From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sat, 2 Sep 2000 06:00:58 +0000 (+0000)
Subject: 2000-09-01  Jeffrey Altman <jaltman@columbia.edu>
X-Git-Tag: krb5-1.3-alpha1~1895
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f121e2fbb58aeb1c9f113c5756bccf369c22e277;p=krb5.git

2000-09-01  Jeffrey Altman <jaltman@columbia.edu>

        * accept_sec_context.c: krb5_gss_accept_sec_context()
        It has been determined by Martin Rex that Windows 2000 is incapable
        of supporting channel bindings.   This caused us to examine the
        various RFCs affecting FTP GSSAPI to determine whether or not
        channel bindings were a MUST for implementation of the FTP GSSAPI
        protocol.  It was determined that the channel binding facility as
        described in RFC2743 is optional.  Therefore, we cannot assume
        that all clients or servers will support it.  The code was updated
        to allow GSS_C_NO_CHANNEL_BINDINGS when specified by either the
        client or server to indicate that channel bindings will not be
        used.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12645 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 6f764457e..499577e8a 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,17 @@
+2000-09-01  Jeffrey Altman <jaltman@columbia.edu>
+
+        * accept_sec_context.c: krb5_gss_accept_sec_context()
+        It has been determined by Martin Rex that Windows 2000 is incapable
+        of supporting channel bindings.   This caused us to examine the
+        various RFCs affecting FTP GSSAPI to determine whether or not
+        channel bindings were a MUST for implementation of the FTP GSSAPI
+        protocol.  It was determined that the channel binding facility as
+        described in RFC2743 is optional.  Therefore, we cannot assume
+        that all clients or servers will support it.  The code was updated
+        to allow GSS_C_NO_CHANNEL_BINDINGS when specified by either the
+        client or server to indicate that channel bindings will not be
+        used.
+
 2000-06-27  Tom Yu  <tlyu@mit.edu>
 
 	* init_sec_context.c (get_credentials): Add initial iteration of
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 0d2aaa5ea..ca29eaf47 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -417,21 +417,52 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
        /* at this point, bigend is set according to the initiator's
 	  byte order */
 
-       if ((code = kg_checksum_channel_bindings(context, input_chan_bindings,
-						&reqcksum, bigend))) {
-	   major_status = GSS_S_BAD_BINDINGS;
-	   goto fail;
-       }
 
-       TREAD_STR(ptr, ptr2, reqcksum.length);
-       if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
-	   code = 0;
-	   major_status = GSS_S_BAD_BINDINGS;
-	   goto fail;
-       }
+       /* 
+          The following section of code attempts to implement the
+          optional channel binding facility as described in RFC2743.
 
-       xfree(reqcksum.contents);
-       reqcksum.contents = 0;
+          Since this facility is optional channel binding may or may
+          not have been provided by either the client or the server.
+
+          If the server has specified input_chan_bindings equal to
+          GSS_C_NO_CHANNEL_BINDINGS then we skip the check.  If
+          the server does provide channel bindings then we compute
+          a checksum and compare against those provided by the
+          client.  If the check fails we test the clients checksum
+          to see whether the client specified GSS_C_NO_CHANNEL_BINDINGS.
+          If either test succeeds we continue without error.
+       */
+
+       if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
+           if ((code = kg_checksum_channel_bindings(context, 
+                                                    input_chan_bindings,
+           					    &reqcksum, bigend))) {
+           	   major_status = GSS_S_BAD_BINDINGS;
+           	   goto fail;
+           }
+           
+           
+           TREAD_STR(ptr, ptr2, reqcksum.length);
+           if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+               xfree(reqcksum.contents);
+               reqcksum.contents = 0;
+               if ((code = kg_checksum_channel_bindings(context, 
+                                                  GSS_C_NO_CHANNEL_BINDINGS,
+                                                  &reqcksum, bigend))) {
+                   major_status = GSS_S_BAD_BINDINGS;
+                   goto fail;
+               }
+               if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+                   code = 0;
+                   major_status = GSS_S_BAD_BINDINGS;
+                   goto fail;
+               }
+           }
+           
+           xfree(reqcksum.contents);
+           reqcksum.contents = 0;
+       }
 
        TREAD_INT(ptr, gss_flags, bigend);
        gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if