From patchwork Tue Dec 28 08:41:33 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Metzmacher X-Patchwork-Id: 435741 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id oBS8lE98026544 for ; Tue, 28 Dec 2010 08:47:14 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752462Ab0L1IrO (ORCPT ); Tue, 28 Dec 2010 03:47:14 -0500 Received: from cc-smtpout1.netcologne.de ([89.1.8.211]:49845 "EHLO cc-smtpout1.netcologne.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752390Ab0L1IrN (ORCPT ); Tue, 28 Dec 2010 03:47:13 -0500 X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]); Tue, 28 Dec 2010 08:47:33 +0000 (UTC) X-Greylist: delayed 332 seconds by postgrey-1.27 at vger.kernel.org; Tue, 28 Dec 2010 03:47:13 EST Received: from cc-smtpin3.netcologne.de (cc-smtpin3.netcologne.de [89.1.8.203]) by cc-smtpout1.netcologne.de (Postfix) with ESMTP id E870812621; Tue, 28 Dec 2010 09:41:50 +0100 (CET) Received: from localhost.localdomain (xdsl-78-34-105-125.netcologne.de [78.34.105.125]) by cc-smtpin3.netcologne.de (Postfix) with ESMTP id C5A1511E8A; Tue, 28 Dec 2010 09:41:48 +0100 (CET) From: Stefan Metzmacher To: linux-cifs@vger.kernel.org Cc: Stefan Metzmacher Subject: [PATCH 3/3] cifs.upcall: use krb5_auth_con_set_req_cksumtype() and pass a GSSAPI checksum (bug #7890) Date: Tue, 28 Dec 2010 09:41:33 +0100 Message-Id: <1293525693-11562-4-git-send-email-metze@samba.org> X-Mailer: git-send-email 1.7.0.4 In-Reply-To: <1293525693-11562-1-git-send-email-metze@samba.org> References: <1293525693-11562-1-git-send-email-metze@samba.org> Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org diff --git a/cifs.upcall.c b/cifs.upcall.c index d895ccd..648a138 100644 
--- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -261,6 +261,9 @@ cifs_krb5_get_req(const char *principal, const char *ccname, krb5_creds in_creds, *out_creds; krb5_data apreq_pkt, in_data; krb5_auth_context auth_context = NULL; +#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) + static const uint8_t gss_cksum[24] = { 0x10, 0x00, /* ... */}; +#endif ret = krb5_init_context(&context); if (ret) { @@ -309,6 +312,43 @@ cifs_krb5_get_req(const char *principal, const char *ccname, goto out_free_creds; } +#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) + /* Ensure we will get an addressless ticket. */ + ret = krb5_auth_con_setaddrs(context, auth_context, NULL, NULL); + if (ret) { + syslog(LOG_DEBUG, "%s: unable to set NULL addrs: %d", + __func__, ret); + goto out_free_auth; + } + + /* + * Create a GSSAPI checksum (0x8003), see RFC 4121. + * + * The current layout is + * + * 0x10, 0x00, 0x00, 0x00 - length = 16 + * 0x00, 0x00, 0x00, 0x00 - channel binding info - 16 zero bytes + * 0x00, 0x00, 0x00, 0x00 + * 0x00, 0x00, 0x00, 0x00 + * 0x00, 0x00, 0x00, 0x00 + * 0x00, 0x00, 0x00, 0x00 - flags + * + * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes, + * this is needed to work against some closed source + * SMB servers. + * + * See https://bugzilla.samba.org/show_bug.cgi?id=7890 + */ + in_data.data = discard_const_p(char, gss_cksum); + in_data.length = 24; + ret = krb5_auth_con_set_req_cksumtype(context, auth_context, 0x8003); + if (ret) { + syslog(LOG_DEBUG, "%s: unable to set 0x8003 checksum", + __func__); + goto out_free_auth; + } +#endif + apreq_pkt.length = 0; apreq_pkt.data = NULL; ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY, diff --git a/configure.ac b/configure.ac index 093b48d..53b698d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -133,6 +133,7 @@ fi # non-critical functions (we have workarounds for these) if test $enable_cifsupcall != "no"; then AC_CHECK_FUNCS([krb5_principal_get_realm krb5_free_unparsed_name]) + AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype]) fi LIBS=$cu_saved_libs
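Review bot: in the first cifs.upcall.c hunk, the initializer `static const uint8_t gss_cksum[24] = { 0x10, 0x00, /* ... */};` shows only the leading two bytes, so a reader has to scroll to the layout comment in the next hunk to learn that every remaining byte (length field padding, the 16 channel-binding octets and the flags) is meant to be zero; if the remainder is intentionally left to C zero-fill, say so in a comment at the declaration, and consider referencing `sizeof(gss_cksum)` wherever the buffer length is needed so the array size is the single source of truth for the 24-byte checksum.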
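Review bot: in the second cifs.upcall.c hunk, `in_data` is assigned only inside the `#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)` block, yet it is declared unconditionally (`krb5_data apreq_pkt, in_data;`) and, from the trailing context, is what reaches `krb5_mk_req_extended` after `apreq_pkt`; please confirm that a build without both configure results still sets `in_data.data = NULL` and `in_data.length = 0` (or zero-initialize it at the declaration) so the AP-REQ is never built from uninitialized stack memory. Two smaller points in the same hunk: `in_data.length = 24;` duplicates the array size and is better written as `sizeof(gss_cksum)`, and the failure branch for `krb5_auth_con_set_req_cksumtype` drops the error code that the `krb5_auth_con_setaddrs` branch logs, so use `"%s: unable to set 0x8003 checksum: %d", __func__, ret` for consistency when debugging the bug #7890 fallback.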
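Review bot: in the configure.ac hunk, the new `AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype])` is filed under the comment "non-critical functions (we have workarounds for these)", but the cifs.upcall.c side has no workaround: if either symbol is missing the whole GSSAPI-checksum block is compiled out and the bug #7890 fix silently disappears from the binary. Suggest an `AC_MSG_WARN` when either function is not found (or a line in the configure summary) so packagers building against a library that lacks one of them can see why the resulting cifs.upcall still fails against the servers described in the code comment.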