Diffstat (limited to 'source3/librpc/crypto/gse.c')
-rw-r--r--source3/librpc/crypto/gse.c135
1 files changed, 61 insertions, 74 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 0d9eead082e..c311c774d42 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -27,12 +27,6 @@
#include "smb_krb5.h"
#include "gse_krb5.h"
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_krb5.h>
-#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
-#include <gssapi/gssapi_ext.h>
-#endif
-
#ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
@@ -62,16 +56,6 @@ gss_OID_desc gse_authz_data_oid = {
(void *)GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID
};
-#ifndef GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
-#endif
-
-gss_OID_desc gse_authtime_oid = {
- GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
- (void *)GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-};
-
static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
struct gse_context {
@@ -95,6 +79,24 @@ struct gse_context {
bool authenticated;
};
+#ifndef HAVE_GSS_OID_EQUAL
+
+static bool gss_oid_equal(const gss_OID o1, const gss_OID o2)
+{
+ if (o1 == o2) {
+ return true;
+ }
+ if ((o1 == NULL && o2 != NULL) || (o1 != NULL && o2 == NULL)) {
+ return false;
+ }
+ if (o1->length != o2->length) {
+ return false;
+ }
+ return memcmp(o1->elements, o2->elements, o1->length) == false;
+}
+
+#endif
+
/* free non talloc dependent contexts */
static int gse_context_destructor(void *ptr)
{
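Review bot: The fallback `gss_oid_equal` ends with `memcmp(...) == false`, which only works because `false` happens to be 0 and reads as a boolean misuse of an integer result; write `return memcmp(o1->elements, o2->elements, o1->length) == 0;`. The two NULL tests can be collapsed to one line after the identity check, `if (o1 == NULL || o2 == NULL) { return false; }`, which covers both orderings. Note also that `const gss_OID` qualifies the pointer itself, not the pointed-to `gss_OID_desc`, so the signature offers no const protection on the OID contents; that is harmless here but worth a comment so nobody relies on it.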
@@ -135,10 +137,19 @@ static int gse_context_destructor(void *ptr)
gss_maj = gss_release_cred(&gss_min,
&gse_ctx->delegated_creds);
}
- if (gse_ctx->ret_mech) {
- gss_maj = gss_release_oid(&gss_min,
- &gse_ctx->ret_mech);
- }
+
+ /* MIT and Heimdal differ as to if you can call
+ * gss_release_oid() on this OID, generated by
+ * gss_{accept,init}_sec_context(). However, as long as the
+ * oid is gss_mech_krb5 (which it always is at the moment),
+ * then this is a moot point, as both declare this particular
+ * OID static, and so no memory is lost. This assert is in
+ * place to ensure that the programmer who wishes to extend
+ * this code to EAP or other GSS mechanisms determines an
+ * implementation-dependent way of releasing any dynamically
+ * allocated OID */
+ SMB_ASSERT(gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5));
+
return 0;
}
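Review bot: The first operand of the new SMB_ASSERT, `gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID)`, can never be true: `mech_set.elements = &gse_ctx->gss_mech` in a later hunk shows gss_mech is an embedded `gss_OID_desc`, so its address is never NULL and only the `gss_mech_krb5` comparison is effective. If the intent is to tolerate a context whose mechanism was never set, test that directly, e.g. `gse_ctx->gss_mech.length == 0 || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5)`; this also avoids passing a NULL OID to the library's own `gss_oid_equal` when HAVE_GSS_OID_EQUAL is defined, whose NULL handling may differ from the local fallback. Since this runs inside a talloc destructor, a failed SMB_ASSERT aborts the process during cleanup rather than returning an error, which the comment should say explicitly. The assertion line also exceeds 80 columns; split it at the `||`.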
@@ -348,8 +359,6 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
OM_uint32 gss_maj, gss_min;
krb5_error_code ret;
NTSTATUS status;
- const char *ktname;
- gss_OID_set_desc mech_set;
status = gse_context_init(mem_ctx, do_sign, do_seal,
NULL, add_gss_c_flags, &gse_ctx);
@@ -379,24 +388,27 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
* This call sets the default keytab for the whole server, not
* just for this context. Need to find a way that does not alter
* the state of the whole server ... */
+ {
+ const char *ktname;
+ gss_OID_set_desc mech_set;
- ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
+ ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
gse_ctx->keytab, &ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
+ if (ret) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
- ret = gsskrb5_register_acceptor_identity(ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
+ ret = gsskrb5_register_acceptor_identity(ktname);
+ if (ret) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
- mech_set.count = 1;
- mech_set.elements = &gse_ctx->gss_mech;
-
- gss_maj = gss_acquire_cred(&gss_min,
+ mech_set.count = 1;
+ mech_set.elements = &gse_ctx->gss_mech;
+
+ gss_maj = gss_acquire_cred(&gss_min,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
&mech_set,
@@ -404,11 +416,12 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
&gse_ctx->creds,
NULL, NULL);
- if (gss_maj) {
- DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
+ if (gss_maj) {
+ DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
+ gse_errstr(gse_ctx, gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
}
#endif
status = NT_STATUS_OK;
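Review bot: The re-indented DEBUG message in the failure branch names `gss_acquire_creds`, but the call being diagnosed is `gss_acquire_cred`; as these lines are rewritten anyway, change the string to `"gss_acquire_cred failed with [%s]\n"` so the log line matches the API. The enclosing `{` block opens in the previous hunk and gse_init_server continues outside this hunk, so the `#endif` that follows the block is not visible in context here.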
@@ -692,42 +705,15 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
return NT_STATUS_OK;
}
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+ TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
{
- OM_uint32 gss_min, gss_maj;
- gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
- int32_t tkttime;
-
if (!gse_ctx->authenticated) {
return NT_STATUS_ACCESS_DENIED;
}
- gss_maj = gss_inquire_sec_context_by_oid(
- &gss_min, gse_ctx->gss_ctx,
- &gse_authtime_oid, &set);
- if (gss_maj) {
- DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
- gse_errstr(talloc_tos(), gss_maj, gss_min)));
- return NT_STATUS_NOT_FOUND;
- }
-
- if ((set == GSS_C_NO_BUFFER_SET) || (set->count != 1) != 0) {
- DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
- "data in results.\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- if (set->elements[0].length != sizeof(int32_t)) {
- DEBUG(0, ("Invalid authtime size!\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- tkttime = *((int32_t *)set->elements[0].value);
-
- gss_maj = gss_release_buffer_set(&gss_min, &set);
-
- *authtime = (time_t)tkttime;
- return NT_STATUS_OK;
+ return gssapi_obtain_pac_blob(mem_ctx, gse_ctx->gss_ctx,
+ gse_ctx->client_name, pac_blob);
}
size_t gse_get_signature_length(struct gse_context *gse_ctx,
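Review bot: `gse_get_pac_blob` is a new public entry point with no header comment stating what pac_blob holds on success, which talloc context it is allocated on, or what an unauthenticated caller gets back. Add above the definition something like `/* Hand back the PAC for this context as a blob, presumably talloc'd on mem_ctx; NT_STATUS_ACCESS_DENIED until the context is authenticated, otherwise whatever gssapi_obtain_pac_blob() reports. */`, confirming the allocation context and error semantics against gssapi_obtain_pac_blob(), which is defined elsewhere. The same comment belongs on the NT_STATUS_NOT_IMPLEMENTED stub with the identical signature later in this diff.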
@@ -982,7 +968,8 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
return NT_STATUS_NOT_IMPLEMENTED;
}
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+ TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
{
return NT_STATUS_NOT_IMPLEMENTED;
}
@@ -1017,4 +1004,4 @@ NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
return NT_STATUS_NOT_IMPLEMENTED;
}
-#endif /* HAVE_KRB5 && HAVE_GSSAPI_EXT_H && HAVE_GSS_WRAP_IOV */
+#endif /* HAVE_KRB5 && HAVE_GSS_WRAP_IOV */