Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c18
-rw-r--r--source4/auth/gensec/schannel_state.c23
-rw-r--r--source4/auth/kerberos/kerberos.m42
3 files changed, 11 insertions, 32 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e57739c85c..d186e3ed1f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -32,9 +32,6 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc =
- {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
-
struct gensec_gssapi_state {
gss_ctx_id_t gssapi_context;
struct gss_channel_bindings_struct *input_chan_bindings;
@@ -162,7 +159,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
#endif
}
- gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc;
+ gensec_gssapi_state->gss_oid = gss_mech_krb5;
ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
if (ret) {
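Review bot: `gss_mech_krb5` on the `+` line is exported by the Kerberos library's krb5-specific GSSAPI header rather than by plain gssapi.h, so this assignment only compiles where that header is present; the kerberos.m4 hunk in this commit adds configure checks for gssapi_krb5.h and gssapi/gssapi_krb5.h, but the matching include in this file is outside the hunk, so I cannot confirm it is guarded by those results. The static OID description it replaces was the same krb5 mechanism OID, so a one-line comment on the assignment would preserve that knowledge: `/* gss_mech_krb5: the library's own krb5 mechanism OID, declared in gssapi_krb5.h */`. gensec_gssapi_start begins and ends outside the hunk.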
@@ -359,6 +356,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
} else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
return NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
+ if (maj_stat == GSS_S_FAILURE
+ && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {
+ /* garbage input, possibly from the auto-mech detection */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
DEBUG(1, ("GSS Update failed: %s\n",
gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
return nt_status;
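Review bot: The new early return on GSS_S_FAILURE drops the token silently: the `DEBUG(1, ("GSS Update failed: ...` on the line after the added block is bypassed, so a peer sending malformed tokens leaves no trace in the log. Interpreting `min_stat` as a krb5 error code is also only meaningful while `gss_oid` is the krb5 mechanism, which gensec_gssapi_start sets but this function does not re-check. I would log before returning, at a lower level than the generic failure so auto-mech probing stays quiet: `DEBUG(5, ("GSS Update: rejecting malformed or non-krb5 token (minor status %u)\n", (unsigned int)min_stat));`. gensec_gssapi_update begins and ends outside the hunk.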
@@ -641,8 +643,8 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security,
}
if (feature & GENSEC_FEATURE_SESSION_KEY) {
#ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
- if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, gensec_gssapi_state->gss_oid->length) == 0)) {
+ if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+ && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) {
return True;
}
#endif
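Review bot: The length-plus-memcmp comparison against `gss_mech_krb5` on the two `+` lines here is repeated verbatim in the gensec_gssapi_session_key hunk below, and with the static OID description removed it is now the only way this file decides that the negotiated mechanism is krb5. Both copies pass `gss_oid->length` as the memcmp count, which is safe only because the lengths were just checked equal; a single helper keeps that coupling in one place and stops the two sites from drifting. The enclosing gensec_gssapi_have_feature starts outside the hunk.

```c
/* True when the negotiated mechanism is the library's krb5 OID. */
static BOOL gensec_gssapi_is_krb5(const struct gensec_gssapi_state *state)
{
	return (state->gss_oid->length == gss_mech_krb5->length)
		&& (memcmp(state->gss_oid->elements, gss_mech_krb5->elements,
			   state->gss_oid->length) == 0);
}
/* … unchanged: both call sites become `if (gensec_gssapi_is_krb5(gensec_gssapi_state)) {` … */
```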
@@ -662,8 +664,8 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
#ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
/* Ensure we only call this for GSSAPI/krb5, otherwise things could get very ugly */
- if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements,
+ if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+ && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
gensec_gssapi_state->gss_oid->length) == 0)) {
OM_uint32 maj_stat, min_stat;
gss_buffer_desc skey;
diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c
index 99d5fdef53..0c5ce09637 100644
--- a/source4/auth/gensec/schannel_state.c
+++ b/source4/auth/gensec/schannel_state.c
@@ -26,9 +26,6 @@
#include "lib/ldb/include/ldb.h"
#include "db_wrap.h"
-/* a reasonable amount of time to keep credentials live */
-#define SCHANNEL_CREDENTIALS_EXPIRY 600
-
/*
connect to the schannel ldb
*/
@@ -72,11 +69,9 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb;
struct ldb_message *msg;
struct ldb_val val, seed;
- char *s;
char *f;
char *sct;
char *rid;
- time_t expiry = time(NULL) + SCHANNEL_CREDENTIALS_EXPIRY;
int ret;
ldb = schannel_db_connect(mem_ctx);
@@ -84,13 +79,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- s = talloc_asprintf(mem_ctx, "%u", (unsigned int)expiry);
-
- if (s == NULL) {
- talloc_free(ldb);
- return NT_STATUS_NO_MEMORY;
- }
-
f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
if (f == NULL) {
@@ -133,7 +121,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
ldb_msg_add_value(ldb, msg, "sessionKey", &val);
ldb_msg_add_value(ldb, msg, "seed", &seed);
- ldb_msg_add_string(ldb, msg, "expiry", s);
ldb_msg_add_string(ldb, msg, "negotiateFlags", f);
ldb_msg_add_string(ldb, msg, "secureChannelType", sct);
ldb_msg_add_string(ldb, msg, "accountName", creds->account_name);
@@ -145,8 +132,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
ret = ldb_add(ldb, msg);
- talloc_free(s);
-
if (ret != 0) {
DEBUG(0,("Unable to add %s to session key db - %s\n",
msg->dn, ldb_errstring(ldb)));
@@ -171,7 +156,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
struct creds_CredentialState **creds)
{
struct ldb_context *ldb;
- time_t expiry;
struct ldb_message **res;
int ret;
const struct ldb_val *val;
@@ -199,13 +183,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_HANDLE;
}
- expiry = ldb_msg_find_uint(res[0], "expiry", 0);
- if (expiry < time(NULL)) {
- DEBUG(1,("schannel: attempt to use expired session key for %s\n", computer_name));
- talloc_free(ldb);
- return NT_STATUS_INVALID_HANDLE;
- }
-
val = ldb_msg_find_ldb_val(res[0], "sessionKey");
if (val == NULL || val->length != 16) {
DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
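Review bot: With the expiry comparison gone, nothing on the new side bounds how long a stored session key stays usable: a record written by schannel_store_session_key can be presented on any later fetch until something replaces it, and this hunk does not show what does. If the rationale is that clients re-authenticate on their own schedule rather than against a fixed timeout, say so where the record is looked up, e.g. `/* no expiry: the key remains valid until the client re-authenticates and the record is replaced */`, and confirm that the store path removes any earlier record for the same computer, since as I read it the `ldb_add` in the store hunk would reject a duplicate DN rather than overwrite it. schannel_fetch_session_key continues outside the hunk.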
diff --git a/source4/auth/kerberos/kerberos.m4 b/source4/auth/kerberos/kerberos.m4
index f9a2d66c0a..b78f96a877 100644
--- a/source4/auth/kerberos/kerberos.m4
+++ b/source4/auth/kerberos/kerberos.m4
@@ -195,7 +195,7 @@ if test x"$with_krb5_support" != x"no"; then
# now check for gssapi headers. This is also done here to allow for
# different kerberos include paths
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+ AC_CHECK_HEADERS(gssapi.h gssapi_krb5.h gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h com_err.h)
##################################################################
# we might need the k5crypto and com_err libraries on some systems