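/*
   Unix SMB/CIFS implementation.

   simple GSSAPI wrappers

   Copyright (C) Andrew Tridgell 2001
   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
   Copyright (C) Luke Howard 2003

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "../lib/util/asn1.h"
#include "auth/gensec/gensec.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"

/*
  generate a krb5 GSS-API wrapper packet given a ticket

  The result is an [APPLICATION 0] tag containing the Kerberos 5
  mechanism OID, the two-byte token id and the raw ticket bytes.
  The returned blob is talloc'd under mem_ctx.  On any failure
  (missing/empty ticket, allocation failure, encoding error) an
  empty blob (data == NULL, length 0) is returned, so callers must
  test ret.data before use.
*/
DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2])
{
	struct asn1_data *data;
	DATA_BLOB ret;

	/* Reject an absent or empty ticket before allocating the encoder,
	   so this early exit leaves nothing hanging off mem_ctx. */
	if (ticket == NULL || ticket->data == NULL) {
		return data_blob(NULL,0);
	}

	data = asn1_init(mem_ctx);
	if (data == NULL) {
		return data_blob(NULL,0);
	}

	asn1_push_tag(data, ASN1_APPLICATION(0));
	asn1_write_OID(data, GENSEC_OID_KERBEROS5);
	asn1_write(data, tok_id, 2);
	asn1_write(data, ticket->data, ticket->length);
	asn1_pop_tag(data);

	/* The asn1_* writers record failures in data->has_error; it is
	   checked once here rather than after every call. */
	if (data->has_error) {
		DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data->ofs));
		asn1_free(data);
		return data_blob(NULL,0);
	}

	ret = data_blob_talloc(mem_ctx, data->data, data->length);
	asn1_free(data);

	return ret;
}

/*
  parse a krb5 GSS-API wrapper packet giving a ticket

  blob is untrusted input from the peer.  On success tok_id receives
  the two-byte token id, *ticket receives a copy of the ticket bytes
  talloc'd under mem_ctx, and true is returned.  On failure false is
  returned and *ticket may be left untouched, so callers must not use
  it without checking the result.
*/
bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2])
{
	bool ret;
	struct asn1_data *data = asn1_init(mem_ctx);
	int data_remaining;

	if (!data) {
		return false;
	}

	asn1_load(data, *blob);
	asn1_start_tag(data, ASN1_APPLICATION(0));
	asn1_check_OID(data, GENSEC_OID_KERBEROS5);

	/* The remaining length is taken from the encoded tag in the
	   untrusted blob.  We need at least the 2-byte token id plus one
	   byte of ticket; the "< 3" test also rejects any negative value
	   the asn1 layer may use to signal an error. */
	data_remaining = asn1_tag_remaining(data);

	if (data_remaining < 3) {
		data->has_error = true;
	} else {
		asn1_read(data, tok_id, 2);
		data_remaining -= 2;
		/* data_remaining >= 1 here, so the int -> size_t
		   conversion cannot wrap. */
		*ticket = data_blob_talloc(mem_ctx, NULL, data_remaining);
		if (ticket->data == NULL) {
			/* Allocation failed: without this check the function
			   would report success while handing back an empty
			   ticket. */
			data->has_error = true;
		} else {
			asn1_read(data, ticket->data, ticket->length);
		}
	}

	asn1_end_tag(data);

	/* Any failure in the asn1_* calls above is sticky in has_error. */
	ret = !data->has_error;

	asn1_free(data);

	return ret;
}


/*
  check a GSS-API wrapper packet given an expected OID

  Returns true only if blob opens with an [APPLICATION 0] tag whose
  first element is exactly oid.  Only that header is examined: the
  payload following the OID is neither consumed nor validated here,
  so a true result says nothing about the rest of the packet.
*/
bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
{
	bool ret;
	/* No caller context is needed: the parser state is freed before
	   returning. */
	struct asn1_data *data = asn1_init(NULL);

	if (!data) return false;

	asn1_load(data, *blob);
	asn1_start_tag(data, ASN1_APPLICATION(0));
	asn1_check_OID(data, oid);

	ret = !data->has_error;

	asn1_free(data);

	return ret;
}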