diff options
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 18 | ||||
-rw-r--r-- | source4/auth/gensec/schannel_state.c | 23 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.m4 | 2 | ||||
-rw-r--r-- | source4/include/system/kerberos.h | 6 |
4 files changed, 16 insertions, 33 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index e57739c85c..d186e3ed1f 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -32,9 +32,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc = - {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; - struct gensec_gssapi_state { gss_ctx_id_t gssapi_context; struct gss_channel_bindings_struct *input_chan_bindings; @@ -162,7 +159,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) #endif } - gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc; + gensec_gssapi_state->gss_oid = gss_mech_krb5; ret = krb5_init_context(&gensec_gssapi_state->krb5_context); if (ret) { @@ -359,6 +356,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, } else if (maj_stat == GSS_S_CONTINUE_NEEDED) { return NT_STATUS_MORE_PROCESSING_REQUIRED; } else { + if (maj_stat == GSS_S_FAILURE + && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) { + /* garbage input, possibly from the auto-mech detection */ + return NT_STATUS_INVALID_PARAMETER; + } DEBUG(1, ("GSS Update failed: %s\n", gssapi_error_string(out_mem_ctx, maj_stat, min_stat))); return nt_status; @@ -641,8 +643,8 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security, } if (feature & GENSEC_FEATURE_SESSION_KEY) { #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY - if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length) - && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, gensec_gssapi_state->gss_oid->length) == 0)) { + if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) + && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) { return True; } #endif @@ -662,8 +664,8 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY /* Ensure we only call this for GSSAPI/krb5, otherwise things could get very ugly */ - if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length) - && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, + if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) + && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) { OM_uint32 maj_stat, min_stat; gss_buffer_desc skey; diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c index 99d5fdef53..0c5ce09637 100644 --- a/source4/auth/gensec/schannel_state.c +++ b/source4/auth/gensec/schannel_state.c @@ -26,9 +26,6 @@ #include "lib/ldb/include/ldb.h" #include "db_wrap.h" -/* a reasonable amount of time to keep credentials live */ -#define SCHANNEL_CREDENTIALS_EXPIRY 600 - /* connect to the schannel ldb */ @@ -72,11 +69,9 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, struct ldb_context *ldb; struct ldb_message *msg; struct ldb_val val, seed; - char *s; char *f; char *sct; char *rid; - time_t expiry = time(NULL) + SCHANNEL_CREDENTIALS_EXPIRY; int ret; ldb = schannel_db_connect(mem_ctx); @@ -84,13 +79,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - s = talloc_asprintf(mem_ctx, "%u", (unsigned int)expiry); - - if (s == NULL) { - talloc_free(ldb); - return NT_STATUS_NO_MEMORY; - } - f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags); if (f == NULL) { @@ -133,7 +121,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, ldb_msg_add_value(ldb, msg, "sessionKey", &val); ldb_msg_add_value(ldb, msg, "seed", &seed); - ldb_msg_add_string(ldb, msg, "expiry", s); ldb_msg_add_string(ldb, msg, "negotiateFlags", f); ldb_msg_add_string(ldb, msg, "secureChannelType", sct); ldb_msg_add_string(ldb, msg, "accountName", creds->account_name); @@ -145,8 +132,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, ret = ldb_add(ldb, msg); - talloc_free(s); - if (ret != 0) { DEBUG(0,("Unable to add %s to session key db - %s\n", msg->dn, ldb_errstring(ldb))); @@ -171,7 +156,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, struct creds_CredentialState **creds) { struct ldb_context *ldb; - time_t expiry; struct ldb_message **res; int ret; const struct ldb_val *val; @@ -199,13 +183,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_HANDLE; } - expiry = ldb_msg_find_uint(res[0], "expiry", 0); - if (expiry < time(NULL)) { - DEBUG(1,("schannel: attempt to use expired session key for %s\n", computer_name)); - talloc_free(ldb); - return NT_STATUS_INVALID_HANDLE; - } - val = ldb_msg_find_ldb_val(res[0], "sessionKey"); if (val == NULL || val->length != 16) { DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name)); diff --git a/source4/auth/kerberos/kerberos.m4 b/source4/auth/kerberos/kerberos.m4 index f9a2d66c0a..b78f96a877 100644 --- a/source4/auth/kerberos/kerberos.m4 +++ b/source4/auth/kerberos/kerberos.m4 @@ -195,7 +195,7 @@ if test x"$with_krb5_support" != x"no"; then # now check for gssapi headers. This is also done here to allow for # different kerberos include paths - AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h) + AC_CHECK_HEADERS(gssapi.h gssapi_krb5.h gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h com_err.h) ################################################################## # we might need the k5crypto and com_err libraries on some systems diff --git a/source4/include/system/kerberos.h b/source4/include/system/kerberos.h index 392300267e..d5fc0209e5 100644 --- a/source4/include/system/kerberos.h +++ b/source4/include/system/kerberos.h @@ -27,7 +27,11 @@ #undef HAVE_KRB5 #endif -#ifdef HAVE_GSSAPI_H +#ifdef HAVE_GSSAPI_KRB5_H +#include <gssapi_krb5.h> +#elif defined(HAVE_GSSAPI_KRB5_H) +#include <gssapi/gssapi_krb5.h> +#elif defined(HAVE_GSSAPI_H) #include <gssapi.h> #elif defined(HAVE_GSSAPI_GSSAPI_H) #include <gssapi/gssapi.h> |