From f2f123f7fc81c6167d9601d352aeb0f1512c5092 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 13 Feb 1998 01:55:32 +0000 Subject: [PATCH] * accept_sec_context.c (krb5_gss_accept_sec_context): Add lots of explicit assignments to major_status to ensure that we actually return an error when we mean to. This was previously preventing gssrpc authentication with the old ovsec_kadm interface from working because the gssrpc server side functions were failing to loop over a set of supplied credentials. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10428 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/krb5/ChangeLog | 7 +++++ src/lib/gssapi/krb5/accept_sec_context.c | 40 +++++++++++++++--------- 2 files changed, 32 insertions(+), 15 deletions(-) diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 58bd008f0..676300f52 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,5 +1,12 @@ Thu Feb 12 16:38:14 1998 Tom Yu + * accept_sec_context.c (krb5_gss_accept_sec_context): Add lots of + explicit assignments to major_status to ensure that we actually + return an error when we mean to. This was previously preventing + gssrpc authentication with the old ovsec_kadm interface from + working because the gssrpc server side functions were failing to + loop over a set of supplied credentials. + * init_sec_context.c: KLUDGE!! Add global variable krb5_gss_dbg_client_expcreds to allow the client library to send expired credentials for testing and debugging purposes. diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index ef5d7ebc5..5fd4df5a1 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c 
@@ -313,8 +313,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle, return(GSS_S_FAILURE); } if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ, - cred->keytab, NULL, &ticket))) - goto fail; + cred->keytab, NULL, &ticket))) { + major_status = GSS_S_FAILURE; + goto fail; + } krb5_auth_con_getauthenticator(context, auth_context, &authdat); @@ -359,22 +361,25 @@ krb5_gss_accept_sec_context(minor_status, context_handle, TREAD_INT(ptr, tmp, bigend); if (tmp != krb5_checksum_size(context, CKSUMTYPE_RSA_MD5)) { - ptr = (unsigned char *) authdat->checksum->contents; - bigend = 1; + ptr = (unsigned char *) authdat->checksum->contents; + bigend = 1; - TREAD_INT(ptr, tmp, bigend); + TREAD_INT(ptr, tmp, bigend); - if (tmp != krb5_checksum_size(context, CKSUMTYPE_RSA_MD5)) { - code = KG_BAD_LENGTH; - goto fail; - } + if (tmp != krb5_checksum_size(context, CKSUMTYPE_RSA_MD5)) { + major_status = GSS_S_FAILURE; + code = KG_BAD_LENGTH; + goto fail; + } } /* at this point, bigend is set according to the initiator's byte order */ if ((code = kg_checksum_channel_bindings(context, input_chan_bindings, &md5, - bigend))) - goto fail; + bigend))) { + major_status = GSS_S_BAD_BINDINGS; + goto fail; + } TREAD_STR(ptr, ptr2, md5.length); if (memcmp(ptr2, md5.contents, md5.length) != 0) { @@ -417,8 +422,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle, call to rd_and_store_for_creds() and clear its flags */ if ((code = krb5_auth_con_init(context, - &auth_context_cred))) - goto fail; + &auth_context_cred))) { + major_status = GSS_S_FAILURE; + goto fail; + } krb5_auth_con_setflags(context, auth_context_cred, 0); @@ -448,8 +455,9 @@ krb5_gss_accept_sec_context(minor_status, context_handle, if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) == NULL) { - code = ENOMEM; - goto fail; + major_status = GSS_S_FAILURE; + code = ENOMEM; + goto fail; } memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); 
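Review bot: Setting `major_status` by hand in front of each `goto fail` (here after `krb5_rd_req`, and again in the `@@ -417` and `@@ -448` hunks after `krb5_auth_con_init` and `xmalloc`) means any error path that is missed can still return a non-error status, which is the bug the commit message describes. In an acceptor that status is the authentication decision, so I would make failure the default at the shared exit instead of at each site, e.g. at the `fail:` label: `if (!GSS_ERROR(major_status)) major_status = GSS_S_FAILURE;`. The label and the initial value of `major_status` are outside these hunks, so confirm that no path is meant to reach `fail` with a non-error status.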
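Review bot: The new `major_status = GSS_S_BAD_BINDINGS;` after `kg_checksum_channel_bindings()` in the `@@ -359` hunk reports a failure to compute the local binding hash as if the initiator's bindings had not matched. Only the `memcmp(ptr2, md5.contents, md5.length)` comparison below it establishes a mismatch. An error from the helper (its failure modes are not visible here, presumably allocation or checksum errors) is better reported as `major_status = GSS_S_FAILURE;`, so that callers and logs do not read an internal error as a binding mismatch. The body of the `memcmp` branch is outside the hunk, so check that it is the path that sets `GSS_S_BAD_BINDINGS`.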
@@ -460,6 +468,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, ctx->seed_init = 0; ctx->big_endian = bigend; + major_status = GSS_S_FAILURE; + /* Intern the ctx pointer so that delete_sec_context works */ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { code = G_VALIDATE_FAILED; -- 2.26.2
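Review bot: The bare `major_status = GSS_S_FAILURE;` added before `kg_save_ctx_id()` needs a comment, because unlike the per-site assignments in the earlier hunks it appears to be a blanket default for the error paths that follow, beginning with the `G_VALIDATE_FAILED` branch (which presumably jumps to `fail`). Something like `/* Default status for every "goto fail" below; the success path must overwrite it before returning. */` makes that contract visible to the next person who adds a step here. The rest of the function is outside the hunk, so verify that the successful return does reset the status.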