(make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256, insert some
stuff after the delegation slot.
(new_connection) [CFX_EXERCISE]: Don't send messages with bogus token ids.
* accept_sec_context.c (krb5_gss_accept_sec_context): Don't discard the
delegation flag; only look for a delegation if the flag is set, and only look
for delegation, not other options. Ignore any other data there.
ticket: 2079
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15964 dc483132-0cff-0310-8789-dd5450dbe970
+2004-01-05 Ken Raeburn <raeburn@mit.edu>
+
+ * init_sec_context.c: Include auth_con.h if CFX_EXERCISE is
+ defined.
+ (make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256,
+ insert some stuff after the delegation slot.
+ (new_connection) [CFX_EXERCISE]: Don't send messages with bogus
+ token ids.
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Don't
+ discard the delegation flag; only look for a delegation if the
+ flag is set, and only look for delegation, not other options.
+ Ignore any other data there.
+
2003-12-19 Ken Raeburn <raeburn@mit.edu>
* util_crypt.c (kg_encrypt, kg_decrypt): Input pointer now points
reqcksum.contents = 0;
TREAD_INT(ptr, gss_flags, bigend);
+#if 0
gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
there's a delegation, we'll set
it below */
+#endif
decode_req_message = 0;
/* if the checksum length > 24, there are options to process */
- if(authdat->checksum->length > 24) {
+ if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) {
i = authdat->checksum->length - 24;
- while (i >= 4) {
+ if (i >= 4) {
TREAD_INT16(ptr, option_id, bigend);
i -= option.length;
- switch(option_id) {
-
- case KRB5_GSS_FOR_CREDS_OPTION:
+ if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
/* store the delegated credential */
goto fail;
}
- gss_flags |= GSS_C_DELEG_FLAG; /* got a delegation */
-
- break;
-
- /* default: */
- /* unknown options aren't an error */
-
- } /* switch */
- } /* while */
+ } /* if i >= 4 */
+ /* ignore any additional trailing data, for now */
} /* if */
}
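Review bot: The new `if (i >= 4)` guard only bounds the two 16-bit header reads; `i -= option.length;` immediately after `TREAD_INT16(ptr, option_id, bigend)` still subtracts a peer-supplied length with no visible check that `option.length <= i`, so a token whose FOR_CREDS option claims more bytes than remain in the checksum drives `i` negative (or wraps it if it is unsigned) and lets the delegated-credential decode that follows read past `authdat->checksum->contents`. Unless the collapsed context already rejects this, add `if (option.length > i) { major_status = GSS_S_FAILURE; goto fail; }` before the subtraction. Rejecting any option other than KRB5_GSS_FOR_CREDS_OPTION with GSS_S_FAILURE once the delegation flag is set also reverses the removed "unknown options aren't an error" policy; a one-line comment such as `/* with DELEG_FLAG set, only a KRB_CRED option is acceptable */` would keep the next maintainer from quietly restoring the old tolerance. krb5_gss_accept_sec_context begins and ends outside this hunk.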
krb5_data checksum_data;
};
+#ifdef CFX_EXERCISE
+#include "../../krb5/krb/auth_con.h"
+#endif
static krb5_error_code KRB5_CALLCONV
make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
void *cksum_data, krb5_data **out)
unsigned char *ptr;
struct gss_checksum_data *data = cksum_data;
krb5_data credmsg;
+ int junk;
+
data->checksum_data.data = 0;
credmsg.data = 0;
/* build the checksum field */
} else {
data->checksum_data.length = 24;
}
+#ifdef CFX_EXERCISE
+ if (data->ctx->auth_context->keyblock->enctype == 18) {
+ srand(time(0) ^ getpid());
+ /* Our ftp client code stupidly assumes a base64-encoded
+ version of the token will fit in 10K, so don't make this
+ too big. */
+ junk = rand() & 0xff;
+ } else
+ junk = 0;
+#else
+ junk = 0;
+#endif
+
+ data->checksum_data.length += junk;
/* now allocate a buffer to hold the checksum data and
(maybe) KRB_CRED msg */
/* free credmsg data */
krb5_free_data_contents(context, &credmsg);
}
+ if (junk)
+ memset(ptr, 'i', junk);
*out = &data->checksum_data;
return 0;
}
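Review bot: The enctype test `if (data->ctx->auth_context->keyblock->enctype == 18)` uses a bare magic number where the rest of the library has a name for it; `if (data->ctx->auth_context->keyblock->enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96)` states what the ChangeLog says ("if the key enctype is aes256") and survives any renumbering. Reseeding with `srand(time(0) ^ getpid())` on every call also means two tokens built by the same process within one second get identical padding lengths, so if the exercise is meant to vary the trailing data the seed should be set once rather than per checksum. Both are test-only under CFX_EXERCISE, but `#include "../../krb5/krb/auth_con.h"` reaches into a private libkrb5 header by relative path and will break as soon as the tree layout moves; if the keyblock really must be read here it should come through the normal internal include path. make_gss_checksum's body is only shown in fragments in this hunk, so whether `ptr` already points past the KRB_CRED bytes when `memset(ptr, 'i', junk)` runs cannot be confirmed from here.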
*context_handle = (gss_ctx_id_t) ctx;
ctx_free = 0;
+#if 0 /* Sigh. We're changing the spec again. */
#ifdef CFX_EXERCISE
if (ctx->proto == 1
/* I think the RPC code may be broken. Don't mess around
ctx->testing_unknown_tokid = 0;
ctx_free = 0;
}
-#endif
+#endif /* CFX_EXERCISE */
+#endif /* 0 */
/* compute time_rec */
if (time_rec) {