If channel bindings are supplied to server require them to be matched

Based on discussion on kerberos@mit.edu, the decision to allow null
channel bindings from a client to match even when server channel
bindings are supplied is flawed.  This decision assumes that we cannot
get server implementations to change even though we are able to deploy
a new Kerberos implementation on the server.  In practice the server
implementations in question have actually changed and so the only part
of revision 1.54 of accept_sec_context.c we actually need is the code
to ignore channel bindings if null channel bindings are passed into
the server.  Thus the change to allow null channel bindings from the
client to match against any channel bindings on the server is backed
out.

Ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16427 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index e4b2f720da6fcd02373d52df1e3714719ea86b58..6f5ff00e65db79ab74b5b37375c5437ba54842c5 100644 (file)
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,10 @@
+2004-06-09  Sam Hartman  <hartmans@mit.edu>
+
+       * accept_sec_context.c (krb5_gss_accept_sec_context): If the
+       server provides channel bindings, these channel bindings must be
+       matched.  Thus clients can only provide null channel bindings if
+       the server provides no channel bindings. 
+
 2004-06-08  Sam Hartman  <hartmans@mit.edu>
 
        * set_allowable_enctypes.c lucid_context.c:  new file

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 731cc476021a770c0dbe283dda19fee2ec84454d..42a86de6d2512ba3101ac55ae0a82971c3528555 100644 (file)
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2004  by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -481,10 +481,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
           GSS_C_NO_CHANNEL_BINDINGS then we skip the check.  If
           the server does provide channel bindings then we compute
           a checksum and compare against those provided by the
-          client.  If the check fails we test the clients checksum
-          to see whether the client specified GSS_C_NO_CHANNEL_BINDINGS.
-          If either test succeeds we continue without error.
-       */
+          client.         */
 
        if ((code = kg_checksum_channel_bindings(context, 
                                                input_chan_bindings,
@@ -500,17 +497,9 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
            if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
                xfree(reqcksum.contents);
                reqcksum.contents = 0;
-               if ((code = kg_checksum_channel_bindings(context, 
-                                                  GSS_C_NO_CHANNEL_BINDINGS,
-                                                  &reqcksum, bigend))) {
-                   major_status = GSS_S_BAD_BINDINGS;
-                   goto fail;
-               }
-               if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
-                   code = 0;
-                   major_status = GSS_S_BAD_BINDINGS;
+              code = 0;
+              major_status = GSS_S_BAD_BINDINGS;
                    goto fail;
-               }
            }
            
        }