author | Andrew Bartlett <abartlet@samba.org> | 2006-02-13 00:08:16 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:51:55 -0500 |
commit | 26421fb2dc995c4fc10195f451c4d7dce07034bf (patch) | |
tree | 6d1f668aa31cc85927e1e00c88419dac7ee64b28 /source4/heimdal/lib/gssapi/wrap.c | |
parent | e9815c38dddbb79c0cd47c3b81eae2cec850a760 (diff) | |
r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine. But we should
ensure that we do always get a valid key, to prevent any segfaults.
Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.
Andrew Bartlett
(This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde)
Diffstat (limited to 'source4/heimdal/lib/gssapi/wrap.c')
-rw-r--r-- | source4/heimdal/lib/gssapi/wrap.c | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c
index 502137329c..d07a4d2599 100644
--- a/source4/heimdal/lib/gssapi/wrap.c
+++ b/source4/heimdal/lib/gssapi/wrap.c
@@ -36,6 +36,61 @@ RCSID("$Id: wrap.c,v 1.31 2005/01/05 02:52:12 lukeh Exp $");
 OM_uint32
+gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t key)
+{
+ krb5_error_code ret;
+ krb5_keyblock *skey = NULL;
+
+ HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+ if (context_handle->more_flags & LOCAL) {
+ ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ } else {
+ ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ }
+
+ /* If there was no subkey, perhaps try this... */
+ if(skey == NULL) {
+ krb5_auth_con_getkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ }
+
+ HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+ /* ensure never to segfault */
+ if(skey == NULL) {
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ key->length = skey->keyvalue.length;
+ key->value = malloc (key->length);
+ if (!key->value) {
+ krb5_free_keyblock(gssapi_krb5_context, skey);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ memcpy(key->value, skey->keyvalue.data, key->length);
+ krb5_free_keyblock(gssapi_krb5_context, skey);
+ return 0;
+}
+
+OM_uint32
 gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
 krb5_keyblock **key)
 { |
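Review bot: Both `if (ret)` branches in gsskrb5_get_initiator_subkey return `GSS_KRB5_S_KG_NO_SUBKEY` while `ctx_id_mutex` is still held, so a failed subkey lookup leaves the context locked and a later call that takes this mutex on the same context would block. Add `HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);` before each of those two returns, or route them through a single exit that unlocks. The `skey == NULL` return and the success path also leave `*minor_status` unwritten; setting `*minor_status = 0;` at the top of the function would give callers a defined value. The return value of `krb5_auth_con_getkey()` is discarded, which is tolerable only because of the NULL check that follows it. Since `key->value` is a heap copy of session key material, a comment stating that the caller owns the buffer and must release it (presumably via gss_release_buffer) would help.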