svn commit: samba r13481 - in branches/SAMBA_4_0/source:
auth/gensec auth/kerberos heimdal/lib/gssapi
abartlet at samba.org
abartlet at samba.org
Mon Feb 13 00:08:17 GMT 2006
Author: abartlet
Date: 2006-02-13 00:08:16 +0000 (Mon, 13 Feb 2006)
New Revision: 13481
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13481
Log:
As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine. But we should
ensure that we do always get a valid key, to prevent any segfaults.
Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi.h
branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi_locl.h
branches/SAMBA_4_0/source/heimdal/lib/gssapi/wrap.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-02-13 00:04:28 UTC (rev 13480)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-02-13 00:08:16 UTC (rev 13481)
@@ -1058,21 +1058,22 @@
if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
&& (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
gensec_gssapi_state->gss_oid->length) == 0)) {
- OM_uint32 maj_stat;
- krb5_keyblock *skey;
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc skey;
- maj_stat = gss_krb5_get_subkey(gensec_gssapi_state->gssapi_context,
- &skey);
+ maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &skey);
if (maj_stat == 0) {
DEBUG(10, ("Got KRB5 session key of length %d\n",
- (int)KRB5_KEY_LENGTH(skey)));
+ (int)skey.length));
gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state,
- KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
+ skey.value, skey.length);
*session_key = gensec_gssapi_state->session_key;
dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
- krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, skey);
+ gss_release_buffer(&min_stat, &skey);
return NT_STATUS_OK;
}
return NT_STATUS_NO_USER_SESSION_KEY;
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt 2006-02-13 00:04:28 UTC (rev 13480)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt 2006-02-13 00:08:16 UTC (rev 13481)
@@ -247,6 +247,10 @@
- DCE_STYLE
+ - gsskrb5_get_initiator_subkey() (return the exact key that Samba3
+ has always asked for. gsskrb5_get_subkey() might do what we need
+ anyway)
+
- gsskrb5_acquire_creds() (takes keytab and/or ccache as input
parameters, see keytab and state machine discussion)
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi.h
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi.h 2006-02-13 00:04:28 UTC (rev 13480)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi.h 2006-02-13 00:08:16 UTC (rev 13481)
@@ -815,8 +815,10 @@
gss_ctx_id_t context_handle,
time_t *authtime);
OM_uint32
-gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
- struct EncryptionKey **key);
+gsskrb5_get_initiator_subkey
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t context_handle,
+ gss_buffer_t /* subkey */);
#define GSS_C_KRB5_COMPAT_DES3_MIC 1
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi_locl.h
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi_locl.h 2006-02-13 00:04:28 UTC (rev 13480)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi_locl.h 2006-02-13 00:08:16 UTC (rev 13481)
@@ -226,6 +226,9 @@
gss_qop_t * qop_state,
char * type);
+OM_uint32
+gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
+ krb5_keyblock **key);
krb5_error_code
gss_address_to_krb5addr(OM_uint32 gss_addr_type,
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/wrap.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/wrap.c 2006-02-13 00:04:28 UTC (rev 13480)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/wrap.c 2006-02-13 00:08:16 UTC (rev 13481)
@@ -36,6 +36,61 @@
RCSID("$Id: wrap.c,v 1.31 2005/01/05 02:52:12 lukeh Exp $");
OM_uint32
+gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t key)
+{
+ krb5_error_code ret;
+ krb5_keyblock *skey = NULL;
+
+ HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+ if (context_handle->more_flags & LOCAL) {
+ ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ } else {
+ ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ }
+
+ /* If there was no subkey, perhaps try this... */
+ if(skey == NULL) {
+ krb5_auth_con_getkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ }
+
+ HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+ /* ensure never to segfault */
+ if(skey == NULL) {
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ key->length = skey->keyvalue.length;
+ key->value = malloc (key->length);
+ if (!key->value) {
+ krb5_free_keyblock(gssapi_krb5_context, skey);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ memcpy(key->value, skey->keyvalue.data, key->length);
+ krb5_free_keyblock(gssapi_krb5_context, skey);
+ return 0;
+}
+
+OM_uint32
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
krb5_keyblock **key)
{
More information about the samba-cvs
mailing list