Changeset 989 for vendor/current/auth
- Timestamp:
- Nov 25, 2016, 8:04:54 PM (9 years ago)
- Location:
- vendor/current/auth
- Files:
-
- 2 edited
vendor/current/auth/gensec/spnego.c
r988 r989 55 55 DATA_BLOB mech_types; 56 56 size_t num_targs; 57 bool downgraded; 57 58 bool mic_requested; 58 59 bool needs_mic_sign; 59 60 bool needs_mic_check; 61 bool may_skip_mic_check; 60 62 bool done_mic_check; 61 63 … … 434 436 * mic. 435 437 */ 438 spnego_state->downgraded = true; 436 439 spnego_state->mic_requested = true; 437 440 break; … … 1078 1081 gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid), 1079 1082 gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech))); 1080 1083 spnego_state->downgraded = true; 1081 1084 spnego_state->no_response_expected = false; 1082 1085 talloc_free(spnego_state->sub_sec_security); … … 1133 1136 spnego_free_data(&spnego); 1134 1137 return NT_STATUS_INVALID_PARAMETER; 1138 } 1139 1140 if (spnego.negTokenTarg.mechListMIC.length == 0 1141 && spnego_state->may_skip_mic_check) { 1142 /* 1143 * In this case we don't require 1144 * a mechListMIC from the server. 1145 * 1146 * This works around bugs in the Azure 1147 * and Apple spnego implementations. 1148 * 1149 * See 1150 * https://bugzilla.samba.org/show_bug.cgi?id=11994 1151 */ 1152 spnego_state->needs_mic_check = false; 1153 nt_status = NT_STATUS_OK; 1154 goto client_response; 1135 1155 } 1136 1156 … … 1190 1210 new_spnego = false; 1191 1211 } 1212 1192 1213 break; 1193 1214 1194 1215 case SPNEGO_ACCEPT_INCOMPLETE: 1216 if (spnego.negTokenTarg.mechListMIC.length > 0) { 1217 new_spnego = true; 1218 break; 1219 } 1220 1221 if (spnego_state->downgraded) { 1222 /* 1223 * A downgrade should be protected if 1224 * supported 1225 */ 1226 break; 1227 } 1228 1229 /* 1230 * The caller may just asked for 1231 * GENSEC_FEATURE_SESSION_KEY, this 1232 * is only reflected in the want_features. 1233 * 1234 * As it will imply 1235 * gensec_have_features(GENSEC_FEATURE_SIGN) 1236 * to return true. 
1237 */ 1238 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { 1239 break; 1240 } 1241 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { 1242 break; 1243 } 1244 /* 1245 * Here we're sure our preferred mech was 1246 * selected by the server and our caller doesn't 1247 * need GENSEC_FEATURE_SIGN nor 1248 * GENSEC_FEATURE_SEAL support. 1249 * 1250 * In this case we don't require 1251 * a mechListMIC from the server. 1252 * 1253 * This works around bugs in the Azure 1254 * and Apple spnego implementations. 1255 * 1256 * See 1257 * https://bugzilla.samba.org/show_bug.cgi?id=11994 1258 */ 1259 spnego_state->may_skip_mic_check = true; 1260 break; 1261 1195 1262 case SPNEGO_REQUEST_MIC: 1196 1263 if (spnego.negTokenTarg.mechListMIC.length > 0) { -
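Review bot: The early exit added at new lines 1140-1154 turns off `needs_mic_check` on the strength of `may_skip_mic_check` alone, and nothing visible clears that flag or re-tests `downgraded` at the point where it is consumed. The mechListMIC is what protects the mechanism negotiation against tampering, so the exemption is safest when its precondition is repeated at the point of use: `&& spnego_state->may_skip_mic_check && !spnego_state->downgraded`. Whether the downgrade path at new line 1083 can run after the flag has been set is not visible from these hunks, so this is a hardening suggestion rather than a demonstrated bypass. A debug message at the skip, for example `DEBUG(5, ("SPNEGO: no mechListMIC from server, check skipped\n"));`, would also let operators see when the workaround was taken. The enclosing function starts and ends outside the hunks shown.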
vendor/current/auth/kerberos/gssapi_pac.c
r988 r989 247 247 const uint8_t *p; 248 248 249 *keytype = 0; 249 250 if (set->count < 2) { 250 251 … … 257 258 *keytype = KRB5_KEY_TYPE(subkey); 258 259 krb5_free_keyblock(NULL /* should be krb5_context */, subkey); 259 } else260 #else261 {262 *keytype = 0;263 260 } 264 261 #endif … … 271 268 gse_sesskeytype_oid.length) != 0) { 272 269 /* Perhaps a non-krb5 session key */ 273 *keytype = 0;274 270 gss_maj = gss_release_buffer_set(&gss_min, &set); 275 271 return NT_STATUS_OK; … … 281 277 return NT_STATUS_INVALID_PARAMETER; 282 278 } 283 *keytype = 0;284 279 for (i = 0; i < diflen; i++) { 285 280 *keytype = (*keytype << 7) | (p[i] & 0x7f);
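Review bot: Dropping the `*keytype = 0;` that sat directly before the decode loop (new lines 279-280) makes the loop's starting value depend on the single initialisation at new line 249, far from where it is used. The `set->count < 2` branch also writes `*keytype = KRB5_KEY_TYPE(subkey);`, and whether that branch always returns before the loop is not visible in these hunks; if it can fall through, the 7-bit accumulation would start from a stale value. Accumulating into a local and storing it once would keep the decode self-contained, or at minimum a comment such as `/* *keytype is still 0 here, set at function entry */` should mark the dependency. The loop also shifts by 7 per byte with no cap on `diflen` visible in the hunk, so it is worth confirming that the length check outside the hunk bounds it to what the key type's integer width can hold. The function starts and ends outside the hunks shown.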