oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gssapi/krb5/{export,import}_sec_context: fix for init_sec_ctx

Browse Source 
When using these functions with gss_init_sec_context(), we noticed
that some things were missing and some needed to be made optional.
ctx->order may be NULL, ctx->ac->authenticator needs to be filled
out, and ctx->state needs be stored.

Note: SPNEGO still needs a little more work.
This commit is contained in:
Roland C. Dowdeswell
2021-08-02 22:55:33 +01:00
committed by Luke Howard
parent 81a8b5069e
commit a2cfd2a25c
3 changed files with 54 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
lib/gssapi/krb5/export_sec_context.c
View File

@@ -82,10 +82,14 @@ _gsskrb5_export_sec_context(
flags |= SC_LOCAL_SUBKEY;
if (ac->remote_subkey)
flags |= SC_REMOTE_SUBKEY;
if (ac->authenticator)
flags |= SC_AUTHENTICATOR;
if (ctx->source)
flags |= SC_SOURCE_NAME;
if (ctx->target)
flags |= SC_TARGET_NAME;
if (ctx->order)
flags |= SC_ORDER;
kret = krb5_store_int32 (sp, flags);
if (kret) {
@@ -155,6 +159,18 @@ _gsskrb5_export_sec_context(
*minor_status = kret;
goto failure;
}
if (ac->authenticator) {
kret = krb5_store_int64(sp, ac->authenticator->ctime);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32(sp, ac->authenticator->cusec);
if (kret) {
*minor_status = kret;
goto failure;
}
}
kret = krb5_store_int32 (sp, ac->keytype);
if (kret) {
@@ -212,6 +228,11 @@ _gsskrb5_export_sec_context(
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, ctx->state);
if (kret) {
*minor_status = kret;
goto failure;
}
/*
* XXX We should put a 64-bit int here, but we don't have a
* krb5_store_int64() yet.
@@ -221,10 +242,12 @@ _gsskrb5_export_sec_context(
*minor_status = kret;
goto failure;
}
kret = _gssapi_msg_order_export(sp, ctx->order);
if (kret ) {
*minor_status = kret;
goto failure;
if (ctx->order) {
kret = _gssapi_msg_order_export(sp, ctx->order);
if (kret) {
*minor_status = kret;
goto failure;
}
}
kret = krb5_storage_to_data (sp, &data);

16
lib/gssapi/krb5/gsskrb5_locl.h
View File

@@ -135,12 +135,14 @@ extern HEIMDAL_MUTEX gssapi_keytab_mutex;
/* sec_context flags */
#define SC_LOCAL_ADDRESS 0x01
#define SC_REMOTE_ADDRESS 0x02
#define SC_KEYBLOCK 0x04
#define SC_LOCAL_SUBKEY 0x08
#define SC_REMOTE_SUBKEY 0x10
#define SC_SOURCE_NAME 0x20
#define SC_TARGET_NAME 0x40
#define SC_LOCAL_ADDRESS 0x0001
#define SC_REMOTE_ADDRESS 0x0002
#define SC_KEYBLOCK 0x0004
#define SC_LOCAL_SUBKEY 0x0008
#define SC_REMOTE_SUBKEY 0x0010
#define SC_SOURCE_NAME 0x0020
#define SC_TARGET_NAME 0x0040
#define SC_ORDER 0x0080
#define SC_AUTHENTICATOR 0x0100
#endif

21
lib/gssapi/krb5/import_sec_context.c
View File

@@ -51,6 +51,7 @@ _gsskrb5_import_sec_context (
gss_buffer_desc buffer;
krb5_keyblock keyblock;
int32_t flags, tmp;
int64_t tmp64;
gsskrb5_ctx ctx;
gss_name_t name;
@@ -141,6 +142,15 @@ _gsskrb5_import_sec_context (
if (krb5_ret_uint32 (sp, &ac->remote_seqnumber))
goto failure;
if (flags & SC_AUTHENTICATOR) {
if (krb5_ret_int64(sp, &tmp64))
goto failure;
ac->authenticator->ctime = tmp64;
if (krb5_ret_int32(sp, &tmp))
goto failure;
ac->authenticator->cusec = tmp;
}
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->keytype = tmp;
@@ -195,6 +205,9 @@ _gsskrb5_import_sec_context (
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->more_flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->state = tmp;
/*
* XXX endtime should be a 64-bit int, but we don't have
* krb5_ret_int64() yet.
@@ -203,9 +216,11 @@ _gsskrb5_import_sec_context (
goto failure;
ctx->endtime = tmp;
ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
if (ret)
goto failure;
if (flags & SC_ORDER) {
ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
if (ret)
goto failure;
}
krb5_storage_free (sp);