luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth: do not append zero-terminator to authorisation id in kerberos

Browse Source 
RFC4752 Section 3.1 states "The authorization identity is not terminated
with a zero-valued (%x00) octet". Although a comment in code said it may
be needed anyway, nothing confirms it. In addition, servers may consider
it as part of the identity, causing a failure.

Closes #7008
This commit is contained in:
Patrick Monnerat 2021-08-16 08:35:22 +02:00 committed by Daniel Stenberg
parent 396a2d7fe3
commit 7da2990b19
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 8 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/vauth/krb5_gssapi.c
View File

@ -247,8 +247,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
/* Allocate our message */
messagelen = 4;
if(authzid && *authzid)
messagelen += strlen(authzid) + 1;
if(authzid)
messagelen += strlen(authzid);
message = malloc(messagelen);
if(!message)
return CURLE_OUT_OF_MEMORY;
@ -260,13 +260,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
message[2] = (max_size >> 8) & 0xFF;
message[3] = max_size & 0xFF;
/* If given, append the authorization identity including the 0x00 based
terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
identity is not terminated with the zero-valued (%x00) octet." it seems
necessary to include it. */
/* If given, append the authorization identity. */
if(authzid && *authzid)
strcpy((char *) message + 4, authzid);
memcpy(message + 4, authzid, messagelen - 4);
/* Setup the "authentication data" security buffer */
input_token.value = message;

11
lib/vauth/krb5_sspi.c
View File

@ -344,8 +344,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
/* Allocate our message */
messagelen = 4;
if(authzid && *authzid)
messagelen += strlen(authzid) + 1;
if(authzid)
messagelen += strlen(authzid);
message = malloc(messagelen);
if(!message) {
free(trailer);
@ -360,13 +360,10 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
message[2] = (max_size >> 8) & 0xFF;
message[3] = max_size & 0xFF;
/* If given, append the authorization identity including the 0x00 based
terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
identity is not terminated with the zero-valued (%x00) octet." it seems
necessary to include it. */
/* If given, append the authorization identity. */
if(authzid && *authzid)
strcpy((char *) message + 4, authzid);
memcpy(message + 4, authzid, messagelen - 4);
/* Allocate the padding */
padding = malloc(sizes.cbBlockSize);