gensec_gssapi: Make it possible to build with MIT krb5
We need to ifdef out some minor things here because there is no available API to set these options in MIT. The realm and canonicalize options should not be interesting in the client case. The same goes for the send_to_kdc hacks. Also, the OLD DES3 enctype is not at all interesting. I am not aware that Windows will ever use DES3, and no modern implementation relies on that enctype anymore as it was fully deprecated long ago, so we can simply ignore it.
parent
302abe6190
commit
ad945bc68f
@ -53,6 +53,9 @@
|
||||
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
|
||||
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
|
||||
#endif
|
||||
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC_EXP)
|
||||
#define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56
|
||||
#endif
|
||||
|
||||
/* The older versions of heimdal that don't have this
|
||||
define don't seem to use it anyway. I'm told they
|
||||
|
@ -42,6 +42,12 @@
|
||||
#include "lib/util/util_net.h"
|
||||
#include "auth/kerberos/pac_utils.h"
|
||||
|
||||
#ifndef gss_mech_spnego
|
||||
gss_OID_desc spnego_mech_oid_desc =
|
||||
{ 6, discard_const_p(void, "\x2b\x06\x01\x05\x05\x02") };
|
||||
#define gss_mech_spnego (&spnego_mech_oid_desc)
|
||||
#endif
|
||||
|
||||
_PUBLIC_ NTSTATUS gensec_gssapi_init(void);
|
||||
|
||||
static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
|
||||
@ -166,7 +172,8 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
|
||||
break;
|
||||
case DCERPC_AUTH_TYPE_KRB5:
|
||||
default:
|
||||
gensec_gssapi_state->gss_oid = gss_mech_krb5;
|
||||
gensec_gssapi_state->gss_oid =
|
||||
discard_const_p(void, gss_mech_krb5);
|
||||
break;
|
||||
}
|
||||
|
||||
@ -199,6 +206,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
|
||||
|
||||
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
|
||||
|
||||
#ifdef SAMBA4_USES_HEIMDAL
|
||||
realm = lpcfg_realm(gensec_security->settings->lp_ctx);
|
||||
if (realm != NULL) {
|
||||
ret = gsskrb5_set_default_realm(realm);
|
||||
@ -216,7 +224,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
|
||||
talloc_free(gensec_gssapi_state);
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
#endif
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
@ -433,7 +441,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
|
||||
switch (gensec_security->gensec_role) {
|
||||
case GENSEC_CLIENT:
|
||||
{
|
||||
#ifdef SAMBA4_USES_HEIMDAL
|
||||
struct gsskrb5_send_to_kdc send_to_kdc;
|
||||
#endif
|
||||
krb5_error_code ret;
|
||||
|
||||
nt_status = gensec_gssapi_client_creds(gensec_security, ev);
|
||||
@ -444,14 +454,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
|
||||
#ifdef SAMBA4_USES_HEIMDAL
|
||||
send_to_kdc.func = smb_krb5_send_and_recv_func;
|
||||
send_to_kdc.ptr = ev;
|
||||
#endif
|
||||
|
||||
min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
|
||||
if (min_stat) {
|
||||
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
#endif
|
||||
maj_stat = gss_init_sec_context(&min_stat,
|
||||
gensec_gssapi_state->client_cred->creds,
|
||||
&gensec_gssapi_state->gssapi_context,
|
||||
@ -472,14 +481,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
|
||||
#ifdef SAMBA4_USES_HEIMDAL
|
||||
send_to_kdc.func = smb_krb5_send_and_recv_func;
|
||||
send_to_kdc.ptr = NULL;
|
||||
#endif
|
||||
|
||||
ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
|
||||
if (ret) {
|
||||
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
case GENSEC_SERVER:
|
||||
@ -1435,22 +1443,24 @@ static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, si
|
||||
}
|
||||
} else if (gensec_gssapi_state->lucid->protocol == 0) {
|
||||
switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
|
||||
case KEYTYPE_DES:
|
||||
case KEYTYPE_ARCFOUR:
|
||||
case KEYTYPE_ARCFOUR_56:
|
||||
case ENCTYPE_DES_CBC_CRC:
|
||||
case ENCTYPE_ARCFOUR_HMAC:
|
||||
case ENCTYPE_ARCFOUR_HMAC_EXP:
|
||||
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
|
||||
gensec_gssapi_state->sig_size = 45;
|
||||
} else {
|
||||
gensec_gssapi_state->sig_size = 37;
|
||||
}
|
||||
break;
|
||||
case KEYTYPE_DES3:
|
||||
#ifdef SAMBA4_USES_HEIMDAL
|
||||
case ENCTYPE_OLD_DES3_CBC_SHA1:
|
||||
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
|
||||
gensec_gssapi_state->sig_size = 57;
|
||||
} else {
|
||||
gensec_gssapi_state->sig_size = 49;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
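Review bot: The switch on `rfc1964_kd.ctx_key.type` in gensec_gssapi_sig_size has no `default:` arm, and with `ENCTYPE_OLD_DES3_CBC_SHA1` now compiled only under `SAMBA4_USES_HEIMDAL`, a DES3 or any other unlisted context key on an MIT build leaves `sig_size` unassigned by this branch with no diagnostic. The signature length presumably feeds buffer sizing in callers outside this hunk, so a silent miss is worth at least a log line, for example `default: DEBUG(1, ("gensec_gssapi_sig_size: unhandled key type %d\n", (int)gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type)); break;`. The function begins before the hunk, so the value `sig_size` holds on entry to this branch should be confirmed there before deciding whether the default arm should also fail the call.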
@ -147,9 +147,9 @@ conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
|
||||
conf.define('KRB5_PRINC_REALM_RETURNS_REALM', 1)
|
||||
conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
|
||||
conf.define('HAVE_KRB5_H', 1)
|
||||
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
|
||||
conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
|
||||
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
|
||||
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', 1)
|
||||
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC', 1)
|
||||
conf.define('HAVE_KRB5_PDU_NONE_DECL', 1)
|
||||
conf.define('HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96', 1)
|
||||
|
@ -157,6 +157,13 @@ conf.CHECK_CODE('''
|
||||
'_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5',
|
||||
headers='krb5.h', lib='krb5',
|
||||
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type definition is available");
|
||||
conf.CHECK_CODE('''
|
||||
krb5_enctype enctype;
|
||||
enctype = ENCTYPE_ARCFOUR_HMAC_MD5_56;
|
||||
''',
|
||||
'_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56',
|
||||
headers='krb5.h', lib='krb5',
|
||||
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5_56 key type definition is available");
|
||||
conf.CHECK_CODE('''
|
||||
krb5_keytype keytype;
|
||||
keytype = KEYTYPE_ARCFOUR_56;
|
||||
@ -166,6 +173,8 @@ conf.CHECK_CODE('''
|
||||
msg="Checking whether the HAVE_KEYTYPE_ARCFOUR_56 key type definition is available");
|
||||
if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'):
|
||||
conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', '1')
|
||||
if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'):
|
||||
conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', '1')
|
||||
|
||||
conf.CHECK_CODE('''
|
||||
krb5_enctype enctype;
|
||||
@ -174,6 +183,13 @@ conf.CHECK_CODE('''
|
||||
'HAVE_ENCTYPE_ARCFOUR_HMAC',
|
||||
headers='krb5.h', lib='krb5',
|
||||
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC key type definition is available");
|
||||
conf.CHECK_CODE('''
|
||||
krb5_enctype enctype;
|
||||
enctype = ENCTYPE_ARCFOUR_HMAC_EXP;
|
||||
''',
|
||||
'HAVE_ENCTYPE_ARCFOUR_HMAC_EXP',
|
||||
headers='krb5.h', lib='krb5',
|
||||
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_EXP key type definition is available");
|
||||
|
||||
conf.CHECK_CODE('''
|
||||
krb5_context context;
|
||||
|
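Review bot: The new `HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56` define is gated on `_HAVE_KEYTYPE_ARCFOUR_56` as well as on its own probe, although the C change in this commit replaces the `KEYTYPE_*` case labels with `ENCTYPE_*` constants. On a krb5 library that provides `ENCTYPE_ARCFOUR_HMAC_MD5_56` but neither `KEYTYPE_ARCFOUR_56` nor `ENCTYPE_ARCFOUR_HMAC_EXP`, the define is skipped; if the `#define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56` alias is the only fallback, the build would presumably stop on an undeclared identifier. Consider testing only the enctype probe, `if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56'):`. The `HAVE_ENCTYPE_ARCFOUR_HMAC_MD5` line just above carries the same keytype coupling.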