#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "auth/auth.h"
-#include "lib/socket/socket.h"
#include "lib/tsocket/tsocket.h"
#include "librpc/gen_ndr/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "lib/util/util_net.h"
#include "../lib/util/asn1.h"
#include "auth/kerberos/pac_utils.h"
-#include "gensec_krb5_util.h"
+#include "gensec_krb5.h"
_PUBLIC_ NTSTATUS gensec_krb5_init(void);
const char *error_string;
const char *principal;
const char *hostname;
- krb5_data in_data;
+ krb5_data in_data = { .length = 0 };
+ krb5_data *in_data_p = NULL;
struct tevent_context *previous_ev;
+ if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
+ NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
+ in_data_p = &in_data;
+ }
+
gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
principal = gensec_get_target_principal(gensec_security);
DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
return NT_STATUS_UNSUCCESSFUL;
}
- in_data.length = 0;
/* Do this every time, in case we have weird recursive issues here */
ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
target_principal,
- &in_data, ccache_container->ccache,
+ in_data_p, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
target_principal);
gensec_krb5_state->ap_req_options,
gensec_get_target_service(gensec_security),
hostname,
- &in_data, ccache_container->ccache,
+ in_data_p, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
}
static DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2])
{
struct asn1_data *data;
- DATA_BLOB ret;
+ DATA_BLOB ret = data_blob_null;
data = asn1_init(mem_ctx);
if (!data || !ticket->data) {
- return data_blob(NULL,0);
+ return ret;
}
- asn1_push_tag(data, ASN1_APPLICATION(0));
- asn1_write_OID(data, GENSEC_OID_KERBEROS5);
+ if (!asn1_push_tag(data, ASN1_APPLICATION(0))) goto err;
+ if (!asn1_write_OID(data, GENSEC_OID_KERBEROS5)) goto err;
- asn1_write(data, tok_id, 2);
- asn1_write(data, ticket->data, ticket->length);
- asn1_pop_tag(data);
+ if (!asn1_write(data, tok_id, 2)) goto err;
+ if (!asn1_write(data, ticket->data, ticket->length)) goto err;
+ if (!asn1_pop_tag(data)) goto err;
- if (data->has_error) {
- DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data->ofs));
- asn1_free(data);
- return data_blob(NULL,0);
- }
- ret = data_blob_talloc(mem_ctx, data->data, data->length);
+ if (!asn1_extract_blob(data, mem_ctx, &ret)) {
+ goto err;
+ }
asn1_free(data);
return ret;
+
+ err:
+
+ DEBUG(1, ("Failed to build krb5 wrapper at offset %d\n",
+ (int)asn1_current_ofs(data)));
+ asn1_free(data);
+ return ret;
}
/*
*/
static bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2])
{
- bool ret;
+ bool ret = false;
struct asn1_data *data = asn1_init(mem_ctx);
int data_remaining;
return false;
}
- asn1_load(data, *blob);
- asn1_start_tag(data, ASN1_APPLICATION(0));
- asn1_check_OID(data, GENSEC_OID_KERBEROS5);
+ if (!asn1_load(data, *blob)) goto err;
+ if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
+ if (!asn1_check_OID(data, GENSEC_OID_KERBEROS5)) goto err;
data_remaining = asn1_tag_remaining(data);
if (data_remaining < 3) {
- data->has_error = true;
+ asn1_set_error(data);
} else {
- asn1_read(data, tok_id, 2);
+ if (!asn1_read(data, tok_id, 2)) goto err;
data_remaining -= 2;
*ticket = data_blob_talloc(mem_ctx, NULL, data_remaining);
- asn1_read(data, ticket->data, ticket->length);
+ if (!asn1_read(data, ticket->data, ticket->length)) goto err;
}
- asn1_end_tag(data);
+ if (!asn1_end_tag(data)) goto err;
+
+ ret = !asn1_has_error(data);
- ret = !data->has_error;
+ err:
asn1_free(data);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
+ if (keytab->password_based || obtained < CRED_SPECIFIED) {
+ /*
+ * Use match-by-key in this case (matches
+ * cli_credentials_get_server_gss_creds()
+ * behaviour). No need to free the memory,
+ * this is handled with a talloc destructor.
+ */
+ server_in_keytab = NULL;
+ }
+
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
- gensec_krb5_security_ops.name));
+ gensec_fake_gssapi_krb5_security_ops.name));
return ret;
}