cifs.upcall: handle MSKRB5 OID properly

When the kernel sends the upcall a sec=mskrb5 parameter, that means
the the MSKRB5 OID is preferred by the server. This patch fixes the
upcall to use that OID in place of the "normal" krb5 OID when it
gets a sec=mskrb5 parameter.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <smfrench@gmail.com>

diff --git a/source/client/cifs.upcall.c b/source/client/cifs.upcall.c
index aa5eb57310a9e2bb823519451ce23e4df99accbe..fd3ed17d2dd2c1b28dda23c7fa622ee2c050dd79 100644 (file)
--- a/source/client/cifs.upcall.c
+++ b/source/client/cifs.upcall.c
@@ -29,7 +29,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
 
 #include "cifs_spnego.h"
 
-const char *CIFSSPNEGO_VERSION = "1.1";
+const char *CIFSSPNEGO_VERSION = "1.2";
 static const char *prog = "cifs.upcall";
 typedef enum _secType {
        KRB5,
@@ -73,7 +73,7 @@ int handle_krb5_mech(const char *oid, const char *principal,
        tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
 
        /* and wrap that in a shiny SPNEGO wrapper */
-       *secblob = gen_negTokenInit(OID_KERBEROS5, tkt_wrapped);
+       *secblob = gen_negTokenInit(oid, tkt_wrapped);
 
        data_blob_free(&tkt_wrapped);
        data_blob_free(&tkt);
@@ -118,6 +118,9 @@ int decode_key_description(const char *desc, int *ver, secType_t * sec,
                        if (strncmp(tkn + 4, "krb5", 4) == 0) {
                                retval |= DKD_HAVE_SEC;
                                *sec = KRB5;
+                       } else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
+                               retval |= DKD_HAVE_SEC;
+                               *sec = MS_KRB5;
                        }
                } else if (strncmp(tkn, "uid=", 4) == 0) {
                        errno = 0;
@@ -219,7 +222,7 @@ int main(const int argc, char *const argv[])
        uid_t uid;
        int kernel_upcall_version;
        int c, use_cifs_service_prefix = 0;
-       char *buf, *hostname = NULL;
+       char *buf, *oid, *hostname = NULL;
 
        openlog(prog, 0, LOG_DAEMON);
 
@@ -301,6 +304,7 @@ int main(const int argc, char *const argv[])
 
        // do mech specific authorization
        switch (sectype) {
+       case MS_KRB5:
        case KRB5:{
                        char *princ;
                        size_t len;
@@ -319,8 +323,12 @@ int main(const int argc, char *const argv[])
                        }
                        strlcpy(princ + 5, hostname, len - 5);
 
-                       rc = handle_krb5_mech(OID_KERBEROS5, princ,
-                                             &secblob, &sess_key);
+                       if (sectype == MS_KRB5)
+                               oid = OID_KERBEROS5_OLD;
+                       else
+                               oid = OID_KERBEROS5;
+
+                       rc = handle_krb5_mech(oid, princ, &secblob, &sess_key);
                        SAFE_FREE(princ);
                        break;
                }