diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-01-12 07:13:36 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:50:55 -0500 |
commit | adab8d3968ce2bf18eab6b89375050ebf6630f08 (patch) | |
tree | 088f31dda14e99f490ee454bcb8d65d5cf621b4d /source4 | |
parent | 3f8ee534bafa149c00f050abea8ae111fea61287 (diff) | |
download | samba-adab8d3968ce2bf18eab6b89375050ebf6630f08.tar.gz samba-adab8d3968ce2bf18eab6b89375050ebf6630f08.tar.bz2 samba-adab8d3968ce2bf18eab6b89375050ebf6630f08.zip |
r12863: As lha suggested to me a while back, it appears that the
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use
gss_krb5_get_subkey().
This is fortunate, as there was a segfault bug in 'initiator' version.
Andrew Bartlett
(This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 15 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos-notes.txt | 4 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi.h | 6 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi_locl.h | 3 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/wrap.c | 41 |
5 files changed, 9 insertions, 60 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index b71bee03ea..4eb7b95d6d 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -734,22 +734,21 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) { - OM_uint32 maj_stat, min_stat; - gss_buffer_desc skey; + OM_uint32 maj_stat; + krb5_keyblock *skey; - maj_stat = gsskrb5_get_initiator_subkey(&min_stat, - gensec_gssapi_state->gssapi_context, - &skey); + maj_stat = gss_krb5_get_subkey(gensec_gssapi_state->gssapi_context, + &skey); if (maj_stat == 0) { DEBUG(10, ("Got KRB5 session key of length %d\n", - (int)skey.length)); + (int)KRB5_KEY_LENGTH(skey))); gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, - skey.value, skey.length); + KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); *session_key = gensec_gssapi_state->session_key; dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); - gss_release_buffer(&min_stat, &skey); + krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, skey); return NT_STATUS_OK; } return NT_STATUS_NO_USER_SESSION_KEY; diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt index 43881a20d3..26cfa4dfba 100644 --- a/source4/auth/kerberos/kerberos-notes.txt +++ b/source4/auth/kerberos/kerberos-notes.txt @@ -247,10 +247,6 @@ the kerberos libraries - DCE_STYLE - - gsskrb5_get_initiator_subkey() (return the exact key that Samba3 - has always asked for. gsskrb5_get_subkey() might do what we need - anyway) - - gsskrb5_acquire_creds() (takes keytab and/or ccache as input parameters, see keytab and state machine discussion) diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index b93ad4e481..6d48359b32 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h @@ -815,10 +815,8 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, time_t *authtime); OM_uint32 -gsskrb5_get_initiator_subkey - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t context_handle, - gss_buffer_t /* subkey */); +gss_krb5_get_subkey(const gss_ctx_id_t context_handle, + struct EncryptionKey **key); #define GSS_C_KRB5_COMPAT_DES3_MIC 1 diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h index bd5d0db2b5..6fd8b0a4ac 100644 --- a/source4/heimdal/lib/gssapi/gssapi_locl.h +++ b/source4/heimdal/lib/gssapi/gssapi_locl.h @@ -226,9 +226,6 @@ gss_verify_mic_internal(OM_uint32 * minor_status, gss_qop_t * qop_state, char * type); -OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key); krb5_error_code gss_address_to_krb5addr(OM_uint32 gss_addr_type, diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c index 50249d2d7f..502137329c 100644 --- a/source4/heimdal/lib/gssapi/wrap.c +++ b/source4/heimdal/lib/gssapi/wrap.c @@ -36,47 +36,6 @@ RCSID("$Id: wrap.c,v 1.31 2005/01/05 02:52:12 lukeh Exp $"); OM_uint32 -gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t key) -{ - krb5_error_code ret; - krb5_keyblock *skey = NULL; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->more_flags & LOCAL) { - ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if (ret) { - *minor_status = ret; - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - } - - } else { - ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if (ret) { - *minor_status = ret; - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - } - - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - key->length = skey->keyvalue.length; - key->value = malloc (key->length); - if (!key->value) { - krb5_free_keyblock(gssapi_krb5_context, skey); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(key->value, skey->keyvalue.data, key->length); - krb5_free_keyblock(gssapi_krb5_context, skey); - return 0; -} - -OM_uint32 gss_krb5_get_subkey(const gss_ctx_id_t context_handle, krb5_keyblock **key) { |