diff options
| author | Luke Howard <lukeh@padl.com> | 2009-11-15 22:17:01 +0000 |
|---|---|---|
| committer | Luke Howard <lukeh@padl.com> | 2009-11-15 22:17:01 +0000 |
| commit | 55541799bcf1a27ea03973451b1282635bc3ea9f (patch) | |
| tree | ef28abaa659cf22fcb1055d3b355b62d18d31eae | |
| parent | 5b3191c89fb6ed18c8dcb1c5c6bd52df900d9b6b (diff) | |
| download | krb5-55541799bcf1a27ea03973451b1282635bc3ea9f.zip krb5-55541799bcf1a27ea03973451b1282635bc3ea9f.tar.gz krb5-55541799bcf1a27ea03973451b1282635bc3ea9f.tar.bz2 | |
ensure IAKERB signature is present
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/iakerb@23220 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 19 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 5 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/iakerb.c | 4 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 16 |
4 files changed, 32 insertions, 12 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 677c537..2335019 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -393,15 +393,19 @@ kg_process_extension(krb5_context context, { krb5_error_code code = 0; + assert(exts != NULL); + switch (ext_type) { case KRB5_GSS_EXTS_IAKERB_FINISHED: - if (exts == NULL || exts->iakerb_conv == NULL) { + if (exts->iakerb.conv == NULL) { code = KRB5KRB_AP_ERR_MSG_TYPE; /* XXX */ } else { code = iakerb_verify_finished(context, auth_context->recv_subkey, - exts->iakerb_conv, + exts->iakerb.conv, ext_data); + if (code == 0) + exts->iakerb.verified = 1; } break; default: @@ -840,6 +844,11 @@ kg_accept_krb5(minor_status, context_handle, } } + if (exts->iakerb.conv && !exts->iakerb.verified) { + major_status = GSS_S_BAD_SIG; + goto fail; + } + /* only DCE_STYLE clients are allowed to send raw AP-REQs */ if (no_encap != ((gss_flags & GSS_C_DCE_STYLE) != 0)) { major_status = GSS_S_DEFECTIVE_TOKEN; @@ -1349,6 +1358,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle, OM_uint32 *time_rec; gss_cred_id_t *delegated_cred_handle; { + krb5_gss_ctx_ext_rec exts; + + memset(&exts, 0, sizeof(exts)); + return krb5_gss_accept_sec_context_ext(minor_status, context_handle, verifier_cred_handle, @@ -1360,6 +1373,6 @@ krb5_gss_accept_sec_context(minor_status, context_handle, ret_flags, time_rec, delegated_cred_handle, - NULL); + &exts); } diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index d8425dd..618daa7 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -188,7 +188,10 @@ typedef struct _krb5_gss_cred_id_rec { } krb5_gss_cred_id_rec, *krb5_gss_cred_id_t; typedef struct _krb5_gss_ctx_ext_rec { - krb5_data *iakerb_conv; + struct { + krb5_data *conv; + int verified; + } iakerb; } krb5_gss_ctx_ext_rec, *krb5_gss_ctx_ext_t; typedef struct _krb5_gss_ctx_id_rec { diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index 5bb690b..4acdd58 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -717,7 +717,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, krb5_gss_ctx_ext_rec exts; memset(&exts, 0, sizeof(exts)); - exts.iakerb_conv = &ctx->conv; + exts.iakerb.conv = &ctx->conv; major_status = krb5_gss_accept_sec_context_ext(&code, &ctx->gssc, @@ -862,7 +862,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, memset(&exts, 0, sizeof(exts)); - exts.iakerb_conv = &ctx->conv; + exts.iakerb.conv = &ctx->conv; k5_mutex_unlock(&kcred->lock); credLocked = 0; diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 051e92e..9248c27 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -303,12 +303,13 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, junk = 0; #endif - if (data->exts && - data->exts->iakerb_conv && data->exts->iakerb_conv->length) { + assert(data->exts != NULL); + + if (data->exts->iakerb.conv && data->exts->iakerb.conv->length) { assert(auth_context->send_subkey != NULL); code = iakerb_make_finished(context, auth_context->send_subkey, - data->exts->iakerb_conv, &finished); + data->exts->iakerb.conv, &finished); if (code != 0) goto cleanup; @@ -340,8 +341,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, TWRITE_INT16(ptr, credmsg.length, 0); TWRITE_STR(ptr, credmsg.data, credmsg.length); } - if (data->exts && - data->exts->iakerb_conv && data->exts->iakerb_conv->length) { + if (data->exts->iakerb.conv && data->exts->iakerb.conv->length) { TWRITE_INT(ptr, KRB5_GSS_EXTS_IAKERB_FINISHED, 1); TWRITE_INT(ptr, finished->length, 1); TWRITE_STR(ptr, finished->data, finished->length); @@ -1132,6 +1132,10 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, OM_uint32 *ret_flags; OM_uint32 *time_rec; { + krb5_gss_ctx_ext_rec exts; + + memset(&exts, 0, sizeof(exts)); + return krb5_gss_init_sec_context_ext(minor_status, claimant_cred_handle, context_handle, @@ -1145,6 +1149,6 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, output_token, ret_flags, time_rec, - NULL); + &exts); } |