From: Tom Yu Date: Wed, 29 Mar 2006 03:25:32 +0000 (+0000) Subject: Interim commit containing SPNEGO changes resulting from interop X-Git-Tag: ms-bug-test-20060525~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=097533406b21958606aa5087f63e7f98aaf310fd;p=thirdparty%2Fkrb5.git Interim commit containing SPNEGO changes resulting from interop testing with MS. Handle SPNEGO optimistic OID vs mech token OID mismatches which result from "wrong" MS krb5 OID, at least somewhat, and don't be as aggressive about mechListMIC. git-svn-id: svn://anonsvn.mit.edu/krb5/users/tlyu/branches/mechglue@17795 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 790c8a1195..5f6b858187 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,14 @@ +2006-03-28 Tom Yu + + * krb5_gss_glue.c: Add krb5_mechanism_wrong. + + * gssapi_krb5.c: Add GSS_MECH_KRB5_WRONG_OID; update pointers and + oidsets. + + * gssapiP_krb5.h (GSS_MECH_KRB5_WRONG_OID) + (GSS_MECH_KRB5_WRONG_OID_LENGTH): New OID; incorrect krb5 mech OID + emitted by MS. + 2006-03-26 Tom Yu * gssapiP_krb5.h (GSS_MECH_KRB5_OLD_OID): diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index cd2e43c8c4..7bccc06a81 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -80,6 +80,11 @@ #define GSS_MECH_KRB5_OLD_OID_LENGTH 5 #define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002" +/* Incorrect krb5 mech OID emitted by MS. */ +#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9 +#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002" + + #define CKSUMTYPE_KG_CB 0x8003 #define KG_TOK_CTX_AP_REQ 0x0100 diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index cbdd15c036..7963bb59ac 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -88,8 +88,10 @@ const gss_OID_desc krb5_gss_oid_array[] = { /* this is the official, rfc-specified OID */ {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID}, - /* this is the unofficial, wrong OID */ + /* this pre-RFC mech OID */ {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID}, + /* this is the unofficial, incorrect mech OID emitted by MS */ + {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID}, /* this is the v2 assigned OID */ {9, "\052\206\110\206\367\022\001\002\003"}, /* these two are name type OID's */ @@ -108,14 +110,15 @@ const gss_OID_desc krb5_gss_oid_array[] = { const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0; const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1; -const gss_OID_desc * const gss_nt_krb5_name = krb5_gss_oid_array+3; -const gss_OID_desc * const gss_nt_krb5_principal = krb5_gss_oid_array+4; -const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+3; +const gss_OID_desc * const gss_mech_krb5_wrong = krb5_gss_oid_array+2; +const gss_OID_desc * const gss_nt_krb5_name = krb5_gss_oid_array+4; +const gss_OID_desc * const gss_nt_krb5_principal = krb5_gss_oid_array+5; +const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+4; static const gss_OID_set_desc oidsets[] = { {1, (gss_OID) krb5_gss_oid_array+0}, {1, (gss_OID) krb5_gss_oid_array+1}, - {2, (gss_OID) krb5_gss_oid_array+0}, + {3, (gss_OID) krb5_gss_oid_array+0}, {1, (gss_OID) krb5_gss_oid_array+2}, {3, (gss_OID) krb5_gss_oid_array+0}, }; diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c index db0aaf95dd..6a3b6de2af 100644 --- a/src/lib/gssapi/krb5/krb5_gss_glue.c +++ b/src/lib/gssapi/krb5/krb5_gss_glue.c @@ -381,6 +381,11 @@ struct gss_config krb5_mechanism_old = { KRB5_GSS_CONFIG_INIT }; +struct gss_config krb5_mechanism_wrong = { + { GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID }, + KRB5_GSS_CONFIG_INIT +}; + #ifdef KRB5_MECH_MODULE gss_mechanism gss_mech_initialize(const gss_OID oid) diff --git a/src/lib/gssapi/mechglue/ChangeLog b/src/lib/gssapi/mechglue/ChangeLog index c2d28d3e4f..0097ef484c 100644 --- a/src/lib/gssapi/mechglue/ChangeLog +++ b/src/lib/gssapi/mechglue/ChangeLog @@ -1,3 +1,8 @@ +2006-03-28 Tom Yu + + * g_initialize.c (build_mechSet): Actually return a value on success. + (init_hardcoded): Add krb5_mechanism_wrong. + 2006-03-27 Tom Yu * g_initialize.c (init_hardcoded): Re-order to put SPNEGO first diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c index cb12d2e17a..bb012f955c 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c +++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -347,6 +347,8 @@ build_mechSet(void) #endif (void) k5_mutex_unlock(&g_mechSetLock); (void) k5_mutex_unlock(&g_mechListLock); + + return GSS_S_COMPLETE; } @@ -513,6 +515,7 @@ init_hardcoded(void) { extern struct gss_config krb5_mechanism; extern struct gss_config krb5_mechanism_old; + extern struct gss_config krb5_mechanism_wrong; extern struct gss_config spnego_mechanism; static int inited; gss_mech_info cf; @@ -549,13 +552,25 @@ init_hardcoded(void) return; memset(cf, 0, sizeof(*cf)); cf->uLibName = strdup(""); - cf->mechNameStr = "kerberos_v5 (old)"; + cf->mechNameStr = "kerberos_v5 (pre-RFC OID)"; cf->mech_type = &krb5_mechanism_old.mech_type; cf->mech = &krb5_mechanism_old; cf->next = NULL; g_mechListTail->next = cf; g_mechListTail = cf; + cf = malloc(sizeof(*cf)); + if (cf == NULL) + return; + memset(cf, 0, sizeof(*cf)); + cf->uLibName = strdup(""); + cf->mechNameStr = "kerberos_v5 (wrong OID)"; + cf->mech_type = &krb5_mechanism_wrong.mech_type; + cf->mech = &krb5_mechanism_wrong; + cf->next = NULL; + g_mechListTail->next = cf; + g_mechListTail = cf; + inited = 1; } diff --git a/src/lib/gssapi/spnego/ChangeLog b/src/lib/gssapi/spnego/ChangeLog index 343a845446..4fa963c700 100644 --- a/src/lib/gssapi/spnego/ChangeLog +++ b/src/lib/gssapi/spnego/ChangeLog @@ -1,3 +1,12 @@ +2006-03-28 Tom Yu + + * spnego_mech.c (check_spnego_options, create_spnego_ctx): Force + to 1 for testing purposes. + (spnego_gss_init_sec_context): Don't check for mechListMIC if + MS_Interop is true. + (make_spnego_tokenTarg_msg): Never send duplicate AP-REP as + mechListMIC; omit mechListMIC instead. + 2006-03-26 Tom Yu * spnego_mech.c: s/uchar_t/unsigned char/g. Bash cast to diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index d1ab46587f..821292ddeb 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -206,7 +206,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx) strstr(spnego_ctx->optionStr, "msinterop")) { spnego_ctx->MS_Interop = 1; } else { - spnego_ctx->MS_Interop = 0; + spnego_ctx->MS_Interop = 1; } } @@ -226,7 +226,7 @@ create_spnego_ctx(void) spnego_ctx->internal_mech = NULL; spnego_ctx->optionStr = NULL; spnego_ctx->optimistic = 0; - spnego_ctx->MS_Interop = 0; + spnego_ctx->MS_Interop = 1; spnego_ctx->DER_mechTypes.length = NULL; spnego_ctx->DER_mechTypes.value = GSS_C_NO_BUFFER; @@ -561,15 +561,17 @@ spnego_gss_init_sec_context(void *ct, } /* create mic/check mic */ - if ((i_output_token->length == 0) && - (status == GSS_S_COMPLETE) && - (local_ret_flags & GSS_C_INTEG_FLAG)) { - if (*ptr == (CONTEXT | 0x03) && + if (status == GSS_S_COMPLETE) { + if ((i_output_token->length == 0) && + (local_ret_flags & GSS_C_INTEG_FLAG) && + !spnego_ctx->MS_Interop) { + if ((ptr - (unsigned char *)input_token->value) < input_token->length && + *ptr == (CONTEXT | 0x03) && g_get_tag_and_length(&ptr, - (CONTEXT | 0x03), - input_token->length - - (ptr - (unsigned char *)input_token->value), - &len) < 0) { + (CONTEXT | 0x03), + input_token->length - + (ptr - (unsigned char *)input_token->value), + &len) < 0) { ret = GSS_S_DEFECTIVE_TOKEN; } else { ret = GSS_S_COMPLETE; @@ -577,14 +579,17 @@ spnego_gss_init_sec_context(void *ct, if (mechListMIC == NULL) ret = GSS_S_DEFECTIVE_TOKEN; else if (!spnego_ctx->MS_Interop && - spnego_ctx->DER_mechTypes.length > 0) { + spnego_ctx->DER_mechTypes.length > 0) { status = gss_verify_mic(minor_status, - spnego_ctx->ctx_handle, - &spnego_ctx->DER_mechTypes, - mechListMIC, - qop_state); + spnego_ctx->ctx_handle, + &spnego_ctx->DER_mechTypes, + mechListMIC, + qop_state); } } + } else { + ret = GSS_S_COMPLETE; + } } } @@ -2291,11 +2296,13 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted, /* Length of the outer token */ dataLen += 1 + gssint_der_length_size(micTokenSize); - } else if (data != NULL && data->length > 0 && MS_Flag) { + } +#if 0 + else if (data != NULL && data->length > 0 && MS_Flag) { dataLen += rspTokenSize; dataLen += 1 + gssint_der_length_size(rspTokenSize); } - +#endif /* * Add size of DER encoded: * NegTokenTarg [ SEQUENCE ] of @@ -2409,7 +2416,9 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted, ret = GSS_S_DEFECTIVE_TOKEN; goto errout; } - } else if (data != NULL && data->length > 0 && MS_Flag) { + } +#if 0 + else if (data != NULL && data->length > 0 && MS_Flag) { *ptr++ = CONTEXT | 0x03; if ((ret = gssint_put_der_length(rspTokenSize, &ptr, tlen - (int)(ptr - t)))) { @@ -2421,6 +2430,7 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted, ret = GSS_S_DEFECTIVE_TOKEN; } } +#endif errout: if (ret != 0) { if (t)