svn commit: samba r11477 - in branches/SAMBA_4_0/source/heimdal/lib/gssapi: .

abartlet at samba.org abartlet at samba.org
Wed Nov 2 09:51:32 GMT 2005


Author: abartlet
Date: 2005-11-02 09:51:32 +0000 (Wed, 02 Nov 2005)
New Revision: 11477

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11477

Log:
This seems really nasty, but as I understand it an attacker cannot
change this checksum, as it is inside the encrypted packets.

Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue.  We can't rid the world of all Samba3 and similar clients...

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c	2005-11-02 07:27:06 UTC (rev 11476)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/8003.c	2005-11-02 09:51:32 UTC (rev 11477)
@@ -182,9 +182,18 @@
 	*minor_status = 0;
 	return GSS_S_BAD_BINDINGS;
     }
-
+    
+    /* This is the case where Samba3 has built GSSAPI out of
+     * krb5 the 'dodgy' way.  We have to accept the non-GSSAPI
+     * checksum because windows does */
+    
+    if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
+	    *flags = 0;
+	    return GSS_S_COMPLETE;
+    }
+    
     /* XXX should handle checksums > 24 bytes */
-    if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
+    if(cksum->checksum.length < 24) {
 	*minor_status = 0;
 	return GSS_S_BAD_BINDINGS;
     }
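Review bot: The new early return for `cksum->cksumtype != CKSUMTYPE_GSSAPI` leaves `*minor_status` unset, while both `GSS_S_BAD_BINDINGS` returns visible in this hunk set `*minor_status = 0` first; add the same assignment before `return GSS_S_COMPLETE;`. The branch also accepts every checksum type other than `CKSUMTYPE_GSSAPI` and returns before the length check below it, so nothing about the checksum is examined on this path. If the intent is only to tolerate the Samba3-style clients named in the comment, consider limiting the branch to the checksum types those clients actually send. The code comment should also record the reasoning from the log message (the checksum travels inside the encrypted packet), so that a later reader does not take the relaxed check for an oversight. Minor: the added blank lines carry trailing whitespace.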


