[krbdev.mit.edu #1352] kg_seal should check GSS_C_PROT_READY_FLAG value

The RT System itself via RT rt-comment at krbdev.mit.edu
Fri Feb 14 15:23:29 EST 2003


>From wyllys at eagle.wki.test.net  Fri Feb 14 15:23:24 2003
Date: Fri, 14 Feb 2003 15:23:16 -0500 (EST)
Message-Id: <200302142023.h1EKNGBL015256 at eagle.wki.test.net>
To: krb5-bugs at mit.edu
From: wyllys.ingersoll at sun.com
Reply-To: wyllys.ingersoll at sun.com
X-send-pr-version: 3.99


>Submitter-Id:	net
>Originator:	Wyllys Ingersoll	
>Organization:  Sun Microsystems, Inc
	
>Confidential:	no
>Synopsis:	kg_seal should check GSS_C_PROT_READY_FLAG value
>Severity:	serious
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	krb5-1.2.7
>Environment:
System: SunOS eagle.wki.test.net 5.10 s10_27 sun4u sparc SUNW,Sun-Blade-100
Architecture: sun4

>Description:  The kg_seal function should not fail if the "established" 
	flag is not set, but rather should check for the presence of a
	subkey AND the GSS_C_PROT_READY_FLAG.   This will cause problems
	for SPNEGO negotiation later (generating MechListMIC) because
	SPNEGO needs the KRB5 mechanism to create a MIC before the 
	context is fully established.

>How-To-Repeat:
	
>Fix:
[wyllys at eagle 15:20:56 ]gdiff -bw -U 5  k5seal.c k5seal.new
--- k5seal.c	Wed May 31 13:17:38 2000
+++ k5seal.new	Fri Feb 14 15:20:30 2003
@@ -408,11 +408,11 @@
 	return(GSS_S_NO_CONTEXT);
     }
 
     ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-    if (! ctx->established) {
+    if (ctx->subkey == NULL || !(ctx->gss_flags & GSS_C_PROT_READY_FLAG)) {
 	*minor_status = KG_CTX_INCOMPLETE;
 	return(GSS_S_NO_CONTEXT);
     }
 
     if ((code = krb5_timeofday(context, &now))) {
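
Review bot: The replacement condition at the `+` line makes `GSS_C_PROT_READY_FLAG` in `ctx->gss_flags` the only gate besides a non-NULL `ctx->subkey`, yet nothing in this patch shows where that bit gets set, so everything kg_seal does after this check (beginning with the `krb5_timeofday` call) will now run on a context that is not yet established. Please confirm, or include in the patch, that the context-establishment code sets the flag only once the subkey and every other ctx field kg_seal reads are initialized, and that the flag in `gss_flags` is the locally computed value rather than something requested by the caller or peer. A short comment above the check saying why `ctx->established` is no longer required (SPNEGO needs a MIC before the context is complete) would keep a later cleanup from restoring the old test. The failure path still returns `KG_CTX_INCOMPLETE` with `GSS_S_NO_CONTEXT`, which remains accurate for the new condition.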


