#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc =
- {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
-
struct gensec_gssapi_state {
gss_ctx_id_t gssapi_context;
struct gss_channel_bindings_struct *input_chan_bindings;
#endif
}
- gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc;
+ gensec_gssapi_state->gss_oid = gss_mech_krb5;
ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
if (ret) {
} else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
return NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
+ if (maj_stat == GSS_S_FAILURE
+ && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {
+ /* garbage input, possibly from the auto-mech detection */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
DEBUG(1, ("GSS Update failed: %s\n",
gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
return nt_status;
}
if (feature & GENSEC_FEATURE_SESSION_KEY) {
#ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
- if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, gensec_gssapi_state->gss_oid->length) == 0)) {
+ if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+ && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) {
return True;
}
#endif
#ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
/* Ensure we only call this for GSSAPI/krb5, otherwise things could get very ugly */
- if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements,
+ if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+ && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
gensec_gssapi_state->gss_oid->length) == 0)) {
OM_uint32 maj_stat, min_stat;
gss_buffer_desc skey;
#include "lib/ldb/include/ldb.h"
#include "db_wrap.h"
-/* a reasonable amount of time to keep credentials live */
-#define SCHANNEL_CREDENTIALS_EXPIRY 600
-
/*
connect to the schannel ldb
*/
struct ldb_context *ldb;
struct ldb_message *msg;
struct ldb_val val, seed;
- char *s;
char *f;
char *sct;
char *rid;
- time_t expiry = time(NULL) + SCHANNEL_CREDENTIALS_EXPIRY;
int ret;
ldb = schannel_db_connect(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
- s = talloc_asprintf(mem_ctx, "%u", (unsigned int)expiry);
-
- if (s == NULL) {
- talloc_free(ldb);
- return NT_STATUS_NO_MEMORY;
- }
-
f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
if (f == NULL) {
ldb_msg_add_value(ldb, msg, "sessionKey", &val);
ldb_msg_add_value(ldb, msg, "seed", &seed);
- ldb_msg_add_string(ldb, msg, "expiry", s);
ldb_msg_add_string(ldb, msg, "negotiateFlags", f);
ldb_msg_add_string(ldb, msg, "secureChannelType", sct);
ldb_msg_add_string(ldb, msg, "accountName", creds->account_name);
ret = ldb_add(ldb, msg);
- talloc_free(s);
-
if (ret != 0) {
DEBUG(0,("Unable to add %s to session key db - %s\n",
msg->dn, ldb_errstring(ldb)));
struct creds_CredentialState **creds)
{
struct ldb_context *ldb;
- time_t expiry;
struct ldb_message **res;
int ret;
const struct ldb_val *val;
return NT_STATUS_INVALID_HANDLE;
}
- expiry = ldb_msg_find_uint(res[0], "expiry", 0);
- if (expiry < time(NULL)) {
- DEBUG(1,("schannel: attempt to use expired session key for %s\n", computer_name));
- talloc_free(ldb);
- return NT_STATUS_INVALID_HANDLE;
- }
-
val = ldb_msg_find_ldb_val(res[0], "sessionKey");
if (val == NULL || val->length != 16) {
DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
# now check for gssapi headers. This is also done here to allow for
# different kerberos include paths
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+ AC_CHECK_HEADERS(gssapi.h gssapi_krb5.h gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h com_err.h)
##################################################################
# we might need the k5crypto and com_err libraries on some systems
#undef HAVE_KRB5
#endif
-#ifdef HAVE_GSSAPI_H
+#ifdef HAVE_GSSAPI_KRB5_H
+#include <gssapi_krb5.h>
+#elif defined(HAVE_GSSAPI_KRB5_H)
+#include <gssapi/gssapi_krb5.h>
+#elif defined(HAVE_GSSAPI_H)
#include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
#include <gssapi/gssapi.h>