| author | Luke Howard <lukeh@padl.com> | 2012-09-01 11:08:27 +1000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-10-03 12:47:02 -0400 |
| commit | 123ff4cb9bdd2e13aa6b636c98a7fc3f9ee06f85 (patch) | |
| tree | 8dd7ded3bffca21da6fa240db5b2137e95c2a1a4 /src | |
| parent | a71abbaf9a6757d4728fe01dae23289765790df6 (diff) | |
GENC should always export composite names
RFC 6680 requires that gss_export_name_composite begin the output
token with 04 02. So we must produce a composite token even if the
name has no authdata, and be able to consume a composite token with no
authdata attributes.
[ghudson@mit.edu: expanded commit message]
ticket: 7400 (new)
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/gssapi/krb5/import_name.c | 9 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/naming_exts.c | 13 |
2 files changed, 12 insertions, 10 deletions
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index ebc2a7bbe..394aca4fe 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -57,6 +57,9 @@ import_name_composite(krb5_context context,
 krb5_error_code code;
 krb5_data data;
+ if (enc_length == 0)
+ return 0;
+
 code = krb5_authdata_context_init(context, &ad_context);
 if (code != 0)
 return code;
@@ -133,7 +136,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 #ifndef NO_PASSWORD
 struct passwd *pw;
 #endif
- int has_ad = 0;
+ int is_composite = 0;
 krb5_authdata_context ad_context = NULL;
 OM_uint32 status = GSS_S_FAILURE;
 krb5_gss_name_t name;
@@ -232,7 +235,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 case 0x01:
 break;
 case 0x02:
- has_ad++; /* is composite name */
+ is_composite++;
 break;
 default:
 goto fail_name;
@@ -272,7 +275,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 stringrep = tmp2;
 cp += length;
- if (has_ad) {
+ if (is_composite) {
 BOUNDS_CHECK(cp, end, 4);
 length = *cp++;
 length = (length << 8) | *cp++;
diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c
index f48b1cbbf..535311eb9 100644
--- a/src/lib/gssapi/krb5/naming_exts.c
+++ b/src/lib/gssapi/krb5/naming_exts.c
@@ -673,8 +673,9 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
 /* 04 02 OID Name AuthData */
 exp_composite_name->length = 10 + gss_mech_krb5->length + princlen;
+ exp_composite_name->length += 4; /* length of encoded attributes */
 if (attrs != NULL)
- exp_composite_name->length += 4 + attrs->length;
+ exp_composite_name->length += attrs->length;
 exp_composite_name->value = malloc(exp_composite_name->length);
 if (exp_composite_name->value == NULL) {
 code = ENOMEM;
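Review bot: In the first import_name.c hunk, the new `enc_length == 0` early return reports success before anything is written to the function's output authdata context, so the result depends on what the caller passed in. The caller shown in this file declares `krb5_authdata_context ad_context = NULL;`, which keeps this safe today, but the contract is implicit. A comment above the check would record it: `/* Composite token with an empty attribute block (RFC 6680): nothing to import; the output context is left as the caller initialised it. */`. The parameter list and tail of import_name_composite lie outside the hunk, so whether the output is cleared elsewhere cannot be confirmed from here.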
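Review bot: In the naming_exts.c hunk at line 673, the buffer size is summed from `princlen` and `attrs->length` with no wrap check before `malloc`, while the later hunks `memcpy` exactly those lengths into the allocation. If the sum ever wrapped, the copies would run past the buffer; the types of both values are not visible here and they come from the name being exported, so treat this as hardening rather than a demonstrated bug. A guard such as `if (attrs != NULL && attrs->length > SIZE_MAX - exp_composite_name->length)` that takes the same `ENOMEM` path as the failed `malloc` would close it. The function starts before the hunk and continues past it.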
@@ -685,10 +686,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
 /* Note: we assume the OID will be less than 128 bytes... */
 *cp++ = 0x04;
- if (attrs != NULL)
- *cp++ = 0x02;
- else
- *cp++ = 0x01;
+ *cp++ = 0x02;
 store_16_be(gss_mech_krb5->length + 2, cp);
 cp += 2;
@@ -702,9 +700,10 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
 memcpy(cp, princstr, princlen);
 cp += princlen;
+ store_32_be(attrs != NULL ? attrs->length : 0, cp);
+ cp += 4;
+
 if (attrs != NULL) {
- store_32_be(attrs->length, cp);
- cp += 4;
 memcpy(cp, attrs->data, attrs->length);
 cp += attrs->length;
 } |
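Review bot: In the last naming_exts.c hunk, `memcpy(cp, attrs->data, attrs->length)` still runs whenever `attrs` is non-NULL, including when `attrs->length` is 0. Now that a zero attribute length is an expected encoding, an empty `attrs` whose `data` pointer is NULL would hand `memcpy` a null pointer, which is undefined even for a zero count; whether the attribute export can return such a value is not visible here. Tightening the guard to `if (attrs != NULL && attrs->length > 0) {` avoids it and mirrors the importer's new `enc_length == 0` shortcut. The function body starts outside the hunk.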
