Interim commit containing SPNEGO changes resulting from interop
authorTom Yu <tlyu@mit.edu>
Wed, 29 Mar 2006 03:25:32 +0000 (03:25 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 29 Mar 2006 03:25:32 +0000 (03:25 +0000)
testing with MS.  Handle SPNEGO optimistic OID vs mech token OID
mismatches which result from "wrong" MS krb5 OID, at least somewhat,
and don't be as aggressive about mechListMIC.

git-svn-id: svn://anonsvn.mit.edu/krb5/users/tlyu/branches/mechglue@17795 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/ChangeLog
src/lib/gssapi/krb5/gssapiP_krb5.h
src/lib/gssapi/krb5/gssapi_krb5.c
src/lib/gssapi/krb5/krb5_gss_glue.c
src/lib/gssapi/mechglue/ChangeLog
src/lib/gssapi/mechglue/g_initialize.c
src/lib/gssapi/spnego/ChangeLog
src/lib/gssapi/spnego/spnego_mech.c

index 790c8a1195a17ff65017a39e4bd7c01ff160eb67..5f6b85818738f58674088d2ed653472f12e0975b 100644 (file)
@@ -1,3 +1,14 @@
+2006-03-28  Tom Yu  <tlyu@mit.edu>
+
+       * krb5_gss_glue.c: Add krb5_mechanism_wrong.
+
+       * gssapi_krb5.c: Add GSS_MECH_KRB5_WRONG_OID; update pointers and
+       oidsets.
+
+       * gssapiP_krb5.h (GSS_MECH_KRB5_WRONG_OID) 
+       (GSS_MECH_KRB5_WRONG_OID_LENGTH): New OID; incorrect krb5 mech OID
+       emitted by MS.
+
 2006-03-26  Tom Yu  <tlyu@mit.edu>
 
        * gssapiP_krb5.h (GSS_MECH_KRB5_OLD_OID):
index cd2e43c8c437d15179e65a2fff32bb46e99fc235..7bccc06a8185c928621c626442a4600f65faee80 100644 (file)
 #define GSS_MECH_KRB5_OLD_OID_LENGTH 5
 #define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002"
 
+/* Incorrect krb5 mech OID emitted by MS. */
+#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9
+#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"
+
+
 #define CKSUMTYPE_KG_CB                0x8003
 
 #define KG_TOK_CTX_AP_REQ      0x0100
index cbdd15c03694fc1eb0cce05db029cb50a68ee301..7963bb59acc5e4bf7a3363df50b6c359cc1e3674 100644 (file)
 const gss_OID_desc krb5_gss_oid_array[] = {
    /* this is the official, rfc-specified OID */
    {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
-   /* this is the unofficial, wrong OID */
+   /* this pre-RFC mech OID */
    {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID},
+   /* this is the unofficial, incorrect mech OID emitted by MS */
+   {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID},
    /* this is the v2 assigned OID */
    {9, "\052\206\110\206\367\022\001\002\003"},
    /* these two are name type OID's */
@@ -108,14 +110,15 @@ const gss_OID_desc krb5_gss_oid_array[] = {
 
 const gss_OID_desc * const gss_mech_krb5              = krb5_gss_oid_array+0;
 const gss_OID_desc * const gss_mech_krb5_old          = krb5_gss_oid_array+1;
-const gss_OID_desc * const gss_nt_krb5_name           = krb5_gss_oid_array+3;
-const gss_OID_desc * const gss_nt_krb5_principal      = krb5_gss_oid_array+4;
-const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+3;
+const gss_OID_desc * const gss_mech_krb5_wrong        = krb5_gss_oid_array+2;
+const gss_OID_desc * const gss_nt_krb5_name           = krb5_gss_oid_array+4;
+const gss_OID_desc * const gss_nt_krb5_principal      = krb5_gss_oid_array+5;
+const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+4;
 
 static const gss_OID_set_desc oidsets[] = {
    {1, (gss_OID) krb5_gss_oid_array+0},
    {1, (gss_OID) krb5_gss_oid_array+1},
-   {2, (gss_OID) krb5_gss_oid_array+0},
+   {3, (gss_OID) krb5_gss_oid_array+0},
    {1, (gss_OID) krb5_gss_oid_array+2},
    {3, (gss_OID) krb5_gss_oid_array+0},
 };
index db0aaf95ddf27123f6a3a1fe6fed9820414dfc89..6a3b6de2af8ae51ef07b7ece7e34935fc4065343 100644 (file)
@@ -381,6 +381,11 @@ struct gss_config krb5_mechanism_old = {
     KRB5_GSS_CONFIG_INIT
 };
 
+struct gss_config krb5_mechanism_wrong = {
+    { GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID },
+    KRB5_GSS_CONFIG_INIT
+};
+
 #ifdef KRB5_MECH_MODULE
 gss_mechanism
 gss_mech_initialize(const gss_OID oid)
index c2d28d3e4ffe2d1a2012886c4b3e822a551f4c0a..0097ef484cffa8d68c85069810a36798c5464c72 100644 (file)
@@ -1,3 +1,8 @@
+2006-03-28  Tom Yu  <tlyu@mit.edu>
+
+       * g_initialize.c (build_mechSet): Actually return a value on success.
+       (init_hardcoded): Add krb5_mechanism_wrong.
+
 2006-03-27  Tom Yu  <tlyu@mit.edu>
 
        * g_initialize.c (init_hardcoded): Re-order to put SPNEGO first
index cb12d2e17a1b216f7e9f834d8bcb0eb5ecd1f828..bb012f955c1282c03ff97bb40606403a350199c8 100644 (file)
@@ -347,6 +347,8 @@ build_mechSet(void)
 #endif
        (void) k5_mutex_unlock(&g_mechSetLock);
        (void) k5_mutex_unlock(&g_mechListLock);
+
+       return GSS_S_COMPLETE;
 }
 
 
@@ -513,6 +515,7 @@ init_hardcoded(void)
 {
        extern struct gss_config krb5_mechanism;
        extern struct gss_config krb5_mechanism_old;
+       extern struct gss_config krb5_mechanism_wrong;
        extern struct gss_config spnego_mechanism;
        static int inited;
        gss_mech_info cf;
@@ -549,13 +552,25 @@ init_hardcoded(void)
                return;
        memset(cf, 0, sizeof(*cf));
        cf->uLibName = strdup("<hardcoded internal>");
-       cf->mechNameStr = "kerberos_v5 (old)";
+       cf->mechNameStr = "kerberos_v5 (pre-RFC OID)";
        cf->mech_type = &krb5_mechanism_old.mech_type;
        cf->mech = &krb5_mechanism_old;
        cf->next = NULL;
        g_mechListTail->next = cf;
        g_mechListTail = cf;
 
+       cf = malloc(sizeof(*cf));
+       if (cf == NULL)
+               return;
+       memset(cf, 0, sizeof(*cf));
+       cf->uLibName = strdup("<hardcoded internal>");
+       cf->mechNameStr = "kerberos_v5 (wrong OID)";
+       cf->mech_type = &krb5_mechanism_wrong.mech_type;
+       cf->mech = &krb5_mechanism_wrong;
+       cf->next = NULL;
+       g_mechListTail->next = cf;
+       g_mechListTail = cf;
+
        inited = 1;
 }
 
index 343a8454469dc5f4f37e202beb2f72a252d5d743..4fa963c7002413fba80f09b31a536ac09609fcc3 100644 (file)
@@ -1,3 +1,12 @@
+2006-03-28  Tom Yu  <tlyu@.mit.edu>
+
+       * spnego_mech.c (check_spnego_options, create_spnego_ctx): Force
+       to 1 for testing purposes.
+       (spnego_gss_init_sec_context): Don't check for mechListMIC if
+       MS_Interop is true.
+       (make_spnego_tokenTarg_msg): Never send duplicate AP-REP as
+       mechListMIC; omit mechListMIC instead.
+
 2006-03-26  Tom Yu  <tlyu@mit.edu>
 
        * spnego_mech.c: s/uchar_t/unsigned char/g.  Bash cast to
index d1ab46587f90cb19800b54c56d68cad3a702952e..821292ddeb7abd6421f4fc35ed3e757a11c9b9b0 100644 (file)
@@ -206,7 +206,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
                strstr(spnego_ctx->optionStr, "msinterop")) {
                        spnego_ctx->MS_Interop = 1;
        } else {
-               spnego_ctx->MS_Interop = 0;
+               spnego_ctx->MS_Interop = 1;
        }
 }
 
@@ -226,7 +226,7 @@ create_spnego_ctx(void)
        spnego_ctx->internal_mech = NULL;
        spnego_ctx->optionStr = NULL;
        spnego_ctx->optimistic = 0;
-       spnego_ctx->MS_Interop = 0;
+       spnego_ctx->MS_Interop = 1;
        spnego_ctx->DER_mechTypes.length = NULL;
        spnego_ctx->DER_mechTypes.value = GSS_C_NO_BUFFER;
 
@@ -561,15 +561,17 @@ spnego_gss_init_sec_context(void *ct,
                }
 
                /* create mic/check mic */
-               if ((i_output_token->length == 0) &&
-                   (status == GSS_S_COMPLETE) &&
-                   (local_ret_flags & GSS_C_INTEG_FLAG)) {
-                       if (*ptr == (CONTEXT | 0x03) &&
+               if (status == GSS_S_COMPLETE) {
+                   if ((i_output_token->length == 0) &&
+                       (local_ret_flags & GSS_C_INTEG_FLAG) &&
+                       !spnego_ctx->MS_Interop) {
+                       if ((ptr - (unsigned char *)input_token->value) < input_token->length &&
+                           *ptr == (CONTEXT | 0x03) &&
                            g_get_tag_and_length(&ptr,
-                                       (CONTEXT | 0x03),
-                                       input_token->length -
-                                       (ptr - (unsigned char *)input_token->value),
-                                       &len) < 0) {
+                                                (CONTEXT | 0x03),
+                                                input_token->length -
+                                                (ptr - (unsigned char *)input_token->value),
+                                                &len) < 0) {
                            ret = GSS_S_DEFECTIVE_TOKEN;
                        } else {
                            ret = GSS_S_COMPLETE;
@@ -577,14 +579,17 @@ spnego_gss_init_sec_context(void *ct,
                            if (mechListMIC == NULL)
                                ret = GSS_S_DEFECTIVE_TOKEN;
                            else if (!spnego_ctx->MS_Interop &&
-                               spnego_ctx->DER_mechTypes.length > 0) {
+                                    spnego_ctx->DER_mechTypes.length > 0) {
                                status = gss_verify_mic(minor_status,
-                                           spnego_ctx->ctx_handle,
-                                           &spnego_ctx->DER_mechTypes,
-                                           mechListMIC,
-                                           qop_state);
+                                                       spnego_ctx->ctx_handle,
+                                                       &spnego_ctx->DER_mechTypes,
+                                                       mechListMIC,
+                                                       qop_state);
                            }
                        }
+                   } else {
+                       ret = GSS_S_COMPLETE;
+                   }
                }
        }
 
@@ -2291,11 +2296,13 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted,
 
                /* Length of the outer token */
                dataLen += 1 + gssint_der_length_size(micTokenSize);
-       } else if (data != NULL && data->length > 0 && MS_Flag) {
+       }
+#if 0
+       else if (data != NULL && data->length > 0 && MS_Flag) {
                dataLen += rspTokenSize;
                dataLen += 1 + gssint_der_length_size(rspTokenSize);
        }
-
+#endif
        /*
         * Add size of DER encoded:
         * NegTokenTarg [ SEQUENCE ] of
@@ -2409,7 +2416,9 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted,
                        ret = GSS_S_DEFECTIVE_TOKEN;
                        goto errout;
                }
-       } else if (data != NULL && data->length > 0 && MS_Flag) {
+       }
+#if 0
+       else if (data != NULL && data->length > 0 && MS_Flag) {
                *ptr++ = CONTEXT | 0x03;
                if ((ret = gssint_put_der_length(rspTokenSize, &ptr,
                            tlen - (int)(ptr - t)))) {
@@ -2421,6 +2430,7 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted,
                        ret = GSS_S_DEFECTIVE_TOKEN;
                }
        }
+#endif
 errout:
        if (ret != 0) {
                if (t)