Diffstat (limited to 'source4/heimdal/lib')
-rw-r--r-- | source4/heimdal/lib/gssapi/8003.c | 8 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/accept_sec_context.c | 51 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/crypto.c | 3 |
3 files changed, 46 insertions, 16 deletions
diff --git a/source4/heimdal/lib/gssapi/8003.c b/source4/heimdal/lib/gssapi/8003.c
index ad580811a5..73ecc90ea8 100644
--- a/source4/heimdal/lib/gssapi/8003.c
+++ b/source4/heimdal/lib/gssapi/8003.c
@@ -185,13 +185,9 @@ gssapi_krb5_verify_8003_checksum(
 return GSS_S_BAD_BINDINGS;
 }
- /* This is the case where Samba3 has built GSSAPI out of
- * krb5 the 'dodgy' way. We have to accept the non-GSSAPI
- * checksum because windows does */
-
 if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
- *flags = 0;
- return GSS_S_COMPLETE;
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
 }
 /* XXX should handle checksums > 24 bytes */
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c
index 9ca60a6cdd..afca449c5c 100644
--- a/source4/heimdal/lib/gssapi/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/accept_sec_context.c
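Review bot: In 8003.c the new rejection of a non-GSSAPI checksum type returns `GSS_S_BAD_BINDINGS` with `*minor_status = 0`, which is the same status as the other `GSS_S_BAD_BINDINGS` return just above it, so a caller or log reader cannot tell a wrong checksum type from whatever that earlier check rejects. The explanatory comment was removed and nothing replaces it; I would add `/* Only CKSUMTYPE_GSSAPI is handled here; any other checksum type must be verified by the caller */` above the `if`. The body of gssapi_krb5_verify_8003_checksum starts and ends outside the hunk.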
@@ -371,15 +371,48 @@ gsskrb5_acceptor_start
 return ret;
 }
- ret = gssapi_krb5_verify_8003_checksum(minor_status,
- input_chan_bindings,
- authenticator->cksum,
- &flags,
- &(*context_handle)->fwd_data);
- krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret) {
- return ret;
- }
+ if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+ ret = gssapi_krb5_verify_8003_checksum(minor_status,
+ input_chan_bindings,
+ authenticator->cksum,
+ &flags,
+ &(*context_handle)->fwd_data);
+
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+ if (ret) {
+ return ret;
+ }
+ } else {
+ krb5_crypto crypto;
+
+ kret = krb5_crypto_init(gssapi_krb5_context,
+ (*context_handle)->auth_context->keyblock,
+ 0, &crypto);
+ if(kret) {
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return ret;
+ }
+
+ /* Windows accepts Samba3's use of a kerberos,
+ rather than GSSAPI checksum here */
+ kret = krb5_verify_checksum(gssapi_krb5_context,
+ crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+ authenticator->cksum);
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+ if(kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return ret;
+ }
+
+ flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ }
 }
 if(flags & GSS_C_MUTUAL_FLAG) {
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 2e8160518b..1a37ec538b 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -2042,7 +2042,8 @@ verify_checksum(krb5_context context,
 }
 keyed_checksum = (ct->flags & F_KEYED) != 0;
 if(keyed_checksum && crypto == NULL) {
- krb5_clear_error_string (context);
+ krb5_set_error_string (context, "checksum type %s is keyed, and requires a crypto context",
+ ct->name);
 return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
 }
 if(keyed_checksum) |
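Review bot: In accept_sec_context.c the new `else` branch never releases `crypto`: neither the return after a failed `krb5_verify_checksum` nor the success path calls `krb5_crypto_destroy`, so every context accepted with a non-GSSAPI checksum leaks the derived key state. The new `authenticator->cksum->cksumtype` test also dereferences `cksum` before any NULL check; the checksum is an optional field of the authenticator, so a request without one would presumably crash the acceptor here rather than be rejected. This path also ignores `input_chan_bindings` and verifies a checksum over empty data, which shows possession of the key only when the checksum type is keyed, so a comment stating that limitation would help. The sketch below adds the NULL guard and the destroy call; gsskrb5_acceptor_start starts and ends outside the hunk.

```c
        if (authenticator->cksum == NULL) {
            krb5_free_authenticator(gssapi_krb5_context, &authenticator);
            *minor_status = 0;
            return GSS_S_BAD_BINDINGS;
        }
        /* … unchanged: CKSUMTYPE_GSSAPI branch, krb5_crypto_init and its error path, krb5_verify_checksum call … */
            krb5_free_authenticator(gssapi_krb5_context, &authenticator);
            krb5_crypto_destroy(gssapi_krb5_context, crypto);
        /* … unchanged: kret error path and flags assignment … */
```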