oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Move client referral checking to _krb5_extract_ticket().

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22749 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2008-03-24 12:08:09 +00:00
parent d3d7661043
commit fb540c9646
1 changed files with 2 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
lib/krb5/init_creds_pw.c
View File

@@ -1349,10 +1349,11 @@ init_cred_loop(krb5_context context,
if (ctx->flags.request_anonymous) if (ctx->flags.request_anonymous)
flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
if (ctx->flags.canonicalize) { if (ctx->flags.canonicalize) {
flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
flags |= EXTRACT_TICKET_MATCH_REALM; flags |= EXTRACT_TICKET_MATCH_REALM;
} }
if (ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK)
flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
ret = process_pa_data_to_key(context, ctx, creds, ret = process_pa_data_to_key(context, ctx, creds,
&ctx->as_req, &rep, hi, &key); &ctx->as_req, &rep, hi, &key);
@@ -1372,60 +1373,6 @@ init_cred_loop(krb5_context context,
NULL); NULL);
krb5_free_keyblock(context, key); krb5_free_keyblock(context, key);
} }
/*
* Verify referral data
*/
if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) &&
(ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK) == 0)
{
PA_ClientCanonicalized canon;
krb5_crypto crypto;
krb5_data data;
PA_DATA *pa;
size_t len;
pa = find_pa_data(rep.kdc_rep.padata, KRB5_PADATA_CLIENT_CANONICALIZED);
if (pa == NULL) {
ret = EINVAL;
krb5_set_error_string(context, "Client canonicalizion not signed");
goto out;
}
ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
pa->padata_value.length,
&canon, &len);
if (ret) {
krb5_set_error_string(context, "Failed to decode "
"PA_ClientCanonicalized");
goto out;
}
ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
&canon.names, &len, ret);
if (ret)
goto out;
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
ret = krb5_crypto_init(context, &creds->session, 0, &crypto);
if (ret) {
free(data.data);
free_PA_ClientCanonicalized(&canon);
goto out;
}
ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
data.data, data.length,
&canon.canon_checksum);
krb5_crypto_destroy(context, crypto);
free(data.data);
free_PA_ClientCanonicalized(&canon);
if (ret) {
krb5_set_error_string(context, "Failed to verify "
"client canonicalized data");
goto out;
}
}
out: out:
if (stctx) if (stctx)
krb5_sendto_ctx_free(context, stctx); krb5_sendto_ctx_free(context, stctx);