(gssapi_krb5_verify_8003_checksum, gssapi_krb5_create_8003_checksum): make more consistent by always returning an gssapi error and setting minor status. update callers
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@10588 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
@@ -86,27 +86,35 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_error_code
|
/*
|
||||||
|
* create a checksum over the chanel bindings in
|
||||||
|
* `input_chan_bindings', `flags' and `fwd_data' and return it in
|
||||||
|
* `result'
|
||||||
|
*/
|
||||||
|
|
||||||
|
OM_uint32
|
||||||
gssapi_krb5_create_8003_checksum (
|
gssapi_krb5_create_8003_checksum (
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
OM_uint32 flags,
|
OM_uint32 flags,
|
||||||
krb5_data *fwd_data,
|
const krb5_data *fwd_data,
|
||||||
Checksum *result)
|
Checksum *result)
|
||||||
{
|
{
|
||||||
u_char *p;
|
u_char *p;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
|
* see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
|
||||||
* field's format)
|
* field's format) */
|
||||||
*/
|
|
||||||
result->cksumtype = 0x8003;
|
result->cksumtype = 0x8003;
|
||||||
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
|
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
|
||||||
result->checksum.length = 24 + 4 + fwd_data->length;
|
result->checksum.length = 24 + 4 + fwd_data->length;
|
||||||
else
|
else
|
||||||
result->checksum.length = 24;
|
result->checksum.length = 24;
|
||||||
result->checksum.data = malloc (result->checksum.length);
|
result->checksum.data = malloc (result->checksum.length);
|
||||||
if (result->checksum.data == NULL)
|
if (result->checksum.data == NULL) {
|
||||||
return ENOMEM;
|
*minor_status = ENOMEM;
|
||||||
|
return GSS_S_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
p = result->checksum.data;
|
p = result->checksum.data;
|
||||||
encode_om_uint32 (16, p);
|
encode_om_uint32 (16, p);
|
||||||
@@ -139,18 +147,21 @@ gssapi_krb5_create_8003_checksum (
|
|||||||
memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
|
memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
|
||||||
|
|
||||||
p += fwd_data->length;
|
p += fwd_data->length;
|
||||||
|
|
||||||
if (p - (u_char *)result->checksum.data != result->checksum.length)
|
|
||||||
abort();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return GSS_S_COMPLETE;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_error_code
|
/*
|
||||||
|
* verify the checksum in `cksum' over `input_chan_bindings'
|
||||||
|
* returning `flags' and `fwd_data'
|
||||||
|
*/
|
||||||
|
|
||||||
|
OM_uint32
|
||||||
gssapi_krb5_verify_8003_checksum(
|
gssapi_krb5_verify_8003_checksum(
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
Checksum *cksum,
|
const Checksum *cksum,
|
||||||
OM_uint32 *flags,
|
OM_uint32 *flags,
|
||||||
krb5_data *fwd_data)
|
krb5_data *fwd_data)
|
||||||
{
|
{
|
||||||
@@ -160,21 +171,29 @@ gssapi_krb5_verify_8003_checksum(
|
|||||||
int DlgOpt;
|
int DlgOpt;
|
||||||
|
|
||||||
/* XXX should handle checksums > 24 bytes */
|
/* XXX should handle checksums > 24 bytes */
|
||||||
if(cksum->cksumtype != 0x8003)
|
if(cksum->cksumtype != 0x8003) {
|
||||||
|
*minor_status = 0;
|
||||||
return GSS_S_BAD_BINDINGS;
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
|
|
||||||
p = cksum->checksum.data;
|
p = cksum->checksum.data;
|
||||||
decode_om_uint32(p, &length);
|
decode_om_uint32(p, &length);
|
||||||
if(length != sizeof(hash))
|
if(length != sizeof(hash)) {
|
||||||
return GSS_S_BAD_BINDINGS;;
|
*minor_status = 0;
|
||||||
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
|
|
||||||
p += 4;
|
p += 4;
|
||||||
|
|
||||||
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
|
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
|
||||||
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
|
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
|
||||||
|
*minor_status = 0;
|
||||||
return GSS_S_BAD_BINDINGS;
|
return GSS_S_BAD_BINDINGS;
|
||||||
if(memcmp(hash, p, sizeof(hash)) != 0)
|
}
|
||||||
|
if(memcmp(hash, p, sizeof(hash)) != 0) {
|
||||||
|
*minor_status = 0;
|
||||||
return GSS_S_BAD_BINDINGS;
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
p += sizeof(hash);
|
p += sizeof(hash);
|
||||||
@@ -186,18 +205,22 @@ gssapi_krb5_verify_8003_checksum(
|
|||||||
p += 4;
|
p += 4;
|
||||||
|
|
||||||
DlgOpt = (p[0] << 0) | (p[1] << 8 );
|
DlgOpt = (p[0] << 0) | (p[1] << 8 );
|
||||||
if (DlgOpt != 1)
|
if (DlgOpt != 1) {
|
||||||
return GSS_S_BAD_BINDINGS;
|
*minor_status = 0;
|
||||||
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
|
|
||||||
p += 2;
|
p += 2;
|
||||||
fwd_data->length = (p[0] << 0) | (p[1] << 8);
|
fwd_data->length = (p[0] << 0) | (p[1] << 8);
|
||||||
fwd_data->data = malloc(fwd_data->length);
|
fwd_data->data = malloc(fwd_data->length);
|
||||||
if (fwd_data->data == NULL)
|
if (fwd_data->data == NULL) {
|
||||||
return ENOMEM;
|
*minor_status = ENOMEM;
|
||||||
|
return GSS_S_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
p += 2;
|
p += 2;
|
||||||
memcpy(fwd_data->data, p, fwd_data->length);
|
memcpy(fwd_data->data, p, fwd_data->length);
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return GSS_S_COMPLETE;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -115,6 +115,7 @@ gss_accept_sec_context
|
|||||||
&(*context_handle)->auth_context);
|
&(*context_handle)->auth_context);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -146,6 +147,7 @@ gss_accept_sec_context
|
|||||||
if (kret) {
|
if (kret) {
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
ret = GSS_S_BAD_BINDINGS;
|
ret = GSS_S_BAD_BINDINGS;
|
||||||
|
*minor_status = kret;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -157,6 +159,7 @@ gss_accept_sec_context
|
|||||||
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
|
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
ret = GSS_S_BAD_BINDINGS;
|
ret = GSS_S_BAD_BINDINGS;
|
||||||
|
*minor_status = kret;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -177,6 +180,7 @@ gss_accept_sec_context
|
|||||||
if (kret) {
|
if (kret) {
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
ret = GSS_S_BAD_BINDINGS;
|
ret = GSS_S_BAD_BINDINGS;
|
||||||
|
*minor_status = kret;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -199,10 +203,8 @@ gss_accept_sec_context
|
|||||||
input_token_buffer,
|
input_token_buffer,
|
||||||
&indata,
|
&indata,
|
||||||
"\x01\x00");
|
"\x01\x00");
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
|
|
||||||
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
|
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
|
||||||
if (gssapi_krb5_keytab != NULL) {
|
if (gssapi_krb5_keytab != NULL) {
|
||||||
@@ -222,6 +224,7 @@ gss_accept_sec_context
|
|||||||
&ticket);
|
&ticket);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -231,6 +234,7 @@ gss_accept_sec_context
|
|||||||
&(*context_handle)->source);
|
&(*context_handle)->source);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -240,6 +244,7 @@ gss_accept_sec_context
|
|||||||
&(*context_handle)->target);
|
&(*context_handle)->target);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -250,6 +255,7 @@ gss_accept_sec_context
|
|||||||
src_name);
|
src_name);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -263,19 +269,19 @@ gss_accept_sec_context
|
|||||||
&authenticator);
|
&authenticator);
|
||||||
if(kret) {
|
if(kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
|
ret = gssapi_krb5_verify_8003_checksum(minor_status,
|
||||||
|
input_chan_bindings,
|
||||||
authenticator->cksum,
|
authenticator->cksum,
|
||||||
&flags,
|
&flags,
|
||||||
&fwd_data);
|
&fwd_data);
|
||||||
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
|
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = 0;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
|
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
|
||||||
@@ -289,12 +295,12 @@ gss_accept_sec_context
|
|||||||
if ((*delegated_cred_handle =
|
if ((*delegated_cred_handle =
|
||||||
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
|
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
kret = ENOMEM;
|
*minor_status = ENOMEM;
|
||||||
krb5_set_error_string(gssapi_krb5_context, "out of memory");
|
krb5_set_error_string(gssapi_krb5_context, "out of memory");
|
||||||
gssapi_krb5_set_error_string();
|
gssapi_krb5_set_error_string();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
if ((kret = gss_duplicate_name(minor_status, ticket->client,
|
if ((ret = gss_duplicate_name(minor_status, ticket->client,
|
||||||
&(*delegated_cred_handle)->principal)) != 0) {
|
&(*delegated_cred_handle)->principal)) != 0) {
|
||||||
flags &= ~GSS_C_DELEG_FLAG;
|
flags &= ~GSS_C_DELEG_FLAG;
|
||||||
free(*delegated_cred_handle);
|
free(*delegated_cred_handle);
|
||||||
@@ -313,16 +319,12 @@ gss_accept_sec_context
|
|||||||
(*delegated_cred_handle)->mechanisms == NULL) {
|
(*delegated_cred_handle)->mechanisms == NULL) {
|
||||||
ret = gss_create_empty_oid_set(minor_status,
|
ret = gss_create_empty_oid_set(minor_status,
|
||||||
&(*delegated_cred_handle)->mechanisms);
|
&(*delegated_cred_handle)->mechanisms);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
|
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
|
||||||
&(*delegated_cred_handle)->mechanisms);
|
&(*delegated_cred_handle)->mechanisms);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (kret) {
|
if (kret) {
|
||||||
@@ -373,6 +375,7 @@ end_fwd:
|
|||||||
&outbuf);
|
&outbuf);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -381,10 +384,8 @@ end_fwd:
|
|||||||
output_token,
|
output_token,
|
||||||
"\x02\x00");
|
"\x02\x00");
|
||||||
krb5_data_free (&outbuf);
|
krb5_data_free (&outbuf);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
output_token->length = 0;
|
output_token->length = 0;
|
||||||
}
|
}
|
||||||
@@ -417,6 +418,5 @@ failure:
|
|||||||
*src_name = NULL;
|
*src_name = NULL;
|
||||||
}
|
}
|
||||||
*context_handle = GSS_C_NO_CONTEXT;
|
*context_handle = GSS_C_NO_CONTEXT;
|
||||||
*minor_status = kret;
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -50,17 +50,19 @@ extern krb5_keytab gssapi_krb5_keytab;
|
|||||||
|
|
||||||
krb5_error_code gssapi_krb5_init (void);
|
krb5_error_code gssapi_krb5_init (void);
|
||||||
|
|
||||||
krb5_error_code
|
OM_uint32
|
||||||
gssapi_krb5_create_8003_checksum (
|
gssapi_krb5_create_8003_checksum (
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
OM_uint32 flags,
|
OM_uint32 flags,
|
||||||
krb5_data *fwd_data,
|
const krb5_data *fwd_data,
|
||||||
Checksum *result);
|
Checksum *result);
|
||||||
|
|
||||||
krb5_error_code
|
OM_uint32
|
||||||
gssapi_krb5_verify_8003_checksum (
|
gssapi_krb5_verify_8003_checksum (
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
Checksum *cksum,
|
const Checksum *cksum,
|
||||||
OM_uint32 *flags,
|
OM_uint32 *flags,
|
||||||
krb5_data *fwd_data);
|
krb5_data *fwd_data);
|
||||||
|
|
||||||
|
|||||||
@@ -344,17 +344,14 @@ init_auth
|
|||||||
(*context_handle)->flags = flags;
|
(*context_handle)->flags = flags;
|
||||||
(*context_handle)->more_flags = LOCAL;
|
(*context_handle)->more_flags = LOCAL;
|
||||||
|
|
||||||
kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
|
ret = gssapi_krb5_create_8003_checksum (minor_status,
|
||||||
flags,
|
input_chan_bindings,
|
||||||
&fwd_data,
|
flags,
|
||||||
&cksum);
|
&fwd_data,
|
||||||
|
&cksum);
|
||||||
krb5_data_free (&fwd_data);
|
krb5_data_free (&fwd_data);
|
||||||
if (kret) {
|
if (ret)
|
||||||
gssapi_krb5_set_error_string ();
|
|
||||||
*minor_status = kret;
|
|
||||||
ret = GSS_S_FAILURE;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
|
|
||||||
#if 1
|
#if 1
|
||||||
enctype = (*context_handle)->auth_context->keyblock->keytype;
|
enctype = (*context_handle)->auth_context->keyblock->keytype;
|
||||||
|
|||||||
@@ -86,27 +86,35 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_error_code
|
/*
|
||||||
|
* create a checksum over the chanel bindings in
|
||||||
|
* `input_chan_bindings', `flags' and `fwd_data' and return it in
|
||||||
|
* `result'
|
||||||
|
*/
|
||||||
|
|
||||||
|
OM_uint32
|
||||||
gssapi_krb5_create_8003_checksum (
|
gssapi_krb5_create_8003_checksum (
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
OM_uint32 flags,
|
OM_uint32 flags,
|
||||||
krb5_data *fwd_data,
|
const krb5_data *fwd_data,
|
||||||
Checksum *result)
|
Checksum *result)
|
||||||
{
|
{
|
||||||
u_char *p;
|
u_char *p;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
|
* see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
|
||||||
* field's format)
|
* field's format) */
|
||||||
*/
|
|
||||||
result->cksumtype = 0x8003;
|
result->cksumtype = 0x8003;
|
||||||
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
|
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
|
||||||
result->checksum.length = 24 + 4 + fwd_data->length;
|
result->checksum.length = 24 + 4 + fwd_data->length;
|
||||||
else
|
else
|
||||||
result->checksum.length = 24;
|
result->checksum.length = 24;
|
||||||
result->checksum.data = malloc (result->checksum.length);
|
result->checksum.data = malloc (result->checksum.length);
|
||||||
if (result->checksum.data == NULL)
|
if (result->checksum.data == NULL) {
|
||||||
return ENOMEM;
|
*minor_status = ENOMEM;
|
||||||
|
return GSS_S_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
p = result->checksum.data;
|
p = result->checksum.data;
|
||||||
encode_om_uint32 (16, p);
|
encode_om_uint32 (16, p);
|
||||||
@@ -139,18 +147,21 @@ gssapi_krb5_create_8003_checksum (
|
|||||||
memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
|
memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
|
||||||
|
|
||||||
p += fwd_data->length;
|
p += fwd_data->length;
|
||||||
|
|
||||||
if (p - (u_char *)result->checksum.data != result->checksum.length)
|
|
||||||
abort();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return GSS_S_COMPLETE;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_error_code
|
/*
|
||||||
|
* verify the checksum in `cksum' over `input_chan_bindings'
|
||||||
|
* returning `flags' and `fwd_data'
|
||||||
|
*/
|
||||||
|
|
||||||
|
OM_uint32
|
||||||
gssapi_krb5_verify_8003_checksum(
|
gssapi_krb5_verify_8003_checksum(
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
Checksum *cksum,
|
const Checksum *cksum,
|
||||||
OM_uint32 *flags,
|
OM_uint32 *flags,
|
||||||
krb5_data *fwd_data)
|
krb5_data *fwd_data)
|
||||||
{
|
{
|
||||||
@@ -160,21 +171,29 @@ gssapi_krb5_verify_8003_checksum(
|
|||||||
int DlgOpt;
|
int DlgOpt;
|
||||||
|
|
||||||
/* XXX should handle checksums > 24 bytes */
|
/* XXX should handle checksums > 24 bytes */
|
||||||
if(cksum->cksumtype != 0x8003)
|
if(cksum->cksumtype != 0x8003) {
|
||||||
|
*minor_status = 0;
|
||||||
return GSS_S_BAD_BINDINGS;
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
|
|
||||||
p = cksum->checksum.data;
|
p = cksum->checksum.data;
|
||||||
decode_om_uint32(p, &length);
|
decode_om_uint32(p, &length);
|
||||||
if(length != sizeof(hash))
|
if(length != sizeof(hash)) {
|
||||||
return GSS_S_BAD_BINDINGS;;
|
*minor_status = 0;
|
||||||
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
|
|
||||||
p += 4;
|
p += 4;
|
||||||
|
|
||||||
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
|
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
|
||||||
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
|
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
|
||||||
|
*minor_status = 0;
|
||||||
return GSS_S_BAD_BINDINGS;
|
return GSS_S_BAD_BINDINGS;
|
||||||
if(memcmp(hash, p, sizeof(hash)) != 0)
|
}
|
||||||
|
if(memcmp(hash, p, sizeof(hash)) != 0) {
|
||||||
|
*minor_status = 0;
|
||||||
return GSS_S_BAD_BINDINGS;
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
p += sizeof(hash);
|
p += sizeof(hash);
|
||||||
@@ -186,18 +205,22 @@ gssapi_krb5_verify_8003_checksum(
|
|||||||
p += 4;
|
p += 4;
|
||||||
|
|
||||||
DlgOpt = (p[0] << 0) | (p[1] << 8 );
|
DlgOpt = (p[0] << 0) | (p[1] << 8 );
|
||||||
if (DlgOpt != 1)
|
if (DlgOpt != 1) {
|
||||||
return GSS_S_BAD_BINDINGS;
|
*minor_status = 0;
|
||||||
|
return GSS_S_BAD_BINDINGS;
|
||||||
|
}
|
||||||
|
|
||||||
p += 2;
|
p += 2;
|
||||||
fwd_data->length = (p[0] << 0) | (p[1] << 8);
|
fwd_data->length = (p[0] << 0) | (p[1] << 8);
|
||||||
fwd_data->data = malloc(fwd_data->length);
|
fwd_data->data = malloc(fwd_data->length);
|
||||||
if (fwd_data->data == NULL)
|
if (fwd_data->data == NULL) {
|
||||||
return ENOMEM;
|
*minor_status = ENOMEM;
|
||||||
|
return GSS_S_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
p += 2;
|
p += 2;
|
||||||
memcpy(fwd_data->data, p, fwd_data->length);
|
memcpy(fwd_data->data, p, fwd_data->length);
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return GSS_S_COMPLETE;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -115,6 +115,7 @@ gss_accept_sec_context
|
|||||||
&(*context_handle)->auth_context);
|
&(*context_handle)->auth_context);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -146,6 +147,7 @@ gss_accept_sec_context
|
|||||||
if (kret) {
|
if (kret) {
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
ret = GSS_S_BAD_BINDINGS;
|
ret = GSS_S_BAD_BINDINGS;
|
||||||
|
*minor_status = kret;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -157,6 +159,7 @@ gss_accept_sec_context
|
|||||||
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
|
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
ret = GSS_S_BAD_BINDINGS;
|
ret = GSS_S_BAD_BINDINGS;
|
||||||
|
*minor_status = kret;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -177,6 +180,7 @@ gss_accept_sec_context
|
|||||||
if (kret) {
|
if (kret) {
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
ret = GSS_S_BAD_BINDINGS;
|
ret = GSS_S_BAD_BINDINGS;
|
||||||
|
*minor_status = kret;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -199,10 +203,8 @@ gss_accept_sec_context
|
|||||||
input_token_buffer,
|
input_token_buffer,
|
||||||
&indata,
|
&indata,
|
||||||
"\x01\x00");
|
"\x01\x00");
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
|
|
||||||
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
|
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
|
||||||
if (gssapi_krb5_keytab != NULL) {
|
if (gssapi_krb5_keytab != NULL) {
|
||||||
@@ -222,6 +224,7 @@ gss_accept_sec_context
|
|||||||
&ticket);
|
&ticket);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -231,6 +234,7 @@ gss_accept_sec_context
|
|||||||
&(*context_handle)->source);
|
&(*context_handle)->source);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -240,6 +244,7 @@ gss_accept_sec_context
|
|||||||
&(*context_handle)->target);
|
&(*context_handle)->target);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -250,6 +255,7 @@ gss_accept_sec_context
|
|||||||
src_name);
|
src_name);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -263,19 +269,19 @@ gss_accept_sec_context
|
|||||||
&authenticator);
|
&authenticator);
|
||||||
if(kret) {
|
if(kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
|
ret = gssapi_krb5_verify_8003_checksum(minor_status,
|
||||||
|
input_chan_bindings,
|
||||||
authenticator->cksum,
|
authenticator->cksum,
|
||||||
&flags,
|
&flags,
|
||||||
&fwd_data);
|
&fwd_data);
|
||||||
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
|
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = 0;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
|
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
|
||||||
@@ -289,12 +295,12 @@ gss_accept_sec_context
|
|||||||
if ((*delegated_cred_handle =
|
if ((*delegated_cred_handle =
|
||||||
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
|
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
kret = ENOMEM;
|
*minor_status = ENOMEM;
|
||||||
krb5_set_error_string(gssapi_krb5_context, "out of memory");
|
krb5_set_error_string(gssapi_krb5_context, "out of memory");
|
||||||
gssapi_krb5_set_error_string();
|
gssapi_krb5_set_error_string();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
if ((kret = gss_duplicate_name(minor_status, ticket->client,
|
if ((ret = gss_duplicate_name(minor_status, ticket->client,
|
||||||
&(*delegated_cred_handle)->principal)) != 0) {
|
&(*delegated_cred_handle)->principal)) != 0) {
|
||||||
flags &= ~GSS_C_DELEG_FLAG;
|
flags &= ~GSS_C_DELEG_FLAG;
|
||||||
free(*delegated_cred_handle);
|
free(*delegated_cred_handle);
|
||||||
@@ -313,16 +319,12 @@ gss_accept_sec_context
|
|||||||
(*delegated_cred_handle)->mechanisms == NULL) {
|
(*delegated_cred_handle)->mechanisms == NULL) {
|
||||||
ret = gss_create_empty_oid_set(minor_status,
|
ret = gss_create_empty_oid_set(minor_status,
|
||||||
&(*delegated_cred_handle)->mechanisms);
|
&(*delegated_cred_handle)->mechanisms);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
|
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
|
||||||
&(*delegated_cred_handle)->mechanisms);
|
&(*delegated_cred_handle)->mechanisms);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (kret) {
|
if (kret) {
|
||||||
@@ -373,6 +375,7 @@ end_fwd:
|
|||||||
&outbuf);
|
&outbuf);
|
||||||
if (kret) {
|
if (kret) {
|
||||||
ret = GSS_S_FAILURE;
|
ret = GSS_S_FAILURE;
|
||||||
|
*minor_status = kret;
|
||||||
gssapi_krb5_set_error_string ();
|
gssapi_krb5_set_error_string ();
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
@@ -381,10 +384,8 @@ end_fwd:
|
|||||||
output_token,
|
output_token,
|
||||||
"\x02\x00");
|
"\x02\x00");
|
||||||
krb5_data_free (&outbuf);
|
krb5_data_free (&outbuf);
|
||||||
if (ret) {
|
if (ret)
|
||||||
kret = *minor_status;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
output_token->length = 0;
|
output_token->length = 0;
|
||||||
}
|
}
|
||||||
@@ -417,6 +418,5 @@ failure:
|
|||||||
*src_name = NULL;
|
*src_name = NULL;
|
||||||
}
|
}
|
||||||
*context_handle = GSS_C_NO_CONTEXT;
|
*context_handle = GSS_C_NO_CONTEXT;
|
||||||
*minor_status = kret;
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -50,17 +50,19 @@ extern krb5_keytab gssapi_krb5_keytab;
|
|||||||
|
|
||||||
krb5_error_code gssapi_krb5_init (void);
|
krb5_error_code gssapi_krb5_init (void);
|
||||||
|
|
||||||
krb5_error_code
|
OM_uint32
|
||||||
gssapi_krb5_create_8003_checksum (
|
gssapi_krb5_create_8003_checksum (
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
OM_uint32 flags,
|
OM_uint32 flags,
|
||||||
krb5_data *fwd_data,
|
const krb5_data *fwd_data,
|
||||||
Checksum *result);
|
Checksum *result);
|
||||||
|
|
||||||
krb5_error_code
|
OM_uint32
|
||||||
gssapi_krb5_verify_8003_checksum (
|
gssapi_krb5_verify_8003_checksum (
|
||||||
|
OM_uint32 *minor_status,
|
||||||
const gss_channel_bindings_t input_chan_bindings,
|
const gss_channel_bindings_t input_chan_bindings,
|
||||||
Checksum *cksum,
|
const Checksum *cksum,
|
||||||
OM_uint32 *flags,
|
OM_uint32 *flags,
|
||||||
krb5_data *fwd_data);
|
krb5_data *fwd_data);
|
||||||
|
|
||||||
|
|||||||
@@ -344,17 +344,14 @@ init_auth
|
|||||||
(*context_handle)->flags = flags;
|
(*context_handle)->flags = flags;
|
||||||
(*context_handle)->more_flags = LOCAL;
|
(*context_handle)->more_flags = LOCAL;
|
||||||
|
|
||||||
kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
|
ret = gssapi_krb5_create_8003_checksum (minor_status,
|
||||||
flags,
|
input_chan_bindings,
|
||||||
&fwd_data,
|
flags,
|
||||||
&cksum);
|
&fwd_data,
|
||||||
|
&cksum);
|
||||||
krb5_data_free (&fwd_data);
|
krb5_data_free (&fwd_data);
|
||||||
if (kret) {
|
if (ret)
|
||||||
gssapi_krb5_set_error_string ();
|
|
||||||
*minor_status = kret;
|
|
||||||
ret = GSS_S_FAILURE;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
|
||||||
|
|
||||||
#if 1
|
#if 1
|
||||||
enctype = (*context_handle)->auth_context->keyblock->keytype;
|
enctype = (*context_handle)->auth_context->keyblock->keytype;
|
||||||
|
|||||||
Reference in New Issue
Block a user