summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2003-07-29 21:32:36 +0000
committerJeremy Allison <jra@samba.org>2003-07-29 21:32:36 +0000
commit1b89b58475b492b3b60c0cf4f4c8b1d879a80d40 (patch)
treebeffd960b6a1ccaea8ade48ed77e9e21ef55e540
parentedabf75a54424053dbed0b36f1977755f1a633f6 (diff)
downloadsamba-1b89b58475b492b3b60c0cf4f4c8b1d879a80d40.tar.gz
samba-1b89b58475b492b3b60c0cf4f4c8b1d879a80d40.tar.bz2
samba-1b89b58475b492b3b60c0cf4f4c8b1d879a80d40.zip
Put mutex around access of replay cache for krb5 tickets. krb5 replay cache
is not multi-process safe. Jeremy. (This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6)
-rw-r--r--source3/libads/kerberos_verify.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 601e9d0ecd..48b61cd1f2 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -109,9 +109,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
}
/*
- * JRA. We must set the rcache and the allowed addresses in the auth_context
- * here. This will prevent replay attacks and ensure the client has got a key from
- * the correct IP address.
+ * JRA. We must set the rcache here. This will prevent replay attacks.
*/
ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
@@ -142,7 +140,16 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
goto out;
}
- /* we need to setup a auth context with each possible encoding type in turn */
+ /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
+ * code surrounding the replay cache... */
+
+ if (!grab_server_mutex("replay cache mutex")) {
+ DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ /* We need to setup a auth context with each possible encoding type in turn. */
for (i=0;enctypes[i];i++) {
if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
continue;
@@ -167,6 +174,8 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
(unsigned int)enctypes[i], error_message(ret)));
}
+ release_server_mutex();
+
if (!auth_ok) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
error_message(ret)));