Add option to require binding between reply and response.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16196 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -117,6 +117,7 @@ struct krb5_pk_init_ctx_data {
|
|||||||
DH *dh;
|
DH *dh;
|
||||||
krb5_data *clientDHNonce;
|
krb5_data *clientDHNonce;
|
||||||
struct krb5_dh_moduli **m;
|
struct krb5_dh_moduli **m;
|
||||||
|
int require_binding;
|
||||||
};
|
};
|
||||||
|
|
||||||
void KRB5_LIB_FUNCTION
|
void KRB5_LIB_FUNCTION
|
||||||
@@ -783,8 +784,7 @@ _krb5_pk_mk_padata(krb5_context context,
|
|||||||
METHOD_DATA *md)
|
METHOD_DATA *md)
|
||||||
{
|
{
|
||||||
krb5_pk_init_ctx ctx = c;
|
krb5_pk_init_ctx ctx = c;
|
||||||
krb5_error_code ret;
|
int win2k_compat, type;
|
||||||
int win2k_compat;
|
|
||||||
|
|
||||||
win2k_compat = krb5_config_get_bool_default(context, NULL,
|
win2k_compat = krb5_config_get_bool_default(context, NULL,
|
||||||
FALSE,
|
FALSE,
|
||||||
@@ -796,17 +796,18 @@ _krb5_pk_mk_padata(krb5_context context,
|
|||||||
win2k_compat = 1;
|
win2k_compat = 1;
|
||||||
|
|
||||||
if (win2k_compat) {
|
if (win2k_compat) {
|
||||||
ret = pk_mk_padata(context, COMPAT_WIN2K, ctx, req_body, nonce, md);
|
ctx->require_binding =
|
||||||
if (ret)
|
krb5_config_get_bool_default(context, NULL,
|
||||||
goto out;
|
FALSE,
|
||||||
} else {
|
"realms",
|
||||||
ret = pk_mk_padata(context, COMPAT_IETF, ctx, req_body, nonce, md);
|
req_body->realm,
|
||||||
if (ret)
|
"win2k_pkinit_require_binding",
|
||||||
goto out;
|
NULL);
|
||||||
}
|
type = COMPAT_WIN2K;
|
||||||
|
} else
|
||||||
|
type = COMPAT_IETF;
|
||||||
|
|
||||||
out:
|
return pk_mk_padata(context, type, ctx, req_body, nonce, md);
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static krb5_boolean
|
static krb5_boolean
|
||||||
@@ -1507,7 +1508,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
|
|||||||
switch(type) {
|
switch(type) {
|
||||||
case COMPAT_WIN2K:
|
case COMPAT_WIN2K:
|
||||||
ret = get_reply_key(context, &content, req_buffer, key);
|
ret = get_reply_key(context, &content, req_buffer, key);
|
||||||
if (ret != 0)
|
if (ret != 0 && ctx->require_binding == 0)
|
||||||
ret = get_reply_key_win(context, &content, nonce, key);
|
ret = get_reply_key_win(context, &content, nonce, key);
|
||||||
break;
|
break;
|
||||||
case COMPAT_IETF:
|
case COMPAT_IETF:
|
||||||
@@ -2743,6 +2744,8 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
|
|||||||
opt->opt_private->pk_init_ctx->dh = NULL;
|
opt->opt_private->pk_init_ctx->dh = NULL;
|
||||||
opt->opt_private->pk_init_ctx->id = NULL;
|
opt->opt_private->pk_init_ctx->id = NULL;
|
||||||
opt->opt_private->pk_init_ctx->clientDHNonce = NULL;
|
opt->opt_private->pk_init_ctx->clientDHNonce = NULL;
|
||||||
|
opt->opt_private->pk_init_ctx->require_binding = 0;
|
||||||
|
|
||||||
ret = _krb5_pk_load_openssl_id(context,
|
ret = _krb5_pk_load_openssl_id(context,
|
||||||
&opt->opt_private->pk_init_ctx->id,
|
&opt->opt_private->pk_init_ctx->id,
|
||||||
user_id,
|
user_id,
|
||||||
|
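Review bot: In the COMPAT_WIN2K case of pk_rd_pa_reply_enckey, the new condition `if (ret != 0 && ctx->require_binding == 0)` still discards the error from get_reply_key() and retries through get_reply_key_win() whenever the option is off, and the option is read with a FALSE default in _krb5_pk_mk_padata, so the unbound legacy path stays the default fallback for any failure of the bound decode, not only for replies from KDCs that never bound them. Nothing visible in the hunk distinguishes "the KDC sent an unbound reply" from "the binding check failed", so unless a realm sets win2k_pkinit_require_binding an attacker who can make the bound check fail presumably still reaches the legacy path; that is the downgrade this option exists to close, and the FALSE default should be called out as a deliberate compatibility choice. At minimum the fallback deserves a comment at that line, e.g. `/* Fall back to the unbound Win2K reply key only if the realm does not require binding; the bound attempt's error is discarded here. */`, and the commit title's "reply and response" reads as if "reply and request" was meant. pk_rd_pa_reply_enckey's signature and the declaration of ctx are outside the hunk, so whether ctx is the krb5_pk_init_ctx whose require_binding field this change adds is inferred from the name; likewise _krb5_pk_mk_padata begins in the preceding hunk.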