mirror of
https://github.com/samba-team/samba.git
synced 2025-01-13 13:18:06 +03:00
Fixed memory leaks, added krb5 replay cache. Now I need to add code to check
the incoming addresses....
Jeremy.
(This used to be commit 4e9359a1f6)
This commit is contained in:
Jeremy Allison
parent
531caf6b5d
commit
9c15a65dc3
@ -33,21 +33,32 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
|||||||
DATA_BLOB *ap_rep,
|
DATA_BLOB *ap_rep,
|
||||||
uint8 session_key[16])
|
uint8 session_key[16])
|
||||||
{
|
{
|
||||||
krb5_context context;
|
NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
krb5_context context = NULL;
|
||||||
krb5_auth_context auth_context = NULL;
|
krb5_auth_context auth_context = NULL;
|
||||||
krb5_keytab keytab = NULL;
|
krb5_keytab keytab = NULL;
|
||||||
krb5_data packet;
|
krb5_data packet;
|
||||||
krb5_ticket *tkt = NULL;
|
krb5_ticket *tkt = NULL;
|
||||||
|
krb5_rcache rcache = NULL;
|
||||||
int ret, i;
|
int ret, i;
|
||||||
krb5_keyblock * key;
|
krb5_keyblock *key = NULL;
|
||||||
krb5_principal host_princ;
|
krb5_principal host_princ;
|
||||||
char *host_princ_s;
|
char *host_princ_s = NULL;
|
||||||
fstring myname;
|
fstring myname;
|
||||||
char *password_s;
|
char *password_s = NULL;
|
||||||
krb5_data password;
|
krb5_data password;
|
||||||
krb5_enctype *enctypes = NULL;
|
krb5_enctype *enctypes = NULL;
|
||||||
|
#if 0
|
||||||
|
krb5_address local_addr;
|
||||||
|
krb5_address remote_addr;
|
||||||
|
#endif
|
||||||
BOOL auth_ok = False;
|
BOOL auth_ok = False;
|
||||||
|
|
||||||
|
ZERO_STRUCT(packet);
|
||||||
|
ZERO_STRUCT(password);
|
||||||
|
ZERO_STRUCTP(auth_data);
|
||||||
|
ZERO_STRUCTP(ap_rep);
|
||||||
|
|
||||||
if (!secrets_init()) {
|
if (!secrets_init()) {
|
||||||
DEBUG(1,("secrets_init failed\n"));
|
DEBUG(1,("secrets_init failed\n"));
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
return NT_STATUS_LOGON_FAILURE;
|
||||||
@ -71,16 +82,19 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
|||||||
ret = krb5_set_default_realm(context, ads->auth.realm);
|
ret = krb5_set_default_realm(context, ads->auth.realm);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret)));
|
DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret)));
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* this whole process is far more complex than I would
|
/* This whole process is far more complex than I would
|
||||||
like. We have to go through all this to allow us to store
|
like. We have to go through all this to allow us to store
|
||||||
the secret internally, instead of using /etc/krb5.keytab */
|
the secret internally, instead of using /etc/krb5.keytab */
|
||||||
|
|
||||||
ret = krb5_auth_con_init(context, &auth_context);
|
ret = krb5_auth_con_init(context, &auth_context);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
|
DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
fstrcpy(myname, global_myname());
|
fstrcpy(myname, global_myname());
|
||||||
@ -89,17 +103,42 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
|||||||
ret = krb5_parse_name(context, host_princ_s, &host_princ);
|
ret = krb5_parse_name(context, host_princ_s, &host_princ);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret)));
|
DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret)));
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* JRA. We must set the rcache and the allowed addresses in the auth_context
|
||||||
|
* here. This will prevent replay attacks and ensure the client has got a key from
|
||||||
|
* the correct IP address.
|
||||||
|
*/
|
||||||
|
|
||||||
|
ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
|
||||||
|
if (ret) {
|
||||||
|
DEBUG(1,("krb5_get_server_rcache failed (%s)\n", error_message(ret)));
|
||||||
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = krb5_auth_con_setrcache(context, auth_context, rcache);
|
||||||
|
if (ret) {
|
||||||
|
DEBUG(1,("krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
|
||||||
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Now we need to add the addresses.... JRA. */
|
||||||
|
|
||||||
if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
|
if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
|
||||||
return NT_STATUS_NO_MEMORY;
|
sret = NT_STATUS_NO_MEMORY;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
|
if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
|
||||||
DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n",
|
DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n",
|
||||||
error_message(ret)));
|
error_message(ret)));
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* we need to setup a auth context with each possible encoding type in turn */
|
/* we need to setup a auth context with each possible encoding type in turn */
|
||||||
@ -124,15 +163,16 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
|||||||
if (!auth_ok) {
|
if (!auth_ok) {
|
||||||
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
|
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
|
||||||
error_message(ret)));
|
error_message(ret)));
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = krb5_mk_rep(context, auth_context, &packet);
|
ret = krb5_mk_rep(context, auth_context, &packet);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
DEBUG(3,("Failed to generate mutual authentication reply (%s)\n",
|
DEBUG(3,("Failed to generate mutual authentication reply (%s)\n",
|
||||||
error_message(ret)));
|
error_message(ret)));
|
||||||
krb5_auth_con_free(context, auth_context);
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
*ap_rep = data_blob(packet.data, packet.length);
|
*ap_rep = data_blob(packet.data, packet.length);
|
||||||
@ -167,15 +207,30 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
|||||||
principal))) {
|
principal))) {
|
||||||
DEBUG(3,("krb5_unparse_name failed (%s)\n",
|
DEBUG(3,("krb5_unparse_name failed (%s)\n",
|
||||||
error_message(ret)));
|
error_message(ret)));
|
||||||
data_blob_free(auth_data);
|
sret = NT_STATUS_LOGON_FAILURE;
|
||||||
data_blob_free(ap_rep);
|
goto out;
|
||||||
krb5_auth_con_free(context, auth_context);
|
|
||||||
return NT_STATUS_LOGON_FAILURE;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_auth_con_free(context, auth_context);
|
sret = NT_STATUS_OK;
|
||||||
|
|
||||||
return NT_STATUS_OK;
|
out:
|
||||||
|
|
||||||
|
if (!NT_STATUS_IS_OK(sret))
|
||||||
|
data_blob_free(auth_data);
|
||||||
|
|
||||||
|
if (!NT_STATUS_IS_OK(sret))
|
||||||
|
data_blob_free(ap_rep);
|
||||||
|
|
||||||
|
SAFE_FREE(host_princ_s);
|
||||||
|
SAFE_FREE(password_s);
|
||||||
|
|
||||||
|
if (auth_context)
|
||||||
|
krb5_auth_con_free(context, auth_context);
|
||||||
|
|
||||||
|
if (context)
|
||||||
|
krb5_free_context(context);
|
||||||
|
|
||||||
|
return sret;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* HAVE_KRB5 */
|
#endif /* HAVE_KRB5 */
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user