oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

= Create a cache for delegated credentials when needed.

Browse Source 
= Return GSS_S_BAD_BINDINGS when appropriate, and otherwise
  tweak the return value handling in gss_accept_sec_context
  to be sure they are set to something reasonable.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@10582 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Jacques A. Vidrine
2001-08-28 18:59:37 +00:00
parent 2639d758e1
commit c14ed9002f
4 changed files with 104 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/gssapi/8003.c
View File

@@ -166,15 +166,15 @@ gssapi_krb5_verify_8003_checksum(
p = cksum->checksum.data;
decode_om_uint32(p, &length);
if(length != sizeof(hash))
return GSS_S_FAILURE;
return GSS_S_BAD_BINDINGS;;
p += 4;
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
return GSS_S_FAILURE;
return GSS_S_BAD_BINDINGS;
if(memcmp(hash, p, sizeof(hash)) != 0)
return GSS_S_FAILURE;
return GSS_S_BAD_BINDINGS;
}
p += sizeof(hash);

78
lib/gssapi/accept_sec_context.c
View File

@@ -86,6 +86,7 @@ gss_accept_sec_context
krb5_data fwd_data;
OM_uint32 minor;
ret = 0;
gssapi_krb5_init ();
krb5_data_zero (&fwd_data);
@@ -114,7 +115,6 @@ gss_accept_sec_context
&(*context_handle)->auth_context);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -144,7 +144,6 @@ gss_accept_sec_context
(*context_handle)->auth_context->local_port,
&acceptor_addr);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
goto failure;
@@ -156,7 +155,6 @@ gss_accept_sec_context
&initiator_addr);
if (kret) {
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
*minor_status = kret;
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
goto failure;
@@ -177,7 +175,6 @@ gss_accept_sec_context
#endif
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
goto failure;
@@ -203,8 +200,8 @@ gss_accept_sec_context
&indata,
"\x01\x00");
if (ret) {
kret = *minor_status;
goto failure;
kret = *minor_status;
goto failure;
}
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
@@ -225,7 +222,6 @@ gss_accept_sec_context
&ticket);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -235,7 +231,6 @@ gss_accept_sec_context
&(*context_handle)->source);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -245,7 +240,6 @@ gss_accept_sec_context
&(*context_handle)->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -256,7 +250,6 @@ gss_accept_sec_context
src_name);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -270,21 +263,18 @@ gss_accept_sec_context
&authenticator);
if(kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
authenticator->cksum,
&flags,
&fwd_data);
ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
authenticator->cksum,
&flags,
&fwd_data);
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
if (ret) {
kret = 0;
goto failure;
}
}
@@ -292,18 +282,49 @@ gss_accept_sec_context
krb5_ccache ccache;
if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL)
if (delegated_cred_handle == NULL)
/* XXX Create a new delegated_cred_handle? */
kret = krb5_cc_default (gssapi_krb5_context, &ccache);
else {
if ((*delegated_cred_handle)->ccache == NULL)
else if (*delegated_cred_handle == NULL) {
if ((*delegated_cred_handle =
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
ret = GSS_S_FAILURE;
kret = ENOMEM;
krb5_set_error_string(gssapi_krb5_context, "out of memory");
gssapi_krb5_set_error_string();
goto failure;
}
if ((kret = gss_duplicate_name(minor_status, ticket->client,
&(*delegated_cred_handle)->principal)) != 0) {
flags &= ~GSS_C_DELEG_FLAG;
free(*delegated_cred_handle);
*delegated_cred_handle = NULL;
goto end_fwd;
}
}
if (delegated_cred_handle != NULL &&
(*delegated_cred_handle)->ccache == NULL) {
kret = krb5_cc_gen_new (gssapi_krb5_context,
&krb5_mcc_ops,
&(*delegated_cred_handle)->ccache);
ccache = (*delegated_cred_handle)->ccache;
}
if (delegated_cred_handle != NULL &&
(*delegated_cred_handle)->mechanisms == NULL) {
ret = gss_create_empty_oid_set(minor_status,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
goto failure;
}
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
goto failure;
}
}
if (kret) {
flags &= ~GSS_C_DELEG_FLAG;
goto end_fwd;
@@ -352,7 +373,6 @@ end_fwd:
&outbuf);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -362,8 +382,8 @@ end_fwd:
"\x02\x00");
krb5_data_free (&outbuf);
if (ret) {
kret = *minor_status;
goto failure;
kret = *minor_status;
goto failure;
}
} else {
output_token->length = 0;
@@ -398,5 +418,5 @@ failure:
}
*context_handle = GSS_C_NO_CONTEXT;
*minor_status = kret;
return GSS_S_FAILURE;
return ret;
}

6
lib/gssapi/krb5/8003.c
View File

@@ -166,15 +166,15 @@ gssapi_krb5_verify_8003_checksum(
p = cksum->checksum.data;
decode_om_uint32(p, &length);
if(length != sizeof(hash))
return GSS_S_FAILURE;
return GSS_S_BAD_BINDINGS;;
p += 4;
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
return GSS_S_FAILURE;
return GSS_S_BAD_BINDINGS;
if(memcmp(hash, p, sizeof(hash)) != 0)
return GSS_S_FAILURE;
return GSS_S_BAD_BINDINGS;
}
p += sizeof(hash);

78
lib/gssapi/krb5/accept_sec_context.c
View File

@@ -86,6 +86,7 @@ gss_accept_sec_context
krb5_data fwd_data;
OM_uint32 minor;
ret = 0;
gssapi_krb5_init ();
krb5_data_zero (&fwd_data);
@@ -114,7 +115,6 @@ gss_accept_sec_context
&(*context_handle)->auth_context);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -144,7 +144,6 @@ gss_accept_sec_context
(*context_handle)->auth_context->local_port,
&acceptor_addr);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
goto failure;
@@ -156,7 +155,6 @@ gss_accept_sec_context
&initiator_addr);
if (kret) {
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
*minor_status = kret;
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
goto failure;
@@ -177,7 +175,6 @@ gss_accept_sec_context
#endif
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
goto failure;
@@ -203,8 +200,8 @@ gss_accept_sec_context
&indata,
"\x01\x00");
if (ret) {
kret = *minor_status;
goto failure;
kret = *minor_status;
goto failure;
}
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
@@ -225,7 +222,6 @@ gss_accept_sec_context
&ticket);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -235,7 +231,6 @@ gss_accept_sec_context
&(*context_handle)->source);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -245,7 +240,6 @@ gss_accept_sec_context
&(*context_handle)->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -256,7 +250,6 @@ gss_accept_sec_context
src_name);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -270,21 +263,18 @@ gss_accept_sec_context
&authenticator);
if(kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
authenticator->cksum,
&flags,
&fwd_data);
ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
authenticator->cksum,
&flags,
&fwd_data);
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
if (ret) {
kret = 0;
goto failure;
}
}
@@ -292,18 +282,49 @@ gss_accept_sec_context
krb5_ccache ccache;
if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL)
if (delegated_cred_handle == NULL)
/* XXX Create a new delegated_cred_handle? */
kret = krb5_cc_default (gssapi_krb5_context, &ccache);
else {
if ((*delegated_cred_handle)->ccache == NULL)
else if (*delegated_cred_handle == NULL) {
if ((*delegated_cred_handle =
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
ret = GSS_S_FAILURE;
kret = ENOMEM;
krb5_set_error_string(gssapi_krb5_context, "out of memory");
gssapi_krb5_set_error_string();
goto failure;
}
if ((kret = gss_duplicate_name(minor_status, ticket->client,
&(*delegated_cred_handle)->principal)) != 0) {
flags &= ~GSS_C_DELEG_FLAG;
free(*delegated_cred_handle);
*delegated_cred_handle = NULL;
goto end_fwd;
}
}
if (delegated_cred_handle != NULL &&
(*delegated_cred_handle)->ccache == NULL) {
kret = krb5_cc_gen_new (gssapi_krb5_context,
&krb5_mcc_ops,
&(*delegated_cred_handle)->ccache);
ccache = (*delegated_cred_handle)->ccache;
}
if (delegated_cred_handle != NULL &&
(*delegated_cred_handle)->mechanisms == NULL) {
ret = gss_create_empty_oid_set(minor_status,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
goto failure;
}
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
goto failure;
}
}
if (kret) {
flags &= ~GSS_C_DELEG_FLAG;
goto end_fwd;
@@ -352,7 +373,6 @@ end_fwd:
&outbuf);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -362,8 +382,8 @@ end_fwd:
"\x02\x00");
krb5_data_free (&outbuf);
if (ret) {
kret = *minor_status;
goto failure;
kret = *minor_status;
goto failure;
}
} else {
output_token->length = 0;
@@ -398,5 +418,5 @@ failure:
}
*context_handle = GSS_C_NO_CONTEXT;
*minor_status = kret;
return GSS_S_FAILURE;
return ret;
}