authorJeffrey Altman <jaltman@secure-endpoints.com>2000-09-02 06:00:58 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2000-09-02 06:00:58 +0000
commitf121e2fbb58aeb1c9f113c5756bccf369c22e277 (patch)
tree64485ee0df78b3736a338704315e9807ea8bf05a /src/lib
parent034fd19c0fa7f4dcaf43abce0f41e340b7898cc3 (diff)
2000-09-01 Jeffrey Altman <jaltman@columbia.edu>
* accept_sec_context.c: krb5_gss_accept_sec_context() It has been determined by Martin Rex that Windows 2000 is incapable of supporting channel bindings. This caused us to examine the various RFCs affecting FTP GSSAPI to determine whether or not channel bindings were a MUST for implementation of the FTP GSSAPI protocol. It was determined that the channel binding facility as described in RFC2743 is optional. Therefore, we cannot assume that all clients or servers will support it. The code was updated to allow GSS_C_NO_CHANNEL_BINDINGS when specified by either the client or server to indicate that channel bindings will not be used. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12645 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/gssapi/krb5/ChangeLog14
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c57
2 files changed, 58 insertions, 13 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 6f764457e..499577e8a 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,17 @@
+2000-09-01 Jeffrey Altman <jaltman@columbia.edu>
+
+ * accept_sec_context.c: krb5_gss_accept_sec_context()
+ It has been determined by Martin Rex that Windows 2000 is incapable
+ of supporting channel bindings. This caused us to examine the
+ various RFCs affecting FTP GSSAPI to determine whether or not
+ channel bindings were a MUST for implementation of the FTP GSSAPI
+ protocol. It was determined that the channel binding facility as
+ described in RFC2743 is optional. Therefore, we cannot assume
+ that all clients or servers will support it. The code was updated
+ to allow GSS_C_NO_CHANNEL_BINDINGS when specified by either the
+ client or server to indicate that channel bindings will not be
+ used.
+
2000-06-27 Tom Yu <tlyu@mit.edu>
* init_sec_context.c (get_credentials): Add initial iteration of
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 0d2aaa5ea..ca29eaf47 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -417,21 +417,52 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
/* at this point, bigend is set according to the initiator's
byte order */
- if ((code = kg_checksum_channel_bindings(context, input_chan_bindings,
- &reqcksum, bigend))) {
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
- TREAD_STR(ptr, ptr2, reqcksum.length);
- if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
+ /*
+ The following section of code attempts to implement the
+ optional channel binding facility as described in RFC2743.
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
+ Since this facility is optional channel binding may or may
+ not have been provided by either the client or the server.
+
+ If the server has specified input_chan_bindings equal to
+ GSS_C_NO_CHANNEL_BINDINGS then we skip the check. If
+ the server does provide channel bindings then we compute
+ a checksum and compare against those provided by the
+ client. If the check fails we test the clients checksum
+ to see whether the client specified GSS_C_NO_CHANNEL_BINDINGS.
+ If either test succeeds we continue without error.
+ */
+
+ if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
+ if ((code = kg_checksum_channel_bindings(context,
+ input_chan_bindings,
+ &reqcksum, bigend))) {
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+
+
+ TREAD_STR(ptr, ptr2, reqcksum.length);
+ if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+ xfree(reqcksum.contents);
+ reqcksum.contents = 0;
+ if ((code = kg_checksum_channel_bindings(context,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &reqcksum, bigend))) {
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+ if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+ code = 0;
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+ }
+
+ xfree(reqcksum.contents);
+ reqcksum.contents = 0;
+ }
TREAD_INT(ptr, gss_flags, bigend);
gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if