
Problem with session keys and CFX gssapi



This patch matches the server-side behaviour for setting up the keys
that I get back from gss_krb5_get_subkey(), which I used to avoid the
non-standard gsskrb5_get_initiator_subkey().

I'm not sure what this breaks, but without this, calling
gss_krb5_get_subkey returns different values in the client and server
(causing problems for samba4).

So, what have I broken? :-)

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


Author: abartlet
Date: 2006-01-25 22:47:10 +0000 (Wed, 25 Jan 2006)
New Revision: 13144

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13144

Log:
This seems to be required for Samba4 to talk to Samba4, and to get the
same session key.  I need to understand this more, but it works
samba/samba, and I don't have access to windows doing AES (longhorn)
yet.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c	2006-01-25 22:07:27 UTC (rev 13143)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c	2006-01-25 22:47:10 UTC (rev 13144)
@@ -358,6 +358,7 @@
     Checksum cksum;
     krb5_enctype enctype;
     krb5_data fwd_data;
+    int is_cfx;
 
     krb5_data_zero(&outbuf);
     krb5_data_zero(&fwd_data);
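Review bot: `int is_cfx;` is declared without an initializer, and the second hunk reads it in `if (is_cfx != 0)` without checking the return value of `gsskrb5_is_cfx()`; if that query fails and leaves the out-parameter untouched, the test reads an indeterminate stack value. Declaring it as `int is_cfx = 0;` makes the default the non-CFX path, which matches the existing behaviour of the function before this change.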
@@ -486,6 +487,16 @@
 
 	enctype = (*context_handle)->auth_context->keyblock->keytype;
 
+	gsskrb5_is_cfx(*context_handle, &is_cfx);
+	
+	if (is_cfx != 0) {
+		kret = krb5_auth_con_addflags(gssapi_krb5_context,
+					      (*context_handle)->auth_context,
+					      KRB5_AUTH_CONTEXT_USE_SUBKEY,
+					      NULL);
+		(*context_handle)->more_flags |= ACCEPTOR_SUBKEY;
+	}
+	    
 	/* We need to create an Authenticator */
 	{
 		kret = krb5_build_authenticator (gssapi_krb5_context,
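Review bot: `kret` from `krb5_auth_con_addflags()` is assigned but never checked before the code falls through to `krb5_build_authenticator()`; if setting `KRB5_AUTH_CONTEXT_USE_SUBKEY` fails, the authenticator is built without the subkey while `more_flags` has already been marked `ACCEPTOR_SUBKEY`, which is exactly the client/server session-key mismatch the log message is trying to fix. Handle a non-zero `kret` the same way the surrounding code handles other krb5 errors, and only set `(*context_handle)->more_flags |= ACCEPTOR_SUBKEY;` after the flag was applied successfully. The return value of `gsskrb5_is_cfx()` is ignored in the same way. The commit message admits "I need to understand this more", so a short comment explaining why the initiator sets a flag named `ACCEPTOR_SUBKEY` before it has built its own authenticator would help the next reader. Style: the lines `+	` and `+	    ` add trailing whitespace.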


