oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gss: mask out SAnon req_flags after computing session key

Browse Source 
In SAnon, the optional flags send in the initial context token are input into
the key derivation function. Mask out the flags we wish to ignore after (not
before) calling the key derivation function, as the initiator may not know
which flags we wish to ignore.
This commit is contained in:
Luke Howard
2020-04-27 22:32:59 +10:00
parent 69b34d1b8a
commit 815ea80b4f
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/gssapi/sanon/accept_sec_context.c
View File

@@ -107,14 +107,14 @@ _gss_sanon_accept_sec_context(OM_uint32 *minor,
_gss_mg_decode_be_uint32(&p[4], &req_flags);
}
req_flags &= SANON_PROTOCOL_FLAG_MASK; /* do not let initiator set any other flags */
/* compute shared secret */
major = _gss_sanon_curve25519(minor, sc, &initiator_pk, req_flags,
input_chan_bindings, &session_key);
if (major != GSS_S_COMPLETE)
goto out;
req_flags &= SANON_PROTOCOL_FLAG_MASK; /* do not let initiator set any other flags */
req_flags |= GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG | GSS_C_TRANS_FLAG;