diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-05-16 01:31:22 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:16:45 -0500 |
| commit | 1d0e2b9569be6f2e8a5495ead1f92c9855f0e7f9 (patch) | |
| tree | e3f821c9a79f24292f4cf34d04ed880de69e57ef /source4/auth/gensec/gensec_gssapi.c | |
| parent | 03435f5de11b364d6a7bb8bf99c12afd5cdd286e (diff) | |
| download | samba-1d0e2b9569be6f2e8a5495ead1f92c9855f0e7f9.tar.gz samba-1d0e2b9569be6f2e8a5495ead1f92c9855f0e7f9.tar.bz2 samba-1d0e2b9569be6f2e8a5495ead1f92c9855f0e7f9.zip | |
r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. This
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.
Andrew Bartlett
(This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)
Diffstat (limited to 'source4/auth/gensec/gensec_gssapi.c')
| -rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index e57739c85c..d186e3ed1f 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -32,9 +32,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc = - {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; - struct gensec_gssapi_state { gss_ctx_id_t gssapi_context; struct gss_channel_bindings_struct *input_chan_bindings; @@ -162,7 +159,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) #endif } - gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc; + gensec_gssapi_state->gss_oid = gss_mech_krb5; ret = krb5_init_context(&gensec_gssapi_state->krb5_context); if (ret) { @@ -359,6 +356,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, } else if (maj_stat == GSS_S_CONTINUE_NEEDED) { return NT_STATUS_MORE_PROCESSING_REQUIRED; } else { + if (maj_stat == GSS_S_FAILURE + && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) { + /* garbage input, possibly from the auto-mech detection */ + return NT_STATUS_INVALID_PARAMETER; + } DEBUG(1, ("GSS Update failed: %s\n", gssapi_error_string(out_mem_ctx, maj_stat, min_stat))); return nt_status; @@ -641,8 +643,8 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security, } if (feature & GENSEC_FEATURE_SESSION_KEY) { #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY - if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length) - && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, gensec_gssapi_state->gss_oid->length) == 0)) { + if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) + && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) { return True; } #endif @@ -662,8 +664,8 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY /* Ensure we only call this for GSSAPI/krb5, otherwise things could get very ugly */ - if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length) - && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, + if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) + && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) { OM_uint32 maj_stat, min_stat; gss_buffer_desc skey; |