diff options
author | Simo Sorce <simo@redhat.com> | 2013-07-21 01:43:54 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2013-07-28 13:17:51 -0400 |
commit | bb3affefc2b8f4c9613a43f7a497ca2d2af34462 (patch) | |
tree | 0d045d6fc48f63cc958517d076900c6dff6cbc80 | |
parent | ba8c09800ef820e4b348c2e034fb9aa602463ff3 (diff) | |
download | gss-ntlmssp-bb3affefc2b8f4c9613a43f7a497ca2d2af34462.tar.gz gss-ntlmssp-bb3affefc2b8f4c9613a43f7a497ca2d2af34462.tar.xz gss-ntlmssp-bb3affefc2b8f4c9613a43f7a497ca2d2af34462.zip |
Add expiration time checks
Check Maxlife for challenge response messages.
Also add a Maximum lifetime for the context itself based on the
same challene/response maximum life.
According to MS-NLMP MaxLifetime is 36h on modern Windows OSs, use
the same for now.
-rw-r--r-- | src/gss_ntlmssp.h | 4 | ||||
-rw-r--r-- | src/gss_sec_ctx.c | 12 |
2 files changed, 16 insertions, 0 deletions
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h index 334351a..5eb8bf6 100644 --- a/src/gss_ntlmssp.h +++ b/src/gss_ntlmssp.h @@ -21,6 +21,8 @@ #include "ntlm.h" #include "crypto.h" +#define MAX_CHALRESP_LIFETIME 36 * 60 * 60 /* 36 hours in seconds */ + #define SEC_LEVEL_MIN 0 #define SEC_LEVEL_MAX 5 @@ -125,6 +127,8 @@ struct gssntlm_ctx { struct ntlm_key exported_session_key; struct gssntlm_signseal send; struct gssntlm_signseal recv; + + time_t expiration_time; }; uint8_t gssntlm_required_security(int security_level, diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c index 65cf091..01e28a1 100644 --- a/src/gss_sec_ctx.c +++ b/src/gss_sec_ctx.c @@ -18,6 +18,7 @@ #include <errno.h> #include <stdlib.h> #include <string.h> +#include <time.h> #include <gssapi/gssapi.h> #include <gssapi/gssapi_ext.h> @@ -336,6 +337,14 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, /* the server did not send the timestamp, use current time */ if (srv_time == 0) { srv_time = ntlm_timestamp_now(); + } else { + long int tdiff; + tdiff = ntlm_timestamp_now() - srv_time; + if ((tdiff / 10000000) > MAX_CHALRESP_LIFETIME) { + retmin = EINVAL; + retmaj = GSS_S_CONTEXT_EXPIRED; + goto done; + } } /* Random client challenge */ @@ -509,6 +518,9 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, memcpy(output_token->value, ctx->auth_msg.data, ctx->auth_msg.length); output_token->length = ctx->auth_msg.length; + /* For now use the same as the challenge/response lifetime (36h) */ + ctx->expiration_time = time(NULL) + MAX_CHALRESP_LIFETIME; + retmaj = GSS_S_COMPLETE; } |