Pass down realm to pk_verify_host so the function can verify the
certificate is from the right realm. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17196 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -710,6 +710,8 @@ get_reply_key(krb5_context context,
|
|||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
pk_verify_host(krb5_context context,
|
pk_verify_host(krb5_context context,
|
||||||
|
const char *realm,
|
||||||
|
const krb5_krbhst_info *hi,
|
||||||
struct krb5_pk_init_ctx_data *ctx,
|
struct krb5_pk_init_ctx_data *ctx,
|
||||||
struct krb5_pk_cert *host)
|
struct krb5_pk_cert *host)
|
||||||
{
|
{
|
||||||
@@ -738,6 +740,7 @@ pk_verify_host(krb5_context context,
|
|||||||
|
|
||||||
for (i = 0; i < list.len; i++) {
|
for (i = 0; i < list.len; i++) {
|
||||||
KRB5PrincipalName r;
|
KRB5PrincipalName r;
|
||||||
|
|
||||||
ret = decode_KRB5PrincipalName(list.val[i].data,
|
ret = decode_KRB5PrincipalName(list.val[i].data,
|
||||||
list.val[i].length,
|
list.val[i].length,
|
||||||
&r,
|
&r,
|
||||||
@@ -747,13 +750,14 @@ pk_verify_host(krb5_context context,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if 0
|
if (r.principalName.name_string.len != 2 ||
|
||||||
if (r.principalName.name.len != 2) {
|
strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
|
||||||
|
strcmp(r.principalName.name_string.val[1], realm) != 0 ||
|
||||||
|
strcmp(r.realm, realm) != 0)
|
||||||
|
{
|
||||||
krb5_clear_error_string(context);
|
krb5_clear_error_string(context);
|
||||||
ret = EINVAL;
|
ret = EINVAL;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
/* XXX verify realm */
|
|
||||||
|
|
||||||
free_KRB5PrincipalName(&r);
|
free_KRB5PrincipalName(&r);
|
||||||
if (ret)
|
if (ret)
|
||||||
@@ -768,7 +772,8 @@ pk_verify_host(krb5_context context,
|
|||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
pk_rd_pa_reply_enckey(krb5_context context,
|
pk_rd_pa_reply_enckey(krb5_context context,
|
||||||
int type,
|
int type,
|
||||||
ContentInfo *rep,
|
const ContentInfo *rep,
|
||||||
|
const char *realm,
|
||||||
krb5_pk_init_ctx ctx,
|
krb5_pk_init_ctx ctx,
|
||||||
krb5_enctype etype,
|
krb5_enctype etype,
|
||||||
const krb5_krbhst_info *hi,
|
const krb5_krbhst_info *hi,
|
||||||
@@ -846,7 +851,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
/* make sure that it is the kdc's certificate */
|
/* make sure that it is the kdc's certificate */
|
||||||
ret = pk_verify_host(context, ctx, host);
|
ret = pk_verify_host(context, realm, hi, ctx, host);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);
|
krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -894,7 +899,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
|
|||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
pk_rd_pa_reply_dh(krb5_context context,
|
pk_rd_pa_reply_dh(krb5_context context,
|
||||||
ContentInfo *rep,
|
const ContentInfo *rep,
|
||||||
|
const char *realm,
|
||||||
krb5_pk_init_ctx ctx,
|
krb5_pk_init_ctx ctx,
|
||||||
krb5_enctype etype,
|
krb5_enctype etype,
|
||||||
const krb5_krbhst_info *hi,
|
const krb5_krbhst_info *hi,
|
||||||
@@ -938,7 +944,7 @@ pk_rd_pa_reply_dh(krb5_context context,
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
/* make sure that it is the kdc's certificate */
|
/* make sure that it is the kdc's certificate */
|
||||||
ret = pk_verify_host(context, ctx, host);
|
ret = pk_verify_host(context, realm, hi, ctx, host);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -1066,6 +1072,7 @@ pk_rd_pa_reply_dh(krb5_context context,
|
|||||||
|
|
||||||
krb5_error_code KRB5_LIB_FUNCTION
|
krb5_error_code KRB5_LIB_FUNCTION
|
||||||
_krb5_pk_rd_pa_reply(krb5_context context,
|
_krb5_pk_rd_pa_reply(krb5_context context,
|
||||||
|
const char *realm,
|
||||||
void *c,
|
void *c,
|
||||||
krb5_enctype etype,
|
krb5_enctype etype,
|
||||||
const krb5_krbhst_info *hi,
|
const krb5_krbhst_info *hi,
|
||||||
@@ -1106,7 +1113,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
|
|||||||
free_PA_PK_AS_REP(&rep);
|
free_PA_PK_AS_REP(&rep);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
ret = pk_rd_pa_reply_dh(context, &ci, ctx, etype, hi,
|
ret = pk_rd_pa_reply_dh(context, &ci, realm, ctx, etype, hi,
|
||||||
ctx->clientDHNonce,
|
ctx->clientDHNonce,
|
||||||
rep.u.dhInfo.serverDHNonce,
|
rep.u.dhInfo.serverDHNonce,
|
||||||
nonce, pa, key);
|
nonce, pa, key);
|
||||||
@@ -1126,7 +1133,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
|
|||||||
"ContentInfo: %d", ret);
|
"ContentInfo: %d", ret);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, ctx,
|
ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, realm, ctx,
|
||||||
etype, hi, nonce, req_buffer, pa, key);
|
etype, hi, nonce, req_buffer, pa, key);
|
||||||
free_ContentInfo(&ci);
|
free_ContentInfo(&ci);
|
||||||
return ret;
|
return ret;
|
||||||
@@ -1173,7 +1180,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
|
|||||||
ret);
|
ret);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx,
|
ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, realm, ctx,
|
||||||
etype, hi, nonce, req_buffer, pa, key);
|
etype, hi, nonce, req_buffer, pa, key);
|
||||||
free_ContentInfo(&ci);
|
free_ContentInfo(&ci);
|
||||||
break;
|
break;
|
||||||
|
|||||||
Reference in New Issue
Block a user