author | Andrew Bartlett <abartlet@samba.org> | 2015-07-07 13:52:10 +1200 |
---|---|---|
committer | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2015-07-30 10:52:54 +1200 |
commit | 85082949406c2aa9408666cab9cc51c15b246707 (patch) | |
tree | 535c508d649a96bbc380f91d7e2ab23a47e05874 | |
parent | be63a2914adcbea7d42d56e674ee6edb4883ebaf (diff) |
gssapi: Allow a NULL authenticator
Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req()
can trigger a NULL authenticator checksum here. Assume this to be equivalent to specifying an all-zero
channel bindings and some reasonable (fixed) flags.
Original patch by Andrew Bartlett, restructured by Douglas Bagnall
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-rw-r--r-- | lib/gssapi/krb5/accept_sec_context.c | 71 |
1 files changed, 35 insertions, 36 deletions
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index c55e87e1d..ada03f5a5 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -511,13 +511,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 return ret;
 }
- if (authenticator->cksum == NULL) {
- krb5_free_authenticator(context, &authenticator);
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+ if (authenticator->cksum != NULL
+ && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
 ret = _gsskrb5_verify_8003_checksum(minor_status,
 input_chan_bindings,
 authenticator->cksum,
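Review bot: Dropping the `GSS_S_BAD_BINDINGS` return means an authenticator with no checksum is now accepted without `input_chan_bindings` ever being consulted, so an acceptor that supplies bindings for relay protection gets no enforcement on this path. The commit message says a missing checksum is to be treated as all-zero bindings, but nothing on the new side compares the acceptor's bindings against anything, so whether this is more permissive than the 8003 path depends on how `_gsskrb5_verify_8003_checksum` (outside this hunk) handles a zero hash. If the intent is only to admit non-GSSAPI initiators, a narrower condition keeps the old rejection for callers that actually supplied bindings: guard the removed free/`return GSS_S_BAD_BINDINGS` block with `if (authenticator->cksum == NULL && input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS)` and let the unbound case fall through to the new branch. Either way the relaxation deserves a comment at the `if (authenticator->cksum != NULL` line such as `/* No checksum: accept with no binding check; see krb5_mk_req()-based initiators */`. The enclosing function continues beyond this hunk.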
@@ -529,44 +524,48 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 return ret;
 }
 } else {
- krb5_crypto crypto;
-
- kret = krb5_crypto_init(context,
- ctx->auth_context->keyblock,
- 0, &crypto);
- if(kret) {
+ if (authenticator->cksum != NULL) {
+ krb5_crypto crypto;
+
+ kret = krb5_crypto_init(context,
+ ctx->auth_context->keyblock,
+ 0, &crypto);
+ if(kret) {
+ krb5_free_authenticator(context, &authenticator);
+
+ ret = GSS_S_FAILURE;
+ *minor_status = kret;
+ return ret;
+ }
+
+ /*
+ * Windows accepts Samba3's use of a kerberos, rather than
+ * GSSAPI checksum here
+ */
+
+ kret = krb5_verify_checksum(context,
+ crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+ authenticator->cksum);
 krb5_free_authenticator(context, &authenticator);
+ krb5_crypto_destroy(context, crypto);
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- return ret;
+ if(kret) {
+ ret = GSS_S_BAD_SIG;
+ *minor_status = kret;
+ return ret;
+ }
 }
 /*
- * Windows accepts Samba3's use of a kerberos, rather than
- * GSSAPI checksum here
+ * If there is no checksum or a kerberos checksum (which Windows
+ * and Samba accept), we use the ap_options to guess the mutual
+ * flag.
 */
- kret = krb5_verify_checksum(context,
- crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
- authenticator->cksum);
- krb5_free_authenticator(context, &authenticator);
- krb5_crypto_destroy(context, crypto);
-
- if(kret) {
- ret = GSS_S_BAD_SIG;
- *minor_status = kret;
- return ret;
- }
-
- /*
- * Samba style get some flags (but not DCE-STYLE), use
- * ap_options to guess the mutual flag.
- */
- ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
 ctx->flags |= GSS_C_MUTUAL_FLAG;
- }
+ }
 }
 if(ctx->flags & GSS_C_MUTUAL_FLAG) {
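Review bot: The authenticator is no longer freed when `cksum` is NULL: on the new side both `krb5_free_authenticator` calls sit inside `if (authenticator->cksum != NULL)`, and the old early return that freed it before `GSS_S_BAD_BINDINGS` is gone, so unless a free exists further down in `gsskrb5_acceptor_start` (the function continues past this hunk) the newly admitted path leaks the authenticator on every accept. Adding `else { krb5_free_authenticator(context, &authenticator); }` to the closing `}` of that block, before the reworded comment, keeps ownership identical across all three branches. Separately, the no-checksum branch leaves `ctx->fwd_data` and any flags the 8003 path would have derived untouched; a one-line comment at the `ctx->flags =` assignment, e.g. `/* No checksum means no delegation and no binding info; flags are guessed from ap_options only */`, would make that explicit for the next reader.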