From ae3dda499ad8bd9f30d2506434dd3f8c4e72ba24 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 26 Mar 2014 23:31:45 -0400 Subject: Verify Channel Bindings in accept_sec_context --- src/gss_sec_ctx.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c index d659900..800d37e 100644 --- a/src/gss_sec_ctx.c +++ b/src/gss_sec_ctx.c @@ -766,6 +766,8 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, uint32_t in_flags; uint32_t msg_type; uint32_t av_flags = 0; + struct ntlm_buffer unhashed_cb = { 0 }; + struct ntlm_buffer av_cb = { 0 }; uint8_t sec_req; char *p; @@ -1028,7 +1030,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, retmin = ntlm_decode_target_info(ctx->ntlm, &target_info, NULL, NULL, NULL, NULL, NULL, NULL, &av_flags, - NULL, NULL, NULL); + NULL, NULL, &av_cb); if (retmin) { retmaj = GSS_S_FAILURE; goto done; @@ -1202,6 +1204,27 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, } } + if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) { + if (input_chan_bindings->initiator_addrtype != 0 || + input_chan_bindings->initiator_address.length != 0 || + input_chan_bindings->acceptor_addrtype != 0 || + input_chan_bindings->acceptor_address.length != 0 || + input_chan_bindings->application_data.length == 0) { + retmin = EINVAL; + retmaj = GSS_S_BAD_BINDINGS; + goto done; + } + unhashed_cb.length = input_chan_bindings->application_data.length; + unhashed_cb.data = input_chan_bindings->application_data.value; + + /* TODO: optionally allow to ignore CBT if av_cb is null ? */ + retmin = ntlm_verify_channel_bindings(&unhashed_cb, &av_cb); + if (retmin) { + retmaj = GSS_S_DEFECTIVE_TOKEN; + goto done; + } + } + if (ctx->neg_flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL)) { retmin = ntlm_signseal_keys(ctx->neg_flags, false, -- cgit
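Review bot: Nothing in this patch releases `av_cb` after `ntlm_decode_target_info` fills it at the changed call (`NULL, NULL, &av_cb);`); the diffstat shows no cleanup added anywhere. The decoder's implementation is not visible here, but if it returns an allocated copy of the channel-bindings AV pair, each AUTHENTICATE message carrying target info would leak that buffer. The decode appears to run before the peer has been authenticated, so an unauthenticated client could make an acceptor grow without bound. Release it on the common exit path, for example `free(av_cb.data);` under `done:` (or the project's own ntlm_buffer release helper), which is safe on the `{ 0 }` initial value. The enclosing function begins and ends outside this hunk, so the exit path could not be checked.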
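Review bot: A channel-binding mismatch is reported as `GSS_S_DEFECTIVE_TOKEN` in the new block, while the malformed-input branch just above it uses `GSS_S_BAD_BINDINGS`. RFC 2743 defines GSS_S_BAD_BINDINGS for exactly the case where the bindings in the token differ from the caller's, so `retmaj = GSS_S_BAD_BINDINGS;` after a failed `ntlm_verify_channel_bindings` would let applications and logs tell a binding failure from a corrupt token. Separately, `av_cb` is only populated by the target-info decode in the previous hunk, so when that path is not taken it is still `{ 0 }` at this call. The block therefore depends on `ntlm_verify_channel_bindings` (not visible here) rejecting an empty buffer. A comment next to the TODO such as `/* av_cb is empty when the client sent no CBT; verification must fail closed */` would keep that assumption from being relaxed into a silent bypass; the function body continues outside the hunk.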