sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-07 20:23:50 +03:00
Code Activity

r1462: GENSEC Kerberos and SPENGO work:

Browse Source 
- Spelling - it's SPNEGO, not SPENGO
 - SMB signing - Krb5 logins are now correctly signed
 - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett
2004-07-12 09:11:13 +00:00
committed by Gerald (Jerry) Carter
parent 67ac960066
commit cea578d6f3
10 changed files with 177 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
source/libcli/auth/config.mk
View File

@@ -3,8 +3,7 @@
[SUBSYSTEM::LIBCLI_AUTH]
ADD_OBJ_FILES = libcli/auth/schannel.o \
libcli/auth/credentials.o \
libcli/auth/session.o \
libcli/auth/ntlm_check.o
libcli/auth/session.o
REQUIRED_SUBSYSTEMS = \
AUTH SCHANNELDB GENSEC
# End SUBSYSTEM LIBCLI_AUTH

5
source/libcli/auth/gensec.mk
View File

@@ -3,7 +3,7 @@
[SUBSYSTEM::GENSEC]
INIT_OBJ_FILES = libcli/auth/gensec.o
REQUIRED_SUBSYSTEMS = \
AUTH SCHANNELDB
SCHANNELDB
# End SUBSYSTEM GENSEC
#################################
@@ -14,7 +14,8 @@ INIT_OBJ_FILES = libcli/auth/gensec_krb5.o
ADD_OBJ_FILES = \
libcli/auth/clikrb5.o \
libcli/auth/kerberos.o \
libcli/auth/kerberos_verify.o
libcli/auth/kerberos_verify.o \
libcli/auth/gssapi_parse.o
REQUIRED_SUBSYSTEMS = GENSEC
# End MODULE gensec_krb5
################################################

13
source/libcli/auth/gensec_krb5.c
View File

@@ -42,6 +42,7 @@ struct gensec_krb5_state {
enum GENSEC_KRB5_STATE state_position;
krb5_context krb5_context;
krb5_auth_context krb5_auth_context;
krb5_ccache krb5_ccache;
};
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
@@ -66,7 +67,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
initialize_krb5_error_table();
gensec_krb5_state->krb5_context = NULL;
gensec_krb5_state->krb5_auth_context = NULL;
gensec_krb5_state->krb5_ccdef = NULL;
gensec_krb5_state->krb5_ccache = NULL;
gensec_krb5_state->session_key = data_blob(NULL, 0);
ret = krb5_init_context(&gensec_krb5_state->krb5_context);
@@ -111,7 +112,7 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security
static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
NTSTATUS nt_status;
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -121,7 +122,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef);
ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
error_message(ret)));
@@ -135,13 +136,13 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
if (gensec_krb5_state->krb5_ccdef) {
if (gensec_krb5_state->krb5_ccache) {
/* Removed by jra. They really need to fix their kerberos so we don't leak memory.
JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
SuSE 9.1 Pro
*/
#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
krb5_cc_close(context, gensec_krb5_state->krb5_ccdef);
krb5_cc_close(context, gensec_krb5_state->krb5_ccache);
#endif
}
@@ -193,7 +194,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
&gensec_krb5_state->krb5_auth_context,
AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
gensec_security->target.principal,
ccdef, &packet);
gensec_krb5_state->krb5_ccache, &packet);
if (ret) {
DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
error_message(ret)));

122
source/libcli/auth/spnego.c
View File

@@ -48,7 +48,7 @@ struct spnego_state {
static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
{
struct spnego_state *spnego_state;
TALLOC_CTX *mem_ctx = talloc_init("gensec_spengo_client_start");
TALLOC_CTX *mem_ctx = talloc_init("gensec_spnego_client_start");
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
@@ -151,12 +151,12 @@ static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_securit
/** Fallback to another GENSEC mechanism, based on magic strings
*
* This is the 'fallback' case, where we don't get SPENGO, and have to
* This is the 'fallback' case, where we don't get SPNEGO, and have to
* try all the other options (and hope they all have a magic string
* they check)
*/
static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec_security,
static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
@@ -189,7 +189,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
}
gensec_end(&spnego_state->sub_sec_security);
}
DEBUG(1, ("Failed to parse SPENGO request\n"));
DEBUG(1, ("Failed to parse SPNEGO request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -199,7 +199,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
* This is the case, where the client is the first one who sends data
*/
static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec_security,
static NTSTATUS gensec_spnego_client_netTokenInit(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
@@ -266,7 +266,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -277,7 +277,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
}
gensec_end(&spnego_state->sub_sec_security);
DEBUG(1, ("Failed to setup SPENGO netTokenInit request\n"));
DEBUG(1, ("Failed to setup SPNEGO netTokenInit request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -286,7 +286,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
{
struct spnego_state *spnego_state = gensec_security->private_data;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
DATA_BLOB unwrapped_out;
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
struct spnego_data spnego_out;
struct spnego_data spnego;
@@ -307,7 +307,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (in.length) {
len = spnego_read_data(in, &spnego);
if (len == -1) {
return gensec_spengo_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
return gensec_spnego_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
} else {
/* client sent NegTargetInit */
}
@@ -328,7 +328,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (!in.length) {
/* client to produce negTokenInit */
return gensec_spengo_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
return gensec_spnego_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
}
len = spnego_read_data(in, &spnego);
@@ -341,13 +341,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type,
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, (const char *)in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego.negTokenInit.targetPrincipal) {
nt_status = gensec_set_target_principal(gensec_security,
spnego.negTokenInit.targetPrincipal);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
}
mechType = spnego.negTokenInit.mechTypes;
for (i=0; mechType && mechType[i]; i++) {
nt_status = gensec_subcontext_start(gensec_security,
@@ -375,8 +383,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
null_data_blob,
&unwrapped_out);
}
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(1, ("SPENGO(%s) NEG_TOKEN_INIT failed: %s\n",
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
gensec_end(&spnego_state->sub_sec_security);
} else {
@@ -384,11 +392,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
}
if (!mechType || !mechType[i]) {
DEBUG(1, ("SPENGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
}
spnego_free_data(&spnego);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
@@ -402,7 +410,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -410,7 +418,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
return nt_status;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
case SPNEGO_SERVER_TARG:
{
@@ -429,49 +437,47 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type,
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, (const char *)in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego.negTokenTarg.responseToken.length) {
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
} else {
unwrapped_out = data_blob(NULL, 0);
nt_status = NT_STATUS_OK;
}
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.supportedMech
= spnego_state->sub_sec_security->ops->oid;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
spnego_out.negTokenTarg.supportedMech
= spnego_state->sub_sec_security->ops->oid;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->state_position = SPNEGO_SERVER_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
spnego_state->state_position = SPNEGO_DONE;
} else {
DEBUG(1, ("SPENGO(%s) login failed: %s\n",
spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
return nt_status;
spnego_state->state_position = SPNEGO_DONE;
}
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
return NT_STATUS_INVALID_PARAMETER;
}
return nt_status;
}
case SPNEGO_CLIENT_TARG:
@@ -501,16 +507,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
return NT_STATUS_ACCESS_DENIED;
}
if (spnego.negTokenTarg.responseToken.length) {
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
} else {
unwrapped_out = data_blob(NULL, 0);
nt_status = NT_STATUS_OK;
}
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)
&& (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
@@ -521,27 +522,28 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
spnego_out.negTokenTarg.supportedMech = NULL;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
spnego_out.negTokenTarg.supportedMech = NULL;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->state_position = SPNEGO_CLIENT_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->state_position = SPNEGO_DONE;
} else {
DEBUG(1, ("SPENGO(%s) login failed: %s\n",
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
return nt_status;
}
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
return NT_STATUS_INVALID_PARAMETER;
}
return nt_status;
}