From 674278d5b0d68e96d68f7beab2289a502efa6bc4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 17 Feb 2012 13:36:35 +1100
Subject: auth/kerberos: Move gse_get_session_key() to common code and use in
 gensec_gssapi

Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.

Andrew Bartlett
---
 source3/librpc/crypto/gse.c | 116 ++------------------------------------------
 1 file changed, 3 insertions(+), 113 deletions(-)

(limited to 'source3/librpc/crypto/gse.c')

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index d8f3af0897..1ce3761ae7 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -35,26 +35,6 @@
 #include "smb_krb5.h"
 #include "gse_krb5.h"
 
-#ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
-#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
-#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
-#endif
-
-gss_OID_desc gse_sesskey_inq_oid = {
-	GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH,
-	(void *)GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
-};
-
-#ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID
-#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
-#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID  "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
-#endif
-
-gss_OID_desc gse_sesskeytype_oid = {
-	GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
-	(void *)GSS_KRB5_SESSION_KEY_ENCTYPE_OID
-};
-
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
 
 struct gse_context {
@@ -563,96 +543,6 @@ done:
 	return errstr;
 }
 
-static NTSTATUS gse_get_session_key(TALLOC_CTX *mem_ctx,
-				    struct gse_context *gse_ctx, 
-				    DATA_BLOB *session_key, 
-				    uint32_t *keytype)
-{
-	OM_uint32 gss_min, gss_maj;
-	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
-
-	gss_maj = gss_inquire_sec_context_by_oid(
-				&gss_min, gse_ctx->gssapi_context,
-				&gse_sesskey_inq_oid, &set);
-	if (gss_maj) {
-		DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
-			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
-		return NT_STATUS_NO_USER_SESSION_KEY;
-	}
-
-	if ((set == GSS_C_NO_BUFFER_SET) ||
-	    (set->count == 0)) {
-#ifdef HAVE_GSSKRB5_GET_SUBKEY
-		krb5_keyblock *subkey;
-		gss_maj = gsskrb5_get_subkey(&gss_min,
-					     gse_ctx->gssapi_context,
-					     &subkey);
-		if (gss_maj != 0) {
-			DEBUG(1, ("NO session key for this mech\n"));
-			return NT_STATUS_NO_USER_SESSION_KEY;
-		}
-		if (session_key) {
-			*session_key = data_blob_talloc(mem_ctx,
-							KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
-		}
-		if (keytype) {
-			*keytype = KRB5_KEY_TYPE(subkey);
-		}
-		krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
-		return NT_STATUS_OK;
-#else
-		DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
-			  "OID for data in results:\n"));
-		dump_data(1, (uint8_t *)set->elements[1].value,
-			     set->elements[1].length);
-		return NT_STATUS_NO_USER_SESSION_KEY;
-#endif
-	}
-
-	if (session_key) {
-		*session_key = data_blob_talloc(mem_ctx, set->elements[0].value,
-						set->elements[0].length);
-	}
-
-	if (keytype) {
-		char *oid;
-		char *p, *q = NULL;
-		
-		if (set->count < 2
-		    || memcmp(set->elements[1].value,
-			      gse_sesskeytype_oid.elements,
-			      gse_sesskeytype_oid.length) != 0) {
-			/* Perhaps a non-krb5 session key */
-			*keytype = 0;
-			gss_maj = gss_release_buffer_set(&gss_min, &set);
-			return NT_STATUS_OK;
-		}
-		if (!ber_read_OID_String(talloc_tos(), 
-					 data_blob_const(set->elements[1].value,
-							 set->elements[1].length), &oid)) {
-			TALLOC_FREE(oid);
-			gss_maj = gss_release_buffer_set(&gss_min, &set);
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-		p = strrchr(oid, '.');
-		if (!p) {
-			TALLOC_FREE(oid);
-			gss_maj = gss_release_buffer_set(&gss_min, &set);
-			return NT_STATUS_INVALID_PARAMETER;
-		} else {
-			p++;
-			*keytype = strtoul(p, &q, 10);
-			if (q == NULL || *q != '\0') {
-				return NT_STATUS_INVALID_PARAMETER;
-			}
-		}
-		TALLOC_FREE(oid);
-	}
-	
-	gss_maj = gss_release_buffer_set(&gss_min, &set);
-	return NT_STATUS_OK;
-}
-
 static size_t gse_get_signature_length(struct gse_context *gse_ctx,
 				       bool seal, size_t payload_size)
 {
@@ -1125,8 +1015,8 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security,
 			return false;
 		}
 
-		status = gse_get_session_key(talloc_tos(), 
-					   gse_ctx, NULL, &keytype);
+		status = gssapi_get_session_key(talloc_tos(), 
+						gse_ctx->gssapi_context, NULL, &keytype);
 		/* 
 		 * We should do a proper sig on the mechListMic unless
 		 * we know we have to be backwards compatible with
@@ -1168,7 +1058,7 @@ static NTSTATUS gensec_gse_session_key(struct gensec_security *gensec_security,
 		talloc_get_type_abort(gensec_security->private_data,
 		struct gse_context);
 
-	return gse_get_session_key(mem_ctx, gse_ctx, session_key, NULL);
+	return gssapi_get_session_key(mem_ctx, gse_ctx->gssapi_context, session_key, NULL);
 }
 
 /* Get some basic (and authorization) information about the user on
-- 
cgit