The branch, v4-0-test has been updated
via fcabe24f96c9677146ca754a502f336c23050339 (commit)
via 0fa41a94e466d5e11bcf362ccd8ff41b72733d1a (commit)
via 7587a7d8b65f27a5865d6873f63a450488da02c9 (commit)
via dbb94133e0313cae933d261af0bf1210807a6d11 (commit)
via 86848dd0f217774faed81af8fbf68618013e20a1 (commit)
from b345c9cf535af35c83da040ac965d9690dc802fe (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit fcabe24f96c9677146ca754a502f336c23050339
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 8 12:39:11 2008 +0200
gensec_gssapi: use the correct signature size for cfx/rfc4121 style
signatures
metze
commit 0fa41a94e466d5e11bcf362ccd8ff41b72733d1a
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 8 15:01:15 2008 +0200
gsskrb5: try to be compatible with windows for gss_wrap* and cfx
The good thing is that windows and heimdal both use EC=0
in the non DCE_STYLE case, so we need the windows compat hack
only in DCE_STYLE mode.
metze
commit 7587a7d8b65f27a5865d6873f63a450488da02c9
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 8 15:27:40 2008 +0200
gensec_gssapi: use gsskrb5_get_subkey() to get the session key
This is needed to get the correct key, when aes keys are used.
metze
commit dbb94133e0313cae933d261af0bf1210807a6d11
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 8 15:22:39 2008 +0200
krb5: always generate the acceptor subkey as the same enctype as the used
service key
With this patch samba4 can use gsskrb5_get_subkey() to get the session key.
metze
commit 86848dd0f217774faed81af8fbf68618013e20a1
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Jul 25 13:11:46 2008 +0200
gsskrb5: add support for DCE_STYLE and des and des3 keys
Only the des keys are tested as windows doesn't support des3
metze
-----------------------------------------------------------------------
Summary of changes:
source/auth/gensec/gensec_gssapi.c | 8 ++--
source/heimdal/lib/gssapi/krb5/cfx.c | 49 ++++++++++++++++-----
source/heimdal/lib/gssapi/krb5/gsskrb5-private.h | 1 +
source/heimdal/lib/gssapi/krb5/unwrap.c | 52 ++++++++++++++++------
source/heimdal/lib/gssapi/krb5/wrap.c | 34 +++++++++++---
source/heimdal/lib/krb5/rd_req.c | 3 +
6 files changed, 110 insertions(+), 37 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/auth/gensec/gensec_gssapi.c
b/source/auth/gensec/gensec_gssapi.c
index 1541c88..ff4a23e 100644
--- a/source/auth/gensec/gensec_gssapi.c
+++ b/source/auth/gensec/gensec_gssapi.c
@@ -1165,9 +1165,9 @@ static NTSTATUS gensec_gssapi_session_key(struct
gensec_security *gensec_securit
return NT_STATUS_OK;
}
- maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
-
gensec_gssapi_state->gssapi_context,
- &subkey);
+ maj_stat = gsskrb5_get_subkey(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &subkey);
if (maj_stat != 0) {
DEBUG(1, ("NO session key for this mech\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
@@ -1416,7 +1416,7 @@ size_t gensec_gssapi_sig_size(struct gensec_security
*gensec_security, size_t da
* TODO: windows uses 76 here, but we don't know
* gss_wrap works with aes keys yet
*/
- gensec_gssapi_state->sig_size = 60;
+ gensec_gssapi_state->sig_size = 76;
} else {
gensec_gssapi_state->sig_size = 28;
}
diff --git a/source/heimdal/lib/gssapi/krb5/cfx.c
b/source/heimdal/lib/gssapi/krb5/cfx.c
index 6452f80..bc0d736 100755
--- a/source/heimdal/lib/gssapi/krb5/cfx.c
+++ b/source/heimdal/lib/gssapi/krb5/cfx.c
@@ -43,7 +43,8 @@ RCSID("$Id: cfx.c 19031 2006-11-13 18:02:57Z lha $");
#define CFXAcceptorSubkey (1 << 2)
krb5_error_code
-_gsskrb5cfx_wrap_length_cfx(krb5_context context,
+_gsskrb5cfx_wrap_length_cfx(const gsskrb5_ctx context_handle,
+ krb5_context context,
krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
@@ -72,7 +73,11 @@ _gsskrb5cfx_wrap_length_cfx(krb5_context context,
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
- ret = krb5_crypto_getpadsize(context, crypto, &padsize);
+ if (IS_DCE_STYLE(context_handle)) {
+ ret = krb5_crypto_getblocksize(context, crypto, &padsize);
+ } else {
+ ret = krb5_crypto_getpadsize(context, crypto, &padsize);
+ }
if (ret) {
return ret;
}
@@ -258,7 +263,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- ret = _gsskrb5cfx_wrap_length_cfx(context,
+ ret = _gsskrb5cfx_wrap_length_cfx(context_handle, context,
crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
@@ -380,7 +385,15 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = (rrc >> 8) & 0xFF;
token->RRC[1] = (rrc >> 0) & 0xFF;
- ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
+ /*
+ * this is really ugly, but needed against windows
+ * for DCERPC, as windows rotates by EC+RRC.
+ */
+ if (IS_DCE_STYLE(context_handle)) {
+ ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength,
FALSE);
+ } else {
+ ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
+ }
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
@@ -553,14 +566,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
len = input_message_buffer->length;
len -= (p - (u_char *)input_message_buffer->value);
- /* Rotate by RRC; bogus to do this in-place XXX */
- *minor_status = rrc_rotate(p, len, rrc, TRUE);
- if (*minor_status != 0) {
- krb5_crypto_destroy(context, crypto);
- return GSS_S_FAILURE;
- }
-
if (token_flags & CFXSealed) {
+ /*
+ * this is really ugly, but needed against windows
+ * for DCERPC, as windows rotates by EC+RRC.
+ */
+ if (IS_DCE_STYLE(context_handle)) {
+ *minor_status = rrc_rotate(p, len, rrc+ec, TRUE);
+ } else {
+ *minor_status = rrc_rotate(p, len, rrc, TRUE);
+ }
+ if (*minor_status != 0) {
+ krb5_crypto_destroy(context, crypto);
+ return GSS_S_FAILURE;
+ }
+
ret = krb5_decrypt(context, crypto, usage,
p, len, &data);
if (ret != 0) {
@@ -594,6 +614,13 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
} else {
Checksum cksum;
+ /* Rotate by RRC; bogus to do this in-place XXX */
+ *minor_status = rrc_rotate(p, len, rrc, TRUE);
+ if (*minor_status != 0) {
+ krb5_crypto_destroy(context, crypto);
+ return GSS_S_FAILURE;
+ }
+
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(context,
crypto, &cksum.cksumtype);
diff --git a/source/heimdal/lib/gssapi/krb5/gsskrb5-private.h
b/source/heimdal/lib/gssapi/krb5/gsskrb5-private.h
index 64a0dd3..f6edb8b 100644
--- a/source/heimdal/lib/gssapi/krb5/gsskrb5-private.h
+++ b/source/heimdal/lib/gssapi/krb5/gsskrb5-private.h
@@ -661,6 +661,7 @@ _gsskrb5cfx_max_wrap_length_cfx (
krb5_error_code
_gsskrb5cfx_wrap_length_cfx (
+ const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
krb5_crypto /*crypto*/,
int /*conf_req_flag*/,
diff --git a/source/heimdal/lib/gssapi/krb5/unwrap.c
b/source/heimdal/lib/gssapi/krb5/unwrap.c
index eec4078..c287469 100644
--- a/source/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source/heimdal/lib/gssapi/krb5/unwrap.c
@@ -59,10 +59,17 @@ unwrap_des
OM_uint32 ret;
int cstate;
int cmp;
+ int token_len;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 22 + 8 + 15; /* 45 */
+ } else {
+ token_len = input_message_buffer->length;
+ }
p = input_message_buffer->value;
ret = _gsskrb5_verify_header (&p,
- input_message_buffer->length,
+ token_len,
"\x02\x01",
GSS_KRB5_MECHANISM);
if (ret)
@@ -105,12 +112,17 @@ unwrap_des
memset (deskey, 0, sizeof(deskey));
memset (&schedule, 0, sizeof(schedule));
}
- /* check pad */
- ret = _gssapi_verify_pad(input_message_buffer,
- input_message_buffer->length - len,
- &padlength);
- if (ret)
- return ret;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ padlength = 0;
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+ input_message_buffer->length - len,
+ &padlength);
+ if (ret)
+ return ret;
+ }
MD5_Init (&md5);
MD5_Update (&md5, p - 24, 8);
@@ -195,10 +207,17 @@ unwrap_des3
krb5_crypto crypto;
Checksum csum;
int cmp;
+ int token_len;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 34 + 8 + 15; /* 57 */
+ } else {
+ token_len = input_message_buffer->length;
+ }
p = input_message_buffer->value;
ret = _gsskrb5_verify_header (&p,
- input_message_buffer->length,
+ token_len,
"\x02\x01",
GSS_KRB5_MECHANISM);
if (ret)
@@ -245,12 +264,17 @@ unwrap_des3
memcpy (p, tmp.data, tmp.length);
krb5_data_free(&tmp);
}
- /* check pad */
- ret = _gssapi_verify_pad(input_message_buffer,
- input_message_buffer->length - len,
- &padlength);
- if (ret)
- return ret;
+
+ if (IS_DCE_STYLE(context_handle)) {
+ padlength = 0;
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+ input_message_buffer->length - len,
+ &padlength);
+ if (ret)
+ return ret;
+ }
/* verify sequence number */
diff --git a/source/heimdal/lib/gssapi/krb5/wrap.c
b/source/heimdal/lib/gssapi/krb5/wrap.c
index 6d00f2a..bedeace 100644
--- a/source/heimdal/lib/gssapi/krb5/wrap.c
+++ b/source/heimdal/lib/gssapi/krb5/wrap.c
@@ -210,10 +210,19 @@ wrap_des
int32_t seq_number;
size_t len, total_len, padlength, datalen;
- padlength = 8 - (input_message_buffer->length % 8);
- datalen = input_message_buffer->length + padlength + 8;
- len = datalen + 22;
- _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ if (IS_DCE_STYLE(ctx)) {
+ padlength = 0;
+ datalen = input_message_buffer->length;
+ len = 22 + 8;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ total_len += datalen;
+ datalen += 8;
+ } else {
+ padlength = 8 - (input_message_buffer->length % 8);
+ datalen = input_message_buffer->length + padlength + 8;
+ len = datalen + 22;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ }
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);
@@ -336,10 +345,19 @@ wrap_des3
Checksum cksum;
krb5_data encdata;
- padlength = 8 - (input_message_buffer->length % 8);
- datalen = input_message_buffer->length + padlength + 8;
- len = datalen + 34;
- _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ if (IS_DCE_STYLE(ctx)) {
+ padlength = 0;
+ datalen = input_message_buffer->length;
+ len = 34 + 8;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ total_len += datalen;
+ datalen += 8;
+ } else {
+ padlength = 8 - (input_message_buffer->length % 8);
+ datalen = input_message_buffer->length + padlength + 8;
+ len = datalen + 34;
+ _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+ }
output_message_buffer->length = total_len;
output_message_buffer->value = malloc (total_len);
diff --git a/source/heimdal/lib/krb5/rd_req.c b/source/heimdal/lib/krb5/rd_req.c
index ddf1f69..e80aaa6 100644
--- a/source/heimdal/lib/krb5/rd_req.c
+++ b/source/heimdal/lib/krb5/rd_req.c
@@ -463,6 +463,8 @@ krb5_verify_ap_req2(krb5_context context,
ac->keytype = ETYPE_NULL;
+#if 0
+/* it's bad to use a different enctype as the client */
if (etypes.val) {
int i;
@@ -473,6 +475,7 @@ krb5_verify_ap_req2(krb5_context context,
}
}
}
+#endif
/* save key */
ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
--
Samba Shared Repository
