The branch, v4-0-test has been updated
via 697cd1896bccaa55ee422f17d9312d787ca699ed (commit)
via 6a8b07c39558f240b89e833ecba15d8b9fc020e8 (commit)
via 66244092a457b2cde6339cb31dcfa73b122ba9b5 (commit)
from 6d8fd4c0089d7e632ec91027a77321aca8c6acc7 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 697cd1896bccaa55ee422f17d9312d787ca699ed
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Wed Aug 13 07:22:36 2008 +0200
Revert "krb5: always generate the acceptor subkey as the same enctype as
the used service key"
This reverts commit dbb94133e0313cae933d261af0bf1210807a6d11.
As we fixed gensec_gssapi to only return a session key when it's
have the correct session key, this hack isn't needed anymore.
metze
commit 6a8b07c39558f240b89e833ecba15d8b9fc020e8
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Wed Aug 13 09:52:20 2008 +0200
gsskrb5: always return an acceptor subkey
For non cfx keys it's the same as the intiator subkey.
This matches windows behavior.
metze
commit 66244092a457b2cde6339cb31dcfa73b122ba9b5
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Wed Aug 13 07:18:35 2008 +0200
gensec_gssapi: only cache the session key in STAGE_DONE
The key may change because we switch from initiator to acceptor
subkey.
metze
-----------------------------------------------------------------------
Summary of changes:
source/auth/gensec/gensec_gssapi.c | 14 ++++++++----
.../heimdal/lib/gssapi/krb5/accept_sec_context.c | 22 ++++++++++++++++---
source/heimdal/lib/krb5/rd_req.c | 3 --
3 files changed, 27 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/auth/gensec/gensec_gssapi.c
b/source/auth/gensec/gensec_gssapi.c
index 0df40dc..20d0807 100644
--- a/source/auth/gensec/gensec_gssapi.c
+++ b/source/auth/gensec/gensec_gssapi.c
@@ -1236,12 +1236,16 @@ static NTSTATUS gensec_gssapi_session_key(struct
gensec_security *gensec_securit
return NT_STATUS_NO_USER_SESSION_KEY;
}
- DEBUG(10, ("Got KRB5 session key of length %d\n",
- (int)KRB5_KEY_LENGTH(subkey)));
- gensec_gssapi_state->session_key =
data_blob_talloc(gensec_gssapi_state,
-
KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
+ DEBUG(10, ("Got KRB5 session key of length %d%s\n",
+ (int)KRB5_KEY_LENGTH(subkey),
+ (gensec_gssapi_state->sasl_state == STAGE_DONE)?"
(done)":""));
+ *session_key = data_blob_talloc(gensec_gssapi_state,
+ KRB5_KEY_DATA(subkey),
KRB5_KEY_LENGTH(subkey));
krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
subkey);
- *session_key = gensec_gssapi_state->session_key;
+ if (gensec_gssapi_state->sasl_state == STAGE_DONE) {
+ /* only cache in the done stage */
+ gensec_gssapi_state->session_key = *session_key;
+ }
dump_data_pw("KRB5 Session Key:\n", session_key->data,
session_key->length);
return NT_STATUS_OK;
diff --git a/source/heimdal/lib/gssapi/krb5/accept_sec_context.c
b/source/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 8dbd087..a6f0f31 100644
--- a/source/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -520,16 +520,30 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf;
+ int use_subkey = 0;
_gsskrb5i_is_cfx(ctx, &is_cfx);
if (is_cfx != 0
|| (ap_options & AP_OPTS_USE_SUBKEY)) {
- kret = krb5_auth_con_addflags(context,
- ctx->auth_context,
- KRB5_AUTH_CONTEXT_USE_SUBKEY,
- NULL);
+ use_subkey = 1;
+ } else {
+ krb5_keyblock *rkey;
+ kret = krb5_auth_con_getremotesubkey(context, ctx->auth_context,
&rkey);
+ if (kret == 0) {
+ kret = krb5_auth_con_setlocalsubkey(context, ctx->auth_context,
rkey);
+ if (kret == 0) {
+ use_subkey = 1;
+ }
+ krb5_free_keyblock(context, rkey);
+ }
+ }
+ if (use_subkey) {
ctx->more_flags |= ACCEPTOR_SUBKEY;
+ krb5_auth_con_addflags(context,
+ ctx->auth_context,
+ KRB5_AUTH_CONTEXT_USE_SUBKEY,
+ NULL);
}
kret = krb5_mk_rep(context,
diff --git a/source/heimdal/lib/krb5/rd_req.c b/source/heimdal/lib/krb5/rd_req.c
index e80aaa6..ddf1f69 100644
--- a/source/heimdal/lib/krb5/rd_req.c
+++ b/source/heimdal/lib/krb5/rd_req.c
@@ -463,8 +463,6 @@ krb5_verify_ap_req2(krb5_context context,
ac->keytype = ETYPE_NULL;
-#if 0
-/* it's bad to use a different enctype as the client */
if (etypes.val) {
int i;
@@ -475,7 +473,6 @@ krb5_verify_ap_req2(krb5_context context,
}
}
}
-#endif
/* save key */
ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
--
Samba Shared Repository
