From 25d7675d695fc1325b954cd90e339b1879776e2b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 2 Jan 2012 22:17:06 +1100
Subject: s3-librpc Use gsskrb5_get_subkey() where available to get the session
 key

This allows gse_get_session_key() to work against Heimdal.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/librpc/crypto/gse.c             | 15 +++++++++++++++
 source4/heimdal_build/wscript_configure |  1 +
 2 files changed, 16 insertions(+)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index a61288b254..b4e59da475 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -628,11 +628,26 @@ DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
 	    (memcmp(set->elements[1].value,
 		    gse_sesskeytype_oid.elements,
 		    gse_sesskeytype_oid.length) != 0)) {
+#ifdef HAVE_GSSKRB5_GET_SUBKEY
+		krb5_keyblock *subkey;
+		gss_maj = gsskrb5_get_subkey(&gss_min,
+					     gse_ctx->gss_ctx,
+					     &subkey);
+		if (gss_maj != 0) {
+			DEBUG(1, ("NO session key for this mech\n"));
+			return data_blob_null;
+		}
+		ret = data_blob_talloc(mem_ctx,
+				       KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
+		krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
+		return ret;
+#else
 		DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
 			  "OID for data in results:\n"));
 		dump_data(1, (uint8_t *)set->elements[1].value,
 			     set->elements[1].length);
 		return data_blob_null;
+#endif
 	}
 
 	ret = data_blob_talloc(mem_ctx, set->elements[0].value,
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index a15070cfbd..5dc4aa14e1 100644
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -86,6 +86,7 @@ conf.define('HAVE_GSS_KRB5_IMPORT_CRED', 1)
 conf.define('HAVE_GSS_OID_EQUAL', 1)
 conf.define('HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID', 1)
 conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1)
+conf.define('HAVE_GSSKRB5_GET_SUBKEY', 1)
 conf.define('HAVE_LIBGSSAPI', 1)
 conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
 conf.define('HAVE_CHECKSUM_IN_KRB5_CHECKSUM', 1)
-- 
cgit