summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-01-12 07:13:36 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:50:55 -0500
commitadab8d3968ce2bf18eab6b89375050ebf6630f08 (patch)
tree088f31dda14e99f490ee454bcb8d65d5cf621b4d
parent3f8ee534bafa149c00f050abea8ae111fea61287 (diff)
downloadsamba-adab8d3968ce2bf18eab6b89375050ebf6630f08.tar.gz
samba-adab8d3968ce2bf18eab6b89375050ebf6630f08.tar.bz2
samba-adab8d3968ce2bf18eab6b89375050ebf6630f08.zip
r12863: As lha suggested to me a while back, it appears that the
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use gss_krb5_get_subkey(). This is fortunate, as there was a segfault bug in 'initiator' version. Andrew Bartlett (This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
-rw-r--r--source4/auth/gensec/gensec_gssapi.c15
-rw-r--r--source4/auth/kerberos/kerberos-notes.txt4
-rw-r--r--source4/heimdal/lib/gssapi/gssapi.h6
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_locl.h3
-rw-r--r--source4/heimdal/lib/gssapi/wrap.c41
5 files changed, 9 insertions, 60 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index b71bee03ea..4eb7b95d6d 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -734,22 +734,21 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
&& (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
gensec_gssapi_state->gss_oid->length) == 0)) {
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc skey;
+ OM_uint32 maj_stat;
+ krb5_keyblock *skey;
- maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &skey);
+ maj_stat = gss_krb5_get_subkey(gensec_gssapi_state->gssapi_context,
+ &skey);
if (maj_stat == 0) {
DEBUG(10, ("Got KRB5 session key of length %d\n",
- (int)skey.length));
+ (int)KRB5_KEY_LENGTH(skey)));
gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state,
- skey.value, skey.length);
+ KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
*session_key = gensec_gssapi_state->session_key;
dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
- gss_release_buffer(&min_stat, &skey);
+ krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, skey);
return NT_STATUS_OK;
}
return NT_STATUS_NO_USER_SESSION_KEY;
diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt
index 43881a20d3..26cfa4dfba 100644
--- a/source4/auth/kerberos/kerberos-notes.txt
+++ b/source4/auth/kerberos/kerberos-notes.txt
@@ -247,10 +247,6 @@ the kerberos libraries
- DCE_STYLE
- - gsskrb5_get_initiator_subkey() (return the exact key that Samba3
- has always asked for. gsskrb5_get_subkey() might do what we need
- anyway)
-
- gsskrb5_acquire_creds() (takes keytab and/or ccache as input
parameters, see keytab and state machine discussion)
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h
index b93ad4e481..6d48359b32 100644
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -815,10 +815,8 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
time_t *authtime);
OM_uint32
-gsskrb5_get_initiator_subkey
- (OM_uint32 * /*minor_status*/,
- const gss_ctx_id_t context_handle,
- gss_buffer_t /* subkey */);
+gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
+ struct EncryptionKey **key);
#define GSS_C_KRB5_COMPAT_DES3_MIC 1
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index bd5d0db2b5..6fd8b0a4ac 100644
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -226,9 +226,6 @@ gss_verify_mic_internal(OM_uint32 * minor_status,
gss_qop_t * qop_state,
char * type);
-OM_uint32
-gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
krb5_error_code
gss_address_to_krb5addr(OM_uint32 gss_addr_type,
diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c
index 50249d2d7f..502137329c 100644
--- a/source4/heimdal/lib/gssapi/wrap.c
+++ b/source4/heimdal/lib/gssapi/wrap.c
@@ -36,47 +36,6 @@
RCSID("$Id: wrap.c,v 1.31 2005/01/05 02:52:12 lukeh Exp $");
OM_uint32
-gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t key)
-{
- krb5_error_code ret;
- krb5_keyblock *skey = NULL;
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- if (context_handle->more_flags & LOCAL) {
- ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
- context_handle->auth_context,
- &skey);
- if (ret) {
- *minor_status = ret;
- return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
- }
-
- } else {
- ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context,
- context_handle->auth_context,
- &skey);
- if (ret) {
- *minor_status = ret;
- return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
- }
-
- }
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- key->length = skey->keyvalue.length;
- key->value = malloc (key->length);
- if (!key->value) {
- krb5_free_keyblock(gssapi_krb5_context, skey);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy(key->value, skey->keyvalue.data, key->length);
- krb5_free_keyblock(gssapi_krb5_context, skey);
- return 0;
-}
-
-OM_uint32
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
krb5_keyblock **key)
{