+2006-03-28 Tom Yu <tlyu@mit.edu>
+
+ * krb5_gss_glue.c: Add krb5_mechanism_wrong.
+
+ * gssapi_krb5.c: Add GSS_MECH_KRB5_WRONG_OID; update pointers and
+ oidsets.
+
+ * gssapiP_krb5.h (GSS_MECH_KRB5_WRONG_OID)
+ (GSS_MECH_KRB5_WRONG_OID_LENGTH): New OID; incorrect krb5 mech OID
+ emitted by MS.
+
2006-03-26 Tom Yu <tlyu@mit.edu>
* gssapiP_krb5.h (GSS_MECH_KRB5_OLD_OID):
#define GSS_MECH_KRB5_OLD_OID_LENGTH 5
#define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002"
+/* Incorrect krb5 mech OID emitted by MS. */
+#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9
+#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"
+
+
#define CKSUMTYPE_KG_CB 0x8003
#define KG_TOK_CTX_AP_REQ 0x0100
const gss_OID_desc krb5_gss_oid_array[] = {
/* this is the official, rfc-specified OID */
{GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
- /* this is the unofficial, wrong OID */
+ /* this pre-RFC mech OID */
{GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID},
+ /* this is the unofficial, incorrect mech OID emitted by MS */
+ {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID},
/* this is the v2 assigned OID */
{9, "\052\206\110\206\367\022\001\002\003"},
/* these two are name type OID's */
const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0;
const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1;
-const gss_OID_desc * const gss_nt_krb5_name = krb5_gss_oid_array+3;
-const gss_OID_desc * const gss_nt_krb5_principal = krb5_gss_oid_array+4;
-const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+3;
+const gss_OID_desc * const gss_mech_krb5_wrong = krb5_gss_oid_array+2;
+const gss_OID_desc * const gss_nt_krb5_name = krb5_gss_oid_array+4;
+const gss_OID_desc * const gss_nt_krb5_principal = krb5_gss_oid_array+5;
+const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+4;
static const gss_OID_set_desc oidsets[] = {
{1, (gss_OID) krb5_gss_oid_array+0},
{1, (gss_OID) krb5_gss_oid_array+1},
- {2, (gss_OID) krb5_gss_oid_array+0},
+ {3, (gss_OID) krb5_gss_oid_array+0},
{1, (gss_OID) krb5_gss_oid_array+2},
{3, (gss_OID) krb5_gss_oid_array+0},
};
KRB5_GSS_CONFIG_INIT
};
+struct gss_config krb5_mechanism_wrong = {
+ { GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID },
+ KRB5_GSS_CONFIG_INIT
+};
+
#ifdef KRB5_MECH_MODULE
gss_mechanism
gss_mech_initialize(const gss_OID oid)
+2006-03-28 Tom Yu <tlyu@mit.edu>
+
+ * g_initialize.c (build_mechSet): Actually return a value on success.
+ (init_hardcoded): Add krb5_mechanism_wrong.
+
2006-03-27 Tom Yu <tlyu@mit.edu>
* g_initialize.c (init_hardcoded): Re-order to put SPNEGO first
#endif
(void) k5_mutex_unlock(&g_mechSetLock);
(void) k5_mutex_unlock(&g_mechListLock);
+
+ return GSS_S_COMPLETE;
}
{
extern struct gss_config krb5_mechanism;
extern struct gss_config krb5_mechanism_old;
+ extern struct gss_config krb5_mechanism_wrong;
extern struct gss_config spnego_mechanism;
static int inited;
gss_mech_info cf;
return;
memset(cf, 0, sizeof(*cf));
cf->uLibName = strdup("<hardcoded internal>");
- cf->mechNameStr = "kerberos_v5 (old)";
+ cf->mechNameStr = "kerberos_v5 (pre-RFC OID)";
cf->mech_type = &krb5_mechanism_old.mech_type;
cf->mech = &krb5_mechanism_old;
cf->next = NULL;
g_mechListTail->next = cf;
g_mechListTail = cf;
+ cf = malloc(sizeof(*cf));
+ if (cf == NULL)
+ return;
+ memset(cf, 0, sizeof(*cf));
+ cf->uLibName = strdup("<hardcoded internal>");
+ cf->mechNameStr = "kerberos_v5 (wrong OID)";
+ cf->mech_type = &krb5_mechanism_wrong.mech_type;
+ cf->mech = &krb5_mechanism_wrong;
+ cf->next = NULL;
+ g_mechListTail->next = cf;
+ g_mechListTail = cf;
+
inited = 1;
}
+2006-03-28 Tom Yu <tlyu@.mit.edu>
+
+ * spnego_mech.c (check_spnego_options, create_spnego_ctx): Force
+ to 1 for testing purposes.
+ (spnego_gss_init_sec_context): Don't check for mechListMIC if
+ MS_Interop is true.
+ (make_spnego_tokenTarg_msg): Never send duplicate AP-REP as
+ mechListMIC; omit mechListMIC instead.
+
2006-03-26 Tom Yu <tlyu@mit.edu>
* spnego_mech.c: s/uchar_t/unsigned char/g. Bash cast to
strstr(spnego_ctx->optionStr, "msinterop")) {
spnego_ctx->MS_Interop = 1;
} else {
- spnego_ctx->MS_Interop = 0;
+ spnego_ctx->MS_Interop = 1;
}
}
spnego_ctx->internal_mech = NULL;
spnego_ctx->optionStr = NULL;
spnego_ctx->optimistic = 0;
- spnego_ctx->MS_Interop = 0;
+ spnego_ctx->MS_Interop = 1;
spnego_ctx->DER_mechTypes.length = NULL;
spnego_ctx->DER_mechTypes.value = GSS_C_NO_BUFFER;
}
/* create mic/check mic */
- if ((i_output_token->length == 0) &&
- (status == GSS_S_COMPLETE) &&
- (local_ret_flags & GSS_C_INTEG_FLAG)) {
- if (*ptr == (CONTEXT | 0x03) &&
+ if (status == GSS_S_COMPLETE) {
+ if ((i_output_token->length == 0) &&
+ (local_ret_flags & GSS_C_INTEG_FLAG) &&
+ !spnego_ctx->MS_Interop) {
+ if ((ptr - (unsigned char *)input_token->value) < input_token->length &&
+ *ptr == (CONTEXT | 0x03) &&
g_get_tag_and_length(&ptr,
- (CONTEXT | 0x03),
- input_token->length -
- (ptr - (unsigned char *)input_token->value),
- &len) < 0) {
+ (CONTEXT | 0x03),
+ input_token->length -
+ (ptr - (unsigned char *)input_token->value),
+ &len) < 0) {
ret = GSS_S_DEFECTIVE_TOKEN;
} else {
ret = GSS_S_COMPLETE;
if (mechListMIC == NULL)
ret = GSS_S_DEFECTIVE_TOKEN;
else if (!spnego_ctx->MS_Interop &&
- spnego_ctx->DER_mechTypes.length > 0) {
+ spnego_ctx->DER_mechTypes.length > 0) {
status = gss_verify_mic(minor_status,
- spnego_ctx->ctx_handle,
- &spnego_ctx->DER_mechTypes,
- mechListMIC,
- qop_state);
+ spnego_ctx->ctx_handle,
+ &spnego_ctx->DER_mechTypes,
+ mechListMIC,
+ qop_state);
}
}
+ } else {
+ ret = GSS_S_COMPLETE;
+ }
}
}
/* Length of the outer token */
dataLen += 1 + gssint_der_length_size(micTokenSize);
- } else if (data != NULL && data->length > 0 && MS_Flag) {
+ }
+#if 0
+ else if (data != NULL && data->length > 0 && MS_Flag) {
dataLen += rspTokenSize;
dataLen += 1 + gssint_der_length_size(rspTokenSize);
}
-
+#endif
/*
* Add size of DER encoded:
* NegTokenTarg [ SEQUENCE ] of
ret = GSS_S_DEFECTIVE_TOKEN;
goto errout;
}
- } else if (data != NULL && data->length > 0 && MS_Flag) {
+ }
+#if 0
+ else if (data != NULL && data->length > 0 && MS_Flag) {
*ptr++ = CONTEXT | 0x03;
if ((ret = gssint_put_der_length(rspTokenSize, &ptr,
tlen - (int)(ptr - t)))) {
ret = GSS_S_DEFECTIVE_TOKEN;
}
}
+#endif
errout:
if (ret != 0) {
if (t)