From b32122b9363c37c3460d5fabd074617030c4107d Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Mon, 5 Jan 2004 21:12:23 +0000 Subject: [PATCH] * init_sec_context.c: Include auth_con.h if CFX_EXERCISE is defined. (make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256, insert some stuff after the delegation slot. (new_connection) [CFX_EXERCISE]: Don't send messages with bogus token ids. * accept_sec_context.c (krb5_gss_accept_sec_context): Don't discard the delegation flag; only look for a delegation if the flag is set, and only look for delegation, not other options. Ignore any other data there. ticket: 2079 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15964 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/krb5/ChangeLog | 14 +++++++++++++ src/lib/gssapi/krb5/accept_sec_context.c | 24 ++++++++++------------- src/lib/gssapi/krb5/init_sec_context.c | 25 +++++++++++++++++++++++- 3 files changed, 48 insertions(+), 15 deletions(-) diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index fefdb9ff4..669fbc25f 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,17 @@ +2004-01-05 Ken Raeburn + + * init_sec_context.c: Include auth_con.h if CFX_EXERCISE is + defined. + (make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256, + insert some stuff after the delegation slot. + (new_connection) [CFX_EXERCISE]: Don't send messages with bogus + token ids. + + * accept_sec_context.c (krb5_gss_accept_sec_context): Don't + discard the delegation flag; only look for a delegation if the + flag is set, and only look for delegation, not other options. + Ignore any other data there. + 2003-12-19 Ken Raeburn * util_crypt.c (kg_encrypt, kg_decrypt): Input pointer now points diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index db03d2815..c27d82363 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -515,18 +515,20 @@ krb5_gss_accept_sec_context(minor_status, context_handle, reqcksum.contents = 0; TREAD_INT(ptr, gss_flags, bigend); +#if 0 gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if there's a delegation, we'll set it below */ +#endif decode_req_message = 0; /* if the checksum length > 24, there are options to process */ - if(authdat->checksum->length > 24) { + if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) { i = authdat->checksum->length - 24; - while (i >= 4) { + if (i >= 4) { TREAD_INT16(ptr, option_id, bigend); @@ -548,9 +550,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle, i -= option.length; - switch(option_id) { - - case KRB5_GSS_FOR_CREDS_OPTION: + if (option_id != KRB5_GSS_FOR_CREDS_OPTION) { + major_status = GSS_S_FAILURE; + goto fail; + } /* store the delegated credential */ @@ -562,15 +565,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, goto fail; } - gss_flags |= GSS_C_DELEG_FLAG; /* got a delegation */ - - break; - - /* default: */ - /* unknown options aren't an error */ - - } /* switch */ - } /* while */ + } /* if i >= 4 */ + /* ignore any additional trailing data, for now */ } /* if */ } diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 3c67217c5..20d416fe3 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -142,6 +142,9 @@ struct gss_checksum_data { krb5_data checksum_data; }; +#ifdef CFX_EXERCISE +#include "../../krb5/krb/auth_con.h" +#endif static krb5_error_code KRB5_CALLCONV make_gss_checksum (krb5_context context, krb5_auth_context auth_context, void *cksum_data, krb5_data **out) @@ -151,6 +154,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, unsigned char *ptr; struct gss_checksum_data *data = cksum_data; krb5_data credmsg; + int junk; + data->checksum_data.data = 0; credmsg.data = 0; /* build the checksum field */ @@ -188,6 +193,20 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, } else { data->checksum_data.length = 24; } +#ifdef CFX_EXERCISE + if (data->ctx->auth_context->keyblock->enctype == 18) { + srand(time(0) ^ getpid()); + /* Our ftp client code stupidly assumes a base64-encoded + version of the token will fit in 10K, so don't make this + too big. */ + junk = rand() & 0xff; + } else + junk = 0; +#else + junk = 0; +#endif + + data->checksum_data.length += junk; /* now allocate a buffer to hold the checksum data and (maybe) KRB_CRED msg */ @@ -216,6 +235,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, /* free credmsg data */ krb5_free_data_contents(context, &credmsg); } + if (junk) + memset(ptr, 'i', junk); *out = &data->checksum_data; return 0; } @@ -564,6 +585,7 @@ new_connection( *context_handle = (gss_ctx_id_t) ctx; ctx_free = 0; +#if 0 /* Sigh. We're changing the spec again. */ #ifdef CFX_EXERCISE if (ctx->proto == 1 /* I think the RPC code may be broken. Don't mess around @@ -603,7 +625,8 @@ new_connection( ctx->testing_unknown_tokid = 0; ctx_free = 0; } -#endif +#endif /* CFX_EXERCISE */ +#endif /* 0 */ /* compute time_rec */ if (time_rec) { -- 2.26.2