Merge pull request #134 from abartlet/allow-null-authenticator
gssapi: Allow a NULL authenticator
This commit is contained in:
Love Hörnquist Åstrand
@@ -511,13 +511,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (authenticator->cksum == NULL) {
|
if (authenticator->cksum != NULL
|
||||||
krb5_free_authenticator(context, &authenticator);
|
&& authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
|
||||||
*minor_status = 0;
|
|
||||||
return GSS_S_BAD_BINDINGS;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
|
|
||||||
ret = _gsskrb5_verify_8003_checksum(minor_status,
|
ret = _gsskrb5_verify_8003_checksum(minor_status,
|
||||||
input_chan_bindings,
|
input_chan_bindings,
|
||||||
authenticator->cksum,
|
authenticator->cksum,
|
||||||
@@ -529,44 +524,48 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
krb5_crypto crypto;
|
if (authenticator->cksum != NULL) {
|
||||||
|
krb5_crypto crypto;
|
||||||
|
|
||||||
kret = krb5_crypto_init(context,
|
kret = krb5_crypto_init(context,
|
||||||
ctx->auth_context->keyblock,
|
ctx->auth_context->keyblock,
|
||||||
0, &crypto);
|
0, &crypto);
|
||||||
if(kret) {
|
if(kret) {
|
||||||
|
krb5_free_authenticator(context, &authenticator);
|
||||||
|
|
||||||
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Windows accepts Samba3's use of a kerberos, rather than
|
||||||
|
* GSSAPI checksum here
|
||||||
|
*/
|
||||||
|
|
||||||
|
kret = krb5_verify_checksum(context,
|
||||||
|
crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
|
||||||
|
authenticator->cksum);
|
||||||
krb5_free_authenticator(context, &authenticator);
|
krb5_free_authenticator(context, &authenticator);
|
||||||
|
krb5_crypto_destroy(context, crypto);
|
||||||
|
|
||||||
ret = GSS_S_FAILURE;
|
if(kret) {
|
||||||
*minor_status = kret;
|
ret = GSS_S_BAD_SIG;
|
||||||
return ret;
|
*minor_status = kret;
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Windows accepts Samba3's use of a kerberos, rather than
|
* If there is no checksum or a kerberos checksum (which Windows
|
||||||
* GSSAPI checksum here
|
* and Samba accept), we use the ap_options to guess the mutual
|
||||||
|
* flag.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
kret = krb5_verify_checksum(context,
|
ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
|
||||||
crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
|
|
||||||
authenticator->cksum);
|
|
||||||
krb5_free_authenticator(context, &authenticator);
|
|
||||||
krb5_crypto_destroy(context, crypto);
|
|
||||||
|
|
||||||
if(kret) {
|
|
||||||
ret = GSS_S_BAD_SIG;
|
|
||||||
*minor_status = kret;
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Samba style get some flags (but not DCE-STYLE), use
|
|
||||||
* ap_options to guess the mutual flag.
|
|
||||||
*/
|
|
||||||
ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
|
|
||||||
if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
|
if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
|
||||||
ctx->flags |= GSS_C_MUTUAL_FLAG;
|
ctx->flags |= GSS_C_MUTUAL_FLAG;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
|
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
|
||||||
|
|||||||
Reference in New Issue
Block a user