| author | Simo Sorce <simo@redhat.com> | 2014-05-05 17:59:08 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2014-05-06 13:57:27 -0400 |
| commit | da549274458a61e0e0cda20d64b46095d535c5da | |
| tree | ba2ebf9d2f2a585677c2541b2dd1d21b677df666 | |
| parent | 939bb6c500aba6359f80bd27ba6269c23168fc16 | |
Add way to check if mechlistMIC must be produced
This is an extension that is needed to work around a bug in Microsoft's
SPNEGO implementation when the mechanism used is NTLMSSP and a MIC is
produced internally by this mechanism when this is the preferred
mechanism for the client.
In such a case Microsoft servers require a mechlistMIC to be produced even
if RFC 4178 (c) says it should be optional.
In order to avoid interoperability problems this function checks if a
MIC has been produced internally and if so sets sc->mic_reqd to 1 forcing
us to emit a mechlistMIC.
This function is intentionally called after every gss_init_sec_context()
although only the second call can actually return a meaningful answer. The
first call is used to signal to the mechanism that the SPNEGO layer does
support forcing a mechlistMIC so that the mechanism does not put a MIC in
the Authenticate message at all if forcing a mechlistMIC is not supported.
Signed-off-by: Simo Sorce <simo@redhat.com>
| -rw-r--r-- | src/lib/gssapi/spnego/spnego_mech.c | 38 |
|---|---|---|

1 files changed, 38 insertions, 0 deletions
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 7529c7426..7be8d71be 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -474,6 +474,41 @@ create_spnego_ctx(void) return (spnego_ctx); } + +static const gss_OID_desc spnego_req_mic_oid = + { 11, "\x2b\x06\x01\x04\x01\xb7\x7d\x85\x0f\x01\x02" }; +/* + * Helper function to check with mechanism on whether we need to force + * emission of a mechlistMIC. This is normally used by an NTLMSSP + * mechanism that wants to MIC protect an Authenticate message due to + * a bug i Windows servers that seem to require a mechlistMIC in violation + * of RFC 4178 c which says it should be optional. + */ +static void +check_mic_required(spnego_gss_ctx_id_t sc) +{ + OM_uint32 tmpret, tmpmin; + gss_buffer_set_t data_set; + uint8_t mic_set = 0; + + tmpret = gss_inquire_sec_context_by_oid(&tmpmin, sc->ctx_handle, + &spnego_req_mic_oid, + &data_set); + if (tmpret) return; + + if (data_set && + data_set->count == 1 && + data_set->elements[0].length == sizeof(uint8_t)) { + memcpy(&mic_set, data_set->elements[0].value, sizeof(uint8_t)); + } + + if (mic_set == 1) { + sc->mic_reqd = 1; + } + + gss_release_buffer_set(&tmpmin, &data_set); +} + /* * Both initiator and acceptor call here to verify and/or create mechListMIC, * and to consistency-check the MIC state. handle_mic is invoked only if the @@ -1014,6 +1049,9 @@ spnego_gss_init_sec_context( actual_mech, &mechtok_out, ret_flags, time_rec, &negState, &send_token); + + if (!HARD_ERROR(ret)) + check_mic_required(spnego_ctx); } /* Step 3: process or generate the MIC, if the negotiated mech is |
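Review bot: in the first hunk (check_mic_required), the comment block has a typo and an unclear reference: "a bug i Windows servers" should read "a bug in Windows servers", and "RFC 4178 c" should be written the way the commit message has it, "RFC 4178 (c)", so the reader can find the clause. The spnego_req_mic_oid constant also needs a comment saying which mechanism's private OID this is and what the queried value means (one octet, 1 meaning the mechanism emitted an internal MIC), since nothing in the file otherwise explains the arc; likewise a short note that errors from gss_inquire_sec_context_by_oid are deliberately ignored, because a mechanism that does not support the OID is the normal case and must not fail negotiation. Finally, "if (tmpret) return;" on one line does not match the surrounding file's style, where the statement goes on its own line.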
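Review bot: in the second hunk (the call site in spnego_gss_init_sec_context), the rationale from the commit message belongs in a code comment next to the new "if (!HARD_ERROR(ret)) check_mic_required(spnego_ctx);" lines: that the call is made after every init_sec_context round on purpose, that the first call only signals to the mechanism that SPNEGO can force a mechlistMIC, and that only the second call returns a meaningful answer. Without that comment a later cleanup could reasonably drop the apparently redundant first call and silently reintroduce the NTLMSSP interoperability failure this change works around.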