The branch, v4-0-test has been updated via 697cd1896bccaa55ee422f17d9312d787ca699ed (commit) via 6a8b07c39558f240b89e833ecba15d8b9fc020e8 (commit) via 66244092a457b2cde6339cb31dcfa73b122ba9b5 (commit) from 6d8fd4c0089d7e632ec91027a77321aca8c6acc7 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit 697cd1896bccaa55ee422f17d9312d787ca699ed Author: Stefan Metzmacher <[EMAIL PROTECTED]> Date: Wed Aug 13 07:22:36 2008 +0200 Revert "krb5: always generate the acceptor subkey as the same enctype as the used service key" This reverts commit dbb94133e0313cae933d261af0bf1210807a6d11. As we fixed gensec_gssapi to only return a session key when it's have the correct session key, this hack isn't needed anymore. metze commit 6a8b07c39558f240b89e833ecba15d8b9fc020e8 Author: Stefan Metzmacher <[EMAIL PROTECTED]> Date: Wed Aug 13 09:52:20 2008 +0200 gsskrb5: always return an acceptor subkey For non cfx keys it's the same as the intiator subkey. This matches windows behavior. metze commit 66244092a457b2cde6339cb31dcfa73b122ba9b5 Author: Stefan Metzmacher <[EMAIL PROTECTED]> Date: Wed Aug 13 07:18:35 2008 +0200 gensec_gssapi: only cache the session key in STAGE_DONE The key may change because we switch from initiator to acceptor subkey. metze ----------------------------------------------------------------------- Summary of changes: source/auth/gensec/gensec_gssapi.c | 14 ++++++++---- .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 22 ++++++++++++++++--- source/heimdal/lib/krb5/rd_req.c | 3 -- 3 files changed, 27 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/source/auth/gensec/gensec_gssapi.c b/source/auth/gensec/gensec_gssapi.c index 0df40dc..20d0807 100644 --- a/source/auth/gensec/gensec_gssapi.c +++ b/source/auth/gensec/gensec_gssapi.c 
@@ -1236,12 +1236,16 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_NO_USER_SESSION_KEY; } - DEBUG(10, ("Got KRB5 session key of length %d\n", - (int)KRB5_KEY_LENGTH(subkey))); - gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, - KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); + DEBUG(10, ("Got KRB5 session key of length %d%s\n", + (int)KRB5_KEY_LENGTH(subkey), + (gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":"")); + *session_key = data_blob_talloc(gensec_gssapi_state, + KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey); - *session_key = gensec_gssapi_state->session_key; + if (gensec_gssapi_state->sasl_state == STAGE_DONE) { + /* only cache in the done stage */ + gensec_gssapi_state->session_key = *session_key; + } dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); return NT_STATUS_OK; diff --git a/source/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source/heimdal/lib/gssapi/krb5/accept_sec_context.c index 8dbd087..a6f0f31 100644 --- a/source/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source/heimdal/lib/gssapi/krb5/accept_sec_context.c 
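Review bot: The blob assigned on the new `*session_key = data_blob_talloc(...)` line is handed back with NT_STATUS_OK without checking that the copy succeeded; as far as I recall the helper, data_blob_talloc returns a null blob (data NULL, length 0) both when talloc fails and when the requested length is 0, so the caller would receive an empty session key together with a success status, which is the wrong failure mode for a key that gates signing and sealing. After the krb5_free_keyblock call add `if (session_key->data == NULL) { return NT_STATUS_NO_MEMORY; }`, which also keeps the following dump_data_pw from printing a zero-length key as if it were valid. A smaller point: every call made before sasl_state reaches STAGE_DONE now allocates a fresh blob on gensec_gssapi_state that nothing releases, so those blobs accumulate on the state until it is freed; if pre-DONE callers are expected to be rare that is acceptable, but a comment saying so next to the new `if (gensec_gssapi_state->sasl_state == STAGE_DONE)` would help. gensec_gssapi_session_key begins before this hunk.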
@@ -520,16 +520,30 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, if(ctx->flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; + int use_subkey = 0; _gsskrb5i_is_cfx(ctx, &is_cfx); if (is_cfx != 0 || (ap_options & AP_OPTS_USE_SUBKEY)) { - kret = krb5_auth_con_addflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); + use_subkey = 1; + } else { + krb5_keyblock *rkey; + kret = krb5_auth_con_getremotesubkey(context, ctx->auth_context, &rkey); + if (kret == 0) { + kret = krb5_auth_con_setlocalsubkey(context, ctx->auth_context, rkey); + if (kret == 0) { + use_subkey = 1; + } + krb5_free_keyblock(context, rkey); + } + } + if (use_subkey) { ctx->more_flags |= ACCEPTOR_SUBKEY; + krb5_auth_con_addflags(context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_USE_SUBKEY, + NULL); } kret = krb5_mk_rep(context, diff --git a/source/heimdal/lib/krb5/rd_req.c b/source/heimdal/lib/krb5/rd_req.c index e80aaa6..ddf1f69 100644 --- a/source/heimdal/lib/krb5/rd_req.c +++ b/source/heimdal/lib/krb5/rd_req.c @@ -463,8 +463,6 @@ krb5_verify_ap_req2(krb5_context context, ac->keytype = ETYPE_NULL; -#if 0 -/* it's bad to use a different enctype as the client */ if (etypes.val) { int i; @@ -475,7 +473,6 @@ krb5_verify_ap_req2(krb5_context context, } } } -#endif /* save key */ ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock); -- Samba Shared Repository
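Review bot: The new else branch treats `kret == 0` from krb5_auth_con_getremotesubkey as proof that `rkey` holds a key, but in this tree that call, as far as I recall its copy_key helper, reports success with `*rkey == NULL` when the initiator sent no subkey; the branch would then install a NULL local subkey, set ACCEPTOR_SUBKEY and request KRB5_AUTH_CONTEXT_USE_SUBKEY, so the "same as the initiator subkey" property the commit message describes no longer holds, and what krb5_mk_rep does with a NULL local subkey is outside this hunk. Change the test to `if (kret == 0 && rkey != NULL) {` so the no-subkey case keeps the previous session-key behaviour. A failure from krb5_auth_con_setlocalsubkey is also silently dropped, because kret is overwritten by the `kret = krb5_mk_rep(` assignment a few lines later; if falling back to the session key is intended there, a comment such as `/* fall back to the session key if the subkey cannot be copied */` would make that explicit. gsskrb5_acceptor_start starts and ends outside this hunk.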