implement kerberos auth for server (and proxy) including constrained delegation

CMakeLists.txt

@@ -1,9 +1,9 @@
 if(NOT ESP_PLATFORM)
-  
+
   if(CMAKE_SYSTEM_NAME MATCHES NintendoSwitch OR CMAKE_SYSTEM_NAME MATCHES Nintendo3DS OR CMAKE_SYSTEM_NAME MATCHES Dreamcast OR CMAKE_SYSTEM_NAME MATCHES NintendoGameCube OR CMAKE_SYSTEM_NAME MATCHES NintendoDS OR CMAKE_SYSTEM_NAME MATCHES NintendoWii OR CMAKE_SYSTEM_NAME MATCHES CafeOS)
     cmake_minimum_required(VERSION 3.13)
   elseif(VITA)
-    cmake_minimum_required(VERSION 3.2)  
+    cmake_minimum_required(VERSION 3.2)
   elseif(PICO_BOARD)
     cmake_minimum_required(VERSION 3.12)
     message(STATUS "Configuring libsmb2 for ${PICO_BOARD}")
@@ -16,7 +16,7 @@ if(NOT ESP_PLATFORM)
             LANGUAGES C
             VERSION 2.3.0
     )
-    set(VERSION 2.3.0)    
+    set(VERSION 2.3.0)
     set(PACKAGE "smb2man")
     set(PACKAGE_BUGREPORT "[email protected] or [email protected]")
     set(PACKAGE_NAME "smb2man")
@@ -30,7 +30,7 @@ if(NOT ESP_PLATFORM)
     project(libsmb2
             LANGUAGES C
             VERSION 6.1.0
-    )  
+    )
     set(VERSION 6.1.0)
     set(PACKAGE "libsmb2")
     set(PACKAGE_BUGREPORT "[email protected]")
@@ -52,7 +52,7 @@ endif()
       set(INSTALL_CMAKE_DIR "${CMAKE_INSTALL_PREFIX}/lib${LIB_SUFFIX}/cmake/libsmb2" CACHE PATH "Installation directory for cmake (.cmake) files")
     endif()
     if(CMAKE_SYSTEM_NAME MATCHES NintendoSwitch OR CMAKE_SYSTEM_NAME MATCHES Nintendo3DS OR PS4 OR PS2 OR VITA OR CMAKE_SYSTEM_NAME MATCHES Dreamcast OR CMAKE_SYSTEM_NAME MATCHES NintendoGameCube OR CMAKE_SYSTEM_NAME MATCHES NintendoDS OR CMAKE_SYSTEM_NAME MATCHES NintendoWii OR CMAKE_SYSTEM_NAME MATCHES CafeOS)
-      option(BUILD_SHARED_LIBS "Build shared libraries" OFF)  
+      option(BUILD_SHARED_LIBS "Build shared libraries" OFF)
     else()
       option(BUILD_SHARED_LIBS "Build shared libraries" ON)
     endif()
@@ -68,7 +68,7 @@ endif()
     endif()
   elseif(IOS)
     if (ENABLE_GSSAPI)
-      find_package(GSSAPI)  
+      find_package(GSSAPI)
     endif()
   endif()
 
@@ -98,14 +98,14 @@ endif()
                         include/smb2
       )
     endif()
-    
+
     if(CMAKE_SYSTEM_NAME MATCHES Linux)
       if (ENABLE_LIBKRB5)
-        set(core_DEPENDS ${LIBKRB5_LIBRARY} CACHE STRING "" FORCE)  
+        set(core_DEPENDS ${LIBKRB5_LIBRARY} CACHE STRING "" FORCE)
       endif()
     elseif(IOS)
       if (ENABLE_GSSAPI)
-        set(core_DEPENDS ${GSSAPI_LIBRARIES} CACHE STRING "" FORCE)   
+        set(core_DEPENDS ${GSSAPI_LIBRARIES} CACHE STRING "" FORCE)
       endif()
     endif()
 
@@ -139,36 +139,36 @@ endif()
       add_compile_options("${CMAKE_C_FLAGS} ${CMAKE_LDFLAGS}")
     elseif(CMAKE_SYSTEM_NAME MATCHES NintendoDS)
       add_definitions(-DARM9 -D__NDS__ -DNEED_READV -DHAVE_SOCKADDR_STORAGE -DNEED_WRITEV -DNEED_GETLOGIN_R -DNEED_GETADDRINFO -DNEED_FREEADDRINFO -DNEED_POLL)
-      set(CMAKE_C_FLAGS "-Wno-format -Wpointer-arith")      
+      set(CMAKE_C_FLAGS "-Wno-format -Wpointer-arith")
       set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -fno-rtti -fno-exceptions -std=gnu11")
       set(CMAKE_C_LDFLAGS "${CMAKE_C_FLAGS} -specs=ds_arm9.specs -g")
-      add_compile_options("${CMAKE_C_FLAGS} ${CMAKE_LDFLAGS}")      
-    elseif(CMAKE_SYSTEM_NAME MATCHES NintendoGameCube)      
+      add_compile_options("${CMAKE_C_FLAGS} ${CMAKE_LDFLAGS}")
+    elseif(CMAKE_SYSTEM_NAME MATCHES NintendoGameCube)
       add_definitions(-DGEKKO -D__GC__ -DNEED_READV -DNEED_WRITEV -DNEED_GETLOGIN_R -DNEED_GETADDRINFO -DNEED_FREEADDRINFO -DNEED_POLL)
       set(CMAKE_C_FLAGS "-g")
-      #-O3 -Wall      
-      add_compile_options("${CMAKE_C_FLAGS}")    
+      #-O3 -Wall
+      add_compile_options("${CMAKE_C_FLAGS}")
     elseif(CMAKE_SYSTEM_NAME MATCHES NintendoWii)
       add_definitions(-DGEKKO -D__WII__ -DNEED_READV -DNEED_WRITEV -DNEED_GETLOGIN_R -DNEED_GETADDRINFO -DNEED_FREEADDRINFO -DNEED_POLL)
       set(CMAKE_C_FLAGS "-g")
-      #-O3 -Wall      
+      #-O3 -Wall
       add_compile_options("${CMAKE_C_FLAGS}")
     elseif(CMAKE_SYSTEM_NAME MATCHES CafeOS)
       add_definitions(-D__WIIU__ -DNEED_READV -DNEED_WRITEV -DNEED_GETLOGIN_R)
       set(CMAKE_C_FLAGS "-g")
-      #-O3 -Wall      
-      add_compile_options("${CMAKE_C_FLAGS}")    
+      #-O3 -Wall
+      add_compile_options("${CMAKE_C_FLAGS}")
     elseif(PS4)
       add_definitions(-DPS4_PLATFORM)
       set(CMAKE_C_FLAGS "-funwind-tables")
       #-fuse-init-array -emit-llvm broken...
-      set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS}")    
+      set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS}")
       add_compile_options("${CMAKE_C_FLAGS}")
     elseif(EE)
       add_definitions(-DNEED_BE64TOH -DNEED_POLL -DNEED_WRITEV -DNEED_READV -DNEED_GETLOGIN_R)
       if(EE AND PS2RPC)
         add_definitions(-DPS2RPC)
-      endif()      
+      endif()
     elseif(IOP)
       add_definitions(-DHAVE_CONFIG_H -DNEED_BE64TOH -DNEED_STRDUP -DNEED_READV -DNEED_WRITEV -DNEED_POLL -DNEED_GETPID -DNEED_RANDOM -DNEED_SRANDOM -DNEED_GETLOGIN_R -DHAVE_STRING_H -DHAVE_SYS_FCNTL_H)
       if(IOP AND BUILD_IRX)
@@ -177,22 +177,22 @@ endif()
           add_definitions(-DDEBUG)
         endif()
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -fno-builtin")
-        set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -s")                
+        set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -s")
       endif()
-      set(CMAKE_C_FLAGS "-Wall") 
+      set(CMAKE_C_FLAGS "-Wall")
       include_directories(${CMAKE_CURRENT_BINARY_DIR} include/ps2)
       add_compile_options("${CMAKE_C_FLAGS}")
     elseif(VITA)
-      add_definitions(-DNEED_READV -DNEED_WRITEV -DNEED_GETLOGIN_R)  
+      add_definitions(-DNEED_READV -DNEED_WRITEV -DNEED_GETLOGIN_R)
     elseif(PICO_BOARD)
       add_definitions(-DNEED_BE64TOH -DNEED_POLL -DNEED_GETLOGIN_R)
-    elseif(ESP_PLATFORM)    
+    elseif(ESP_PLATFORM)
       if(NOT CMAKE_BUILD_EARLY_EXPANSION)
         add_definitions(-DHAVE_CONFIG_H)
       endif()
-      add_definitions(-DNEED_READV -DNEED_WRITEV -DNEED_GETLOGIN_R -DNEED_RANDOM -DNEED_SRANDOM)    
+      add_definitions(-DNEED_READV -DNEED_WRITEV -DNEED_GETLOGIN_R -DNEED_RANDOM -DNEED_SRANDOM)
     elseif(CMAKE_SYSTEM_NAME MATCHES Dreamcast)
-      add_definitions(-DNEED_WRITEV -DNEED_READV -DHAVE_CONFIG_H -DNEED_GETLOGIN_R)             
+      add_definitions(-DNEED_WRITEV -DNEED_READV -DHAVE_CONFIG_H -DNEED_GETLOGIN_R)
     elseif(CMAKE_SYSTEM_NAME STREQUAL Solaris)
       find_library(SOCKET_LIBRARY socket)
       find_library(NSL_LIBRARY nsl)
@@ -225,5 +225,5 @@ endif()
       install(FILES ${CMAKE_CURRENT_BINARY_DIR}/libsmb2.pc
             DESTINATION ${INSTALL_PKGCONFIG_DIR})
     endif()
-  endif() 
+  endif()
 

examples/smb2-lsa-lookupsids.c

@@ -53,7 +53,7 @@ void print_sid(RPC_SID *sid)
                 ia <<= 8;
                 ia |= sid->IdentifierAuthority[i];
         }
-        printf("%ld", ia);
+        printf("%lld", ia);
         for (i = 0; i < sid->SubAuthorityCount; i++) {
                 printf("-%d", sid->SubAuthority[i]);
         }
@@ -63,7 +63,7 @@ void cl_cb(struct dcerpc_context *dce, int status,
            void *command_data, void *cb_data)
 {
         struct lsa_close_rep *rep = command_data;
-        
+
         if (status) {
                 dcerpc_free_data(dce, rep);
                 printf("failed to close policy handle (%s) %s\n",
@@ -287,6 +287,6 @@ int main(int argc, char *argv[])
         smb2_disconnect_share(smb2);
         smb2_destroy_url(url);
         smb2_destroy_context(smb2);
-        
+
 	return 0;
 }

include/libsmb2-private.h

@@ -106,12 +106,6 @@ enum smb2_recv_state {
         SMB2_RECV_TRFM,
 };
 
-enum smb2_sec {
-        SMB2_SEC_UNDEFINED = 0,
-        SMB2_SEC_NTLMSSP,
-        SMB2_SEC_KRB5,
-};
-
 /* current tree id stack, note: index 0 in the stack is not used
 */
 #define SMB2_MAX_TREE_NESTING 32
@@ -340,7 +334,7 @@ struct smb2dir {
         int index;
 };
 
-        
+
 #define smb2_is_server(ctx) ((ctx)->owning_server != NULL)
 
 void smb2_set_nterror(struct smb2_context *smb2, int nterror,

include/smb2/libsmb2.h

@@ -24,7 +24,7 @@ extern "C" {
 #endif
 
 #define LIBSMB2_SHARE_ENUM_V2 1
-        
+
 struct smb2_iovec {
         uint8_t *buf;
         size_t len;
@@ -356,6 +356,12 @@ void smb2_set_seal(struct smb2_context *smb2, int val);
  */
 void smb2_set_sign(struct smb2_context *smb2, int val);
 
+enum smb2_sec {
+        SMB2_SEC_UNDEFINED = 0,
+        SMB2_SEC_NTLMSSP,
+        SMB2_SEC_KRB5,
+};
+
 /*
  * Set authentication method.
  * SMB2_SEC_UNDEFINED (use KRB if available or NTLM if not)
@@ -376,6 +382,18 @@ void smb2_set_user(struct smb2_context *smb2, const char *user);
  */
 const char *smb2_get_user(struct smb2_context *smb2);
 
+/*
+ * Get the workstation associated with a context.
+ * returns NULL if none
+ */
+const char *smb2_get_workstation(struct smb2_context *smb2);
+
+/*
+ * Get the domain associated with a context.
+ * returns NULL if none
+ */
+const char *smb2_get_domain(struct smb2_context *smb2);
+
 /*
  * Set the password that we will try to authenticate as.
  * This function is only needed when libsmb2 is built --without-libkrb5
@@ -564,6 +582,15 @@ struct smb2_pdu;
 int smb2_get_tree_id_for_pdu(struct smb2_context *smb2, struct smb2_pdu *pdu, uint32_t *tree_id);
 int smb2_set_tree_id_for_pdu(struct smb2_context *smb2, struct smb2_pdu *pdu, uint32_t tree_id);
 
+/*
+ * Get session id
+ *
+ * Returns:
+ * 0      : OK
+ * -errno :
+ */
+int smb2_get_session_id(struct smb2_context *smb2, uint64_t *session_id);
+
 /*
  * This function returns a description of the last encountered error.
  */

lib/asn1-ber.c

@@ -66,7 +66,7 @@ int asn1ber_next_byte(struct asn1ber_context *actx, uint8_t *outb)
     if (!actx || !actx->src || actx->src_tail >= actx->src_count) {
         return -1;
     }
-    
+
     actx->src_tail++;
     *outb = actx->src[actx->src_tail - 1];
     return 0;
@@ -77,7 +77,7 @@ int asn1ber_out_byte(struct asn1ber_context *actx, uint8_t inb)
     if (!actx || !actx->dst || actx->dst_head >= actx->dst_size) {
         return -1;
     }
-    
+
     actx->dst[actx->dst_head++] = inb;
     return 0;
 }
@@ -87,7 +87,7 @@ int asn1ber_save_out_state(struct asn1ber_context *actx, int *out_pos)
     if (!out_pos || !actx || !actx->dst || actx->dst_head >= actx->dst_size) {
         return -1;
     }
-    
+
     *out_pos = actx->dst_head;
     return 0;
 }
@@ -101,7 +101,7 @@ int asn1ber_annotate_length(struct asn1ber_context *actx, int out_pos, int reser
     if (!actx || !actx->dst || actx->dst_head >= actx->dst_size) {
         return -1;
     }
-    
+
     /* bytes added since out_pos snap-shot */
     bytes_made = actx->dst_head - out_pos;
     bytes_made -= reserved;
@@ -138,9 +138,9 @@ int asn1ber_length_from_ber(struct asn1ber_context *actx, uint32_t *len)
     if (b & 0x80)
     {
         uint32_t vallen;
-        
+
         val = 0;
-        
+
         /* length is number of bytes of length, not actual length */
         vallen = b & 0x7F;
         if (vallen > 4)
@@ -218,7 +218,7 @@ int asn1ber_request_from_ber(struct asn1ber_context *actx, ber_type_t *opcode, u
     {
         return result;
     }
-    
+
     return 0;
 }
 
@@ -539,7 +539,7 @@ int asn1ber_oid_from_ber(struct asn1ber_context *actx, struct asn1ber_oid_value
 {
     int result;
     int i;
-    uint16_t oval;
+    beroid_type_t oval;
     uint32_t vallen;
     uint8_t b = 0;
 
@@ -598,6 +598,7 @@ int asn1ber_oid_from_ber(struct asn1ber_context *actx, struct asn1ber_oid_value
             return result;
         }
         oval = (beroid_type_t)(b & 0x7F);
+        vallen--;
 
         while ((b & 0x80) && (vallen > 0))
         {
@@ -608,9 +609,9 @@ int asn1ber_oid_from_ber(struct asn1ber_context *actx, struct asn1ber_oid_value
             }
             oval <<= 7;
             oval |= (beroid_type_t)(b & 0x7F);
+            vallen--;
         }
         ((beroid_type_t*)(oid->elements))[i++] = oval;
-        vallen--;
     }
     if (vallen != 0)
     {

lib/init.c

@@ -632,6 +632,14 @@ const char *smb2_get_user(struct smb2_context *smb2)
         return NULL;
 }
 
+const char *smb2_get_workstation(struct smb2_context *smb2)
+{
+        if (smb2 && smb2->workstation) {
+                return smb2->workstation;
+        }
+        return NULL;
+}
+
 void smb2_set_password(struct smb2_context *smb2, const char *password)
 {
         if (smb2->password) {
@@ -648,6 +656,10 @@ void smb2_set_domain(struct smb2_context *smb2, const char *domain)
 {
         if (smb2->domain) {
                 free(discard_const(smb2->domain));
+                smb2->domain = NULL;
+        }
+        if (domain == NULL) {
+                return;
         }
         smb2->domain = strdup(domain);
 }
@@ -664,6 +676,10 @@ void smb2_set_workstation(struct smb2_context *smb2, const char *workstation)
 {
         if (smb2->workstation) {
                 free(discard_const(smb2->workstation));
+                smb2->workstation = NULL;
+        }
+        if (workstation == NULL) {
+                return;
         }
         smb2->workstation = strdup(workstation);
 }