From 353d43da34c4f040a74dbca9c71dea8d5610789c Mon Sep 17 00:00:00 2001
From: Ezra Peisach
Date: Fri, 22 Sep 2000 17:42:43 +0000
Subject: [PATCH] * accept_sec_context.c (krb5_gss_accept_sec_context): When GCC_S_NO_CHANNEL_BINDINGS is set by the server, skip over the bindings sent from the client. RFC-1964 indicates that the client's channel bindings are always sent in checksum field and need to be accounted for, evn if the server does not care.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12664 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/ChangeLog | 8 ++++++++
 src/lib/gssapi/krb5/accept_sec_context.c | 24 +++++++++++++-----------
 2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 499577e8a..821bf0b1b 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,11 @@
+Fri Sep 22 12:05:31 2000 Ezra Peisach
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): When
+ GCC_S_NO_CHANNEL_BINDINGS is set by the server, skip over the
+ bindings sent from the client. RFC-1964 indicates that the
+ client's channel bindings are always sent in checksum field and
+ need to be accounted for, evn if the server does not care.
+
 2000-09-01 Jeffrey Altman * accept_sec_context.c: krb5_gss_accept_sec_context()
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index ca29eaf47..75a6eaeca 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -434,16 +434,17 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 If either test succeeds we continue without error. */
+ if ((code = kg_checksum_channel_bindings(context,
+ input_chan_bindings,
+ &reqcksum, bigend))) {
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+
+ /* Always read the clients bindings - eventhough we might ignore them */
+ TREAD_STR(ptr, ptr2, reqcksum.length);
+
 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
- if ((code = kg_checksum_channel_bindings(context,
- input_chan_bindings,
- &reqcksum, bigend))) {
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
-
-
- TREAD_STR(ptr, ptr2, reqcksum.length);
 if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
 xfree(reqcksum.contents);
 reqcksum.contents = 0;
@@ -460,10 +461,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 }
 }
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
 }
+ xfree(reqcksum.contents);
+ reqcksum.contents = 0;
+
 TREAD_INT(ptr, gss_flags, bigend);
 gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if there's a delegation, we'll set
-- 
2.26.2
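Review bot: The now-unconditional `TREAD_STR(ptr, ptr2, reqcksum.length)` in the first hunk takes its skip length from kg_checksum_channel_bindings(), so the later `TREAD_INT(ptr, gss_flags, bigend)` lands on the flags field only if that helper returns the full bindings-field length even when input_chan_bindings is GSS_C_NO_CHANNEL_BINDINGS; the helper is not shown here, so this is worth confirming, because a short length would have the flags parsed out of client-supplied binding bytes. The early `goto fail` also now reports GSS_S_BAD_BINDINGS when the server asked for no bindings and the helper merely failed internally; `major_status = (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) ? GSS_S_FAILURE : GSS_S_BAD_BINDINGS;` would keep the status meaningful. I would also reword the new comment to say why the read is needed, e.g. `/* RFC 1964: the client's bindings field is always present; consume it so the flags read stays aligned even when the server ignores bindings */`. The enclosing function starts and ends outside both hunks, so any length check on the checksum buffer before these reads is not visible here.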