
index dadc58b4f89..f58bf3b070e 100644
--- a/auth/kerberos/gssapi_parse.c
+++ b/auth/kerberos/gssapi_parse.c
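Review bot: The Doxygen block on gensec_magic_check_krb5_oid documents parameters the function does not have: it says `@param in` but the argument is `blob`, and `@param gensec_security` but the argument is `unused`; change them to `@param unused GENSEC state, not used by this helper` and `@param blob The request, as a DATA_BLOB`, and drop the blank line between `*/` and the signature so the comment stays attached to the declaration. Two typos are carried over from the copies being deleted: "mechansim" should be "mechanism", and the helper's comment "an Kerberos OID" should read "a Kerberos OID". In gensec_gssapi_check_oid the results of asn1_load, asn1_start_tag and asn1_check_OID are discarded and the verdict rests on data->has_error alone; if those helpers return bool like their asn1 siblings, chaining them states the intent and stops at the first failure: `ret = asn1_load(data, *blob) && asn1_start_tag(data, ASN1_APPLICATION(0)) && asn1_check_OID(data, oid) && !data->has_error;`. Since a .magic callback is presumably run on input before any mechanism state exists, a one-line comment noting that this check inspects only the outer APPLICATION(0) tag and OID and validates nothing else would help the next reader.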
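Review bot: The mode change from 100644 to 100755 on auth/gensec/wscript_build is unrelated to the asn1util dependency this hunk adds and looks accidental; a waf build fragment has no reason to be executable, and the diffstat lists it as the only mode change in the commit. Reverting the bit (`git update-index --chmod=-x auth/gensec/wscript_build` before amending) keeps the commit to its stated purpose. The public_deps addition itself matches the new `#include "../lib/util/asn1.h"` in gensec_util.c.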
@@ -95,23 +95,3 @@ bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, D } -/* - check a GSS-API wrapper packet givin an expected OID -*/ -bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid) -{ - bool ret; - struct asn1_data *data = asn1_init(NULL); - - if (!data) return false; - - asn1_load(data, *blob); - asn1_start_tag(data, ASN1_APPLICATION(0)); - asn1_check_OID(data, oid); - - ret = !data->has_error; - - asn1_free(data); - - return ret; -} diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h index 01ea6acd070..997c2fbb3f8 100644 --- a/libcli/auth/krb5_wrap.h +++ b/libcli/auth/krb5_wrap.h @@ -96,4 +96,3 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx, DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2]); bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2]); -bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid); diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index e2a84c19b58..b14829b6cc1 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -802,26 +802,6 @@ static NTSTATUS gensec_gse_server_start(struct gensec_security *gensec_security) return NT_STATUS_OK; } -/** - * Check if the packet is one for this mechansim - * - * @param gensec_security GENSEC state - * @param in The request, as a DATA_BLOB - * @return Error, INVALID_PARAMETER if it's not a packet for us - * or NT_STATUS_OK if the packet is ok. - */ - -static NTSTATUS gensec_gse_magic(struct gensec_security *gensec_security, - const DATA_BLOB *in) -{ - if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) { - return NT_STATUS_OK; - } else { - return NT_STATUS_INVALID_PARAMETER; - } -} - - /** * Next state function for the GSE GENSEC mechanism * 
@@ -1163,7 +1143,7 @@ const struct gensec_security_ops gensec_gse_krb5_security_ops = { .oid = gensec_gse_krb5_oids, .client_start = gensec_gse_client_start, .server_start = gensec_gse_server_start, - .magic = gensec_gse_magic, + .magic = gensec_magic_check_krb5_oid, .update = gensec_gse_update, .session_key = gensec_gse_session_key, .session_info = gensec_gse_session_info, diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 29f1e469e5d..c6d4fb5fd58 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -393,26 +393,6 @@ static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_s } -/** - * Check if the packet is one for this mechansim - * - * @param gensec_security GENSEC state - * @param in The request, as a DATA_BLOB - * @return Error, INVALID_PARAMETER if it's not a packet for us - * or NT_STATUS_OK if the packet is ok. - */ - -static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security, - const DATA_BLOB *in) -{ - if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) { - return NT_STATUS_OK; - } else { - return NT_STATUS_INVALID_PARAMETER; - } -} - - /** * Next state function for the GSSAPI GENSEC mechanism * @@ -1470,7 +1450,7 @@ static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = { .oid = gensec_gssapi_spnego_oids, .client_start = gensec_gssapi_client_start, .server_start = gensec_gssapi_server_start, - .magic = gensec_gssapi_magic, + .magic = gensec_magic_check_krb5_oid, .update = gensec_gssapi_update, .session_key = gensec_gssapi_session_key, .session_info = gensec_gssapi_session_info, 
@@ -1493,7 +1473,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = { .oid = gensec_gssapi_krb5_oids, .client_start = gensec_gssapi_client_start, .server_start = gensec_gssapi_server_start, - .magic = gensec_gssapi_magic, + .magic = gensec_magic_check_krb5_oid, .update = gensec_gssapi_update, .session_key = gensec_gssapi_session_key, .session_info = gensec_gssapi_session_info, diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 573a4c9a675..9939105ad5c 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -392,26 +392,6 @@ static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gen return gensec_krb5_common_client_start(gensec_security, true); } -/** - * Check if the packet is one for this mechansim - * - * @param gensec_security GENSEC state - * @param in The request, as a DATA_BLOB - * @return Error, INVALID_PARAMETER if it's not a packet for us - * or NT_STATUS_OK if the packet is ok. - */ - -static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security, - const DATA_BLOB *in) -{ - if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) { - return NT_STATUS_OK; - } else { - return NT_STATUS_INVALID_PARAMETER; - } -} - - /** * Next state function for the Krb5 GENSEC mechanism * @@ -807,7 +787,7 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = { .client_start = gensec_fake_gssapi_krb5_client_start, .server_start = gensec_fake_gssapi_krb5_server_start, .update = gensec_krb5_update, - .magic = gensec_fake_gssapi_krb5_magic, + .magic = gensec_magic_check_krb5_oid, .session_key = gensec_krb5_session_key, .session_info = gensec_krb5_session_info, .have_feature = gensec_krb5_have_feature,