oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

(spnego_reply): use _gss_spnego_require_mechlist_mic to figure out if

Browse Source 
we need to check MechListMIC; From: Luke Howard <lukeh@padl.com>


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13694 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2004-04-07 14:24:58 +00:00
parent 7055cb55cc
commit 88562c0362
2 changed files with 48 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
lib/gssapi/init_sec_context.c
View File

@@ -372,19 +372,7 @@ init_auth
if (ret) if (ret)
goto failure; goto failure;
#if 1
enctype = (*context_handle)->auth_context->keyblock->keytype; enctype = (*context_handle)->auth_context->keyblock->keytype;
#else
if ((*context_handle)->auth_context->enctype)
enctype = (*context_handle)->auth_context->enctype;
else {
kret = krb5_keytype_to_enctype(gssapi_krb5_context,
(*context_handle)->auth_context->keyblock->keytype,
&enctype);
if (kret)
return kret;
}
#endif
kret = krb5_build_authenticator (gssapi_krb5_context, kret = krb5_build_authenticator (gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
@@ -632,6 +620,7 @@ spnego_reply
ssize_t mech_len; ssize_t mech_len;
const u_char *p; const u_char *p;
size_t len, taglen; size_t len, taglen;
krb5_boolean require_mic;
output_token->length = 0; output_token->length = 0;
output_token->value = NULL; output_token->value = NULL;
@@ -730,23 +719,34 @@ spnego_reply
output_token, output_token,
ret_flags, ret_flags,
time_rec); time_rec);
if (ret || targ.mechListMIC == NULL) { if (ret) {
/* no thing to do */ free_NegTokenTarg(&targ);
} else if (targ.responseToken != NULL && return ret;
targ.mechListMIC->length == targ.responseToken->length && }
memcmp(targ.mechListMIC->data, targ.responseToken->data,
targ.mechListMIC->length) == 0) { /*
/* * Verify the mechListMIC if GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
* We dealing with a broken MS SPNEGO client that send the * was specified or CFX was used; or if local policy dictated so.
* responseToken in both responseToken and mechListMIC, just */
* ignore those. ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle,
*/ &require_mic);
} else { if (ret) {
free_NegTokenTarg(&targ);
return ret;
}
if (require_mic) {
MechTypeList mechlist; MechTypeList mechlist;
MechType m0; MechType m0;
size_t buf_len; size_t buf_len;
gss_buffer_desc mic_buf, mech_buf; gss_buffer_desc mic_buf, mech_buf;
if (targ.mechListMIC == NULL) {
free_NegTokenTarg(&targ);
*minor_status = 0;
return GSS_S_BAD_MIC;
}
mechlist.len = 1; mechlist.len = 1;
mechlist.val = &m0; mechlist.val = &m0;

48
lib/gssapi/krb5/init_sec_context.c
View File

@@ -372,19 +372,7 @@ init_auth
if (ret) if (ret)
goto failure; goto failure;
#if 1
enctype = (*context_handle)->auth_context->keyblock->keytype; enctype = (*context_handle)->auth_context->keyblock->keytype;
#else
if ((*context_handle)->auth_context->enctype)
enctype = (*context_handle)->auth_context->enctype;
else {
kret = krb5_keytype_to_enctype(gssapi_krb5_context,
(*context_handle)->auth_context->keyblock->keytype,
&enctype);
if (kret)
return kret;
}
#endif
kret = krb5_build_authenticator (gssapi_krb5_context, kret = krb5_build_authenticator (gssapi_krb5_context,
(*context_handle)->auth_context, (*context_handle)->auth_context,
@@ -632,6 +620,7 @@ spnego_reply
ssize_t mech_len; ssize_t mech_len;
const u_char *p; const u_char *p;
size_t len, taglen; size_t len, taglen;
krb5_boolean require_mic;
output_token->length = 0; output_token->length = 0;
output_token->value = NULL; output_token->value = NULL;
@@ -730,23 +719,34 @@ spnego_reply
output_token, output_token,
ret_flags, ret_flags,
time_rec); time_rec);
if (ret || targ.mechListMIC == NULL) { if (ret) {
/* no thing to do */ free_NegTokenTarg(&targ);
} else if (targ.responseToken != NULL && return ret;
targ.mechListMIC->length == targ.responseToken->length && }
memcmp(targ.mechListMIC->data, targ.responseToken->data,
targ.mechListMIC->length) == 0) { /*
/* * Verify the mechListMIC if GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
* We dealing with a broken MS SPNEGO client that send the * was specified or CFX was used; or if local policy dictated so.
* responseToken in both responseToken and mechListMIC, just */
* ignore those. ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle,
*/ &require_mic);
} else { if (ret) {
free_NegTokenTarg(&targ);
return ret;
}
if (require_mic) {
MechTypeList mechlist; MechTypeList mechlist;
MechType m0; MechType m0;
size_t buf_len; size_t buf_len;
gss_buffer_desc mic_buf, mech_buf; gss_buffer_desc mic_buf, mech_buf;
if (targ.mechListMIC == NULL) {
free_NegTokenTarg(&targ);
*minor_status = 0;
return GSS_S_BAD_MIC;
}
mechlist.len = 1; mechlist.len = 1;
mechlist.val = &m0; mechlist.val = &m0;