From dd35840d9be4acff6fe2ff4f268039adf828d871 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Aug 2008 15:27:40 +0200 Subject: gensec_gssapi: use gsskrb5_get_subkey() to get the session key This is needed to get the correct key, when aes keys are used. metze (This used to be commit 7587a7d8b65f27a5865d6873f63a450488da02c9) --- source4/auth/gensec/gensec_gssapi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/gensec/gensec_gssapi.c') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 1541c88e07..0b1b9d851c 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1165,9 +1165,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_OK; } - maj_stat = gsskrb5_get_initiator_subkey(&min_stat, - gensec_gssapi_state->gssapi_context, - &subkey); + maj_stat = gsskrb5_get_subkey(&min_stat, + gensec_gssapi_state->gssapi_context, + &subkey); if (maj_stat != 0) { DEBUG(1, ("NO session key for this mech\n")); return NT_STATUS_NO_USER_SESSION_KEY; -- cgit From 50fb2059c023600259e21051a29d1613ef19459f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Aug 2008 12:39:11 +0200 Subject: gensec_gssapi: use the correct signature size for cfx/rfc4121 style signatures metze (This used to be commit fcabe24f96c9677146ca754a502f336c23050339) --- source4/auth/gensec/gensec_gssapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/gensec/gensec_gssapi.c') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 0b1b9d851c..ff4a23e7fc 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1416,7 +1416,7 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da * TODO: windows uses 76 here, but we don't know * gss_wrap works with aes keys yet */ - gensec_gssapi_state->sig_size = 60; + gensec_gssapi_state->sig_size = 76; } else { gensec_gssapi_state->sig_size = 28; } -- cgit From b686328039f117d1fa097085996d0c8c0d747d67 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 12 Aug 2008 14:56:36 +0200 Subject: gensec_gssapi: add a function to load the lucid structure once metze (This used to be commit daa986d1d04e59550bb5d33b5075daa414d087ba) --- source4/auth/gensec/gensec_gssapi.c | 59 +++++++++++++++++++++++++++---------- 1 file changed, 44 insertions(+), 15 deletions(-) (limited to 'source4/auth/gensec/gensec_gssapi.c') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index ff4a23e7fc..6910a6ecbe 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -65,6 +65,7 @@ struct gensec_gssapi_state { struct smb_krb5_context *smb_krb5_context; struct gssapi_creds_container *client_cred; struct gssapi_creds_container *server_cred; + gss_krb5_lucid_context_v1_t *lucid; gss_cred_id_t delegated_cred_handle; @@ -143,9 +144,45 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) { maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name); } + + if (gensec_gssapi_state->lucid) { + gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid); + } + return 0; } +static NTSTATUS gensec_gssapi_init_lucid(struct gensec_gssapi_state *gensec_gssapi_state) +{ + OM_uint32 maj_stat, min_stat; + + if (gensec_gssapi_state->lucid) { + return NT_STATUS_OK; + } + + maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, + &gensec_gssapi_state->gssapi_context, + 1, + (void **)&gensec_gssapi_state->lucid); + if (maj_stat != GSS_S_COMPLETE) { + DEBUG(0,("gensec_gssapi_init_lucid: %s\n", + gssapi_error_string(gensec_gssapi_state, + maj_stat, min_stat, + gensec_gssapi_state->gss_oid))); + return NT_STATUS_INTERNAL_ERROR; + } + + if (gensec_gssapi_state->lucid->version != 1) { + DEBUG(0,("gensec_gssapi_init_lucid: lucid version[%d] != 1\n", + gensec_gssapi_state->lucid->version)); + gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid); + gensec_gssapi_state->lucid = NULL; + return NT_STATUS_INTERNAL_ERROR; + } + + return NT_STATUS_OK; +} + static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) { struct gensec_gssapi_state *gensec_gssapi_state; @@ -169,6 +206,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT; gensec_gssapi_state->server_name = GSS_C_NO_NAME; gensec_gssapi_state->client_name = GSS_C_NO_NAME; + gensec_gssapi_state->lucid = NULL; /* TODO: Fill in channel bindings */ gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS; @@ -1386,8 +1424,7 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da { struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); - OM_uint32 maj_stat, min_stat; - gss_krb5_lucid_context_v1_t *lucid = NULL; + NTSTATUS status; if (gensec_gssapi_state->sig_size) { return gensec_gssapi_state->sig_size; @@ -1399,18 +1436,12 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da gensec_gssapi_state->sig_size = 37; } - maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, - &gensec_gssapi_state->gssapi_context, - 1, (void **)&lucid); - if (maj_stat != GSS_S_COMPLETE) { + status = gensec_gssapi_init_lucid(gensec_gssapi_state); + if (!NT_STATUS_IS_OK(status)) { return gensec_gssapi_state->sig_size; } - if (lucid->version != 1) { - return gensec_gssapi_state->sig_size; - } - - if (lucid->protocol == 1) { + if (gensec_gssapi_state->lucid->protocol == 1) { if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) { /* * TODO: windows uses 76 here, but we don't know @@ -1420,8 +1451,8 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da } else { gensec_gssapi_state->sig_size = 28; } - } else if (lucid->protocol == 0) { - switch (lucid->rfc1964_kd.ctx_key.type) { + } else if (gensec_gssapi_state->lucid->protocol == 0) { + switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) { case KEYTYPE_DES: case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: @@ -1441,8 +1472,6 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da } } - gss_krb5_free_lucid_sec_context(&min_stat, lucid); - return gensec_gssapi_state->sig_size; } -- cgit From 588cc81760b5bac201afd039855f93b1592d16d4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 12 Aug 2008 14:57:14 +0200 Subject: gensec_gssapi: fix compiler warnings metze (This used to be commit f4f4bb7fe977301e468ab164ba750b69d9a92306) --- source4/auth/gensec/gensec_gssapi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/gensec/gensec_gssapi.c') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 6910a6ecbe..7ded764095 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1121,10 +1121,10 @@ static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_securi if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { input_message.length = pdu_length; - input_message.value = whole_pdu; + input_message.value = discard_const(whole_pdu); } else { input_message.length = length; - input_message.value = data; + input_message.value = discard_const(data); } input_token.length = sig->length; -- cgit From 8c0fbbf6e927db9fdbffc28fcde0bea97c5e60e6 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 12 Aug 2008 15:02:02 +0200 Subject: gensec_gssapi: add support for GENSEC_FEATURE_NEW_SPNEGO metze (This used to be commit 9246924effd4d0b08ca1ef87e45ad510020df93e) --- source4/auth/gensec/gensec_gssapi.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'source4/auth/gensec/gensec_gssapi.c') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 7ded764095..0df40dc82f 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1177,6 +1177,31 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security, if (feature & GENSEC_FEATURE_DCE_STYLE) { return gensec_gssapi_state->got_flags & GSS_C_DCE_STYLE; } + if (feature & GENSEC_FEATURE_NEW_SPNEGO) { + NTSTATUS status; + + if (!(gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG)) { + return false; + } + + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "force_new_spnego", false)) { + return true; + } + if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "disable_new_spnego", false)) { + return false; + } + + status = gensec_gssapi_init_lucid(gensec_gssapi_state); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + if (gensec_gssapi_state->lucid->protocol == 1) { + return true; + } + + return false; + } /* We can always do async (rather than strict request/reply) packets. */ if (feature & GENSEC_FEATURE_ASYNC_REPLIES) { return true; -- cgit From 26853e4607573ec849aa663eb2dd7bcea9acca24 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 07:18:35 +0200 Subject: gensec_gssapi: only cache the session key in STAGE_DONE The key may change because we switch from initiator to acceptor subkey. metze (This used to be commit 66244092a457b2cde6339cb31dcfa73b122ba9b5) --- source4/auth/gensec/gensec_gssapi.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source4/auth/gensec/gensec_gssapi.c') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 0df40dc82f..20d08078be 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1236,12 +1236,16 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_NO_USER_SESSION_KEY; } - DEBUG(10, ("Got KRB5 session key of length %d\n", - (int)KRB5_KEY_LENGTH(subkey))); - gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, - KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); + DEBUG(10, ("Got KRB5 session key of length %d%s\n", + (int)KRB5_KEY_LENGTH(subkey), + (gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":"")); + *session_key = data_blob_talloc(gensec_gssapi_state, + KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey); - *session_key = gensec_gssapi_state->session_key; + if (gensec_gssapi_state->sasl_state == STAGE_DONE) { + /* only cache in the done stage */ + gensec_gssapi_state->session_key = *session_key; + } dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); return NT_STATUS_OK; -- cgit