GENC should always export composite names

RFC 6680 requires that gss_export_name_composite begin the output
token with 04 02.  So we must produce a composite token even if the
name has no authdata, and be able to consume a composite token with no
authdata attributes.

[ghudson@mit.edu: expanded commit message]

ticket: 7400 (new)

diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index ebc2a7bbea4bd27054b772468f2b675b2c0444fc..394aca4fe5f13a96102292815a1ba8671c217f09 100644 (file)
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -57,6 +57,9 @@ import_name_composite(krb5_context context,
     krb5_error_code code;
     krb5_data data;
 
+    if (enc_length == 0)
+        return 0;
+
     code = krb5_authdata_context_init(context, &ad_context);
     if (code != 0)
         return code;
@@ -133,7 +136,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 #ifndef NO_PASSWORD
     struct passwd *pw;
 #endif
-    int has_ad = 0;
+    int is_composite = 0;
     krb5_authdata_context ad_context = NULL;
     OM_uint32 status = GSS_S_FAILURE;
     krb5_gss_name_t name;
@@ -232,7 +235,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
             case 0x01:
                 break;
             case 0x02:
-                has_ad++; /* is composite name */
+                is_composite++;
                 break;
             default:
                 goto fail_name;
@@ -272,7 +275,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
             stringrep = tmp2;
             cp += length;
 
-            if (has_ad) {
+            if (is_composite) {
                 BOUNDS_CHECK(cp, end, 4);
                 length = *cp++;
                 length = (length << 8) | *cp++;

diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c
index f48b1cbbf05b3608701329735f5a5bb8ae1ddab0..535311eb97542fb12cbe41b3f7f69c4a7a11e9cd 100644 (file)
--- a/src/lib/gssapi/krb5/naming_exts.c
+++ b/src/lib/gssapi/krb5/naming_exts.c
@@ -673,8 +673,9 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
     /* 04 02 OID Name AuthData */
 
     exp_composite_name->length = 10 + gss_mech_krb5->length + princlen;
+    exp_composite_name->length += 4; /* length of encoded attributes */
     if (attrs != NULL)
-        exp_composite_name->length += 4 + attrs->length;
+        exp_composite_name->length += attrs->length;
     exp_composite_name->value = malloc(exp_composite_name->length);
     if (exp_composite_name->value == NULL) {
         code = ENOMEM;
@@ -685,10 +686,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
 
     /* Note: we assume the OID will be less than 128 bytes... */
     *cp++ = 0x04;
-    if (attrs != NULL)
-        *cp++ = 0x02;
-    else
-        *cp++ = 0x01;
+    *cp++ = 0x02;
 
     store_16_be(gss_mech_krb5->length + 2, cp);
     cp += 2;
@@ -702,9 +700,10 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
     memcpy(cp, princstr, princlen);
     cp += princlen;
 
+    store_32_be(attrs != NULL ? attrs->length : 0, cp);
+    cp += 4;
+
     if (attrs != NULL) {
-        store_32_be(attrs->length, cp);
-        cp += 4;
         memcpy(cp, attrs->data, attrs->length);
         cp += attrs->length;
     }