From 26f1218a3678e648c73db3b34732703396ad48b2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 20 Jul 2010 20:00:12 -0400 Subject: [PATCH] s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys --- source3/include/krb5_protos.h | 10 +++++++--- source3/libads/authdata.c | 3 ++- source3/libads/kerberos_verify.c | 3 ++- source3/libsmb/clikrb5.c | 27 +++++++++++++++++---------- source3/libsmb/clispnego.c | 11 ++++++----- source3/rpc_client/cli_pipe.c | 6 ++++-- source3/utils/ntlm_auth.c | 10 ++++++---- 7 files changed, 44 insertions(+), 26 deletions(-) diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h index b65fb17d9c5..97e6871c89d 100644 --- a/source3/include/krb5_protos.h +++ b/source3/include/krb5_protos.h @@ -46,7 +46,10 @@ krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, st krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); #endif krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); -bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote); +bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_auth_context auth_context, + DATA_BLOB *session_key, bool remote); krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype); void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype); 
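Review bot: The new `mem_ctx` parameter on `get_krb5_smb_session_key` changes who owns `*session_key`, and the prototype carries no comment saying so. The same holds for `cli_krb5_get_ticket` in the second hunk of this header, where both `*ticket` and `*session_key_krb5` move onto `mem_ctx`. I would add above each prototype something like `/* *session_key is allocated on mem_ctx and freed with it; it holds key material, so callers should data_blob_clear_free() it when done */`. Without that, a caller passing a short-lived context can end up holding a blob whose `data` points at freed memory, and a caller passing a long-lived one keeps the key resident longer than it needs to be.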
@@ -141,9 +144,10 @@ char *smb_krb5_principal_get_realm(krb5_context context, krb5_principal principal); #endif /* HAVE_KRB5 */ -int cli_krb5_get_ticket(const char *principal, time_t time_offset, +int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, + const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, - uint32 extra_ap_opts, const char *ccname, + uint32_t extra_ap_opts, const char *ccname, time_t *tgs_expire, const char *impersonate_princ_s); diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 305b6072bc8..00062f4457e 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -406,7 +406,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_LOGON_TYPE; } - ret = cli_krb5_get_ticket(local_service, + ret = cli_krb5_get_ticket(mem_ctx, + local_service, time_offset, &tkt, &sesskey1, diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index c07259394b5..10edd076bb0 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -615,7 +615,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, ZERO_STRUCT(packet); } - get_krb5_smb_session_key(context, auth_context, session_key, True); + get_krb5_smb_session_key(mem_ctx, context, + auth_context, session_key, true); dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length); #if 0 diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index adec4357280..68b45d89089 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
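Review bot: In the `ads_verify_ticket` hunk (kerberos_verify.c) the bool returned by `get_krb5_smb_session_key(mem_ctx, context, auth_context, session_key, true)` is still discarded. A failed key fetch therefore runs straight into `dump_data_pw` and, as far as the hunk shows, into the rest of the function with whatever `*session_key` held before. The same call inside `cli_krb5_get_ticket` (clikrb5.c, hunk at -881) is also unchecked. Testing the result, e.g. `if (!get_krb5_smb_session_key(...)) { DEBUG(3, ("ads_verify_ticket: failed to get session key\n")); }`, would at least make the failure visible. Whether it should also fail the verification depends on code outside the hunk.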
@@ -828,9 +828,10 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -int cli_krb5_get_ticket(const char *principal, time_t time_offset, +int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, + const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, - uint32 extra_ap_opts, const char *ccname, + uint32_t extra_ap_opts, const char *ccname, time_t *tgs_expire, const char *impersonate_princ_s) @@ -881,10 +882,10 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, goto failed; } - get_krb5_smb_session_key(context, auth_context, - session_key_krb5, False); + get_krb5_smb_session_key(mem_ctx, context, auth_context, + session_key_krb5, false); - *ticket = data_blob(packet.data, packet.length); + *ticket = data_blob_talloc(mem_ctx, packet.data, packet.length); kerberos_free_data_contents(context, &packet); @@ -901,7 +902,8 @@ failed: return retval; } -bool get_krb5_smb_session_key(krb5_context context, +bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx, + krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote) { @@ -925,9 +927,12 @@ bool get_krb5_smb_session_key(krb5_context context, DEBUG(10, ("Got KRB5 session key of length %d\n", (int)KRB5_KEY_LENGTH(skey))); - *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); + *session_key = data_blob_talloc(mem_ctx, + KRB5_KEY_DATA(skey), + KRB5_KEY_LENGTH(skey)); dump_data_pw("KRB5 Session Key:\n", - session_key->data, session_key->length); + session_key->data, + session_key->length); ret = true; 
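Review bot: Neither `data_blob_talloc` result is checked. In `get_krb5_smb_session_key` (hunk at -925) `ret = true` follows the allocation unconditionally, so an out-of-memory failure would be reported as success with an empty session key. As far as I know `data_blob_talloc` signals failure only through a NULL `data` pointer, so replacing that line with `ret = (session_key->data != NULL);` would close it. In `cli_krb5_get_ticket` (hunk at -881) `*ticket` is assigned the same way, and `if (ticket->data == NULL) { retval = ENOMEM; goto failed; }` after `kerberos_free_data_contents` would cover it. Both function bodies continue outside the hunks, so the cleanup done at `failed:` needs checking against the full file.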
@@ -2277,8 +2282,10 @@ char *smb_krb5_principal_get_realm(krb5_context context, #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ - int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, + int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, + const char *principal, time_t time_offset, + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, + uint32_t extra_ap_opts, const char *ccname, time_t *tgs_expire, const char *impersonate_princ_s) { diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 66e023a91d1..539b4110569 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -301,12 +301,13 @@ int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx, const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL}; /* get a kerberos ticket for the service and extract the session key */ - retval = cli_krb5_get_ticket(principal, time_offset, - &tkt, session_key_krb5, extra_ap_opts, NULL, - expire_time, NULL); - - if (retval) + retval = cli_krb5_get_ticket(ctx, principal, time_offset, + &tkt, session_key_krb5, + extra_ap_opts, NULL, + expire_time, NULL); + if (retval) { return retval; + } /* wrap that up in a nice GSS-API wrapping */ tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 50b0efadb29..c3712f77bad 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c 
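Review bot: `spnego_gen_krb5_negTokenInit` (clispnego.c hunk) keeps its signature, but `*session_key_krb5` is now a child of `ctx` instead of a free-standing blob, which silently changes the contract for its callers. A caller that passes a temporary context and frees it before using the key would be left with a dangling `data` pointer. The callers are not visible in this diff, so this needs checking. A comment on the function such as `/* *session_key_krb5 is allocated on ctx and must not outlive it */` would record the new rule.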
@@ -1288,8 +1288,10 @@ static NTSTATUS create_krb5_auth_bind_req(struct rpc_pipe_client *cli, /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */ - ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt, - &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, NULL); + ret = cli_krb5_get_ticket(a, a->service_principal, 0, + &tkt, &a->session_key, + AP_OPTS_MUTUAL_REQUIRED, NULL, + NULL, NULL); if (ret) { DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s " diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index bfdc369b150..971ba96220c 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1602,8 +1602,9 @@ static bool manage_client_krb5_init(struct spnego_data spnego) spnego.negTokenInit.mechListMIC.length); principal[spnego.negTokenInit.mechListMIC.length] = '\0'; - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL); - + retval = cli_krb5_get_ticket(ctx, principal, 0, + &tkt, &session_key_krb5, + 0, NULL, NULL, NULL); if (retval) { char *user = NULL; @@ -1626,8 +1627,9 @@ static bool manage_client_krb5_init(struct spnego_data spnego) return False; } - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL); - + retval = cli_krb5_get_ticket(ctx, principal, 0, + &tkt, &session_key_krb5, + 0, NULL, NULL, NULL); if (retval) { DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); return False; -- 2.34.1
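Review bot: In `create_krb5_auth_bind_req` (cli_pipe.c hunk) the temporary `tkt` now hangs off `a`, the same object that keeps `a->session_key`. Unless `data_blob_free(&tkt)` runs on every exit path after this hunk, the raw ticket stays allocated for the whole life of the auth state. The `kerberos_return_pac` hunk in authdata.c has the same shape, with `tkt` and `sesskey1` placed on the caller's `mem_ctx`, and the two calls in `manage_client_krb5_init` (ntlm_auth.c) put them on `ctx`, which is declared outside the hunks. Because one `mem_ctx` serves both outputs, the ticket cannot be given a shorter-lived parent than the key. I would either free the temporaries explicitly (`data_blob_free(&tkt);`, `data_blob_clear_free(&sesskey1);`) or add a comment saying why they may live as long as the context.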