The branch, master has been updated
       via  fa4f4fe s4:gensec/gssapi: make use of gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
       via  f643677 s3:librpc/gse: make use of gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
       via  8a4c0ab auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
       via  c245d4f heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
       via  571a05c heimdal:lib/gssapi/krb5: split out an arcfour_mic_cksum_iov() function
       via  688c537 heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
       via  3269ebf heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
       via  01350c7 heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
       via  9414d98 heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
       via  3b9e5cf s4:selftest: add torture:run_removedollar_test=true to the machine account kdc tests
       via  0ba6e0d s4:torture/krb5: add a --option=torture:run_removedollar_test=true option to kdc-canon
       via  65355d6 s4:selftest: run samba4.rpc.lsa.secrets with more principal combinations
       via  61de102 s4:kdc/db-glue: allow principals in form of [email protected]
       via  ccb6495 s4:kdc/db-glue: fix memory leak in samba_kdc_lookup_server()
      from  a924399 dsdb: Fix CID 1034902 Dereference before null check

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fa4f4fed2ea20166f48fc40b895ef57aa608ace9
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jun 23 12:32:34 2015 +0200

    s4:gensec/gssapi: make use of gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
    
    This way we are able to support GENSEC_FEATURE_SIGN_PKT_HEADER also together with GENSEC_FEATURE_SEAL.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Wed Jun 24 04:00:43 CEST 2015 on sn-devel-104

commit f643677d3fe62978b6ca7f1da9ec8b1e450b7bcb
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Jun 22 01:23:16 2015 +0200

    s3:librpc/gse: make use of gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
    
    This way we are able to support GENSEC_FEATURE_SIGN_PKT_HEADER.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 8a4c0abb3eaf1ae80d1ce476cc123c5a195cd15d
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Sep 25 08:34:48 2008 +0200

    auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
    
    These make use of gss_[un]wrap_iov[_length]() where required and support
    header signing.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit c245d4f33e233f16aafb29a1737f8f1fa96724d7
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Aug 11 19:48:50 2009 +0200

    heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
    
    Pair-Programmed-With: Andreas Schneider <[email protected]>
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 571a05c64951f28c41c73541f5824458a3bba909
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jun 18 14:07:43 2015 +0200

    heimdal:lib/gssapi/krb5: split out an arcfour_mic_cksum_iov() function
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 688c537ab1fb9690e58a448f8a06d5cc65eafbb4
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jun 18 15:42:03 2015 +0200

    heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 3269ebfcbfefb2bf41c92eca270ea5feefdb9d05
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jun 18 14:06:57 2015 +0200

    heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 01350c76ade6962f7974513afd81632494a8efaa
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jun 18 12:20:26 2015 +0200

    heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
    
    Now it matches _gk_unwrap_iov() and _gk_wrap_iov_length().
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 9414d9867c51c0db3d7166b4afcf5ff5b39d64a1
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jun 18 15:43:32 2015 +0200

    heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 3b9e5cfd2318d96dfaf1b31526f578d7fb42ff7a
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Mar 27 14:41:19 2015 +0100

    s4:selftest: add torture:run_removedollar_test=true to the machine account kdc tests
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 0ba6e0dc2a96dd287ce5f82d620247312a2e86d9
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Mar 27 14:41:19 2015 +0100

    s4:torture/krb5: add a --option=torture:run_removedollar_test=true option to kdc-canon
    
    With this option a machine account is tested without the trailing '$'
    in the account name.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 65355d694cbb8a6b77a2d0fd729d62821ea44770
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Mar 23 22:10:02 2015 +0000

    s4:selftest: run samba4.rpc.lsa.secrets with more principal combinations
    
    'dcom/SERVER', 'SERVER$' and 'SERVER' as target principal names.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 61de10240e26f6edf4961841206347d0652c40d9
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Mar 23 10:00:51 2015 +0000

    s4:kdc/db-glue: allow principals in form of [email protected]
    
    This should be translated to [email protected].
    
    Note the behavior differs between client and server lookup.
    In samba_kdc_lookup_client() we need to fallback in case of
    NO_SUCH_USER. samba_kdc_lookup_server() needs to do a single search
    and only use the result if it's unique.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
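
The two lookup rules stated in the message above (client lookup falls back to the '$' spelling on NO_SUCH_USER; server lookup does one search and accepts only a unique hit), as an added Python model. This is illustration, not Samba's db-glue code: the sample directory, the account names, the EXAMPLE.COM realm and the rule that the machine-account spelling is the bare name plus '$' are all constructed assumptions.

```python
# Added illustration of the two lookup rules in the commit message above; it is
# not Samba code. The directory contents, names, realm and the '$'-appending
# rule for machine accounts are constructed assumptions.


class NoSuchUser(Exception):
    """Stands in for a directory search that returns NO_SUCH_USER."""


class AmbiguousPrincipal(Exception):
    """Server-side lookup matched more than one account; refuse to pick one."""


# Constructed sample directory keyed by sAMAccountName. 'dcom' exists both as a
# plain user and as a machine account, so the bare name is ambiguous.
DIRECTORY = {
    "Administrator": "user",
    "SERVER$": "computer",
    "dcom": "user",
    "dcom$": "computer",
}


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); the realm is not used for lookup here."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name, realm


def spellings(name):
    """Account names a principal given without a trailing '$' may refer to."""
    if name.endswith("$"):
        return [name]
    return [name, name + "$"]


def lookup_client(principal):
    """Client lookup: search the name as given and, only if that yields
    NO_SUCH_USER, fall back to the machine-account spelling with '$'."""
    name, _realm = split_principal(principal)
    for candidate in spellings(name):
        if candidate in DIRECTORY:
            return candidate
    raise NoSuchUser(principal)


def lookup_server(principal):
    """Server lookup: a single search covering both spellings, accepted only
    when exactly one account matches. Picking one of two matching accounts
    would mean issuing a service ticket under a key the requester never named."""
    name, _realm = split_principal(principal)
    matches = [c for c in spellings(name) if c in DIRECTORY]
    if not matches:
        raise NoSuchUser(principal)
    if len(matches) > 1:
        raise AmbiguousPrincipal(matches)
    return matches[0]


def classify(principal):
    """Run both lookups and report the outcome of each as a short string."""
    results = {}
    for role, fn in (("client", lookup_client), ("server", lookup_server)):
        try:
            results[role] = fn(principal)
        except NoSuchUser:
            results[role] = "NO_SUCH_USER"
        except AmbiguousPrincipal:
            results[role] = "AMBIGUOUS"
    return results


if __name__ == "__main__":
    for p in ("SERVER@EXAMPLE.COM", "dcom@EXAMPLE.COM",
              "Administrator@EXAMPLE.COM", "nobody@EXAMPLE.COM"):
        print(p, classify(p))
```

The asymmetry is the point: a client principal may safely be retried with '$' appended because the result only selects whose credentials are checked, whereas a server principal selects the key a ticket is encrypted under, so any ambiguity is refused rather than resolved.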

commit ccb64954456873c02331b8795fd9bdd0cbe97e79
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jun 11 20:04:09 2015 +0200

    s4:kdc/db-glue: fix memory leak in samba_kdc_lookup_server()
    
    We need to free enterprise_principal if generated.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 auth/kerberos/gssapi_helper.c                 | 395 ++++++++++++++++
 auth/kerberos/gssapi_helper.h                 |  55 +++
 auth/kerberos/wscript_build                   |   2 +-
 source3/librpc/crypto/gse.c                   | 313 +++++--------
 source4/auth/gensec/gensec_gssapi.c           | 285 +++---------
 source4/auth/gensec/gensec_gssapi.h           |   1 -
 source4/heimdal/lib/gssapi/krb5/aeap.c        |  98 +++-
 source4/heimdal/lib/gssapi/krb5/arcfour.c     | 645 +++++++++++++++++++++++++-
 source4/heimdal/lib/gssapi/krb5/decapsulate.c |   3 +
 source4/kdc/db-glue.c                         | 170 ++++++-
 source4/selftest/tests.py                     |   9 +-
 source4/torture/krb5/kdc-canon.c              |  26 +-
 12 files changed, 1541 insertions(+), 461 deletions(-)
 create mode 100644 auth/kerberos/gssapi_helper.c
 create mode 100644 auth/kerberos/gssapi_helper.h


Changeset truncated at 500 lines:

diff --git a/auth/kerberos/gssapi_helper.c b/auth/kerberos/gssapi_helper.c
new file mode 100644
index 0000000..b7ffb6c
--- /dev/null
+++ b/auth/kerberos/gssapi_helper.c
@@ -0,0 +1,395 @@
+/*
+   Unix SMB/CIFS implementation.
+   GSSAPI helper functions
+
+   Copyright (C) Stefan Metzmacher 2008,2015
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/gssapi.h"
+#include "auth/kerberos/pac_utils.h"
+#include "auth/kerberos/gssapi_helper.h"
+
+size_t gssapi_get_sig_size(gss_ctx_id_t gssapi_context,
+                          const gss_OID mech,
+                          uint32_t gss_want_flags,
+                          size_t data_size)
+{
+       TALLOC_CTX *frame = talloc_stackframe();
+       size_t sig_size = 0;
+
+       if (gss_want_flags & GSS_C_CONF_FLAG) {
+               OM_uint32 min_stat, maj_stat;
+               bool want_sealing = true;
+               int sealed = 0;
+               gss_iov_buffer_desc iov[2];
+
+               if (!(gss_want_flags & GSS_C_DCE_STYLE)) {
+                       TALLOC_FREE(frame);
+                       return 0;
+               }
+
+               /*
+                * gss_wrap_iov_length() only needs the type and length
+                */
+               iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+               iov[0].buffer.value = NULL;
+               iov[0].buffer.length = 0;
+               iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+               iov[1].buffer.value = NULL;
+               iov[1].buffer.length = data_size;
+
+               maj_stat = gss_wrap_iov_length(&min_stat,
+                                              gssapi_context,
+                                              want_sealing,
+                                              GSS_C_QOP_DEFAULT,
+                                              &sealed,
+                                              iov, ARRAY_SIZE(iov));
+               if (maj_stat) {
+                       DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
+                                 gssapi_error_string(frame,
+                                                     maj_stat,
+                                                     min_stat,
+                                                     mech)));
+                       TALLOC_FREE(frame);
+                       return 0;
+               }
+
+               sig_size = iov[0].buffer.length;
+       } else if (gss_want_flags & GSS_C_INTEG_FLAG) {
+               NTSTATUS status;
+               uint32_t keytype;
+
+               status = gssapi_get_session_key(frame,
+                                               gssapi_context,
+                                               NULL, &keytype);
+               if (!NT_STATUS_IS_OK(status)) {
+                       TALLOC_FREE(frame);
+                       return 0;
+               }
+
+               switch (keytype) {
+               case ENCTYPE_DES_CBC_MD5:
+               case ENCTYPE_DES_CBC_CRC:
+               case ENCTYPE_ARCFOUR_HMAC:
+               case ENCTYPE_ARCFOUR_HMAC_EXP:
+                       sig_size = 37;
+                       break;
+               default:
+                       sig_size = 28;
+                       break;
+               }
+       }
+
+       TALLOC_FREE(frame);
+       return sig_size;
+}
+
+NTSTATUS gssapi_seal_packet(gss_ctx_id_t gssapi_context,
+                           const gss_OID mech,
+                           bool hdr_signing, size_t sig_size,
+                           uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
+                           TALLOC_CTX *mem_ctx,
+                           DATA_BLOB *sig)
+{
+       OM_uint32 maj_stat, min_stat;
+       gss_iov_buffer_desc iov[4];
+       int req_seal = 1;
+       int sealed = 0;
+       const uint8_t *pre_sign_ptr = NULL;
+       size_t pre_sign_len = 0;
+       const uint8_t *post_sign_ptr = NULL;
+       size_t post_sign_len = 0;
+
+       if (hdr_signing) {
+               const uint8_t *de = data + length;
+               const uint8_t *we = whole_pdu + pdu_length;
+
+               if (data < whole_pdu) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               if (de > we) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               pre_sign_len = data - whole_pdu;
+               if (pre_sign_len > 0) {
+                       pre_sign_ptr = whole_pdu;
+               }
+               post_sign_len = we - de;
+               if (post_sign_len > 0) {
+                       post_sign_ptr = de;
+               }
+       }
+
+       sig->length = sig_size;
+       if (sig->length == 0) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       sig->data = talloc_zero_array(mem_ctx, uint8_t, sig->length);
+       if (sig->data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       iov[0].type          = GSS_IOV_BUFFER_TYPE_HEADER;
+       iov[0].buffer.length = sig->length;
+       iov[0].buffer.value  = sig->data;
+
+       if (pre_sign_ptr != NULL) {
+               iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+               iov[1].buffer.length = pre_sign_len;
+               iov[1].buffer.value = discard_const(pre_sign_ptr);
+       } else {
+               iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+               iov[1].buffer.length = 0;
+               iov[1].buffer.value = NULL;
+       }
+
+       /* data is encrypted in place, which is ok */
+       iov[2].type          = GSS_IOV_BUFFER_TYPE_DATA;
+       iov[2].buffer.length = length;
+       iov[2].buffer.value  = data;
+
+       if (post_sign_ptr != NULL) {
+               iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+               iov[3].buffer.length = post_sign_len;
+               iov[3].buffer.value = discard_const(post_sign_ptr);
+       } else {
+               iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+               iov[3].buffer.length = 0;
+               iov[3].buffer.value = NULL;
+       }
+
+       maj_stat = gss_wrap_iov(&min_stat,
+                               gssapi_context,
+                               req_seal,
+                               GSS_C_QOP_DEFAULT,
+                               &sealed,
+                               iov, ARRAY_SIZE(iov));
+       if (GSS_ERROR(maj_stat)) {
+               char *error_string = gssapi_error_string(mem_ctx,
+                                                        maj_stat,
+                                                        min_stat,
+                                                        mech);
+               DEBUG(1, ("gss_wrap_iov failed: %s\n", error_string));
+               talloc_free(error_string);
+               data_blob_free(sig);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       if (req_seal == 1 && sealed == 0) {
+               DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
+               data_blob_free(sig);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       dump_data_pw("gssapi_seal_packet: sig\n", sig->data, sig->length);
+       dump_data_pw("gssapi_seal_packet: sealed\n", data, length);
+
+       DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
+                  (int)iov[2].buffer.length, (int)iov[0].buffer.length));
+
+       return NT_STATUS_OK;
+}
+
+NTSTATUS gssapi_unseal_packet(gss_ctx_id_t gssapi_context,
+                             const gss_OID mech,
+                             bool hdr_signing,
+                             uint8_t *data, size_t length,
+                             const uint8_t *whole_pdu, size_t pdu_length,
+                             const DATA_BLOB *sig)
+{
+       OM_uint32 maj_stat, min_stat;
+       gss_iov_buffer_desc iov[4];
+       gss_qop_t qop_state;
+       int sealed = 0;
+       const uint8_t *pre_sign_ptr = NULL;
+       size_t pre_sign_len = 0;
+       const uint8_t *post_sign_ptr = NULL;
+       size_t post_sign_len = 0;
+
+       if (hdr_signing) {
+               const uint8_t *de = data + length;
+               const uint8_t *we = whole_pdu + pdu_length;
+
+               if (data < whole_pdu) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               if (de > we) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               pre_sign_len = data - whole_pdu;
+               if (pre_sign_len > 0) {
+                       pre_sign_ptr = whole_pdu;
+               }
+               post_sign_len = we - de;
+               if (post_sign_len > 0) {
+                       post_sign_ptr = de;
+               }
+       }
+
+       dump_data_pw("gssapi_unseal_packet: sig\n", sig->data, sig->length);
+       dump_data_pw("gssapi_unseal_packet: sealed\n", data, length);
+
+       iov[0].type          = GSS_IOV_BUFFER_TYPE_HEADER;
+       iov[0].buffer.length = sig->length;
+       iov[0].buffer.value  = sig->data;
+
+       if (pre_sign_ptr != NULL) {
+               iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+               iov[1].buffer.length = pre_sign_len;
+               iov[1].buffer.value = discard_const(pre_sign_ptr);
+       } else {
+               iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+               iov[1].buffer.length = 0;
+               iov[1].buffer.value = NULL;
+       }
+
+       /* data is encrypted in place, which is ok */
+       iov[2].type          = GSS_IOV_BUFFER_TYPE_DATA;
+       iov[2].buffer.length = length;
+       iov[2].buffer.value  = data;
+
+       if (post_sign_ptr != NULL) {
+               iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+               iov[3].buffer.length = post_sign_len;
+               iov[3].buffer.value = discard_const(post_sign_ptr);
+       } else {
+               iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+               iov[3].buffer.length = 0;
+               iov[3].buffer.value = NULL;
+       }
+
+       maj_stat = gss_unwrap_iov(&min_stat,
+                                 gssapi_context,
+                                 &sealed,
+                                 &qop_state,
+                                 iov, ARRAY_SIZE(iov));
+       if (GSS_ERROR(maj_stat)) {
+               char *error_string = gssapi_error_string(NULL,
+                                                        maj_stat,
+                                                        min_stat,
+                                                        mech);
+               DEBUG(1, ("gss_unwrap_iov failed: %s\n", error_string));
+               talloc_free(error_string);
+
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       if (sealed == 0) {
+               DEBUG(0, ("gss_unwrap_iov says data was not sealed!\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
+                  (int)iov[2].buffer.length, (int)iov[0].buffer.length));
+
+       return NT_STATUS_OK;
+}
+
+NTSTATUS gssapi_sign_packet(gss_ctx_id_t gssapi_context,
+                           const gss_OID mech,
+                           bool hdr_signing,
+                           const uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
+                           TALLOC_CTX *mem_ctx,
+                           DATA_BLOB *sig)
+{
+       OM_uint32 maj_stat, min_stat;
+       gss_buffer_desc input_token, output_token;
+
+       if (hdr_signing) {
+               input_token.length = pdu_length;
+               input_token.value = discard_const_p(uint8_t *, whole_pdu);
+       } else {
+               input_token.length = length;
+               input_token.value = discard_const_p(uint8_t *, data);
+       }
+
+       maj_stat = gss_get_mic(&min_stat,
+                              gssapi_context,
+                              GSS_C_QOP_DEFAULT,
+                              &input_token,
+                              &output_token);
+       if (GSS_ERROR(maj_stat)) {
+               char *error_string = gssapi_error_string(mem_ctx,
+                                                        maj_stat,
+                                                        min_stat,
+                                                        mech);
+               DEBUG(1, ("GSS GetMic failed: %s\n", error_string));
+               talloc_free(error_string);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, 
output_token.length);
+       gss_release_buffer(&min_stat, &output_token);
+       if (sig->data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       dump_data_pw("gssapi_sign_packet: sig\n", sig->data, sig->length);
+
+       return NT_STATUS_OK;
+}
+
+NTSTATUS gssapi_check_packet(gss_ctx_id_t gssapi_context,
+                            const gss_OID mech,
+                            bool hdr_signing,
+                            const uint8_t *data, size_t length,
+                            const uint8_t *whole_pdu, size_t pdu_length,
+                            const DATA_BLOB *sig)
+{
+       OM_uint32 maj_stat, min_stat;
+       gss_buffer_desc input_token;
+       gss_buffer_desc input_message;
+       gss_qop_t qop_state;
+
+       dump_data_pw("gssapi_check_packet: sig\n", sig->data, sig->length);
+
+       if (hdr_signing) {
+               input_message.length = pdu_length;
+               input_message.value = discard_const(whole_pdu);
+       } else {
+               input_message.length = length;
+               input_message.value = discard_const(data);
+       }
+
+       input_token.length = sig->length;
+       input_token.value = sig->data;
+
+       maj_stat = gss_verify_mic(&min_stat,
+                                 gssapi_context,
+                                 &input_message,
+                                 &input_token,
+                                 &qop_state);
+       if (GSS_ERROR(maj_stat)) {
+               char *error_string = gssapi_error_string(NULL,
+                                                        maj_stat,
+                                                        min_stat,
+                                                        mech);
+               DEBUG(1, ("GSS VerifyMic failed: %s\n", error_string));
+               talloc_free(error_string);
+
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       return NT_STATUS_OK;
+}
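Review bot: the signature sizes hard-coded in gssapi_get_sig_size() (37 for the DES and ARCFOUR enctypes, 28 for everything else) carry no comment saying where they come from, and the default of 28 only holds for mechanisms whose MIC token is the 16-byte RFC 4121 header plus a 12-byte checksum (HMAC-SHA1-96); 37 is the 24-byte RFC 1964/4757 MIC token inside 13 bytes of RFC 2743 framing. A one-line comment per case would let the next reader verify the numbers when a new checksum type is added, since a wrong value here silently misplaces the auth trailer in the PDU. Two smaller points in the same file: gssapi_sign_packet() uses `discard_const_p(uint8_t *, whole_pdu)`, which yields a `uint8_t **` and only compiles because the target is `void *`, while gssapi_check_packet() uses plain `discard_const()` for the same purpose, so one of them should change; and in gssapi_unseal_packet() and gssapi_check_packet() the returned qop_state is never inspected and only GSS_ERROR() is tested, so supplementary status bits such as GSS_S_UNSEQ_TOKEN or GSS_S_DUPLICATE_TOKEN are accepted without so much as a DEBUG line. If the callers rely on the mechanism for sequence or replay checking, those bits should at least be logged.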
diff --git a/auth/kerberos/gssapi_helper.h b/auth/kerberos/gssapi_helper.h
new file mode 100644
index 0000000..f40adf1
--- /dev/null
+++ b/auth/kerberos/gssapi_helper.h
@@ -0,0 +1,55 @@
+/*
+   Unix SMB/CIFS implementation.
+   GSSAPI helper functions
+
+   Copyright (C) Stefan Metzmacher 2008,2015
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef AUTH_KERBEROS_GSSAPI_HELPER_H
+#define AUTH_KERBEROS_GSSAPI_HELPER_H 1
+
+size_t gssapi_get_sig_size(gss_ctx_id_t gssapi_context,
+                          const gss_OID mech,
+                          uint32_t gss_want_flags,
+                          size_t data_size);
+NTSTATUS gssapi_seal_packet(gss_ctx_id_t gssapi_context,
+                           const gss_OID mech,
+                           bool hdr_signing, size_t sig_size,
+                           uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
+                           TALLOC_CTX *mem_ctx,
+                           DATA_BLOB *sig);
+NTSTATUS gssapi_unseal_packet(gss_ctx_id_t gssapi_context,
+                             const gss_OID mech,
+                             bool hdr_signing,
+                             uint8_t *data, size_t length,
+                             const uint8_t *whole_pdu, size_t pdu_length,
+                             const DATA_BLOB *sig);
+NTSTATUS gssapi_sign_packet(gss_ctx_id_t gssapi_context,
+                           const gss_OID mech,
+                           bool hdr_signing,
+                           const uint8_t *data, size_t length,
+                           const uint8_t *whole_pdu, size_t pdu_length,
+                           TALLOC_CTX *mem_ctx,
+                           DATA_BLOB *sig);
+NTSTATUS gssapi_check_packet(gss_ctx_id_t gssapi_context,
+                            const gss_OID mech,
+                            bool hdr_signing,
+                            const uint8_t *data, size_t length,
+                            const uint8_t *whole_pdu, size_t pdu_length,
+                            const DATA_BLOB *sig);
+
+#endif /* AUTH_KERBEROS_GSSAPI_HELPER_H */
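Review bot: the header documents none of the calling contract the implementation enforces. When hdr_signing is true, [data, data+length) must lie inside [whole_pdu, whole_pdu+pdu_length) or seal/unseal return NT_STATUS_INVALID_PARAMETER; data is encrypted or decrypted in place; and the sig_size handed to gssapi_seal_packet() is expected to come from gssapi_get_sig_size() for the same flags, a zero value being turned into NT_STATUS_ACCESS_DENIED. A short comment above each prototype would spare the callers in gse.c and gensec_gssapi.c from re-deriving this. The header also uses gss_ctx_id_t, gss_OID, NTSTATUS and DATA_BLOB without including anything, so it only compiles after system/gssapi.h and the headers defining NTSTATUS and DATA_BLOB have been pulled in; either include them here or state the requirement.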
diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build
index 97b8879..1fa1b51 100755
--- a/auth/kerberos/wscript_build
+++ b/auth/kerberos/wscript_build
@@ -1,4 +1,4 @@
 #!/usr/bin/env python
 bld.SAMBA_SUBSYSTEM('KRB5_PAC',
-                    source='gssapi_pac.c kerberos_pac.c',
+                    source='gssapi_pac.c kerberos_pac.c gssapi_helper.c',
                     deps='gssapi_krb5 ndr-krb5pac krb5samba')
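Review bot: gssapi_helper.c is being added to a subsystem named KRB5_PAC although nothing in it touches the PAC, so the wrap/MIC helpers now ship under a name that will mislead anyone searching the build for them. The placement is understandable, since the helper already includes auth/kerberos/pac_utils.h for gssapi_error_string() and gssapi_get_session_key(), but either give the helpers their own SAMBA_SUBSYSTEM or add a comment here saying KRB5_PAC is the shared home for the GSSAPI utility code.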
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 8db3cdd..46b5c6d 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -33,15 +33,19 @@
 #if defined(HAVE_KRB5)
 
 #include "auth/kerberos/pac_utils.h"
+#include "auth/kerberos/gssapi_helper.h"
 #include "gse_krb5.h"
 
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
+static size_t gensec_gse_sig_size(struct gensec_security *gensec_security,
+                                 size_t data_size);
 
 struct gse_context {
        gss_ctx_id_t gssapi_context;
        gss_name_t server_name;
        gss_name_t client_name;
        OM_uint32 gss_want_flags, gss_got_flags;
+       size_t sig_size;
 
        gss_cred_id_t delegated_cred_handle;
 
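Review bot: the new `size_t sig_size` member of struct gse_context has no comment saying what it caches or when it is valid. gssapi_get_sig_size() (gssapi_helper.c above) takes the negotiated flags and a data size as input and calls gss_wrap_iov_length() on the context, so the cached value is only meaningful once the security context is established and only for the flags it was computed with; a comment stating that, and one on the forward declaration of gensec_gse_sig_size() explaining why it is needed ahead of its definition, would help the next reader.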
@@ -541,193 +545,6 @@ done:
        return errstr;
 }
 


-- 
Samba Shared Repository
