The branch, master has been updated
via 26f1218... s3-libsmb: Use data_blob_talloc to get krb5 ticket and
session keys
via 8137f2d... misc: cleanup get_krb5_smb_session_key()
via e8460b4... misc: cleanup cli_krb5_get_ticket()
from 5002b3a... Add approriate TALLOC_CTX's thoughout the spnego code.
No more implicit NULL contexts.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 26f1218a3678e648c73db3b34732703396ad48b2
Author: Simo Sorce <[email protected]>
Date: Tue Jul 20 20:00:12 2010 -0400
s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys
commit 8137f2d7e7e69db66a5191c1a80e0bda52506528
Author: Simo Sorce <[email protected]>
Date: Tue Jul 20 19:45:00 2010 -0400
misc: cleanup get_krb5_smb_session_key()
commit e8460b4ebc82659d2cf1ea1588c708fa7069be5c
Author: Simo Sorce <[email protected]>
Date: Tue Jul 20 19:41:19 2010 -0400
misc: cleanup cli_krb5_get_ticket()
-----------------------------------------------------------------------
Summary of changes:
source3/include/krb5_protos.h | 10 +++-
source3/libads/authdata.c | 3 +-
source3/libads/kerberos_verify.c | 3 +-
source3/libsmb/clikrb5.c | 79 ++++++++++++++++++++++----------------
source3/libsmb/clispnego.c | 11 +++--
source3/rpc_client/cli_pipe.c | 6 ++-
source3/utils/ntlm_auth.c | 10 +++--
7 files changed, 73 insertions(+), 49 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
index b65fb17..97e6871 100644
--- a/source3/include/krb5_protos.h
+++ b/source3/include/krb5_protos.h
@@ -46,7 +46,10 @@ krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const
krb5_data *realm, st
krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
struct sockaddr **addr_pp, int *naddrs, int get_masters);
#endif
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype
**enctypes);
-bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context
auth_context, DATA_BLOB *session_key, bool remote);
+bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_auth_context auth_context,
+ DATA_BLOB *session_key, bool remote);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry
*kt_entry);
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
krb5_principal host_princ, int enctype);
void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
@@ -141,9 +144,10 @@ char *smb_krb5_principal_get_realm(krb5_context context,
krb5_principal principal);
#endif /* HAVE_KRB5 */
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+ const char *principal, time_t time_offset,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
- uint32 extra_ap_opts, const char *ccname,
+ uint32_t extra_ap_opts, const char *ccname,
time_t *tgs_expire,
const char *impersonate_princ_s);
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 305b607..00062f4 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -406,7 +406,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_LOGON_TYPE;
}
- ret = cli_krb5_get_ticket(local_service,
+ ret = cli_krb5_get_ticket(mem_ctx,
+ local_service,
time_offset,
&tkt,
&sesskey1,
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index c072593..10edd07 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -615,7 +615,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(packet);
}
- get_krb5_smb_session_key(context, auth_context, session_key, True);
+ get_krb5_smb_session_key(mem_ctx, context,
+ auth_context, session_key, true);
dump_data_pw("SMB session key (from ticket)\n", session_key->data,
session_key->length);
#if 0
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 2e3fdf3..68b45d8 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -826,11 +826,12 @@ cleanup_princ:
}
/*
- get a kerberos5 ticket for the given service
+ get a kerberos5 ticket for the given service
*/
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
- uint32 extra_ap_opts, const char *ccname,
+int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+ const char *principal, time_t time_offset,
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+ uint32_t extra_ap_opts, const char *ccname,
time_t *tgs_expire,
const char *impersonate_princ_s)
@@ -843,15 +844,15 @@ int cli_krb5_get_ticket(const char *principal, time_t
time_offset,
krb5_enctype enc_types[] = {
#ifdef ENCTYPE_ARCFOUR_HMAC
ENCTYPE_ARCFOUR_HMAC,
-#endif
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC,
+#endif
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL};
initialize_krb5_error_table();
retval = krb5_init_context(&context);
if (retval) {
- DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed
(%s)\n",
+ DEBUG(1, ("krb5_init_context failed (%s)\n",
error_message(retval)));
goto failed;
}
@@ -862,56 +863,60 @@ int cli_krb5_get_ticket(const char *principal, time_t
time_offset,
if ((retval = krb5_cc_resolve(context, ccname ?
ccname : krb5_cc_default_name(context), &ccdef))) {
- DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
+ DEBUG(1, ("krb5_cc_default failed (%s)\n",
error_message(retval)));
goto failed;
}
if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
- DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes
failed (%s)\n",
+ DEBUG(1, ("krb5_set_default_tgs_ktypes failed (%s)\n",
error_message(retval)));
goto failed;
}
- if ((retval = ads_krb5_mk_req(context,
- &auth_context,
- AP_OPTS_USE_SUBKEY |
(krb5_flags)extra_ap_opts,
- principal,
- ccdef, &packet,
- tgs_expire,
- impersonate_princ_s))) {
+ retval = ads_krb5_mk_req(context, &auth_context,
+ AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
+ principal, ccdef, &packet,
+ tgs_expire, impersonate_princ_s);
+ if (retval) {
goto failed;
}
- get_krb5_smb_session_key(context, auth_context, session_key_krb5,
False);
+ get_krb5_smb_session_key(mem_ctx, context, auth_context,
+ session_key_krb5, false);
- *ticket = data_blob(packet.data, packet.length);
+ *ticket = data_blob_talloc(mem_ctx, packet.data, packet.length);
- kerberos_free_data_contents(context, &packet);
+ kerberos_free_data_contents(context, &packet);
failed:
- if ( context ) {
+ if (context) {
if (ccdef)
krb5_cc_close(context, ccdef);
if (auth_context)
krb5_auth_con_free(context, auth_context);
krb5_free_context(context);
}
-
+
return retval;
}
- bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context
auth_context, DATA_BLOB *session_key, bool remote)
- {
+bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_auth_context auth_context,
+ DATA_BLOB *session_key, bool remote)
+{
krb5_keyblock *skey = NULL;
krb5_error_code err = 0;
bool ret = false;
if (remote) {
- err = krb5_auth_con_getremotesubkey(context, auth_context,
&skey);
+ err = krb5_auth_con_getremotesubkey(context,
+ auth_context, &skey);
} else {
- err = krb5_auth_con_getlocalsubkey(context, auth_context,
&skey);
+ err = krb5_auth_con_getlocalsubkey(context,
+ auth_context, &skey);
}
if (err || skey == NULL) {
@@ -919,19 +924,25 @@ failed:
goto done;
}
- DEBUG(10, ("Got KRB5 session key of length %d\n",
(int)KRB5_KEY_LENGTH(skey)));
- *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
- dump_data_pw("KRB5 Session Key:\n", session_key->data,
session_key->length);
+ DEBUG(10, ("Got KRB5 session key of length %d\n",
+ (int)KRB5_KEY_LENGTH(skey)));
+
+ *session_key = data_blob_talloc(mem_ctx,
+ KRB5_KEY_DATA(skey),
+ KRB5_KEY_LENGTH(skey));
+ dump_data_pw("KRB5 Session Key:\n",
+ session_key->data,
+ session_key->length);
ret = true;
- done:
+done:
if (skey) {
krb5_free_keyblock(context, skey);
}
return ret;
- }
+}
#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) &&
!defined(HAVE_KRB5_PRINC_COMPONENT)
@@ -2271,8 +2282,10 @@ char *smb_krb5_principal_get_realm(krb5_context context,
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
- int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32
extra_ap_opts,
+ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+ const char *principal, time_t time_offset,
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+ uint32_t extra_ap_opts,
const char *ccname, time_t *tgs_expire,
const char *impersonate_princ_s)
{
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 66e023a..539b411 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -301,12 +301,13 @@ int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx,
const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5,
OID_NTLMSSP, NULL};
/* get a kerberos ticket for the service and extract the session key */
- retval = cli_krb5_get_ticket(principal, time_offset,
- &tkt, session_key_krb5, extra_ap_opts,
NULL,
- expire_time, NULL);
-
- if (retval)
+ retval = cli_krb5_get_ticket(ctx, principal, time_offset,
+ &tkt, session_key_krb5,
+ extra_ap_opts, NULL,
+ expire_time, NULL);
+ if (retval) {
return retval;
+ }
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 50b0efa..c3712f7 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1288,8 +1288,10 @@ static NTSTATUS create_krb5_auth_bind_req(struct
rpc_pipe_client *cli,
/* Create the ticket for the service principal and return it in a
gss-api wrapped blob. */
- ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
- &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL,
NULL, NULL);
+ ret = cli_krb5_get_ticket(a, a->service_principal, 0,
+ &tkt, &a->session_key,
+ AP_OPTS_MUTUAL_REQUIRED, NULL,
+ NULL, NULL);
if (ret) {
DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for
principal %s "
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index bfdc369..971ba96 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1602,8 +1602,9 @@ static bool manage_client_krb5_init(struct spnego_data
spnego)
spnego.negTokenInit.mechListMIC.length);
principal[spnego.negTokenInit.mechListMIC.length] = '\0';
- retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0,
NULL, NULL, NULL);
-
+ retval = cli_krb5_get_ticket(ctx, principal, 0,
+ &tkt, &session_key_krb5,
+ 0, NULL, NULL, NULL);
if (retval) {
char *user = NULL;
@@ -1626,8 +1627,9 @@ static bool manage_client_krb5_init(struct spnego_data
spnego)
return False;
}
- retval = cli_krb5_get_ticket(principal, 0, &tkt,
&session_key_krb5, 0, NULL, NULL, NULL);
-
+ retval = cli_krb5_get_ticket(ctx, principal, 0,
+ &tkt, &session_key_krb5,
+ 0, NULL, NULL, NULL);
if (retval) {
DEBUG(10, ("Kinit suceeded, but getting a ticket
failed: %s\n", error_message(retval)));
return False;
--
Samba Shared Repository
