r15484: Make accept_security_context() more compatible with how Samba3 (and
authorAndrew Bartlett <abartlet@samba.org>
Sun, 7 May 2006 09:28:49 +0000 (09:28 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:05:39 +0000 (14:05 -0500)
similarly built clients) behave.

This is better than simply ignoring the checksum when it isn't the GSSAPI
checksum.  (Samba4 clients in Samba3 mode use more than just the MD5
checksum, and will use a signed AES checksum if available.  Actual
samba3 may well do the same in future, against a suitable KDC).

Also a change for easier debugging of checksum issues.

Andrew Bartlett
(This used to be commit 120374f5f9e9af0653a26e0308e4bfdabbcaa3f3)

source4/heimdal/lib/gssapi/8003.c
source4/heimdal/lib/gssapi/accept_sec_context.c
source4/heimdal/lib/krb5/crypto.c

index ad580811a5515b150169ccff37e14805674ddb92..73ecc90ea83fb7b67a70e567bf42cdccf9c45c1b 100644 (file)
@@ -185,13 +185,9 @@ gssapi_krb5_verify_8003_checksum(
        return GSS_S_BAD_BINDINGS;
     }
     
-    /* This is the case where Samba3 has built GSSAPI out of
-     * krb5 the 'dodgy' way.  We have to accept the non-GSSAPI
-     * checksum because windows does */
-    
     if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
-           *flags = 0;
-           return GSS_S_COMPLETE;
+       *minor_status = 0;
+       return GSS_S_BAD_BINDINGS;
     }
     
     /* XXX should handle checksums > 24 bytes */
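Review bot: The `if(cksum->cksumtype != CKSUMTYPE_GSSAPI)` branch now fails the call, but with `*minor_status = 0` a caller cannot tell "wrong checksum type" apart from a real binding mismatch, since both paths return GSS_S_BAD_BINDINGS. The removed comment was the only explanation of why a non-GSSAPI checksum can reach this function at all; with the companion change in accept_sec_context.c routing such checksums to krb5_verify_checksum first, a replacement such as `/* Non-GSSAPI checksum types are verified by the caller as plain krb5 checksums; reject them here so bindings and flags are never taken from a checksum this code did not check */` keeps that context. GSS_S_DEFECTIVE_TOKEN may describe the condition better than GSS_S_BAD_BINDINGS, though that depends on what callers outside this hunk match on. gssapi_krb5_verify_8003_checksum starts and ends outside the hunk.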
index 9ca60a6cddc9c5add5c71a8affcaa8e56080825d..afca449c5c15db8755c92eeae389e0cf4063f003 100644 (file)
@@ -371,15 +371,48 @@ gsskrb5_acceptor_start
            return ret;
        }
 
-       ret = gssapi_krb5_verify_8003_checksum(minor_status,
-                                              input_chan_bindings,
-                                              authenticator->cksum,
-                                              &flags,
-                                              &(*context_handle)->fwd_data);
-       krb5_free_authenticator(gssapi_krb5_context, &authenticator);
-       if (ret) {
-           return ret;
-       }
+        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+            ret = gssapi_krb5_verify_8003_checksum(minor_status,
+                                                   input_chan_bindings,
+                                                   authenticator->cksum,
+                                                   &flags,
+                                                   &(*context_handle)->fwd_data);
+
+           krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+           if (ret) {
+               return ret;
+           }
+        } else {
+           krb5_crypto crypto;
+
+           kret = krb5_crypto_init(gssapi_krb5_context, 
+                                  (*context_handle)->auth_context->keyblock, 
+                                  0, &crypto);
+           if(kret) {
+               krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+               ret = GSS_S_FAILURE;
+               *minor_status = kret;
+               gssapi_krb5_set_error_string ();
+               return ret;
+           }
+
+           /* Windows accepts Samba3's use of a kerberos, 
+              rather than GSSAPI checksum here */
+           kret = krb5_verify_checksum(gssapi_krb5_context,
+                                       crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+                                       authenticator->cksum);
+           krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+           if(kret) {
+               ret = GSS_S_FAILURE;
+               *minor_status = kret;
+               gssapi_krb5_set_error_string ();
+               return ret;
+           }
+
+           flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+        }
     }
     
     if(flags & GSS_C_MUTUAL_FLAG) {
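Review bot: The `krb5_crypto` obtained from `krb5_crypto_init` in the new else branch is never released: neither the error return after `krb5_verify_checksum` nor the success path calls `krb5_crypto_destroy(gssapi_krb5_context, crypto);`, so every accept carrying a plain Kerberos checksum leaks the crypto context. Add that call immediately after the `krb5_free_authenticator` that follows `krb5_verify_checksum`, before the `if(kret)` test. The same branch never consults `input_chan_bindings`, so a client that sends a non-GSSAPI checksum bypasses channel-binding verification entirely and is granted the hard-coded `GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG` regardless of what it requested; if that is the intended Samba3-compatibility behaviour, the comment above `krb5_verify_checksum` should state it explicitly. The new `authenticator->cksum->cksumtype` test also dereferences `cksum` without a NULL check, and the Authenticator checksum field is optional, unless a check earlier in the function (outside this hunk) guarantees it is present. gsskrb5_acceptor_start starts and ends outside the hunk.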
index 2e8160518bba5c036b393b364b153e82bddfbc0b..1a37ec538b168800644130638a5f1e553cfab80a 100644 (file)
@@ -2042,7 +2042,8 @@ verify_checksum(krb5_context context,
     }
     keyed_checksum = (ct->flags & F_KEYED) != 0;
     if(keyed_checksum && crypto == NULL) {
-       krb5_clear_error_string (context);
+       krb5_set_error_string (context, "checksum type %s is keyed, and requires a crypto context",
+                              ct->name);
        return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
     }
     if(keyed_checksum)
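Review bot: The `/* XXX */` on the `return KRB5_PROG_SUMTYPE_NOSUPP;` line still does not say what it flags, while the new error string makes the actual condition clear: the checksum type is known, only the key is missing, yet the code returned reports an unsupported checksum type. Spelling that out, e.g. `/* XXX: type is supported, only the key is missing; return code does not say that */`, keeps the message and the return value from being read as contradicting each other. verify_checksum starts and ends outside the hunk.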