mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine. But we should
ensure that we do always get a valid key, to prevent any segfaults.
Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.
Andrew Bartlett
(This used to be commit cfd0df16b7
)
This commit is contained in:
parent
e9815c38dd
commit
26421fb2dc
@ -1058,21 +1058,22 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
|
||||
if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
|
||||
&& (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
|
||||
gensec_gssapi_state->gss_oid->length) == 0)) {
|
||||
OM_uint32 maj_stat;
|
||||
krb5_keyblock *skey;
|
||||
OM_uint32 maj_stat, min_stat;
|
||||
gss_buffer_desc skey;
|
||||
|
||||
maj_stat = gss_krb5_get_subkey(gensec_gssapi_state->gssapi_context,
|
||||
&skey);
|
||||
maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
|
||||
gensec_gssapi_state->gssapi_context,
|
||||
&skey);
|
||||
|
||||
if (maj_stat == 0) {
|
||||
DEBUG(10, ("Got KRB5 session key of length %d\n",
|
||||
(int)KRB5_KEY_LENGTH(skey)));
|
||||
(int)skey.length));
|
||||
gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state,
|
||||
KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
|
||||
skey.value, skey.length);
|
||||
*session_key = gensec_gssapi_state->session_key;
|
||||
dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
|
||||
|
||||
krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, skey);
|
||||
gss_release_buffer(&min_stat, &skey);
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
return NT_STATUS_NO_USER_SESSION_KEY;
|
||||
|
@ -247,6 +247,10 @@ the kerberos libraries
|
||||
|
||||
- DCE_STYLE
|
||||
|
||||
- gsskrb5_get_initiator_subkey() (return the exact key that Samba3
|
||||
has always asked for. gsskrb5_get_subkey() might do what we need
|
||||
anyway)
|
||||
|
||||
- gsskrb5_acquire_creds() (takes keytab and/or ccache as input
|
||||
parameters, see keytab and state machine discussion)
|
||||
|
||||
|
@ -815,8 +815,10 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
|
||||
gss_ctx_id_t context_handle,
|
||||
time_t *authtime);
|
||||
OM_uint32
|
||||
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
|
||||
struct EncryptionKey **key);
|
||||
gsskrb5_get_initiator_subkey
|
||||
(OM_uint32 * /*minor_status*/,
|
||||
const gss_ctx_id_t context_handle,
|
||||
gss_buffer_t /* subkey */);
|
||||
|
||||
#define GSS_C_KRB5_COMPAT_DES3_MIC 1
|
||||
|
||||
|
@ -226,6 +226,9 @@ gss_verify_mic_internal(OM_uint32 * minor_status,
|
||||
gss_qop_t * qop_state,
|
||||
char * type);
|
||||
|
||||
OM_uint32
|
||||
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
|
||||
krb5_keyblock **key);
|
||||
|
||||
krb5_error_code
|
||||
gss_address_to_krb5addr(OM_uint32 gss_addr_type,
|
||||
|
@ -35,6 +35,61 @@
|
||||
|
||||
RCSID("$Id: wrap.c,v 1.31 2005/01/05 02:52:12 lukeh Exp $");
|
||||
|
||||
OM_uint32
|
||||
gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
|
||||
gss_ctx_id_t context_handle,
|
||||
gss_buffer_t key)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_keyblock *skey = NULL;
|
||||
|
||||
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
|
||||
if (context_handle->more_flags & LOCAL) {
|
||||
ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
|
||||
context_handle->auth_context,
|
||||
&skey);
|
||||
if (ret) {
|
||||
*minor_status = ret;
|
||||
return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
|
||||
}
|
||||
|
||||
} else {
|
||||
ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context,
|
||||
context_handle->auth_context,
|
||||
&skey);
|
||||
if (ret) {
|
||||
*minor_status = ret;
|
||||
return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/* If there was no subkey, perhaps try this... */
|
||||
if(skey == NULL) {
|
||||
krb5_auth_con_getkey(gssapi_krb5_context,
|
||||
context_handle->auth_context,
|
||||
&skey);
|
||||
}
|
||||
|
||||
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
|
||||
|
||||
/* ensure never to segfault */
|
||||
if(skey == NULL) {
|
||||
return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
|
||||
}
|
||||
|
||||
key->length = skey->keyvalue.length;
|
||||
key->value = malloc (key->length);
|
||||
if (!key->value) {
|
||||
krb5_free_keyblock(gssapi_krb5_context, skey);
|
||||
*minor_status = ENOMEM;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
memcpy(key->value, skey->keyvalue.data, key->length);
|
||||
krb5_free_keyblock(gssapi_krb5_context, skey);
|
||||
return 0;
|
||||
}
|
||||
|
||||
OM_uint32
|
||||
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
|
||||
krb5_keyblock **key)
|
||||
|
Loading…
Reference in New Issue
Block a user