DATA_BLOB blob = data_blob_null;
DATA_BLOB secblob = data_blob_null;
bool got_kerberos_mechanism = false;
+ char *kerb_mech = NULL;
blob = data_blob_const(*ppdata, *p_data_size);
- status = parse_spnego_mechanisms(blob, &secblob, &got_kerberos_mechanism);
+ status = parse_spnego_mechanisms(blob, &secblob, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
}
srv_free_encryption_context(&partial_srv_trans_enc_ctx);
- if (got_kerberos_mechanism) {
+ if (kerb_mech) {
+ SAFE_FREE(kerb_mech);
+
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob);
#else
static void reply_spnego_kerberos(struct smb_request *req,
DATA_BLOB *secblob,
+ const char *mechOID,
uint16 vuid,
bool *p_invalidate_vuid)
{
ap_rep_wrapped = data_blob_null;
}
response = spnego_gen_auth_response(&ap_rep_wrapped, ret,
- OID_KERBEROS5_OLD);
+ mechOID);
reply_sesssetup_blob(req, response, ret);
data_blob_free(&ap_rep);
Is this a krb5 mechanism ?
****************************************************************************/
-NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in, DATA_BLOB *pblob_out,
- bool *p_is_krb5)
+NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in,
+ DATA_BLOB *pblob_out,
+ char **kerb_mechOID)
{
char *OIDs[ASN1_MAX_OIDS];
int i;
+ NTSTATUS ret = NT_STATUS_OK;
- *p_is_krb5 = False;
+ *kerb_mechOID = NULL;
/* parse out the OIDs and the first sec blob */
if (!parse_negTokenTarg(blob_in, OIDs, pblob_out)) {
#ifdef HAVE_KRB5
if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 ||
strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
- *p_is_krb5 = True;
+ *kerb_mechOID = SMB_STRDUP(OIDs[0]);
+ if (*kerb_mechOID == NULL) {
+ ret = NT_STATUS_NO_MEMORY;
+ }
}
#endif
DEBUG(5,("parse_spnego_mechanisms: Got OID %s\n", OIDs[i]));
free(OIDs[i]);
}
- return NT_STATUS_OK;
+ return ret;
}
/****************************************************************************
{
DATA_BLOB secblob;
DATA_BLOB chal;
- bool got_kerberos_mechanism = False;
+ char *kerb_mech = NULL;
NTSTATUS status;
- status = parse_spnego_mechanisms(blob1, &secblob,
- &got_kerberos_mechanism);
+ status = parse_spnego_mechanisms(blob1, &secblob, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
(unsigned long)secblob.length));
#ifdef HAVE_KRB5
- if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) ||
+ if (kerb_mech && ((lp_security()==SEC_ADS) ||
lp_use_kerberos_keytab()) ) {
bool destroy_vuid = True;
- reply_spnego_kerberos(req, &secblob, vuid,
- &destroy_vuid);
+ reply_spnego_kerberos(req, &secblob, kerb_mech,
+ vuid, &destroy_vuid);
data_blob_free(&secblob);
if (destroy_vuid) {
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
}
+ SAFE_FREE(kerb_mech);
return;
}
#endif
auth_ntlmssp_end(auth_ntlmssp_state);
}
- if (got_kerberos_mechanism) {
+ if (kerb_mech) {
data_blob_free(&secblob);
/* The mechtoken is a krb5 ticket, but
* we need to fall back to NTLM. */
- reply_spnego_downgrade_to_ntlmssp(req,
- vuid);
+ reply_spnego_downgrade_to_ntlmssp(req, vuid);
+ SAFE_FREE(kerb_mech);
return;
}
if (auth.data[0] == ASN1_APPLICATION(0)) {
/* Might be a second negTokenTarg packet */
+ char *kerb_mech = NULL;
- bool got_krb5_mechanism = False;
- status = parse_spnego_mechanisms(auth, &secblob,
- &got_krb5_mechanism);
+ status = parse_spnego_mechanisms(auth, &secblob, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
DEBUG(3,("reply_spnego_auth: Got secblob of size %lu\n",
(unsigned long)secblob.length));
#ifdef HAVE_KRB5
- if ( got_krb5_mechanism && ((lp_security()==SEC_ADS) ||
+ if (kerb_mech && ((lp_security()==SEC_ADS) ||
lp_use_kerberos_keytab()) ) {
bool destroy_vuid = True;
- reply_spnego_kerberos(req, &secblob,
+ reply_spnego_kerberos(req, &secblob, kerb_mech,
vuid, &destroy_vuid);
data_blob_free(&secblob);
data_blob_free(&auth);
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
}
+ SAFE_FREE(kerb_mech);
return;
}
#endif
/* Can't blunder into NTLMSSP auth if we have
* a krb5 ticket. */
- if (got_krb5_mechanism) {
+ if (kerb_mech) {
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
DEBUG(3,("reply_spnego_auth: network "
"not enabled"));
reply_nterror(req, nt_status_squash(
NT_STATUS_LOGON_FAILURE));
+ SAFE_FREE(kerb_mech);
}
}
projects / thirdparty / samba.git / commitdiff
