authorAndrew Tridgell <tridge@samba.org>2001-10-18 10:26:06 +0000
committerAndrew Tridgell <tridge@samba.org>2001-10-18 10:26:06 +0000
commit353c290f059347265b9be2aa1010c2956da06485 (patch)
tree47a4d21728e0e69cdaf88248d9317d4c7db02754 /source/libsmb
parent7c3542ba8764be48b88255dd7f73ea6d87be10ac (diff)
the beginnings of kerberos support in smbd. It doesn't work yet, but
it should give something for others to hack on and possibly find what I'm doing wrong.
Diffstat (limited to 'source/libsmb')
-rw-r--r--source/libsmb/asn1.c18
-rw-r--r--source/libsmb/cliconnect.c4
-rw-r--r--source/libsmb/clikrb5.c4
-rw-r--r--source/libsmb/clispnego.c23
4 files changed, 46 insertions, 3 deletions
diff --git a/source/libsmb/asn1.c b/source/libsmb/asn1.c
index 59763408cfe..a8c0eebb94c 100644
--- a/source/libsmb/asn1.c
+++ b/source/libsmb/asn1.c
@@ -156,6 +156,24 @@ BOOL asn1_write_BOOLEAN(ASN1_DATA *data, BOOL v)
return !data->has_error;
}
+/* check a BOOLEAN */
+BOOL asn1_check_BOOLEAN(ASN1_DATA *data, BOOL v)
+{
+ uint8 b = 0;
+
+ asn1_read_uint8(data, &b);
+ if (b != ASN1_BOOLEAN) {
+ data->has_error = True;
+ return False;
+ }
+ asn1_read_uint8(data, &b);
+ if (b != v) {
+ data->has_error = True;
+ return False;
+ }
+ return !data->has_error;
+}
+
/* load a ASN1_DATA structure with a lump of data, ready to be parsed */
BOOL asn1_load(ASN1_DATA *data, DATA_BLOB blob)
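Review bot: In `asn1_check_BOOLEAN` neither `asn1_read_uint8` result is tested, so if the second read fails `b` still holds the tag byte from the first read and `b != v` is evaluated on stale data. The final `!data->has_error` only catches that if the reader sets the flag on a short buffer, which this hunk does not show. Assuming the reader returns BOOL like the other asn1 helpers, `if (!asn1_read_uint8(data, &b) || b != v) { data->has_error = True; return False; }` makes the failure path explicit, and the same applies to the tag read. The function also takes the byte directly after the tag as the value, with no length octet consumed, so the header comment should spell that out, e.g. `/* check for a two-byte BOOLEAN: tag ASN1_BOOLEAN followed directly by value v; sets has_error on mismatch */`.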
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 6a01744240b..4fba54900dc 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -392,6 +392,10 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c
if (!negTokenTarg.data) return False;
+#if 0
+ file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
+#endif
+
blob2 = cli_session_setup_blob(cli, negTokenTarg);
/* we don't need this blob for kerberos */
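Review bot: The `#if 0` block in `cli_session_setup_kerberos` would, once enabled, write the whole `negTokenTarg` blob to a fixed file name in the current working directory. That blob presumably carries the Kerberos ticket material used for this session setup. Disabled debugging aids tend to get switched on and left on, so either drop it before merge or label it at the site, e.g. `/* debug only: dumps the raw SPNEGO token, including krb5 ticket data, to the cwd */`. The function body starts and ends outside the hunk.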
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index 68e941f2aac..51b6e6e8cf7 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -22,8 +22,6 @@
#include "includes.h"
#if HAVE_KRB5
-#include <krb5.h>
-
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
*/
@@ -105,7 +103,7 @@ DATA_BLOB krb5_get_ticket(char *service, char *realm)
if ((retval = krb5_mk_req2(context,
&auth_context,
- AP_OPTS_MUTUAL_REQUIRED,
+ 0,
service, realm,
ccdef, &packet))) {
DEBUG(1,("krb5_mk_req2 failed\n"));
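Review bot: Replacing `AP_OPTS_MUTUAL_REQUIRED` with a bare `0` in the `krb5_mk_req2` call stops the client from requesting mutual authentication, and nothing at the call site says why. Without that option the Kerberos exchange itself no longer asks the server to prove its identity to the client, which matters for any caller of `krb5_get_ticket` that relied on it. If this is a temporary workaround while the smbd side is incomplete (inferred from the commit message, not stated), record it where the flag is passed, e.g. `0, /* FIXME: mutual auth disabled until the server side can reply; restore AP_OPTS_MUTUAL_REQUIRED */`. `krb5_get_ticket` starts and ends outside the hunk.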
diff --git a/source/libsmb/clispnego.c b/source/libsmb/clispnego.c
index 78cae3315a8..c421d759134 100644
--- a/source/libsmb/clispnego.c
+++ b/source/libsmb/clispnego.c
@@ -241,6 +241,29 @@ static DATA_BLOB spnego_gen_krb5_wrap(DATA_BLOB ticket)
return ret;
}
+/*
+ parse a krb5 GSS-API wrapper packet giving a ticket
+*/
+BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket)
+{
+ BOOL ret;
+ ASN1_DATA data;
+
+ asn1_load(&data, blob);
+ asn1_start_tag(&data, ASN1_APPLICATION(0));
+ asn1_check_OID(&data, OID_KERBEROS5);
+ asn1_check_BOOLEAN(&data, 0);
+ *ticket = data_blob(data.data, asn1_tag_remaining(&data));
+ asn1_read(&data, ticket->data, ticket->length);
+ asn1_end_tag(&data);
+
+ ret = !data.has_error;
+
+ asn1_free(&data);
+
+ return ret;
+}
+
/*
generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
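Review bot: `spnego_parse_krb5_wrap` carries on after a failed `asn1_start_tag`, `asn1_check_OID` or `asn1_check_BOOLEAN` and sizes the ticket allocation from `asn1_tag_remaining(&data)`, on input supplied by the peer. If that helper can return a negative value or an unvalidated tag length for a malformed packet (its body is not on this page), the value reaches `data_blob` as a length and the copy from `data.data` is no longer bounded by the blob that was loaded. A guard before the allocation, `if (data.has_error) { asn1_free(&data); return False; }`, together with a check that the remaining length is non-negative and no larger than `blob.length`, would close that. The function can also return False with `*ticket` already allocated, so the header comment should say who frees it on failure.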