From 21592142c3b198aba9c371d7985b0aaf7e455017 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 25 Jul 2008 16:00:50 +0200
Subject: auth/credentials: use the same enctypes when getting a TGT and a TGS

metze

(This used to be commit 9fc5750156467f579ea8d7755987d091f5b579c2)
---
 source4/auth/credentials/credentials_krb5.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'source4/auth')

diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index a880486f0f..c4c58398c3 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -360,6 +360,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 	struct gssapi_creds_container *gcc;
 	struct ccache_container *ccache;
 	gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+	krb5_enctype *etypes = NULL;
 
 	if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold &&
 	    cred->client_gss_creds_obtained > CRED_UNINITIALISED) {
@@ -391,6 +392,28 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		return ret;
 	}
 
+	/* transfer the enctypes from the smb_krb5_context to the gssapi layer */
+	min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context,
+						  &etypes);
+	if (min_stat == 0) {
+		OM_uint32 num_ktypes;
+
+		for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++);
+
+		maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds,
+							   num_ktypes, etypes);
+		krb5_xfree (etypes);
+		if (maj_stat) {
+			talloc_free(gcc);
+			if (min_stat) {
+				ret = min_stat;
+			} else {
+				ret = EINVAL;
+			}
+			return ret;
+		}
+	}
+
 	/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
 	maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
 				       GSS_KRB5_CRED_NO_CI_FLAGS_X,
-- cgit
From 55ea54ec640e4a76df397becc211a81aaec6f09d Mon Sep 17 00:00:00 2001
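Review bot: A failure of `krb5_get_default_in_tkt_etypes()` is silently swallowed: when `min_stat` is non-zero the whole `if (min_stat == 0)` block is skipped and the credential is returned with no enctype restriction at all, which quietly defeats the purpose of the commit (TGS enctypes matching the TGT) without any trace in the logs. At minimum add an `else` branch such as `DEBUG(1, ("krb5_get_default_in_tkt_etypes failed: %d\n", (int)min_stat));`, or treat it as an error like the surrounding paths that `talloc_free(gcc)` and `return ret`. The counting loop `for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++);` hides its body-less `;` at the end of the line; writing it as `for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++) { /* count */ }` avoids a later reader taking the following statement for the loop body. cli_credentials_get_client_gss_creds starts before this hunk and continues after it.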
From: Stefan Metzmacher
Date: Fri, 25 Jul 2008 18:26:31 +0200
Subject: gensec_gssapi: add support for signing RPC messages

metze

(This used to be commit dc2847c0acb0adaede4db72a7517046b93221162)
---
 source4/auth/gensec/gensec_gssapi.c | 47 ++++++++++---------------------------
 1 file changed, 12 insertions(+), 35 deletions(-)
(limited to 'source4/auth')

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index cc0d40469e..205d8a0f9b 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1034,35 +1034,22 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit
 		= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
 	OM_uint32 maj_stat, min_stat;
 	gss_buffer_desc input_token, output_token;
-	int conf_state;
-	ssize_t sig_length = 0;
 
 	input_token.length = length;
 	input_token.value = discard_const_p(uint8_t *, data);
 
-	maj_stat = gss_wrap(&min_stat,
+	maj_stat = gss_get_mic(&min_stat,
 			    gensec_gssapi_state->gssapi_context,
-			    0,
 			    GSS_C_QOP_DEFAULT,
 			    &input_token,
-			    &conf_state,
 			    &output_token);
 	if (GSS_ERROR(maj_stat)) {
-		DEBUG(1, ("GSS Wrap failed: %s\n",
+		DEBUG(1, ("GSS GetMic failed: %s\n",
 			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	if (output_token.length < input_token.length) {
-		DEBUG(1, ("gensec_gssapi_sign_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
-			  (long)output_token.length, (long)length));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	/* Caller must pad to right boundary */
-	sig_length = output_token.length - input_token.length;
-
-	*sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
+	*sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length);
 
 	dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
 
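Review bot: The MIC token that `gss_get_mic()` returns in `output_token` is copied into `*sig` by `data_blob_talloc()` but never handed back to the GSS library, so every signed packet leaks one library-allocated buffer; add `gss_release_buffer(&min_stat, &output_token);` directly after the new `*sig = data_blob_talloc(...)` line (the gss_wrap path being replaced had the same omission, but this is the code that stays). The `data_blob_talloc()` result is also not checked, so an allocation failure would return NT_STATUS_OK with an empty signature; `if (sig->data == NULL) { return NT_STATUS_NO_MEMORY; }` after the release keeps the failure visible to the caller. gensec_gssapi_sign_packet begins before this hunk and its `return` lies after it.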
@@ -1080,39 +1067,29 @@ static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_securi
 	struct gensec_gssapi_state *gensec_gssapi_state
 		= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
 	OM_uint32 maj_stat, min_stat;
-	gss_buffer_desc input_token, output_token;
-	int conf_state;
+	gss_buffer_desc input_token;
+	gss_buffer_desc input_message;
 	gss_qop_t qop_state;
-	DATA_BLOB in;
 
 	dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
 
-	in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
+	input_message.length = length;
+	input_message.value = data;
 
-	memcpy(in.data, sig->data, sig->length);
-	memcpy(in.data + sig->length, data, length);
+	input_token.length = sig->length;
+	input_token.value = sig->data;
 
-	input_token.length = in.length;
-	input_token.value = in.data;
-
-	maj_stat = gss_unwrap(&min_stat,
+	maj_stat = gss_verify_mic(&min_stat,
 				  gensec_gssapi_state->gssapi_context,
+				  &input_message,
 				  &input_token,
-				  &output_token,
-				  &conf_state,
 				  &qop_state);
 	if (GSS_ERROR(maj_stat)) {
-		DEBUG(1, ("GSS UnWrap failed: %s\n",
+		DEBUG(1, ("GSS VerifyMic failed: %s\n",
 			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	if (output_token.length != length) {
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	gss_release_buffer(&min_stat, &output_token);
-
 	return NT_STATUS_OK;
 }
 
-- cgit
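Review bot: `input_message.value = data;` stores the caller's buffer into a `void *` without the `discard_const_p(uint8_t *, data)` wrapper that the sibling gensec_gssapi_sign_packet uses for the same parameter in the previous hunk; the function's signature is cut off by the hunk header, but if `data` is `const uint8_t *` here too this line implicitly discards the qualifier (a compiler warning) and is inconsistent with the rest of the file, so `input_message.value = discard_const_p(uint8_t *, data);` is the safer form. `qop_state` is filled in by `gss_verify_mic()` but never examined; if the quality of protection is intentionally not checked, passing `NULL` for that argument states the intent, otherwise compare it against the QOP the caller expects before returning NT_STATUS_OK. gensec_gssapi_check_packet's declaration starts before this hunk.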