return GSS_S_BAD_BINDINGS;
}
- /* This is the case where Samba3 has built GSSAPI out of
- * krb5 the 'dodgy' way. We have to accept the non-GSSAPI
- * checksum because windows does */
-
if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
- *flags = 0;
- return GSS_S_COMPLETE;
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
}
/* XXX should handle checksums > 24 bytes */
return ret;
}
- ret = gssapi_krb5_verify_8003_checksum(minor_status,
- input_chan_bindings,
- authenticator->cksum,
- &flags,
- &(*context_handle)->fwd_data);
- krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret) {
- return ret;
- }
+ if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+ ret = gssapi_krb5_verify_8003_checksum(minor_status,
+ input_chan_bindings,
+ authenticator->cksum,
+ &flags,
+ &(*context_handle)->fwd_data);
+
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+ if (ret) {
+ return ret;
+ }
+ } else {
+ krb5_crypto crypto;
+
+ kret = krb5_crypto_init(gssapi_krb5_context,
+ (*context_handle)->auth_context->keyblock,
+ 0, &crypto);
+ if(kret) {
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return ret;
+ }
+
+ /* Windows accepts Samba3's use of a kerberos,
+ rather than GSSAPI checksum here */
+ kret = krb5_verify_checksum(gssapi_krb5_context,
+ crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+ authenticator->cksum);
+ krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+
+ if(kret) {
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return ret;
+ }
+
+ flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ }
}
if(flags & GSS_C_MUTUAL_FLAG) {
}
keyed_checksum = (ct->flags & F_KEYED) != 0;
if(keyed_checksum && crypto == NULL) {
- krb5_clear_error_string (context);
+ krb5_set_error_string (context, "checksum type %s is keyed, and requires a crypto context",
+ ct->name);
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
if(keyed_checksum)