summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/gssapi/accept_sec_context.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-05-07 09:28:49 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:05:39 -0500
commit1ec7132b3058fb9d20ac188ea1840db2b068bea1 (patch)
tree3b37df29ecb8fa6e045142187e327dfc3eceb0d0 /source4/heimdal/lib/gssapi/accept_sec_context.c
parent07767825b7ed8c533abe66d1695fe307f07177d4 (diff)
downloadsamba-1ec7132b3058fb9d20ac188ea1840db2b068bea1.tar.gz
samba-1ec7132b3058fb9d20ac188ea1840db2b068bea1.tar.bz2
samba-1ec7132b3058fb9d20ac188ea1840db2b068bea1.zip
r15484: Make accept_security_context() more compatible with how Samba3 (and
similarly built clients) behave. This is better than just ignoring the checksum, if it isn't the GSSAPI checksum. (Samba4 clients in Samba3 mode use more than just the MD5 checksum, and will use a signed AES checksum if available. Actual samba3 may well do the same in future, against a suitable KDC). Also a change for easier debugging of checksum issues. Andrew Bartlett (This used to be commit 120374f5f9e9af0653a26e0308e4bfdabbcaa3f3)
Diffstat (limited to 'source4/heimdal/lib/gssapi/accept_sec_context.c')
-rw-r--r--source4/heimdal/lib/gssapi/accept_sec_context.c51
1 files changed, 42 insertions, 9 deletions
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c
index 9ca60a6cdd..afca449c5c 100644
--- a/source4/heimdal/lib/gssapi/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/accept_sec_context.c
@@ -371,15 +371,48 @@ gsskrb5_acceptor_start
return ret;
}
- ret = gssapi_krb5_verify_8003_checksum(minor_status,
- input_chan_bindings,
- authenticator->cksum,
- &flags,
- &(*context_handle)->fwd_data);
- krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret) {
- return ret;
- }
+ if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+ ret = gssapi_krb5_verify_8003_checksum(minor_status,
+ input_chan_bindings,
+ authenticator->cksum,
+ &flags,
+ &(*context_handle)->fwd_data);
+
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+ if (ret) {
+ return ret;
+ }
+ } else {
+ krb5_crypto crypto;
+
+ kret = krb5_crypto_init(gssapi_krb5_context,
+ (*context_handle)->auth_context->keyblock,
+ 0, &crypto);
+ if(kret) {
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return ret;
+ }
+
+ /* Windows accepts Samba3's use of a kerberos,
+ rather than GSSAPI checksum here */
+ kret = krb5_verify_checksum(gssapi_krb5_context,
+ crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+ authenticator->cksum);
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+ if(kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return ret;
+ }
+
+ flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ }
}
if(flags & GSS_C_MUTUAL_FLAG) {