krb5 commit: Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result
Greg Hudson
ghudson at MIT.EDU
Sat Aug 9 12:35:47 EDT 2014
https://github.com/krb5/krb5/commit/d899084e24555dc8fd091eb08187ca2a45a08324
commit d899084e24555dc8fd091eb08187ca2a45a08324
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Aug 8 16:50:38 2014 -0400
Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result
The krb5 gss_accept_sec_context could erroneously return
GSS_C_DELEG_FLAG in ret_flags if either:
* The token included the GSS_C_DELEG_FLAG but did not include at least
28 bytes in the authenticator checksum.
* The initial token included the GSS_C_DELEG_FLAG but a DCE-style
exchange was performed.
Fix both of these cases.
ticket: 7987 (new)
target_version: 1.13
tags: pullup
src/lib/gssapi/krb5/accept_sec_context.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index b808650..45e1841 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -360,10 +360,10 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
if (time_rec)
*time_rec = ctx->krb_times.endtime - now;
+ /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
+ * delegation yet. */
if (ret_flags)
- *ret_flags = ctx->gss_flags;
-
- /* XXX no support for delegated credentials yet */
+ *ret_flags = (ctx->gss_flags & ~GSS_C_DELEG_FLAG);
*minor_status = 0;
@@ -467,6 +467,7 @@ kg_accept_krb5(minor_status, context_handle,
krb5int_access kaccess;
int cred_rcache = 0;
int no_encap = 0;
+ int token_deleg_flag = 0;
krb5_flags ap_req_options = 0;
krb5_enctype negotiated_etype;
krb5_authdata_context ad_context = NULL;
@@ -776,17 +777,16 @@ kg_accept_krb5(minor_status, context_handle,
xfree(reqcksum.contents);
reqcksum.contents = 0;
+ /* Read the token flags. Remember if GSS_C_DELEG_FLAG was set, but
+ * mask it out until we actually read a delegated credential. */
TREAD_INT(ptr, gss_flags, 0);
-#if 0
- gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
- there's a delegation, we'll set
- it below */
-#endif
+ token_deleg_flag = (gss_flags & GSS_C_DELEG_FLAG);
+ gss_flags &= ~GSS_C_DELEG_FLAG;
/* if the checksum length > 24, there are options to process */
i = authdat->checksum->length - 24;
- if (i && (gss_flags & GSS_C_DELEG_FLAG)) {
+ if (i && token_deleg_flag) {
if (i >= 4) {
TREAD_INT16(ptr, option_id, 0);
TREAD_INT16(ptr, option.length, 0);
@@ -821,6 +821,7 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
+ gss_flags |= GSS_C_DELEG_FLAG;
} /* if i >= 4 */
/* ignore any additional trailing data, for now */
}
More information about the cvs-krb5
mailing list