* accept_sec_context.c (krb5_gss_accept_sec_context): When
authorEzra Peisach <epeisach@mit.edu>
Fri, 22 Sep 2000 17:42:43 +0000 (17:42 +0000)
committerEzra Peisach <epeisach@mit.edu>
Fri, 22 Sep 2000 17:42:43 +0000 (17:42 +0000)
        GSS_C_NO_CHANNEL_BINDINGS is set by the server, skip over the
        bindings sent from the client. RFC-1964 indicates that the
        client's channel bindings are always sent in the checksum field and
        need to be accounted for, even if the server does not care.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12664 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/ChangeLog
src/lib/gssapi/krb5/accept_sec_context.c

index 499577e8a9b746188ddc4dfb7a4eb1678dac5dbc..821bf0b1b39b28991b6ec8b58f3f3fc82b17d523 100644 (file)
@@ -1,3 +1,11 @@
+Fri Sep 22 12:05:31 2000  Ezra Peisach  <epeisach@mit.edu>
+
+       * accept_sec_context.c (krb5_gss_accept_sec_context): When
+       GCC_S_NO_CHANNEL_BINDINGS is set by the server, skip over the
+       bindings sent from the client. RFC-1964 indicates that the
+       client's channel bindings are always sent in checksum field and
+       need to be accounted for, evn if the server does not care.
+
 2000-09-01  Jeffrey Altman <jaltman@columbia.edu>
 
         * accept_sec_context.c: krb5_gss_accept_sec_context()
index ca29eaf4763897c6b5ae070484ece063451622ef..75a6eaecac74c2227b1a8dd26052ec7c3b447edb 100644 (file)
@@ -434,16 +434,17 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
           If either test succeeds we continue without error.
        */
 
+       if ((code = kg_checksum_channel_bindings(context, 
+                                               input_chan_bindings,
+                                               &reqcksum, bigend))) {
+        major_status = GSS_S_BAD_BINDINGS;
+        goto fail;
+       }
+
+       /* Always read the clients bindings - eventhough we might ignore them */
+       TREAD_STR(ptr, ptr2, reqcksum.length);
+
        if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
-           if ((code = kg_checksum_channel_bindings(context, 
-                                                    input_chan_bindings,
-                                                   &reqcksum, bigend))) {
-                  major_status = GSS_S_BAD_BINDINGS;
-                  goto fail;
-           }
-           
-           
-           TREAD_STR(ptr, ptr2, reqcksum.length);
            if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
                xfree(reqcksum.contents);
                reqcksum.contents = 0;
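Review bot: The call to kg_checksum_channel_bindings() now runs even when input_chan_bindings is GSS_C_NO_CHANNEL_BINDINGS, so the helper has to accept that sentinel and still set reqcksum.length to the size of the client's binding field. Its body is not visible here, so this should be confirmed, because a failure would return GSS_S_BAD_BINDINGS to an acceptor that asked for no binding check. The unconditional TREAD_STR also advances ptr by a locally computed length, which presumably relies on the length test described in the comment just above the hunk. The new comment would be more useful if it gave the reason, for example `/* RFC 1964: the client's bindings are always present in the checksum field; consume them so gss_flags is read from the right offset, even when the acceptor supplies no bindings and the value is not compared. */`. The enclosing function starts and ends outside the hunk.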
@@ -460,10 +461,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
                }
            }
            
-           xfree(reqcksum.contents);
-           reqcksum.contents = 0;
        }
 
+       xfree(reqcksum.contents);
+       reqcksum.contents = 0;
+
        TREAD_INT(ptr, gss_flags, bigend);
        gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
                                          there's a delegation, we'll set