diff options
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/credentials/credentials_krb5.c | 23 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 47 |
2 files changed, 35 insertions, 35 deletions
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index a880486f0f..c4c58398c3 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -360,6 +360,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, struct gssapi_creds_container *gcc; struct ccache_container *ccache; gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; + krb5_enctype *etypes = NULL; if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold && cred->client_gss_creds_obtained > CRED_UNINITIALISED) { @@ -391,6 +392,28 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, return ret; } + /* transfer the enctypes from the smb_krb5_context to the gssapi layer */ + min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context, + &etypes); + if (min_stat == 0) { + OM_uint32 num_ktypes; + + for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++); + + maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds, + num_ktypes, etypes); + krb5_xfree (etypes); + if (maj_stat) { + talloc_free(gcc); + if (min_stat) { + ret = min_stat; + } else { + ret = EINVAL; + } + return ret; + } + } + /* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */ maj_stat = gss_set_cred_option(&min_stat, &gcc->creds, GSS_KRB5_CRED_NO_CI_FLAGS_X, diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index cc0d40469e..205d8a0f9b 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1034,35 +1034,22 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); OM_uint32 maj_stat, min_stat; gss_buffer_desc input_token, output_token; - int conf_state; - ssize_t sig_length = 0; input_token.length = length; input_token.value = discard_const_p(uint8_t *, data); - maj_stat = gss_wrap(&min_stat, + maj_stat = gss_get_mic(&min_stat, gensec_gssapi_state->gssapi_context, - 0, GSS_C_QOP_DEFAULT, &input_token, - &conf_state, &output_token); if (GSS_ERROR(maj_stat)) { - DEBUG(1, ("GSS Wrap failed: %s\n", + DEBUG(1, ("GSS GetMic failed: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); return NT_STATUS_ACCESS_DENIED; } - if (output_token.length < input_token.length) { - DEBUG(1, ("gensec_gssapi_sign_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n", - (long)output_token.length, (long)length)); - return NT_STATUS_INTERNAL_ERROR; - } - - /* Caller must pad to right boundary */ - sig_length = output_token.length - input_token.length; - - *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length); + *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length); dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length); @@ -1080,39 +1067,29 @@ static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_securi struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); OM_uint32 maj_stat, min_stat; - gss_buffer_desc input_token, output_token; - int conf_state; + gss_buffer_desc input_token; + gss_buffer_desc input_message; gss_qop_t qop_state; - DATA_BLOB in; dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length); - in = data_blob_talloc(mem_ctx, NULL, sig->length + length); + input_message.length = length; + input_message.value = data; - memcpy(in.data, sig->data, sig->length); - memcpy(in.data + sig->length, data, length); + input_token.length = sig->length; + input_token.value = sig->data; - input_token.length = in.length; - input_token.value = in.data; - - maj_stat = gss_unwrap(&min_stat, + maj_stat = gss_verify_mic(&min_stat, gensec_gssapi_state->gssapi_context, + &input_message, &input_token, - &output_token, - &conf_state, &qop_state); if (GSS_ERROR(maj_stat)) { - DEBUG(1, ("GSS UnWrap failed: %s\n", + DEBUG(1, ("GSS VerifyMic failed: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); return NT_STATUS_ACCESS_DENIED; } - if (output_token.length != length) { - return NT_STATUS_INTERNAL_ERROR; - } - - gss_release_buffer(&min_stat, &output_token); - return NT_STATUS_OK; } |