-rw-r--r-- | src/lib/gssapi/krb5/ChangeLog | 7 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 19 |
2 files changed, 11 insertions, 15 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index e4b2f720da..6f5ff00e65 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,10 @@
+2004-06-09 Sam Hartman <hartmans@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): If the
+ server provides channel bindings, these channel bindings must be
+ matched. Thus clients can only provide null channel bindings if
+ the server provides no channel bindings.
+
 2004-06-08 Sam Hartman <hartmans@mit.edu>
 * set_allowable_enctypes.c lucid_context.c: new file
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 731cc47602..42a86de6d2 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2004 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
@@ -481,10 +481,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 GSS_C_NO_CHANNEL_BINDINGS then we skip the check. If the server does provide channel bindings then we compute a checksum and compare against those provided by the
- client. If the check fails we test the clients checksum
- to see whether the client specified GSS_C_NO_CHANNEL_BINDINGS.
- If either test succeeds we continue without error.
- */
+ client. */
 if ((code = kg_checksum_channel_bindings(context,
 input_chan_bindings,
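Review bot: The rewritten comment in the `@@ -481,10 +481,7 @@` hunk stops at "compare against those provided by the client." and no longer says what a failed comparison does, which is the security-relevant part of this commit. I would finish it with the outcome, for example `client.  A mismatch, including a client that sent GSS_C_NO_CHANNEL_BINDINGS, fails with GSS_S_BAD_BINDINGS.` The retained text still says the check is skipped when the acceptor passes GSS_C_NO_CHANNEL_BINDINGS, so it is worth stating in the same place that binding enforcement applies only when the acceptor supplies bindings. The comment opens above this hunk, so its first lines are not visible here.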
@@ -500,17 +497,9 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
 xfree(reqcksum.contents);
 reqcksum.contents = 0;
- if ((code = kg_checksum_channel_bindings(context,
- GSS_C_NO_CHANNEL_BINDINGS,
- &reqcksum, bigend))) {
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
- if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
+ code = 0;
+ major_status = GSS_S_BAD_BINDINGS;
 goto fail;
- }
 }
 }
|
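Review bot: The rejection branch after `memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0` has no comment recording that the retry against GSS_C_NO_CHANNEL_BINDINGS was removed on purpose, so a later interoperability fix could quietly restore the downgrade. A one-line why-comment above `code = 0;` would guard against that, for example `/* No fallback to null bindings: acceptor-supplied bindings must match. */`. Setting `code = 0` presumably leaves the minor status empty on this path; that looks intentional since GSS_S_BAD_BINDINGS is already specific, but it should be confirmed against the `fail` label, which lies outside this hunk along with the rest of krb5_gss_accept_sec_context.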