summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-02-13 00:08:16 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:55 -0500
commit26421fb2dc995c4fc10195f451c4d7dce07034bf (patch)
tree6d1f668aa31cc85927e1e00c88419dac7ee64b28 /source4/heimdal/lib
parente9815c38dddbb79c0cd47c3b81eae2cec850a760 (diff)
downloadsamba-26421fb2dc995c4fc10195f451c4d7dce07034bf.tar.gz
samba-26421fb2dc995c4fc10195f451c4d7dce07034bf.tar.bz2
samba-26421fb2dc995c4fc10195f451c4d7dce07034bf.zip
r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine. But we should ensure that we do always get a valid key, to prevent any segfaults. Without this code, we get a different session key compared with Win2k3, and so kerberised smb signing fails. Andrew Bartlett (This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde)
Diffstat (limited to 'source4/heimdal/lib')
-rw-r--r--source4/heimdal/lib/gssapi/gssapi.h6
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_locl.h3
-rw-r--r--source4/heimdal/lib/gssapi/wrap.c55
3 files changed, 62 insertions, 2 deletions
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h
index 6d48359b32..b93ad4e481 100644
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -815,8 +815,10 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
time_t *authtime);
OM_uint32
-gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
- struct EncryptionKey **key);
+gsskrb5_get_initiator_subkey
+ (OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t context_handle,
+ gss_buffer_t /* subkey */);
#define GSS_C_KRB5_COMPAT_DES3_MIC 1
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index 6fd8b0a4ac..bd5d0db2b5 100644
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -226,6 +226,9 @@ gss_verify_mic_internal(OM_uint32 * minor_status,
gss_qop_t * qop_state,
char * type);
+OM_uint32
+gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
+ krb5_keyblock **key);
krb5_error_code
gss_address_to_krb5addr(OM_uint32 gss_addr_type,
diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c
index 502137329c..d07a4d2599 100644
--- a/source4/heimdal/lib/gssapi/wrap.c
+++ b/source4/heimdal/lib/gssapi/wrap.c
@@ -36,6 +36,61 @@
RCSID("$Id: wrap.c,v 1.31 2005/01/05 02:52:12 lukeh Exp $");
OM_uint32
+gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t key)
+{
+ krb5_error_code ret;
+ krb5_keyblock *skey = NULL;
+
+ HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+ if (context_handle->more_flags & LOCAL) {
+ ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ } else {
+ ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ }
+
+ /* If there was no subkey, perhaps try this... */
+ if(skey == NULL) {
+ krb5_auth_con_getkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ }
+
+ HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+ /* ensure never to segfault */
+ if(skey == NULL) {
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
+ }
+
+ key->length = skey->keyvalue.length;
+ key->value = malloc (key->length);
+ if (!key->value) {
+ krb5_free_keyblock(gssapi_krb5_context, skey);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ memcpy(key->value, skey->keyvalue.data, key->length);
+ krb5_free_keyblock(gssapi_krb5_context, skey);
+ return 0;
+}
+
+OM_uint32
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
krb5_keyblock **key)
{