
[SCM] GNU gss branch, master, updated. gss-0-1-2-4-gcd1eee3


From: Simon Josefsson
Subject: [SCM] GNU gss branch, master, updated. gss-0-1-2-4-gcd1eee3
Date: Wed, 10 Mar 2010 22:04:34 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gss".

http://git.savannah.gnu.org/cgit/gss.git/commit/?id=cd1eee3e14c2a976bb349c15efe224554927fb21

The branch, master has been updated
       via  cd1eee3e14c2a976bb349c15efe224554927fb21 (commit)
       via  a70dc5202c57537565708a2cf93425193550fa9f (commit)
       via  20f2fa3949081d70b81afe10241c2a94a5fa3188 (commit)
       via  02d18b1e321cab6768a75ce842aa30aa742e8eae (commit)
      from  2a37efbc7a032d21dcfea6e4ecdc8990dc7e5977 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit cd1eee3e14c2a976bb349c15efe224554927fb21
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 23:04:31 2010 +0100

    KRB5: Add support for channel bindings.

commit a70dc5202c57537565708a2cf93425193550fa9f
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 22:13:05 2010 +0100

    Fix gcc warning.

commit 20f2fa3949081d70b81afe10241c2a94a5fa3188
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 15:32:11 2010 +0100

    Input parameter sanitization.

commit 02d18b1e321cab6768a75ce842aa30aa742e8eae
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 14:31:04 2010 +0100

    Bump version.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                |   14 ++++++
 configure.ac        |    4 +-
 lib/asn1.c          |   15 ++++++-
 lib/krb5/checksum.c |  129 +++++++++++++++++++++++++++++++++++++++++++++++++--
 lib/krb5/checksum.h |    8 +++-
 lib/krb5/context.c  |   20 +++-----
 src/gss.c           |   10 ++++
 7 files changed, 178 insertions(+), 22 deletions(-)

diff --git a/NEWS b/NEWS
index c572113..8f6671d 100644
--- a/NEWS
+++ b/NEWS
@@ -2,12 +2,26 @@ GSS NEWS -- History of user-visible changes.                  
  -*- outline -*-
 Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Simon Josefsson
 See the end for copying conditions.
 
+* Version 0.1.3 (unreleased)
+
+** KRB5: Add support for channel bindings.
+
+** Build fixes and code cleanups.
+
+** i18n: Added Finnish translation, thanks to Jorma Karvonen.
+
+** API and ABI modifications.
+No changes since last version.
+
 * Version 0.1.2 (released 2010-01-19)
 
 ** Build fixes and code cleanups.
 
 ** i18n: Added Finnish translation, thanks to Jorma Karvonen.
 
+** API and ABI modifications.
+No changes since last version.
+
 * Version 0.1.1 (released 2009-04-03)
 
 ** libgss: Fix memory leak in gss_release_oid_set.
diff --git a/configure.ac b/configure.ac
index 5812117..528e416 100644
--- a/configure.ac
+++ b/configure.ac
@@ -20,14 +20,14 @@ dnl Process this file with autoconf to produce a configure 
script.
 # Boston, MA 02110-1301, USA.
 
 AC_PREREQ(2.61)
-AC_INIT([GNU Generic Security Service], [0.1.2], address@hidden, [gss])
+AC_INIT([GNU Generic Security Service], [0.1.3], address@hidden, [gss])
 
 # Library code modified:                              REVISION++
 # Interfaces changed/added/removed:   CURRENT++       REVISION=0
 # Interfaces added:                             AGE++
 # Interfaces removed:                           AGE=0
 AC_SUBST(LT_CURRENT, 1)
-AC_SUBST(LT_REVISION, 2)
+AC_SUBST(LT_REVISION, 3)
 AC_SUBST(LT_AGE, 0)
 
 # Used when creating libgss-XX.def.
diff --git a/lib/asn1.c b/lib/asn1.c
index 560475f..c668099 100644
--- a/lib/asn1.c
+++ b/lib/asn1.c
@@ -1,5 +1,5 @@
 /* asn1.c --- Wrapper around pseudo-ASN.1 token format.
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009  Simon Josefsson
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010  Simon 
Josefsson
  *
  * This file is part of the Generic Security Service (GSS).
  *
@@ -139,6 +139,12 @@ int
 gss_encapsulate_token (const gss_buffer_t input_message,
                       gss_OID token_oid, gss_buffer_t output_message)
 {
+  if (!input_message)
+    return GSS_S_CALL_INACCESSIBLE_READ;
+  if (!token_oid)
+    return GSS_S_CALL_INACCESSIBLE_READ;
+  if (!output_message)
+    return GSS_S_CALL_INACCESSIBLE_WRITE;
   return _gss_encapsulate_token (token_oid->elements,
                                 token_oid->length,
                                 input_message->value,
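Review bot: The new NULL guards in gss_encapsulate_token (and the parallel ones in gss_decapsulate_token in the next hunk) introduce two return codes, GSS_S_CALL_INACCESSIBLE_READ and GSS_S_CALL_INACCESSIBLE_WRITE, that the rest of the function does not otherwise produce; if these functions carry API documentation outside the hunk, it should list them next to the existing return values. A one-line comment above the guards, `/* Argument sanity checks; these are the generic GSS-API calling-error statuses. */`, would also tell a reader why read and write variants are distinguished. Both functions' bodies continue past their hunks.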
@@ -236,6 +242,13 @@ gss_decapsulate_token (const gss_buffer_t input_message,
   size_t oidlen;
   int rc;
 
+  if (!input_message)
+    return GSS_S_CALL_INACCESSIBLE_READ;
+  if (!token_oid)
+    return GSS_S_CALL_INACCESSIBLE_READ;
+  if (!dataptr || !datalen)
+    return GSS_S_CALL_INACCESSIBLE_WRITE;
+
   rc = _gss_decapsulate_token (input_message->value,
                               input_message->length,
                               &oid, &oidlen, dataptr, datalen);
diff --git a/lib/krb5/checksum.c b/lib/krb5/checksum.c
index 0dd3f33..06aa639 100644
--- a/lib/krb5/checksum.c
+++ b/lib/krb5/checksum.c
@@ -26,10 +26,57 @@
 /* Get specification. */
 #include "checksum.h"
 
+static int
+hash_cb (OM_uint32 *minor_status,
+        gss_ctx_id_t * context_handle,
+        const gss_channel_bindings_t input_chan_bindings,
+        char **out)
+{
+  gss_ctx_id_t ctx = *context_handle;
+  _gss_krb5_ctx_t k5 = ctx->krb5;
+  char *buf;
+  size_t len;
+  int res;
+
+  /* We don't support addresses. */
+  if (input_chan_bindings->initiator_addrtype != 0 ||
+      input_chan_bindings->initiator_address.length != 0 ||
+      input_chan_bindings->initiator_address.value != NULL ||
+      input_chan_bindings->acceptor_addrtype != 0 ||
+      input_chan_bindings->acceptor_address.length != 0 ||
+      input_chan_bindings->acceptor_address.value != NULL)
+    return GSS_S_FAILURE;
+
+  /* We need to hash the four OM_uint32 values, for the
+     initiator_addrtype, initiator_address.length, accept_addrtype,
+     and accept_address.length. */
+
+  len = 4 * 4 + input_chan_bindings->application_data.length;
+  buf = malloc (len);
+  if (!buf)
+    {
+      if (minor_status)
+       *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+    }
+
+  memset (buf, 0, 4 * 4);
+  memcpy (buf, input_chan_bindings->application_data.value,
+         input_chan_bindings->application_data.length);
+
+  res = shishi_md5 (k5->sh, buf, len, out);
+  free (buf);
+  if (res != SHISHI_OK)
+    return GSS_S_FAILURE;
+
+  return GSS_S_COMPLETE;
+}
+
 /* Create the checksum value field from input parameters. */
 OM_uint32
 _gss_krb5_checksum_pack (OM_uint32 *minor_status,
                         const gss_cred_id_t initiator_cred_handle,
+                        gss_ctx_id_t * context_handle,
                         const gss_channel_bindings_t input_chan_bindings,
                         OM_uint32 req_flags, char **data, size_t * datalen)
 {
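Review bot: In hash_cb the application data is copied to the start of `buf` (`memcpy (buf, …)` right after the memset), so it overwrites the zeroed 16-byte header the comment describes and leaves the tail of the malloc'd buffer uninitialized before shishi_md5 reads it; the digest then depends on heap contents, which reads uninitialized memory and will most likely make initiator and acceptor disagree whenever the bindings are non-empty. The copy belongs at `buf + 16`. Beyond that, as I read RFC 4121 section 4.1.1.2 the hashed layout is five little-endian 32-bit fields each followed by its data, so application_data.length must also be encoded ahead of the data for interoperability with other Kerberos GSS mechanisms, and the comment's "four OM_uint32 values" needs the same correction. The failure paths other than ENOMEM leave minor_status untouched, which is worth a comment if intentional. Something like the following, with the rest of hash_cb unchanged:
```c
  /* RFC 4121 4.1.1.2: five little-endian 32-bit fields (initiator_addrtype,
     initiator_address.length, acceptor_addrtype, acceptor_address.length,
     application_data.length), each followed by its data.  The first four
     are zero because addresses were rejected above. */
  len = 5 * 4 + input_chan_bindings->application_data.length;
  buf = malloc (len);
  /* … unchanged: ENOMEM handling … */

  memset (buf, 0, 4 * 4);
  buf[16] = input_chan_bindings->application_data.length & 0xff;
  buf[17] = (input_chan_bindings->application_data.length >> 8) & 0xff;
  buf[18] = (input_chan_bindings->application_data.length >> 16) & 0xff;
  buf[19] = (input_chan_bindings->application_data.length >> 24) & 0xff;
  if (input_chan_bindings->application_data.length > 0)
    memcpy (buf + 20, input_chan_bindings->application_data.value,
            input_chan_bindings->application_data.length);
```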
@@ -85,14 +132,24 @@ _gss_krb5_checksum_pack (OM_uint32 *minor_status,
    *
    */
 
-  /* XXX We only support GSS_C_NO_CHANNEL_BINDINGS. */
   if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS)
     {
-      free (p);
-      return GSS_S_BAD_BINDINGS;
-    }
+      char *md5hash;
+      int res;
 
-  memset (&p[4], 0, 16);
+      res = hash_cb (minor_status, context_handle,
+                    input_chan_bindings, &md5hash);
+      if (res != GSS_S_COMPLETE)
+       {
+         free (p);
+         return res;
+       }
+
+      memcpy (&p[4], md5hash, 16);
+      free (md5hash);
+    }
+  else
+    memset (&p[4], 0, 16);
 
   /*
    * 20..23  Flags   Bit vector of context-establishment flags,
@@ -140,3 +197,65 @@ _gss_krb5_checksum_pack (OM_uint32 *minor_status,
 
   return GSS_S_COMPLETE;
 }
+
+OM_uint32
+_gss_krb5_checksum_parse (OM_uint32 *minor_status,
+                         gss_ctx_id_t * context_handle,
+                         const gss_channel_bindings_t input_chan_bindings)
+{
+  gss_ctx_id_t ctx = *context_handle;
+  _gss_krb5_ctx_t k5 = ctx->krb5;
+  char *out = NULL;
+  size_t len = 0;
+  int rc;
+  char *md5hash;
+
+  if (shishi_ap_authenticator_cksumtype (k5->ap) != 0x8003)
+    {
+      if (minor_status)
+       *minor_status = GSS_KRB5_S_G_VALIDATE_FAILED;
+      return GSS_S_FAILURE;
+    }
+
+  rc = shishi_ap_authenticator_cksumdata (k5->ap, out, &len);
+  if (rc != SHISHI_TOO_SMALL_BUFFER)
+    return GSS_S_FAILURE;
+
+  out = malloc (len);
+  if (!out)
+    {
+      if (minor_status)
+       *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+    }
+
+  rc = shishi_ap_authenticator_cksumdata (k5->ap, out, &len);
+  if (rc != SHISHI_OK)
+    {
+      free (out);
+      return GSS_S_FAILURE;
+    }
+
+  if (memcmp (out, "\x10\x00\x00\x00", 4) != 0)
+    {
+      free (out);
+      return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+  rc = hash_cb (minor_status, context_handle, input_chan_bindings, &md5hash);
+  if (rc != GSS_S_COMPLETE)
+    {
+      free (out);
+      return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+  rc = memcmp (&out[4], md5hash, 16);
+
+  free (md5hash);
+  free (out);
+
+  if (rc != 0)
+    return GSS_S_DEFECTIVE_TOKEN;
+
+  return GSS_S_COMPLETE;
+}
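Review bot: `out` is read at `out[0..3]` and at `&out[4]` for 16 bytes without checking that `len` is at least 20; the checksum data comes from the peer's authenticator, so a short checksum causes a read past the allocation. The call to hash_cb also dereferences `input_chan_bindings` unconditionally, and because this commit removes the GSS_C_NO_CHANNEL_BINDINGS rejection from gss_krb5_accept_sec_context (context.c), an acceptor that passes no bindings now reaches a NULL dereference inside hash_cb; the usual treatment is to skip the comparison when the acceptor supplied none. The first shishi_ap_authenticator_cksumdata call with a NULL buffer relies on the SHISHI_TOO_SMALL_BUFFER size-probe convention, which is worth a comment. Sketch, with the remaining lines unchanged:
```c
  rc = shishi_ap_authenticator_cksumdata (k5->ap, out, &len);
  if (rc != SHISHI_OK)
    {
      free (out);
      return GSS_S_FAILURE;
    }

  /* Peer-supplied data: need the 4-byte Lgth and 16-byte Bnd fields
     before indexing into it. */
  if (len < 20)
    {
      free (out);
      return GSS_S_DEFECTIVE_TOKEN;
    }

  /* … unchanged: Lgth check … */

  /* The acceptor supplied no bindings, so there is nothing to compare
     the Bnd field against. */
  if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS)
    {
      free (out);
      return GSS_S_COMPLETE;
    }

  rc = hash_cb (minor_status, context_handle, input_chan_bindings, &md5hash);
  /* … unchanged: hash comparison and cleanup … */
```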
diff --git a/lib/krb5/checksum.h b/lib/krb5/checksum.h
index 8c0962b..11bcdd7 100644
--- a/lib/krb5/checksum.h
+++ b/lib/krb5/checksum.h
@@ -1,5 +1,5 @@
 /* krb5/checksum.h --- (Un)pack checksum fields in Krb5 GSS contexts.
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009  Simon Josefsson
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009, 2010  Simon Josefsson
  *
  * This file is part of the Generic Security Service (GSS).
  *
@@ -23,5 +23,11 @@
 OM_uint32
 _gss_krb5_checksum_pack (OM_uint32 *minor_status,
                         const gss_cred_id_t initiator_cred_handle,
+                        gss_ctx_id_t * context_handle,
                         const gss_channel_bindings_t input_chan_bindings,
                         OM_uint32 req_flags, char **data, size_t * datalen);
+
+OM_uint32
+_gss_krb5_checksum_parse (OM_uint32 *minor_status,
+                         gss_ctx_id_t * context_handle,
+                         const gss_channel_bindings_t input_chan_bindings);
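Review bot: Neither prototype documents the new parameter or the new function, and the header is the only place a caller sees the contract. From the checksum.c hunks, `context_handle` is read for its krb5 sub-context, and the parser checks the 0x8003 checksum in the received authenticator; I'd add above `_gss_krb5_checksum_parse`: `/* Verify the 0x8003 checksum of the AP-REQ authenticator in *CONTEXT_HANDLE, including its channel-binding hash against INPUT_CHAN_BINDINGS.  Returns GSS_S_COMPLETE, GSS_S_DEFECTIVE_TOKEN on a mismatch, or GSS_S_FAILURE. */` and a matching note on `_gss_krb5_checksum_pack` saying the bindings are hashed when INPUT_CHAN_BINDINGS is not GSS_C_NO_CHANNEL_BINDINGS.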
diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index d7db790..e84dbe7 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -1,5 +1,5 @@
 /* krb5/context.c --- Implementation of Kerberos 5 GSS Context functions.
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009  Simon Josefsson
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010  Simon 
Josefsson
  *
  * This file is part of the Generic Security Service (GSS).
  *
@@ -76,6 +76,7 @@ init_request (OM_uint32 * minor_status,
 
   /* Create Authenticator checksum field. */
   maj_stat = _gss_krb5_checksum_pack (minor_status, initiator_cred_handle,
+                                     context_handle,
                                      input_chan_bindings, req_flags,
                                      &cksum, &cksumlen);
   if (GSS_ERROR (maj_stat))
@@ -312,10 +313,6 @@ gss_krb5_accept_sec_context (OM_uint32 * minor_status,
     /* XXX support GSS_C_NO_CREDENTIAL: acquire_cred() default server */
     return GSS_S_NO_CRED;
 
-  if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS)
-    /* XXX support channel bindings */
-    return GSS_S_BAD_BINDINGS;
-
   if (*context_handle)
     return GSS_S_FAILURE;
 
@@ -379,14 +376,11 @@ gss_krb5_accept_sec_context (OM_uint32 * minor_status,
   if (rc != SHISHI_OK)
     return GSS_S_FAILURE;
 
-  if (shishi_ap_authenticator_cksumtype (cxk5->ap) != 0x8003)
-    {
-      if (minor_status)
-       *minor_status = GSS_KRB5_S_G_VALIDATE_FAILED;
-      return GSS_S_FAILURE;
-    }
-
-  /* XXX Parse authenticator.checksum data. */
+  rc = _gss_krb5_checksum_parse (minor_status,
+                                context_handle,
+                                input_chan_bindings);
+  if (rc != GSS_S_COMPLETE)
+    return GSS_S_FAILURE;
 
   cxk5->tkt = shishi_ap_tkt (cxk5->ap);
   cxk5->key = shishi_ap_key (cxk5->ap);
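Review bot: The status from _gss_krb5_checksum_parse is flattened to GSS_S_FAILURE, so a channel-binding mismatch (GSS_S_DEFECTIVE_TOKEN) and a checksum-type mismatch (GSS_S_FAILURE with GSS_KRB5_S_G_VALIDATE_FAILED in minor_status) become indistinguishable to the caller; `if (rc != GSS_S_COMPLETE) return rc;` preserves the distinction. `rc` also appears to be the int used for Shishi codes (`rc != SHISHI_OK` a few lines up) and now receives an OM_uint32, so an OM_uint32 status variable would be cleaner if the function has one. gss_krb5_accept_sec_context begins and ends outside this hunk.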
diff --git a/src/gss.c b/src/gss.c
index 90e1fcd..8904d25 100644
--- a/src/gss.c
+++ b/src/gss.c
@@ -47,6 +47,16 @@ const char version_etc_copyright[] =
      year.  */
   "Copyright %s %d Simon Josefsson.";
 
+/* This feature is available in gcc versions 2.5 and later.  */
+#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+# define GSS_ATTR_NO_RETRUN
+#else
+# define GSS_ATTR_NO_RETRUN __attribute__ ((__noreturn__))
+#endif
+
+static void
+usage (int status) GSS_ATTR_NO_RETRUN;
+
 static void
 usage (int status)
 {
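Review bot: The macro is spelled `GSS_ATTR_NO_RETRUN` in all three places (both definitions and the usage prototype); `GSS_ATTR_NO_RETURN` reads as intended and should be changed consistently. A short comment on the forward declaration, `/* Declared noreturn so gcc does not warn about missing returns after usage (). */`, would connect it to the warning the commit message mentions, since the comment above the `#if` only states the compiler version. The definition of usage continues outside the hunk.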


hooks/post-receive
-- 
GNU gss



