sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code

r11477: This seems really nasty, but as I understand it an attacker cannot

Browse Source 
change this checksum, as it is inside the encrypted packets.

Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue.  We can't rid the world of all Samba3 and similar clients...

Andrew Bartlett
(This used to be commit e60cdb63fb)
This commit is contained in:
Andrew Bartlett 2005-11-02 09:51:32 +00:00 committed by Gerald (Jerry) Carter
parent d59807eba4
commit 1ab27b7fdf
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
source4/heimdal/lib/gssapi/8003.c
View File

@ -182,9 +182,18 @@ gssapi_krb5_verify_8003_checksum(
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
/* This is the case where Samba3 has built GSSAPI out of
* krb5 the 'dodgy' way. We have to accept the non-GSSAPI
* checksum because windows does */
if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
*flags = 0;
return GSS_S_COMPLETE;
}
/* XXX should handle checksums > 24 bytes */
if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
if(cksum->checksum.length < 24) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}