This patch matches the server-side behaviour for setting up the keys that I get back from gss_krb5_get_subkey(), which I used to avoid the non-standard gsskrb5_get_initiator_subkey().

I'm not sure what this breaks, but without this, calling gss_krb5_get_subkey returns different values in the client and server (causing problems for samba4).

So, what have I broken? :-)

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net

- To: samba-cvs@samba.org
- Subject: svn commit: samba r13144 - in branches/SAMBA_4_0/source/heimdal/lib/gssapi: .
- From: abartlet@samba.org
- Date: Wed, 25 Jan 2006 22:47:11 +0000 (GMT)
Author: abartlet Date: 2006-01-25 22:47:10 +0000 (Wed, 25 Jan 2006) New Revision: 13144 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13144 Log: This seems to be required for Samba4 to talk to Samba4, and to get the same session key. I need to understand this more, but it works samba/samba, and I don't have access to windows doing AES (longhorn) yet. Andrew Bartlett Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c Changeset: Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c =================================================================== --- branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c 2006-01-25 22:07:27 UTC (rev 13143) +++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c 2006-01-25 22:47:10 UTC (rev 13144) @@ -358,6 +358,7 @@ Checksum cksum; krb5_enctype enctype; krb5_data fwd_data; + int is_cfx; krb5_data_zero(&outbuf); krb5_data_zero(&fwd_data); @@ -486,6 +487,16 @@ enctype = (*context_handle)->auth_context->keyblock->keytype; + gsskrb5_is_cfx(*context_handle, &is_cfx); + + if (is_cfx != 0) { + kret = krb5_auth_con_addflags(gssapi_krb5_context, + (*context_handle)->auth_context, + KRB5_AUTH_CONTEXT_USE_SUBKEY, + NULL); + (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; + } + /* We need to create an Authenticator */ { kret = krb5_build_authenticator (gssapi_krb5_context,
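
Review bot: `int is_cfx;` in the first hunk is declared without an initializer, and the second hunk tests it with `if (is_cfx != 0)` immediately after `gsskrb5_is_cfx(*context_handle, &is_cfx);` without checking whether that call succeeded. Nothing in the visible lines guarantees the helper writes to the variable on every path, so declare it as `int is_cfx = 0;` to keep the branch well-defined.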
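
Review bot: the `kret` assigned from `krb5_auth_con_addflags(...)` in the second hunk is never tested; `ACCEPTOR_SUBKEY` is OR-ed into `more_flags` unconditionally and `kret` is then overwritten by the `krb5_build_authenticator` call that follows. If adding `KRB5_AUTH_CONTEXT_USE_SUBKEY` fails, the GSS context would be flagged as using a subkey while the auth context is not, which is the kind of client/server key disagreement this change sets out to remove. Check `kret` and take the function's existing failure path before setting the flag. A short comment on why the initiator sets a flag named `ACCEPTOR_SUBKEY` in the CFX case would also help, since the log message says the reason is not yet fully understood.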