The Samba-Bugzilla – Attachment 6171 Details for
Bug 7890
cifs-util: GSSAPI 0x8003 checksum uses wrong channel bindings
[patch]
Patches to use krb5_auth_con_set_req_cksumtype()
cifs-utils-gssapi-checksum-02.patches.txt (text/plain), 4.96 KB, created by
Stefan Metzmacher
on 2010-12-27 14:33:57 UTC
>From 4d77fb44fe9b535be532c547ed74899b7cb06815 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 27 Dec 2010 16:00:28 +0100 >Subject: [PATCH 1/3] cifs.upcall: fix memory and call krb5_auth_con_free() > >metze >--- > cifs.upcall.c | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > >diff --git a/cifs.upcall.c b/cifs.upcall.c >index 9b1436e..9116e56 100644 >--- a/cifs.upcall.c >+++ b/cifs.upcall.c >@@ -313,13 +313,15 @@ cifs_krb5_get_req(const char *principal, const char *ccname, > if (ret) { > syslog(LOG_DEBUG, "%s: unable to get session key for %s", > __func__, principal); >- goto out_free_creds; >+ goto out_free_auth; > } > > *mechtoken = data_blob(apreq_pkt.data, apreq_pkt.length); > *sess_key = data_blob(KRB5_KEY_DATA(tokb), KRB5_KEY_LENGTH(tokb)); > > krb5_free_keyblock(context, tokb); >+out_free_auth: >+ krb5_auth_con_free(context, auth_context); > out_free_creds: > krb5_free_creds(context, out_creds); > out_free_principal: >-- >1.7.0.4 > > >From 10613a740a817cfe8325b083a542361078ff7b55 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 27 Dec 2010 16:09:30 +0100 >Subject: [PATCH 2/3] cifs.upcall: use krb5_auth_con_init() to create an explicit auth_context > >metze >--- > cifs.upcall.c | 14 ++++++++++++-- > 1 files changed, 12 insertions(+), 2 deletions(-) > >diff --git a/cifs.upcall.c b/cifs.upcall.c >index 9116e56..d895ccd 100644 >--- a/cifs.upcall.c >+++ b/cifs.upcall.c 
>@@ -299,14 +299,24 @@ cifs_krb5_get_req(const char *principal, const char *ccname, > goto out_free_principal; > } > >- apreq_pkt.data = NULL; > in_data.length = 0; >+ in_data.data = NULL; >+ >+ ret = krb5_auth_con_init(context, &auth_context); >+ if (ret) { >+ syslog(LOG_DEBUG, "%s: unable to create auth_context: %d", >+ __func__, ret); >+ goto out_free_creds; >+ } >+ >+ apreq_pkt.length = 0; >+ apreq_pkt.data = NULL; > ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY, > &in_data, out_creds, &apreq_pkt); > if (ret) { > syslog(LOG_DEBUG, "%s: unable to make AP-REQ for %s", > __func__, principal); >- goto out_free_creds; >+ goto out_free_auth; > } > > ret = krb5_auth_con_getsendsubkey(context, auth_context, &tokb); >-- >1.7.0.4 > > >From 5afb02ef6349654feca886a9374db41b351ee1a7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 27 Dec 2010 16:10:49 +0100 >Subject: [PATCH 3/3] cifs.upcall: use krb5_auth_con_set_req_cksumtype() and pass a GSSAPI checksum (bug #7890) > >Some closed source SMB servers doesn't support all checksum types, >so we should try to match windows clients. > >This is almost the same logic which is used by Samba. > >metze >--- > cifs.upcall.c | 42 ++++++++++++++++++++++++++++++++++++++++++ > configure.ac | 1 + > 2 files changed, 43 insertions(+), 0 deletions(-) > >diff --git a/cifs.upcall.c b/cifs.upcall.c >index d895ccd..906d02c 100644 >--- a/cifs.upcall.c >+++ b/cifs.upcall.c >@@ -261,6 +261,9 @@ cifs_krb5_get_req(const char *principal, const char *ccname, > krb5_creds in_creds, *out_creds; > krb5_data apreq_pkt, in_data; > krb5_auth_context auth_context = NULL; >+#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) >+ static const uint8_t gss_cksum[24] = { 0x10, 0x00, /* ... */}; >+#endif > > ret = krb5_init_context(&context); > if (ret) { 
>@@ -309,6 +312,45 @@ cifs_krb5_get_req(const char *principal, const char *ccname, > goto out_free_creds; > } > >+#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) >+ /* Ensure we will get an addressless ticket. */ >+ ret = krb5_auth_con_setaddrs(context, auth_context, NULL, NULL); >+ if (ret) { >+ syslog(LOG_DEBUG, "%s: unable to set NULL addrs: %d", >+ __func__, ret); >+ goto out_free_auth; >+ } >+ >+ /* >+ * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes. >+ * This matches the behavior of heimdal and mit. >+ * >+ * And it is needed to work against some closed source >+ * SMB servers. >+ * >+ * See https://bugzilla.samba.org/show_bug.cgi?id=7890 >+ * >+ * The current layout is >+ * >+ * 0x10, 0x00, 0x00, 0x00 - length = 16 >+ * 0x00, 0x00, 0x00, 0x00 - 16 zero bytes >+ * 0x00, 0x00, 0x00, 0x00 >+ * 0x00, 0x00, 0x00, 0x00 >+ * 0x00, 0x00, 0x00, 0x00 >+ * 0x00, 0x00, 0x00, 0x00 - gss flags >+ */ >+ >+ in_data.data = discard_const_p(char, gss_cksum); >+ in_data.length = 24; >+ >+ ret = krb5_auth_con_set_req_cksumtype(context, auth_context, 0x8003); >+ if (ret) { >+ syslog(LOG_DEBUG, "%s: unable to set 0x8003 checksum", >+ __func__); >+ goto out_free_auth; >+ } >+#endif >+ > apreq_pkt.length = 0; > apreq_pkt.data = NULL; > ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY, >diff --git a/configure.ac b/configure.ac >index 093b48d..53b698d 100644 >--- a/configure.ac >+++ b/configure.ac >@@ -133,6 +133,7 @@ fi > # non-critical functions (we have workarounds for these) > if test $enable_cifsupcall != "no"; then > AC_CHECK_FUNCS([krb5_principal_get_realm krb5_free_unparsed_name]) >+ AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype]) > fi > > LIBS=$cu_saved_libs >-- >1.7.0.4 >
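Review bot: In [PATCH 1/3], hunk @@ -313,13 +313,15 @@ of cifs.upcall.c, only the "unable to get session key" error path is moved to the new out_free_auth label; the krb5_mk_req_extended() failure path still jumps to out_free_creds until [PATCH 2/3] changes it. Folding that one-line change into this patch would make the cleanup fix complete on its own and easier to bisect. The subject "fix memory and call krb5_auth_con_free()" also looks like it lost a word (memory leak?), and the body is only "metze"; a sentence saying what was leaked and on which paths would help.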
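Review bot: In [PATCH 2/3], hunk @@ -299,14 +299,24 @@, the commit message does not say why an explicit krb5_auth_con_init() is needed when krb5_mk_req_extended() was previously handed a NULL auth_context, nor that the hunk also starts initialising in_data.data and apreq_pkt.length, which were not set before. Please state in the body that the explicit context exists so it can be configured before the AP-REQ is built (as [PATCH 3/3] does) and mention the two added initialisations, since those are a separate fix.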
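Review bot: In [PATCH 3/3], hunk @@ -261,6 +261,9 @@, the initialiser "{ 0x10, 0x00, /* ... */}" reads as if bytes were elided, while the code actually depends on the remaining 22 bytes being implicitly zero-filled. Either spell out all 24 bytes in the same 4-byte rows the later comment uses, or replace "/* ... */" with a comment saying the rest is intentionally zero and move the layout description next to this declaration so the buffer and its documentation cannot drift apart.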
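Review bot: In [PATCH 3/3], hunk @@ -309,6 +312,45 @@, "in_data.length = 24;" repeats the array size as a literal; use sizeof(gss_cksum) so the length passed to krb5_mk_req_extended() always matches the buffer. The checksum type 0x8003 is likewise a bare literal in both the call and the log text and would be clearer as a named constant. The "unable to set 0x8003 checksum" syslog omits ret, unlike the two other new error messages in this series. The layout comment shows the channel-binding field and the gss flags word as all zero; a line saying that sending no bindings and no flags is deliberate would help anyone later auditing this buffer.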
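Review bot: In [PATCH 3/3], the configure.ac hunk @@ -133,6 +133,7 @@ adds the two functions under the comment "non-critical functions (we have workarounds for these)", but cifs.upcall.c has no workaround for them: if either krb5_auth_con_setaddrs or krb5_auth_con_set_req_cksumtype is missing, the #if block is compiled out and the AP-REQ is built with an empty in_data, with nothing at build time or run time to indicate it. Consider an AC_MSG_WARN when either check fails, or at least update the comment, so a build that cannot send the 0x8003 checksum is distinguishable from one that can.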