svn commit: samba r6803 - in branches/SAMBA_4_0/source: auth/gensec auth/kerberos include/system

abartlet at samba.org abartlet at samba.org
Mon May 16 01:31:24 GMT 2005


Author: abartlet
Date: 2005-05-16 01:31:22 +0000 (Mon, 16 May 2005)
New Revision: 6803

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6803

Log:
Try to bring in the correct GSSAPI headers for the krb5 mech.  This
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/gensec/schannel_state.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.m4
   branches/SAMBA_4_0/source/include/system/kerberos.h


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-05-16 01:17:44 UTC (rev 6802)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-05-16 01:31:22 UTC (rev 6803)
@@ -32,9 +32,6 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
-static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc =
-        {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
-
 struct gensec_gssapi_state {
 	gss_ctx_id_t gssapi_context;
 	struct gss_channel_bindings_struct *input_chan_bindings;
@@ -162,7 +159,7 @@
 #endif
 	}
 
-	gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc;
+	gensec_gssapi_state->gss_oid = gss_mech_krb5;
 	
 	ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
 	if (ret) {
@@ -359,6 +356,11 @@
 	} else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
 		return NT_STATUS_MORE_PROCESSING_REQUIRED;
 	} else {
+		if (maj_stat == GSS_S_FAILURE
+		    && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {
+			/* garbage input, possibly from the auto-mech detection */
+			return NT_STATUS_INVALID_PARAMETER;
+		}
 		DEBUG(1, ("GSS Update failed: %s\n", 
 			  gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
 		return nt_status;
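Review bot: The new early return for `KRB5KRB_AP_ERR_BADVERSION` / `KRB5KRB_AP_ERR_MSG_TYPE` sits ahead of the existing `DEBUG(1, ...)` call, so a token rejected on this path leaves no log line at any debug level. Malformed tokens are worth being able to see when diagnosing a misbehaving client, and a quieter level keeps the auto-mech detection noise down, e.g. `DEBUG(3, ("GSS Update rejected malformed token: %s\n", gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));` before the return. The test also assumes the library reports raw krb5 error codes as the GSSAPI minor status, which is presumably implementation-specific and deserves a one-line comment. The enclosing function starts and ends outside the hunk.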
@@ -641,8 +643,8 @@
 	}
 	if (feature & GENSEC_FEATURE_SESSION_KEY) {
 #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
-		if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
-		    && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, gensec_gssapi_state->gss_oid->length) == 0)) {
+		if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+		    && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) {
 			return True;
 		}
 #endif 
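Review bot: The length-plus-`memcmp` comparison against `gss_mech_krb5` is open-coded here and again in the hunk at -662, where the existing comment says calling the subkey routine for a non-krb5 mechanism "could get very ugly". Since that comparison is the only guard, it would be safer as one small static helper taking the state's `gss_oid` and returning `oid->length == gss_mech_krb5->length && memcmp(oid->elements, gss_mech_krb5->elements, oid->length) == 0`, used at both sites so they cannot drift apart. Both sites also dereference `gensec_gssapi_state->gss_oid` without a NULL check; it appears to be set unconditionally at start-up (the -162 hunk), but that function is only partly visible, so confirm. Both enclosing functions extend outside their hunks.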
@@ -662,8 +664,8 @@
 
 #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
 	/* Ensure we only call this for GSSAPI/krb5, otherwise things could get very ugly */
-	if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
-	    && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, 
+	if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+	    && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
 		       gensec_gssapi_state->gss_oid->length) == 0)) {
 		OM_uint32 maj_stat, min_stat;
 		gss_buffer_desc skey;

Modified: branches/SAMBA_4_0/source/auth/gensec/schannel_state.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/schannel_state.c	2005-05-16 01:17:44 UTC (rev 6802)
+++ branches/SAMBA_4_0/source/auth/gensec/schannel_state.c	2005-05-16 01:31:22 UTC (rev 6803)
@@ -26,9 +26,6 @@
 #include "lib/ldb/include/ldb.h"
 #include "db_wrap.h"
 
-/* a reasonable amount of time to keep credentials live */
-#define SCHANNEL_CREDENTIALS_EXPIRY 600
-
 /*
   connect to the schannel ldb
 */
@@ -72,11 +69,9 @@
 	struct ldb_context *ldb;
 	struct ldb_message *msg;
 	struct ldb_val val, seed;
-	char *s;
 	char *f;
 	char *sct;
 	char *rid;
-	time_t expiry = time(NULL) + SCHANNEL_CREDENTIALS_EXPIRY;
 	int ret;
 
 	ldb = schannel_db_connect(mem_ctx);
@@ -84,13 +79,6 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	s = talloc_asprintf(mem_ctx, "%u", (unsigned int)expiry);
-
-	if (s == NULL) {
-		talloc_free(ldb);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
 
 	if (f == NULL) {
@@ -133,7 +121,6 @@
 
 	ldb_msg_add_value(ldb, msg, "sessionKey", &val);
 	ldb_msg_add_value(ldb, msg, "seed", &seed);
-	ldb_msg_add_string(ldb, msg, "expiry", s);
 	ldb_msg_add_string(ldb, msg, "negotiateFlags", f);
 	ldb_msg_add_string(ldb, msg, "secureChannelType", sct);
 	ldb_msg_add_string(ldb, msg, "accountName", creds->account_name);
@@ -145,8 +132,6 @@
 
 	ret = ldb_add(ldb, msg);
 
-	talloc_free(s);
-
 	if (ret != 0) {
 		DEBUG(0,("Unable to add %s to session key db - %s\n", 
 			 msg->dn, ldb_errstring(ldb)));
@@ -171,7 +156,6 @@
 				    struct creds_CredentialState **creds)
 {
 	struct ldb_context *ldb;
-	time_t expiry;
 	struct ldb_message **res;
 	int ret;
 	const struct ldb_val *val;
@@ -199,13 +183,6 @@
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	expiry = ldb_msg_find_uint(res[0], "expiry", 0);
-	if (expiry < time(NULL)) {
-		DEBUG(1,("schannel: attempt to use expired session key for %s\n", computer_name));
-		talloc_free(ldb);
-		return NT_STATUS_INVALID_HANDLE;
-	}
-
 	val = ldb_msg_find_ldb_val(res[0], "sessionKey");
 	if (val == NULL || val->length != 16) {
 		DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
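Review bot: With the `expiry` lookup removed, nothing visible in this hunk bounds how long a stored schannel session key stays usable, and the earlier hunks in schannel_state.c also stop writing the `expiry` attribute and drop `SCHANNEL_CREDENTIALS_EXPIRY`. The log message covers only the GSSAPI headers, so it is unclear whether this removal is intentional or whether credential lifetime is enforced elsewhere. If it is deliberate, record that at the lookup, e.g. `/* stored schannel credentials are not aged out here: <where lifetime is enforced, or why none is needed> */`; otherwise keep the `if (expiry < time(NULL))` rejection and its `NT_STATUS_INVALID_HANDLE` return. The function body begins and ends outside the hunk.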

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.m4
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.m4	2005-05-16 01:17:44 UTC (rev 6802)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.m4	2005-05-16 01:31:22 UTC (rev 6803)
@@ -195,7 +195,7 @@
 
 	# now check for gssapi headers.  This is also done here to allow for
 	# different kerberos include paths
-	AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+	AC_CHECK_HEADERS(gssapi.h gssapi_krb5.h gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h com_err.h)
 
 	##################################################################
 	# we might need the k5crypto and com_err libraries on some systems

Modified: branches/SAMBA_4_0/source/include/system/kerberos.h
===================================================================
--- branches/SAMBA_4_0/source/include/system/kerberos.h	2005-05-16 01:17:44 UTC (rev 6802)
+++ branches/SAMBA_4_0/source/include/system/kerberos.h	2005-05-16 01:31:22 UTC (rev 6803)
@@ -27,7 +27,11 @@
 #undef HAVE_KRB5
 #endif
 
-#ifdef HAVE_GSSAPI_H
+#ifdef HAVE_GSSAPI_KRB5_H
+#include <gssapi_krb5.h>
+#elif defined(HAVE_GSSAPI_KRB5_H)
+#include <gssapi/gssapi_krb5.h>
+#elif defined(HAVE_GSSAPI_H)
 #include <gssapi.h>
 #elif defined(HAVE_GSSAPI_GSSAPI_H)
 #include <gssapi/gssapi.h>
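Review bot: The second branch repeats the first condition: `#ifdef HAVE_GSSAPI_KRB5_H` is followed by `#elif defined(HAVE_GSSAPI_KRB5_H)`, so `#include <gssapi/gssapi_krb5.h>` can never be selected. The kerberos.m4 hunk now probes `gssapi/gssapi_krb5.h`, and autoconf names that result `HAVE_GSSAPI_GSSAPI_KRB5_H`, so the line should read `#elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)`. As written, a system that ships the header only under `gssapi/` falls through to the plain gssapi.h branches, which may not declare the `gss_mech_krb5` symbol that gensec_gssapi.c now relies on. The conditional chain is closed outside the hunk.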


