From 2157835b7554da2846c3877397ec0e3e6783bd0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 24 Apr 2006 08:23:47 +0000
Subject: [PATCH] Pass down realm to pk_verify_host so the function can verify the certificate is from the right realm.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17196 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
lib/krb5/pkinit.c | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 3aedbe4b6..cfac633f3 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -710,6 +710,8 @@ get_reply_key(krb5_context context, static krb5_error_code pk_verify_host(krb5_context context, + const char *realm, + const krb5_krbhst_info *hi, struct krb5_pk_init_ctx_data *ctx, struct krb5_pk_cert *host) {
@@ -738,6 +740,7 @@ pk_verify_host(krb5_context context, for (i = 0; i < list.len; i++) { KRB5PrincipalName r; + ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &r,
@@ -747,13 +750,14 @@ pk_verify_host(krb5_context context, break; } -#if 0 - if (r.principalName.name.len != 2) { + if (r.principalName.name_string.len != 2 || + strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 || + strcmp(r.principalName.name_string.val[1], realm) != 0 || + strcmp(r.realm, realm) != 0) + { krb5_clear_error_string(context); ret = EINVAL; } -#endif - /* XXX verify realm */ free_KRB5PrincipalName(&r); if (ret)
@@ -768,7 +772,8 @@ pk_verify_host(krb5_context context, static krb5_error_code pk_rd_pa_reply_enckey(krb5_context context, int type, - ContentInfo *rep, + const ContentInfo *rep, + const char *realm, krb5_pk_init_ctx ctx, krb5_enctype etype, const krb5_krbhst_info *hi, 
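Review bot: In the hunk at `@@ -710,6 +710,8 @@`, `hi` is added to pk_verify_host's parameter list, but none of the hunks in this patch reads it; only `realm` is used, in the check added at `@@ -747,13 +750,14 @@`. If matching the certificate against the KDC host in `hi` is planned, say so above the function, e.g. `/* hi: KDC host info, reserved for host-name verification; not checked yet */`. Otherwise a reader will assume the host is already being verified. The same comment should state that `realm` must be a non-NULL, NUL-terminated string, since it is now passed straight to strcmp(). The function body continues outside this hunk, so a use of `hi` elsewhere cannot be ruled out.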
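Review bot: In the hunk at `@@ -747,13 +750,14 @@`, the new realm comparison sits inside the `for (i = 0; i < list.len; i++)` loop, so it is only evaluated when `list` holds at least one entry. Whether an empty list is rejected before the loop is outside the hunk; if it is not, pk_verify_host can return success without ever comparing a name to `realm`. Unless such certificates are meant to be accepted by another check, a guard after the loop such as `if (ret == 0 && list.len == 0) ret = EINVAL;` would make that case fail closed. The length test correctly short-circuits before `val[0]` and `val[1]` are dereferenced. Note that a single non-matching entry rejects the certificate even if another entry matches; a one-line comment stating that this is intended would help.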
@@ -846,7 +851,7 @@ pk_rd_pa_reply_enckey(krb5_context context, goto out; /* make sure that it is the kdc's certificate */ - ret = pk_verify_host(context, ctx, host); + ret = pk_verify_host(context, realm, hi, ctx, host); if (ret) { krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret); goto out;
@@ -894,7 +899,8 @@ pk_rd_pa_reply_enckey(krb5_context context, static krb5_error_code pk_rd_pa_reply_dh(krb5_context context, - ContentInfo *rep, + const ContentInfo *rep, + const char *realm, krb5_pk_init_ctx ctx, krb5_enctype etype, const krb5_krbhst_info *hi,
@@ -938,7 +944,7 @@ pk_rd_pa_reply_dh(krb5_context context, goto out; /* make sure that it is the kdc's certificate */ - ret = pk_verify_host(context, ctx, host); + ret = pk_verify_host(context, realm, hi, ctx, host); if (ret) goto out;
@@ -1066,6 +1072,7 @@ pk_rd_pa_reply_dh(krb5_context context, krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_rd_pa_reply(krb5_context context, + const char *realm, void *c, krb5_enctype etype, const krb5_krbhst_info *hi,
@@ -1106,7 +1113,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, free_PA_PK_AS_REP(&rep); break; } - ret = pk_rd_pa_reply_dh(context, &ci, ctx, etype, hi, + ret = pk_rd_pa_reply_dh(context, &ci, realm, ctx, etype, hi, ctx->clientDHNonce, rep.u.dhInfo.serverDHNonce, nonce, pa, key);
@@ -1126,7 +1133,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, "ContentInfo: %d", ret); break; } - ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, ctx, + ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, realm, ctx, etype, hi, nonce, req_buffer, pa, key); free_ContentInfo(&ci); return ret;
@@ -1173,7 +1180,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, ret); return ret; } - ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx, + ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, realm, ctx, etype, hi, nonce, req_buffer, pa, key); free_ContentInfo(&ci); break;
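Review bot: In the hunk at `@@ -938,7 +944,7 @@`, the DH path still does `if (ret) goto out;` after pk_verify_host, so the realm-mismatch failure this patch introduces leaves no error string at all. pk_verify_host clears the error string before setting `EINVAL`, and only the enckey path at `@@ -846,7 +851,7 @@` sets one afterwards. A KDC certificate issued for the wrong realm is exactly the event an operator wants to see in logs. Set the same message here as the enckey path does, `krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);`, or better, set a message naming the expected realm inside pk_verify_host so both callers get it. The rest of pk_rd_pa_reply_dh lies outside this hunk.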
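Review bot: In the hunk at `@@ -1066,6 +1072,7 @@`, `_krb5_pk_rd_pa_reply` gains `realm` as its second parameter, but the diffstat lists only lib/krb5/pkinit.c. Any caller or prototype in another file therefore still has the old argument list after this patch. Because the next parameter is `void *c`, a stale caller compiled without the updated prototype would pass its context pointer where `realm` is expected, so the callers and the header should change in the same commit. Nothing visible rejects a NULL `realm` before it reaches strcmp() in pk_verify_host; an early `if (realm == NULL) return EINVAL;` at this entry point would turn that into a clean error. The function body starts outside the hunk, so an existing check cannot be ruled out.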