diff options
author | Jeremy Allison <jra@samba.org> | 2003-07-29 21:32:36 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-07-29 21:32:36 +0000 |
commit | 1b89b58475b492b3b60c0cf4f4c8b1d879a80d40 (patch) | |
tree | beffd960b6a1ccaea8ade48ed77e9e21ef55e540 | |
parent | edabf75a54424053dbed0b36f1977755f1a633f6 (diff) | |
download | samba-1b89b58475b492b3b60c0cf4f4c8b1d879a80d40.tar.gz samba-1b89b58475b492b3b60c0cf4f4c8b1d879a80d40.tar.bz2 samba-1b89b58475b492b3b60c0cf4f4c8b1d879a80d40.zip |
Put mutex around access of replay cache for krb5 tickets. krb5 replay cache
is not multi-process safe.
Jeremy.
(This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6)
-rw-r--r-- | source3/libads/kerberos_verify.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 601e9d0ecd..48b61cd1f2 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -109,9 +109,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, } /* - * JRA. We must set the rcache and the allowed addresses in the auth_context - * here. This will prevent replay attacks and ensure the client has got a key from - * the correct IP address. + * JRA. We must set the rcache here. This will prevent replay attacks. */ ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache); @@ -142,7 +140,16 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, goto out; } - /* we need to setup a auth context with each possible encoding type in turn */ + /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5 + * code surrounding the replay cache... */ + + if (!grab_server_mutex("replay cache mutex")) { + DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n")); + sret = NT_STATUS_LOGON_FAILURE; + goto out; + } + + /* We need to setup a auth context with each possible encoding type in turn. */ for (i=0;enctypes[i];i++) { if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) { continue; @@ -167,6 +174,8 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, (unsigned int)enctypes[i], error_message(ret))); } + release_server_mutex(); + if (!auth_ok) { DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", error_message(ret))); |