1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
samba-mirror/lib/krb5_wrap/gss_samba.c
Simo Sorce b8653f4ee7 Restrict GSSAPI query to the krb5 mechanism
Otherwise GSSAPI will consult other mechanisms if available and we can
only cope with krb5 credentials here.

Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 30 20:45:23 UTC 2020 on sn-devel-184
2020-09-30 20:45:23 +00:00

223 lines
5.6 KiB
C

/*
* Unix SMB/CIFS implementation.
*
* Simple GSSAPI wrappers
*
* Copyright (c) 2012 Andreas Schneider <asn@samba.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "gss_samba.h"
#ifdef HAVE_GSSAPI
#if !defined(HAVE_GSS_OID_EQUAL)
int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
{
if (first_oid == GSS_C_NO_OID || second_oid == GSS_C_NO_OID) {
return 0;
}
if (first_oid == second_oid) {
return 1;
}
if ((first_oid)->length != (second_oid)->length) {
return 0;
}
if (memcmp((first_oid)->elements, (second_oid)->elements,
(first_oid)->length) == 0) {
return 1;
}
return 0;
}
#endif /* !HAVE_GSS_OID_EQUAL */
/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
* if this GSSAPI extension is available. gss_acquire_cred_from() is properly
* interposed by GSSPROXY while gss_krb5_import_cred() is not.
*
* This wrapper requires a proper krb5_context to resolve ccache name.
* All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
krb5_ccache id, krb5_principal keytab_principal,
krb5_keytab keytab, gss_cred_id_t *cred)
{
uint32_t major_status = 0;
#ifdef HAVE_GSS_ACQUIRE_CRED_FROM
uint32_t minor = 0;
gss_key_value_element_desc ccache_element = {
.key = "ccache",
.value = NULL,
};
gss_key_value_element_desc keytab_element = {
.key = "keytab",
.value = NULL,
};
gss_key_value_element_desc elements[2];
gss_key_value_set_desc cred_store = {
.elements = &ccache_element,
.count = 1,
};
/* we are interested exclusively in krb5 credentials,
* indicate to GSSAPI that we are not interested in any other
* mechanism here */
gss_OID_set_desc mech_set = {
.count = 1,
.elements = discard_const_p(struct gss_OID_desc_struct,
gss_mech_krb5),
};
gss_cred_usage_t cred_usage = GSS_C_INITIATE;
gss_name_t name = NULL;
gss_buffer_desc pr_name = {
.value = NULL,
.length = 0,
};
if (id != NULL) {
major_status = krb5_cc_get_full_name(ctx,
id,
discard_const(&ccache_element.value));
if (major_status != 0) {
return major_status;
}
}
if (keytab != NULL) {
keytab_element.value = malloc(4096);
if (!keytab_element.value) {
return ENOMEM;
}
major_status = krb5_kt_get_name(ctx,
keytab,
discard_const(keytab_element.value), 4096);
if (major_status != 0) {
free(discard_const(keytab_element.value));
return major_status;
}
cred_usage = GSS_C_ACCEPT;
cred_store.elements = &keytab_element;
if (keytab_principal != NULL) {
major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
if (major_status != 0) {
free(discard_const(keytab_element.value));
return major_status;
}
pr_name.length = strlen(pr_name.value);
major_status = gss_import_name(minor_status,
&pr_name,
discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
&name);
if (major_status != 0) {
krb5_free_unparsed_name(ctx, pr_name.value);
free(discard_const(keytab_element.value));
return major_status;
}
}
}
if (id != NULL && keytab != NULL) {
elements[0] = ccache_element;
elements[1] = keytab_element;
cred_store.elements = elements;
cred_store.count = 2;
cred_usage = GSS_C_BOTH;
}
major_status = gss_acquire_cred_from(minor_status,
name,
0,
&mech_set,
cred_usage,
&cred_store,
cred,
NULL,
NULL);
if (pr_name.value != NULL) {
(void)gss_release_name(&minor, &name);
krb5_free_unparsed_name(ctx, pr_name.value);
}
if (keytab_element.value != NULL) {
free(discard_const(keytab_element.value));
}
krb5_free_string(ctx, discard_const(ccache_element.value));
#else
major_status = gss_krb5_import_cred(minor_status,
id,
keytab_principal,
keytab, cred);
if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
if ((keytab_principal == NULL) && (keytab != NULL)) {
/* No principal was specified and MIT krb5 1.9 version failed.
* We have to fall back to set global acceptor identity */
gss_OID_set_desc mech_set;
char *kt_name = NULL;
kt_name = malloc(4096);
if (!kt_name) {
return ENOMEM;
}
major_status = krb5_kt_get_name(ctx,
keytab,
kt_name, 4096);
if (major_status != 0) {
free(kt_name);
return major_status;
}
major_status = gsskrb5_register_acceptor_identity(kt_name);
if (major_status) {
free(kt_name);
return major_status;
}
/* We are dealing with krb5 GSSAPI mech in this fallback */
mech_set.count = 1;
mech_set.elements =
discard_const_p(struct gss_OID_desc_struct,
gss_mech_krb5);
major_status = gss_acquire_cred(minor_status,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
&mech_set,
GSS_C_ACCEPT,
cred,
NULL, NULL);
free(kt_name);
}
}
#endif
return major_status;
}
#endif /* HAVE_GSSAPI */