authorSimo Sorce <idra@samba.org>2012-05-08 12:38:20 -0400
committerAlexander Bokovoy <ab@samba.org>2012-05-23 17:51:49 +0300
commitad945bc68f6b1e73a47bc0a33b35fcbf182f8137 (patch)
tree76f7be6394314cb68f210b0e3bda6fb4837a936b
parent302abe61900af3bd9b4fffe1b9e9d7e39cac599a (diff)
gensec_gssapi: Make it possible to build with MIT krb5
We need to ifdef out some minor things here because there is no available API to set these options in MIT. The realm and canonicalize options should not be of interest in the client case. Same for the send_to_kdc hacks. Also the OLD DES3 enctype is not at all interesting. I am not aware that Windows will ever use DES3, and no modern implementation relies on that enctype anymore, as it was fully deprecated long ago, so we can simply ignore it.
-rw-r--r--lib/krb5_wrap/krb5_samba.h3
-rw-r--r--source4/auth/gensec/gensec_gssapi.c30
-rwxr-xr-xsource4/heimdal_build/wscript_configure2
-rw-r--r--wscript_configure_krb516
4 files changed, 40 insertions, 11 deletions
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 15da39c037..8d55a32f15 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -53,6 +53,9 @@
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
#endif
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC_EXP)
+#define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56
+#endif
/* The older versions of heimdal that don't have this
define don't seem to use it anyway. I'm told they
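Review bot: The new alias carries no comment saying which implementation uses which name; since heimdal_build/wscript_configure in this same commit is what defines HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56, the block maps the Heimdal spelling onto the name the rest of the code uses. A one-liner above the new `#if`, `/* Heimdal spells this enctype ENCTYPE_ARCFOUR_HMAC_MD5_56; the code uses the MIT name ENCTYPE_ARCFOUR_HMAC_EXP */`, records that the same way the ARCFOUR_HMAC alias directly above should.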
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index dde481a41c..6d6ea3cf28 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -42,6 +42,12 @@
#include "lib/util/util_net.h"
#include "auth/kerberos/pac_utils.h"
+#ifndef gss_mech_spnego
+gss_OID_desc spnego_mech_oid_desc =
+ { 6, discard_const_p(void, "\x2b\x06\x01\x05\x05\x02") };
+#define gss_mech_spnego (&spnego_mech_oid_desc)
+#endif
+
_PUBLIC_ NTSTATUS gensec_gssapi_init(void);
static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
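Review bot: `spnego_mech_oid_desc` is defined at file scope with external linkage although nothing shown here needs it outside this file; `static gss_OID_desc spnego_mech_oid_desc =` keeps it out of the global symbol namespace and cannot collide with a library object of the same name. The `#ifndef gss_mech_spnego` guard also only detects an implementation that provides the name as a macro; a library that exports gss_mech_spnego as an ordinary object would still get this fallback, and the `#define` would then shadow that symbol for the rest of this file — presumably fine for the MIT build this commit targets, but worth confirming. A short comment on the guard, e.g. `/* fallback for GSSAPI libraries that do not provide gss_mech_spnego as a macro */`, would tell the next reader why the OID is spelled out by hand.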
@@ -166,7 +172,8 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
break;
case DCERPC_AUTH_TYPE_KRB5:
default:
- gensec_gssapi_state->gss_oid = gss_mech_krb5;
+ gensec_gssapi_state->gss_oid =
+ discard_const_p(void, gss_mech_krb5);
break;
}
@@ -199,6 +206,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
+#ifdef SAMBA4_USES_HEIMDAL
realm = lpcfg_realm(gensec_security->settings->lp_ctx);
if (realm != NULL) {
ret = gsskrb5_set_default_realm(realm);
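Review bot: With `#ifdef SAMBA4_USES_HEIMDAL` now wrapping the default-realm block (closed by the `#endif` in the hunk at @@ -216,7 +224,7), the `realm` and `ret` locals of gensec_gssapi_start — declared earlier, outside this hunk — appear to be used only inside the guarded region, so a MIT build would presumably get unused-variable warnings; moving those declarations under the same `#ifdef` avoids that. A comment on the new `#ifdef`, e.g. `/* MIT provides no API to set the GSSAPI default realm; the library's own default is used */`, states why the client path silently skips this step on MIT instead of failing. The enclosing function starts before this hunk.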
@@ -216,7 +224,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
return NT_STATUS_OK;
}
@@ -433,7 +441,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
{
+#ifdef SAMBA4_USES_HEIMDAL
struct gsskrb5_send_to_kdc send_to_kdc;
+#endif
krb5_error_code ret;
nt_status = gensec_gssapi_client_creds(gensec_security, ev);
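Review bot: `krb5_error_code ret;` stays declared unconditionally while, as far as the hunks at @@ -444,14 and @@ -472,14 show, its only assignment (`ret = gsskrb5_set_send_to_kdc(&send_to_kdc);`) is now inside `#ifdef SAMBA4_USES_HEIMDAL`, so a MIT build presumably gets an unused-variable warning; placing the declaration under the same `#ifdef` as `send_to_kdc` keeps the two consistent. The guard's effect deserves a comment at its first occurrence, since on MIT the KDC exchange is no longer routed through `smb_krb5_send_and_recv_func` and the event context `ev` but through the library's own transport: `/* Heimdal only: route KDC traffic through our tevent-based sender; MIT has no such hook and uses its own transport */`. gensec_gssapi_update continues outside these hunks.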
@@ -444,14 +454,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
#ifdef SAMBA4_USES_HEIMDAL
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = ev;
-#endif
min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (min_stat) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->client_cred->creds,
&gensec_gssapi_state->gssapi_context,
@@ -472,14 +481,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
#ifdef SAMBA4_USES_HEIMDAL
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = NULL;
-#endif
ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
break;
}
case GENSEC_SERVER:
@@ -1435,22 +1443,24 @@ static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, si
}
} else if (gensec_gssapi_state->lucid->protocol == 0) {
switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
- case KEYTYPE_DES:
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP:
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
gensec_gssapi_state->sig_size = 45;
} else {
gensec_gssapi_state->sig_size = 37;
}
break;
- case KEYTYPE_DES3:
+#ifdef SAMBA4_USES_HEIMDAL
+ case ENCTYPE_OLD_DES3_CBC_SHA1:
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
gensec_gssapi_state->sig_size = 57;
} else {
gensec_gssapi_state->sig_size = 49;
}
break;
+#endif
}
}
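Review bot: The `switch` on `rfc1964_kd.ctx_key.type` has no `default:`, and with the DES3 case now compiled out on MIT a context using that enctype leaves the switch without assigning `sig_size`; whatever value it then holds comes from lines of gensec_gssapi_sig_size outside this hunk, so a wrong signature size would go unnoticed. Adding `default:` `DEBUG(1, ("gensec_gssapi_sig_size: unsupported rfc1964 enctype %u\n", (unsigned)gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type));` `break;` makes that gap visible in the logs. The case labels also change from Heimdal KEYTYPE_* to ENCTYPE_* constants; the hunk does not show that the `type` field carries enctype values on both libraries, so that equivalence should be verified for the Heimdal build.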
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 17b7361cad..0b6ae88a35 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -147,9 +147,9 @@ conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
conf.define('KRB5_PRINC_REALM_RETURNS_REALM', 1)
conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
conf.define('HAVE_KRB5_H', 1)
-conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
+conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', 1)
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC', 1)
conf.define('HAVE_KRB5_PDU_NONE_DECL', 1)
conf.define('HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96', 1)
diff --git a/wscript_configure_krb5 b/wscript_configure_krb5
index 26a92a8a94..ba7ecf3c16 100644
--- a/wscript_configure_krb5
+++ b/wscript_configure_krb5
@@ -158,6 +158,13 @@ conf.CHECK_CODE('''
headers='krb5.h', lib='krb5',
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type definition is available");
conf.CHECK_CODE('''
+ krb5_enctype enctype;
+ enctype = ENCTYPE_ARCFOUR_HMAC_MD5_56;
+ ''',
+ '_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56',
+ headers='krb5.h', lib='krb5',
+ msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5_56 key type definition is available");
+conf.CHECK_CODE('''
krb5_keytype keytype;
keytype = KEYTYPE_ARCFOUR_56;
''',
@@ -166,6 +173,8 @@ conf.CHECK_CODE('''
msg="Checking whether the HAVE_KEYTYPE_ARCFOUR_56 key type definition is available");
if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'):
conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', '1')
+if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'):
+ conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', '1')
conf.CHECK_CODE('''
krb5_enctype enctype;
@@ -174,6 +183,13 @@ conf.CHECK_CODE('''
'HAVE_ENCTYPE_ARCFOUR_HMAC',
headers='krb5.h', lib='krb5',
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC key type definition is available");
+conf.CHECK_CODE('''
+ krb5_enctype enctype;
+ enctype = ENCTYPE_ARCFOUR_HMAC_EXP;
+ ''',
+ 'HAVE_ENCTYPE_ARCFOUR_HMAC_EXP',
+ headers='krb5.h', lib='krb5',
+ msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_EXP key type definition is available");
conf.CHECK_CODE('''
krb5_context context;