From 1b89b58475b492b3b60c0cf4f4c8b1d879a80d40 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 29 Jul 2003 21:32:36 +0000 Subject: Put mutex around access of replay cache for krb5 tickets. krb5 replay cache is not multi-process safe. Jeremy. (This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6) --- source3/libads/kerberos_verify.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'source3/libads/kerberos_verify.c') diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 601e9d0ecd..48b61cd1f2 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -109,9 +109,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, } /* - * JRA. We must set the rcache and the allowed addresses in the auth_context - * here. This will prevent replay attacks and ensure the client has got a key from - * the correct IP address. + * JRA. We must set the rcache here. This will prevent replay attacks. */ ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache); @@ -142,7 +140,16 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, goto out; } - /* we need to setup a auth context with each possible encoding type in turn */ + /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5 + * code surrounding the replay cache... */ + + if (!grab_server_mutex("replay cache mutex")) { + DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n")); + sret = NT_STATUS_LOGON_FAILURE; + goto out; + } + + /* We need to setup a auth context with each possible encoding type in turn. */ for (i=0;enctypes[i];i++) { if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) { continue; @@ -167,6 +174,8 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, (unsigned int)enctypes[i], error_message(ret))); } + release_server_mutex(); + if (!auth_ok) { DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", error_message(ret))); -- cgit