svn commit: samba r15484 - in branches/SAMBA_4_0/source/heimdal/lib: gssapi krb5

abartlet at samba.org abartlet at samba.org
Sun May 7 09:28:50 GMT 2006


Author: abartlet
Date: 2006-05-07 09:28:49 +0000 (Sun, 07 May 2006)
New Revision: 15484

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=15484

Log:
Make accept_security_context() more compatible with how Samba3 (and
similarly built clients) behave.

This is better than just ignoring the checksum, if it isn't the GSSAPI
checksum.  (Samba4 clients in Samba3 mode use more than just the MD5
checksum, and will use a signed AES checksum if available.  Actual
samba3 may well do the same in future, against a suitable KDC).

Also a change for easier debugging of checksum issues.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/accept_sec_context.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/crypto.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c	2006-05-07 09:21:39 UTC (rev 15483)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c	2006-05-07 09:28:49 UTC (rev 15484)
@@ -185,13 +185,9 @@
 	return GSS_S_BAD_BINDINGS;
     }
     
-    /* This is the case where Samba3 has built GSSAPI out of
-     * krb5 the 'dodgy' way.  We have to accept the non-GSSAPI
-     * checksum because windows does */
-    
     if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
-	    *flags = 0;
-	    return GSS_S_COMPLETE;
+	*minor_status = 0;
+	return GSS_S_BAD_BINDINGS;
     }
     
     /* XXX should handle checksums > 24 bytes */
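Review bot: In the `if(cksum->cksumtype != CKSUMTYPE_GSSAPI)` branch, returning GSS_S_BAD_BINDINGS reports a channel-binding mismatch for what is really an unsupported checksum type, which will mislead anyone reading the major status while debugging; GSS_S_DEFECTIVE_TOKEN (or GSS_S_FAILURE with a descriptive minor code) names the actual condition. Since the caller in accept_sec_context.c now only reaches this function when the checksum type is CKSUMTYPE_GSSAPI, the branch is effectively a defensive guard and deserves a comment saying so, e.g. `/* Caller routes non-GSSAPI checksums elsewhere; reject rather than trust them here */`. The enclosing function begins and ends outside the hunk.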

Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/accept_sec_context.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/accept_sec_context.c	2006-05-07 09:21:39 UTC (rev 15483)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/accept_sec_context.c	2006-05-07 09:28:49 UTC (rev 15484)
@@ -371,15 +371,48 @@
 	    return ret;
 	}
 
-	ret = gssapi_krb5_verify_8003_checksum(minor_status,
-					       input_chan_bindings,
-					       authenticator->cksum,
-					       &flags,
-					       &(*context_handle)->fwd_data);
-	krb5_free_authenticator(gssapi_krb5_context, &authenticator);
-	if (ret) {
-	    return ret;
-	}
+        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+            ret = gssapi_krb5_verify_8003_checksum(minor_status,
+                                                   input_chan_bindings,
+                                                   authenticator->cksum,
+                                                   &flags,
+                                                   &(*context_handle)->fwd_data);
+
+	    krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+	    if (ret) {
+		return ret;
+	    }
+        } else {
+	    krb5_crypto crypto;
+
+	    kret = krb5_crypto_init(gssapi_krb5_context, 
+				   (*context_handle)->auth_context->keyblock, 
+				   0, &crypto);
+	    if(kret) {
+		krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+		ret = GSS_S_FAILURE;
+		*minor_status = kret;
+		gssapi_krb5_set_error_string ();
+		return ret;
+	    }
+
+	    /* Windows accepts Samba3's use of a kerberos, 
+	       rather than GSSAPI checksum here */
+	    kret = krb5_verify_checksum(gssapi_krb5_context,
+					crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+					authenticator->cksum);
+	    krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+	    if(kret) {
+		ret = GSS_S_FAILURE;
+		*minor_status = kret;
+		gssapi_krb5_set_error_string ();
+		return ret;
+	    }
+
+	    flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+        }
     }
     
     if(flags & GSS_C_MUTUAL_FLAG) {
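Review bot: The `krb5_crypto crypto` created by krb5_crypto_init in the new else branch is never released: neither the failure path after krb5_verify_checksum nor the success path that sets `flags` calls krb5_crypto_destroy, so every accept that takes the non-GSSAPI checksum route leaks a crypto context. Add `krb5_crypto_destroy(gssapi_krb5_context, crypto);` directly after the krb5_verify_checksum call and before the `if(kret)` test so both paths free it. This fallback also never consults input_chan_bindings and hard-codes the flags instead of taking them from the token, so an acceptor that supplied channel bindings gets no binding check and no delegation data on this path; the comment should say so explicitly, e.g. `/* Non-8003 checksum: channel bindings cannot be verified and flags are assumed */`. The new lines also mix 8-space and tab indentation (`if (authenticator->cksum->cksumtype ...`, `} else {`, closing brace) where the surrounding file uses tabs. The enclosing function continues outside the hunk.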

Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/crypto.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/crypto.c	2006-05-07 09:21:39 UTC (rev 15483)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/crypto.c	2006-05-07 09:28:49 UTC (rev 15484)
@@ -2042,7 +2042,8 @@
     }
     keyed_checksum = (ct->flags & F_KEYED) != 0;
     if(keyed_checksum && crypto == NULL) {
-	krb5_clear_error_string (context);
+	krb5_set_error_string (context, "checksum type %s is keyed, and requires a crypto context",
+			       ct->name);
 	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
     }
     if(keyed_checksum)


