2000-09-01 Jeffrey Altman <jaltman@columbia.edu>
authorJeffrey Altman <jaltman@secure-endpoints.com>
Sat, 2 Sep 2000 06:00:58 +0000 (06:00 +0000)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Sat, 2 Sep 2000 06:00:58 +0000 (06:00 +0000)
        * accept_sec_context.c: krb5_gss_accept_sec_context()
        It has been determined by Martin Rex that Windows 2000 is incapable
        of supporting channel bindings.   This caused us to examine the
        various RFCs affecting FTP GSSAPI to determine whether or not
        channel bindings were a MUST for implementation of the FTP GSSAPI
        protocol.  It was determined that the channel binding facility as
        described in RFC2743 is optional.  Therefore, we cannot assume
        that all clients or servers will support it.  The code was updated
        to allow GSS_C_NO_CHANNEL_BINDINGS when specified by either the
        client or server to indicate that channel bindings will not be
        used.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12645 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/ChangeLog
src/lib/gssapi/krb5/accept_sec_context.c

index 6f764457ee92ffe806ed154dd15a30bb37a177bb..499577e8a9b746188ddc4dfb7a4eb1678dac5dbc 100644 (file)
@@ -1,3 +1,17 @@
+2000-09-01  Jeffrey Altman <jaltman@columbia.edu>
+
+        * accept_sec_context.c: krb5_gss_accept_sec_context()
+        It has been determined by Martin Rex that Windows 2000 is incapable
+        of supporting channel bindings.   This caused us to examine the
+        various RFCs affecting FTP GSSAPI to determine whether or not
+        channel bindings were a MUST for implementation of the FTP GSSAPI
+        protocol.  It was determined that the channel binding facility as
+        described in RFC2743 is optional.  Therefore, we cannot assume
+        that all clients or servers will support it.  The code was updated
+        to allow GSS_C_NO_CHANNEL_BINDINGS when specified by either the
+        client or server to indicate that channel bindings will not be
+        used.
+
 2000-06-27  Tom Yu  <tlyu@mit.edu>
 
        * init_sec_context.c (get_credentials): Add initial iteration of
index 0d2aaa5eade3a35c187600b9924961fa432b7b85..ca29eaf4763897c6b5ae070484ece063451622ef 100644 (file)
@@ -417,21 +417,52 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
        /* at this point, bigend is set according to the initiator's
          byte order */
 
-       if ((code = kg_checksum_channel_bindings(context, input_chan_bindings,
-                                               &reqcksum, bigend))) {
-          major_status = GSS_S_BAD_BINDINGS;
-          goto fail;
-       }
 
-       TREAD_STR(ptr, ptr2, reqcksum.length);
-       if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
-          code = 0;
-          major_status = GSS_S_BAD_BINDINGS;
-          goto fail;
-       }
+       /* 
+          The following section of code attempts to implement the
+          optional channel binding facility as described in RFC2743.
 
-       xfree(reqcksum.contents);
-       reqcksum.contents = 0;
+          Since this facility is optional channel binding may or may
+          not have been provided by either the client or the server.
+
+          If the server has specified input_chan_bindings equal to
+          GSS_C_NO_CHANNEL_BINDINGS then we skip the check.  If
+          the server does provide channel bindings then we compute
+          a checksum and compare against those provided by the
+          client.  If the check fails we test the clients checksum
+          to see whether the client specified GSS_C_NO_CHANNEL_BINDINGS.
+          If either test succeeds we continue without error.
+       */
+
+       if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
+           if ((code = kg_checksum_channel_bindings(context, 
+                                                    input_chan_bindings,
+                                                   &reqcksum, bigend))) {
+                  major_status = GSS_S_BAD_BINDINGS;
+                  goto fail;
+           }
+           
+           
+           TREAD_STR(ptr, ptr2, reqcksum.length);
+           if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+               xfree(reqcksum.contents);
+               reqcksum.contents = 0;
+               if ((code = kg_checksum_channel_bindings(context, 
+                                                  GSS_C_NO_CHANNEL_BINDINGS,
+                                                  &reqcksum, bigend))) {
+                   major_status = GSS_S_BAD_BINDINGS;
+                   goto fail;
+               }
+               if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+                   code = 0;
+                   major_status = GSS_S_BAD_BINDINGS;
+                   goto fail;
+               }
+           }
+           
+           xfree(reqcksum.contents);
+           reqcksum.contents = 0;
+       }
 
        TREAD_INT(ptr, gss_flags, bigend);
        gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
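Review bot: The inner fallback makes acceptor-supplied channel bindings advisory only: when the initiator's checksum does not match input_chan_bindings, the token is still accepted provided it matches the checksum computed over GSS_C_NO_CHANNEL_BINDINGS, and nothing in the hunk records which case applied, so a caller that passed bindings to bind this context to an outer channel cannot tell that no binding was actually verified. If the relaxation is intended to stay, the comment block should say so explicitly, e.g. `/* NOTE: when the initiator sends the GSS_C_NO_CHANNEL_BINDINGS checksum the acceptor's bindings are not enforced; the caller is not told which case applied. */`, and it would be worth exposing the outcome to the caller (a returned flag or context attribute) or making the fallback opt-in so an acceptor that requires bindings can still reject. On the second memcmp failure reqcksum.contents is left allocated before `goto fail`; that matches the old code's first-failure path, so it presumably relies on the fail label freeing it, but that label is outside the hunk, as are the start and end of krb5_gss_accept_sec_context. Minor style: the duplicated kg_checksum_channel_bindings error handling and the trailing whitespace on the blank lines inside the new block could be tidied.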