sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-19 10:03:58 +03:00
Code

r3115: Bugfixes and extra debug in our kerberos verify code.

Browse Source 
Andrew Bartlett
(This used to be commit 9f19aae0c0812b156054385ef77785971488e21c)
This commit is contained in:
Andrew Bartlett 2004-10-21 15:24:50 +00:00 committed by Gerald (Jerry) Carter
parent ac989eda6d
commit f30a08813c
2 changed files with 26 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
source4/libcli/auth/gensec_krb5.c
View File

@ -229,21 +229,19 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
if (gensec_krb5_state->ticket.length) { if (gensec_krb5_state->ticket.length) {
/* Hmm, heimdal dooesn't have this - what's the correct call? */ /* Hmm, early heimdal dooesn't have this - correct call would be krb5_data_free */
#ifdef HAVE_KRB5_FREE_DATA_CONTENTS #ifdef HAVE_KRB5_FREE_DATA_CONTENTS
krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket); krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
#endif #endif
} }
if (gensec_krb5_state->krb5_ccache) { if (gensec_krb5_state->krb5_ccache) {
/* Removed by jra. They really need to fix their kerberos so we don't leak memory. /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
JERRY -- disabled since it causes heimdal 0.6.1rc3 to die krb5_cc_close(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache);
SuSE 9.1 Pro
*/
#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
krb5_cc_close(context, gensec_krb5_state->krb5_ccache);
#endif
} }
krb5_free_keyblock_contents(gensec_krb5_state->krb5_context,
&gensec_krb5_state->krb5_keyblock);
if (gensec_krb5_state->krb5_auth_context) { if (gensec_krb5_state->krb5_auth_context) {
krb5_auth_con_free(gensec_krb5_state->krb5_context, krb5_auth_con_free(gensec_krb5_state->krb5_context,
gensec_krb5_state->krb5_auth_context); gensec_krb5_state->krb5_auth_context);
@ -275,6 +273,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
gensec_krb5_state->krb5_auth_context = NULL; gensec_krb5_state->krb5_auth_context = NULL;
gensec_krb5_state->krb5_ccache = NULL; gensec_krb5_state->krb5_ccache = NULL;
ZERO_STRUCT(gensec_krb5_state->ticket); ZERO_STRUCT(gensec_krb5_state->ticket);
ZERO_STRUCT(gensec_krb5_state->krb5_keyblock);
gensec_krb5_state->session_key = data_blob(NULL, 0); gensec_krb5_state->session_key = data_blob(NULL, 0);
ret = krb5_init_context(&gensec_krb5_state->krb5_context); ret = krb5_init_context(&gensec_krb5_state->krb5_context);

38
source4/libcli/auth/kerberos_verify.c
View File

@ -62,12 +62,11 @@ static DATA_BLOB unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data)
ads_keytab_add_entry function for details. ads_keytab_add_entry function for details.
***********************************************************************************/ ***********************************************************************************/
static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context auth_context, static krb5_error_code ads_keytab_verify_ticket(krb5_context context, krb5_auth_context auth_context,
const DATA_BLOB *ticket, krb5_data *p_packet, krb5_ticket **pp_tkt, const DATA_BLOB *ticket, krb5_data *p_packet, krb5_ticket **pp_tkt,
krb5_keyblock *keyblock) krb5_keyblock *keyblock)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
BOOL auth_ok = False;
krb5_keytab keytab = NULL; krb5_keytab keytab = NULL;
krb5_kt_cursor cursor; krb5_kt_cursor cursor;
@ -91,12 +90,13 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
goto out; goto out;
} }
while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) { while (!(ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor))) {
ret = krb5_unparse_name(context, kt_entry.principal, &princ_name); ret = krb5_unparse_name(context, kt_entry.principal, &princ_name);
if (ret) { if (ret) {
DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret))); DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret)));
goto out; goto out;
} }
DEBUG(10, ("Checking principal: %s\n", princ_name));
/* Look for a CIFS ticket */ /* Look for a CIFS ticket */
if (!strncasecmp(princ_name, "cifs/", 5) || (!strncasecmp(princ_name, "host/", 5))) { if (!strncasecmp(princ_name, "cifs/", 5) || (!strncasecmp(princ_name, "host/", 5))) {
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
@ -123,7 +123,6 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
DEBUG(10,("ads_keytab_verify_ticket: enc type [%u] decrypted message !\n", DEBUG(10,("ads_keytab_verify_ticket: enc type [%u] decrypted message !\n",
keytype)); keytype));
auth_ok = True;
break; break;
} }
} }
@ -133,9 +132,11 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
if (ret && ret != KRB5_KT_END) { if (ret && ret != KRB5_KT_END) {
/* This failed because something went wrong, not because the keytab file was empty. */ /* This failed because something went wrong, not because the keytab file was empty. */
DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_next_entry failed (%s)\n", error_message(ret))); DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_next_entry failed (%s)\n", error_message(ret)));
goto out; } else if (ret == KRB5_KT_END) {
DEBUG(10, ("ads_keytab_verify_ticket: no keytab entry found: %s\n", error_message(ret)));
} else {
DEBUG(10, ("ads_keytab_verify_ticket: keytab entry found: %s\n", princ_name));
} }
out: out:
if (princ_name) { if (princ_name) {
@ -152,7 +153,7 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
krb5_kt_close(context, keytab); krb5_kt_close(context, keytab);
} }
return auth_ok; return ret;
} }
/********************************************************************************** /**********************************************************************************
@ -165,7 +166,6 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
krb5_keyblock *keyblock) krb5_keyblock *keyblock)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
BOOL auth_ok = False;
char *password_s = NULL; char *password_s = NULL;
krb5_data password; krb5_data password;
krb5_enctype *enctypes = NULL; krb5_enctype *enctypes = NULL;
@ -175,13 +175,13 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
if (!secrets_init()) { if (!secrets_init()) {
DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n")); DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
return False; return KRB5_KT_END;
} }
password_s = secrets_fetch_machine_password(lp_workgroup()); password_s = secrets_fetch_machine_password(lp_workgroup());
if (!password_s) { if (!password_s) {
DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n")); DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
return False; return KRB5_KT_END;
} }
password.data = password_s; password.data = password_s;
@ -200,7 +200,8 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
/* We need to setup a auth context with each possible encoding type in turn. */ /* We need to setup a auth context with each possible encoding type in turn. */
for (i=0;enctypes[i];i++) { for (i=0;enctypes[i];i++) {
if (create_kerberos_key_from_string(context, host_princ, &password, keyblock, enctypes[i])) { ret = create_kerberos_key_from_string(context, host_princ, &password, keyblock, enctypes[i]);
if (ret) {
continue; continue;
} }
@ -212,11 +213,10 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
if (!ret) { if (!ret) {
DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n", DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
(unsigned int)enctypes[i] )); (unsigned int)enctypes[i] ));
auth_ok = True;
break; break;
} }
krb5_free_keyblock(context, keyblock); krb5_free_keyblock_contents(context, keyblock);
DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10, DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n", ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
@ -228,7 +228,7 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
free_kerberos_etypes(context, enctypes); free_kerberos_etypes(context, enctypes);
SAFE_FREE(password_s); SAFE_FREE(password_s);
return auth_ok; return ret;
} }
/********************************************************************************** /**********************************************************************************
@ -255,7 +255,6 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
BOOL got_replay_mutex = False; BOOL got_replay_mutex = False;
char *myname; char *myname;
BOOL auth_ok = False;
char *malloc_principal; char *malloc_principal;
@ -304,16 +303,17 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
goto out; goto out;
} }
auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &packet, &tkt, keyblock); ret = ads_keytab_verify_ticket(context, auth_context, ticket, &packet, &tkt, keyblock);
if (!auth_ok) { if (ret) {
auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ, DEBUG(10, ("ads_secrets_verify_ticket: using host principal: [%s]\n", host_princ_s));
ret = ads_secrets_verify_ticket(context, auth_context, host_princ,
ticket, &packet, &tkt, keyblock); ticket, &packet, &tkt, keyblock);
} }
release_server_mutex(); release_server_mutex();
got_replay_mutex = False; got_replay_mutex = False;
if (!auth_ok) { if (ret) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
error_message(ret))); error_message(ret)));
goto out; goto out;