From 26421fb2dc995c4fc10195f451c4d7dce07034bf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 13 Feb 2006 00:08:16 +0000 Subject: [PATCH] r13481: As far as I can tell, my changes in -r 12863 were dangerously untested. We do need the gsskrb5_get_initiator_subkey() routine. But we should ensure that we do always get a valid key, to prevent any segfaults. Without this code, we get a different session key compared with Win2k3, and so kerberised smb signing fails. Andrew Bartlett (This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde) --- source4/auth/gensec/gensec_gssapi.c | 15 ++++--- source4/auth/kerberos/kerberos-notes.txt | 4 ++ source4/heimdal/lib/gssapi/gssapi.h | 6 ++- source4/heimdal/lib/gssapi/gssapi_locl.h | 3 ++ source4/heimdal/lib/gssapi/wrap.c | 55 ++++++++++++++++++++++++ 5 files changed, 74 insertions(+), 9 deletions(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index aaa79aa407b..eab8211525a 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c 
@@ -1058,21 +1058,22 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) { - OM_uint32 maj_stat; - krb5_keyblock *skey; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc skey; - maj_stat = gss_krb5_get_subkey(gensec_gssapi_state->gssapi_context, - &skey); + maj_stat = gsskrb5_get_initiator_subkey(&min_stat, + gensec_gssapi_state->gssapi_context, + &skey); if (maj_stat == 0) { DEBUG(10, ("Got KRB5 session key of length %d\n", - (int)KRB5_KEY_LENGTH(skey))); + (int)skey.length)); gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, - KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); + skey.value, skey.length); *session_key = gensec_gssapi_state->session_key; dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); - krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, skey); + gss_release_buffer(&min_stat, &skey); return NT_STATUS_OK; } return NT_STATUS_NO_USER_SESSION_KEY; diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt index 26cfa4dfba6..43881a20d33 100644 --- a/source4/auth/kerberos/kerberos-notes.txt +++ b/source4/auth/kerberos/kerberos-notes.txt @@ -247,6 +247,10 @@ the kerberos libraries - DCE_STYLE + - gsskrb5_get_initiator_subkey() (return the exact key that Samba3 + has always asked for. gsskrb5_get_subkey() might do what we need + anyway) + - gsskrb5_acquire_creds() (takes keytab and/or ccache as input parameters, see keytab and state machine discussion) diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index 6d48359b32f..b93ad4e481d 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h 
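Review bot: In gensec_gssapi_session_key() the blob returned by `data_blob_talloc()` is stored and NT_STATUS_OK is returned without checking that the copy succeeded, so an allocation failure would presumably hand callers an empty session key for SMB signing. Since `skey` is now a malloc'ed copy of the key, release it first and then test the blob: keep `gss_release_buffer(&min_stat, &skey);` and follow it with `if (!gensec_gssapi_state->session_key.data) return NT_STATUS_NO_MEMORY;`. On the failure branch `min_stat` is discarded, so a `DEBUG()` line printing both status values would make a missing subkey diagnosable. The function starts before this hunk, so the surrounding control flow is not fully visible here.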
@@ -815,8 +815,10 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, time_t *authtime); OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - struct EncryptionKey **key); +gsskrb5_get_initiator_subkey + (OM_uint32 * /*minor_status*/, + const gss_ctx_id_t context_handle, + gss_buffer_t /* subkey */); #define GSS_C_KRB5_COMPAT_DES3_MIC 1 diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h index 6fd8b0a4acf..bd5d0db2b5a 100644 --- a/source4/heimdal/lib/gssapi/gssapi_locl.h +++ b/source4/heimdal/lib/gssapi/gssapi_locl.h @@ -226,6 +226,9 @@ gss_verify_mic_internal(OM_uint32 * minor_status, gss_qop_t * qop_state, char * type); +OM_uint32 +gss_krb5_get_subkey(const gss_ctx_id_t context_handle, + krb5_keyblock **key); krb5_error_code gss_address_to_krb5addr(OM_uint32 gss_addr_type, diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c index 502137329cb..d07a4d25990 100644 --- a/source4/heimdal/lib/gssapi/wrap.c +++ b/source4/heimdal/lib/gssapi/wrap.c 
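Review bot: The new public declaration of `gsskrb5_get_initiator_subkey()` in gssapi.h has no comment saying who owns the returned buffer or which key it holds, and callers need both. I would add above it: `/* Copies the context's subkey (or, if there is none, the session key) into a malloc'ed buffer holding raw key bytes; the caller frees it with gss_release_buffer(). */`. The prototype also declares `const gss_ctx_id_t context_handle` and comments the third parameter as `subkey`, while the definition in wrap.c takes a plain `gss_ctx_id_t` and names it `key`. Making the two agree would let the header serve as the documentation.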
@@ -35,6 +35,61 @@ RCSID("$Id: wrap.c,v 1.31 2005/01/05 02:52:12 lukeh Exp $"); +OM_uint32 +gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + gss_buffer_t key) +{ + krb5_error_code ret; + krb5_keyblock *skey = NULL; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + if (context_handle->more_flags & LOCAL) { + ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if (ret) { + *minor_status = ret; + return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + } + + } else { + ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if (ret) { + *minor_status = ret; + return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + } + + } + + /* If there was no subkey, perhaps try this... */ + if(skey == NULL) { + krb5_auth_con_getkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + } + + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + /* ensure never to segfault */ + if(skey == NULL) { + return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + } + + key->length = skey->keyvalue.length; + key->value = malloc (key->length); + if (!key->value) { + krb5_free_keyblock(gssapi_krb5_context, skey); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + memcpy(key->value, skey->keyvalue.data, key->length); + krb5_free_keyblock(gssapi_krb5_context, skey); + return 0; +} + OM_uint32 gss_krb5_get_subkey(const gss_ctx_id_t context_handle, krb5_keyblock **key)
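Review bot: Both `if (ret)` branches in gsskrb5_get_initiator_subkey() return while `ctx_id_mutex` is still locked, so one failed subkey lookup leaves the context mutex held and the next operation on that context can block indefinitely. The result of `krb5_auth_con_getkey()` is also ignored, and `*minor_status` is never written on the no-key and success paths, so a caller that reads it sees an uninitialised value. I would collect the error in `ret`, unlock once, and only then decide what to return, as below; the whole function is inside this hunk. Separately, `GSS_KRB5_S_KG_NO_SUBKEY` looks like a minor-status code being returned as the major status (the `/* XXX */` suggests this is known), which is worth settling before other callers test the result with `GSS_ERROR()`.

```c
    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
    if (context_handle->more_flags & LOCAL) {
        ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
                                           context_handle->auth_context,
                                           &skey);
    } else {
        ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context,
                                            context_handle->auth_context,
                                            &skey);
    }
    /* No subkey negotiated: fall back to the session key. */
    if (ret == 0 && skey == NULL) {
        ret = krb5_auth_con_getkey(gssapi_krb5_context,
                                   context_handle->auth_context,
                                   &skey);
    }
    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);

    *minor_status = ret;
    if (ret || skey == NULL) {
        return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
    }
    /* ... unchanged: copy skey->keyvalue into key, free skey ... */
```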