krb5.git/src/lib/gssapi/spnego, branch master MIT Kerberos patches Include autoconf.h before system headers 2014-07-08T23:19:24+00:00 Greg Hudson ghudson@mit.edu 2014-07-05T15:50:58+00:00 02a1123cf44381690c28f18ab2c4ba8036200539 Include autoconf.h (either directly or via proxy) before system headers, so that feature test macros defined there can affect the system namespace. Where include order was changed, eliminate some redundant or unnecessary includes. ticket: 7961 
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace.  Where include order was changed, eliminate some
redundant or unnecessary includes.

ticket: 7961
Allow GSS mechs to force mechlistMIC in SPNEGO 2014-05-08T19:19:10+00:00 Simo Sorce simo@redhat.com 2014-05-05T21:59:08+00:00 bff6bbf52401f9464df365d76f0987fbf8101c5e During a SPNEGO negotiation, if the NTLMSSP mechanism is used and a MIC is produced within the final initiator mechanism token, Microsoft servers require a mechlistMIC even if NTLMSSP was the most preferred mechanism. In spnego_mech.c, add a helper function mech_requires_mechlistMIC which queries the mechanism to determine whether we might need to produce a mechlistMIC for interoperability. Call it after each call to the mechanism's gss_init_sec_context and set sc->mic_reqd if it returns true. Although only the second call to NTLMSSP will actually ever return true, the first call makes the mechanism aware that the SPNEGO implementation supports this feature. [ghudson@mit.edu: clarified commit message and code] ticket: 7907 (new) 
During a SPNEGO negotiation, if the NTLMSSP mechanism is used and a
MIC is produced within the final initiator mechanism token, Microsoft
servers require a mechlistMIC even if NTLMSSP was the most preferred
mechanism.

In spnego_mech.c, add a helper function mech_requires_mechlistMIC
which queries the mechanism to determine whether we might need to
produce a mechlistMIC for interoperability.  Call it after each call
to the mechanism's gss_init_sec_context and set sc->mic_reqd if it
returns true.  Although only the second call to NTLMSSP will actually
ever return true, the first call makes the mechanism aware that the
SPNEGO implementation supports this feature.

[ghudson@mit.edu: clarified commit message and code]

ticket: 7907 (new)
Properly reflect MS krb5 mech in SPNEGO acceptor 2014-02-05T05:40:20+00:00 Greg Hudson ghudson@mit.edu 2014-02-04T02:11:34+00:00 8255613476d4c1583a5e810b50444f188fde871f r25590 changed negotiate_mech() to return an alias into the acceptor's mech set, with the unfortunate side effect of transforming the erroneous Microsoft krb5 mech OID into the correct krb5 mech OID, meaning that we answer with a different OID than the requested one. Return an alias into the initiator's mech set instead, and store that in mech_set field the SPNEGO context. The acceptor code only uses mech_set to hold the allocated storage pointed into by internal_mech, so this change is safe. ticket: 7858 target_version: 1.12.2 tags: pullup 
r25590 changed negotiate_mech() to return an alias into the acceptor's
mech set, with the unfortunate side effect of transforming the
erroneous Microsoft krb5 mech OID into the correct krb5 mech OID,
meaning that we answer with a different OID than the requested one.
Return an alias into the initiator's mech set instead, and store that
in mech_set field the SPNEGO context.  The acceptor code only uses
mech_set to hold the allocated storage pointed into by internal_mech,
so this change is safe.

ticket: 7858
target_version: 1.12.2
tags: pullup
Let SPNEGO display mechanism errors 2013-12-18T20:58:55+00:00 Simo Sorce simo@redhat.com 2013-12-17T21:15:14+00:00 d160bc733a3dbeb6d84f4e175234ff18738d9f66 To avoid potential recursion we use a thread local variable that tells us whether the ancestor was called via spnego_gss_display_name(). If we detect recursion, we assume that we returned a com_err code like ENOMEM and call error_message(); in the worst case that will result in an "Unknown error" message. [ghudson@mit.edu: Edited comments and commit message; removed an unneeded line of code.] ticket: 7045 target_version: 1.12.1 tags: pullup 
To avoid potential recursion we use a thread local variable that tells
us whether the ancestor was called via spnego_gss_display_name().  If
we detect recursion, we assume that we returned a com_err code like
ENOMEM and call error_message(); in the worst case that will result in
an "Unknown error" message.

[ghudson@mit.edu: Edited comments and commit message; removed an
unneeded line of code.]

ticket: 7045
target_version: 1.12.1
tags: pullup
Fix memory leak in SPNEGO initiator 2013-12-16T16:39:41+00:00 Simo Sorce simo@redhat.com 2013-12-13T17:00:41+00:00 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a If we eliminate a mechanism from the initiator list because gss_init_sec_context fails, free the memory for that mech OID before removing it from the list. [ghudson@mit.edu: clarified commit message] ticket: 7803 (new) target_version: 1.12.1 tags: pullup 
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.

[ghudson@mit.edu: clarified commit message]

ticket: 7803 (new)
target_version: 1.12.1
tags: pullup
Remove unneeded check in SPNEGO initiator 2013-12-16T16:35:52+00:00 Greg Hudson ghudson@mit.edu 2013-12-16T16:35:42+00:00 1249c75810e3d5c33ba723c65a904ee914ca8048 In init_ctx_cont, if the response token contains no fields, we set a return value but don't actually quit out of the function. We do not need this check (we will fail later on if a piece of required information isn't present), so just remove it. Reported by simo@redhat.com. 
In init_ctx_cont, if the response token contains no fields, we set a
return value but don't actually quit out of the function.  We do not
need this check (we will fail later on if a piece of required
information isn't present), so just remove it.  Reported by
simo@redhat.com.
Fix SPNEGO one-hop interop against old IIS 2013-12-12T15:51:34+00:00 Greg Hudson ghudson@mit.edu 2013-12-10T17:04:18+00:00 37af638b742dbd642eb70092e4f7781c3f69d86d IIS 6.0 and similar return a zero length reponse buffer in the last SPNEGO packet when context initiation is performed without mutual authentication. In this case the underlying Kerberos mechanism has already completed successfully on the first invocation, and SPNEGO does not expect a mech response token in the answer. If we get an empty mech response token when the mech is complete during negotiation, ignore it. [ghudson@mit.edu: small code style and commit message changes] ticket: 7797 (new) target_version: 1.12.1 tags: pullup 
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication.  In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer.  If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.

[ghudson@mit.edu: small code style and commit message changes]

ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
Avoid malloc(0) in SPNEGO get_input_token 2013-12-07T02:06:26+00:00 Greg Hudson ghudson@mit.edu 2013-12-06T23:56:56+00:00 13fd26e1863c79f616653f6a10a58c01f65fceff If we read a zero-length token in spnego_mech.c's get_input_token(), set the value pointer to NULL instead of calling malloc(0). ticket: 7794 (new) 
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).

ticket: 7794 (new)
Add GSSAPI IOV MIC functions 2013-09-18T22:22:16+00:00 Greg Hudson ghudson@mit.edu 2013-09-08T01:13:48+00:00 d750ef3130b76dd079e863ed395eb3620a37386b Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov functions, which work similarly to the corresponding IOV wrap functions. Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for the destination buffer. Most of the internal code for this was already present, and just needed to be fixed up and adjusted to use the new buffer type for the MIC token. ticket: 7705 (new) 
Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions.  Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.

Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.

ticket: 7705 (new)
Fix various warnings 2013-06-07T19:19:37+00:00 Greg Hudson ghudson@mit.edu 2013-06-07T19:17:31+00:00 e51c089b745161dd6e1d64998e99d065fc22377e