From 161f846d7629b05e2a5cdbeb9dd7008df5b511ff Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Tue, 14 Jan 2020 13:06:51 +1100 Subject: [PATCH] gss: harmonize negState with RFC 4178 RFC 4178 4.2.2 uses the field name negState rather than negResult in NegTokenResp, to denote the negotiation state. Harmonize with this, also replacing the underscores in accept-completed and accepet-incomplete to match the RFC. --- lib/gssapi/Makefile.am | 2 +- lib/gssapi/spnego/accept_sec_context.c | 30 +++++++++++------------ lib/gssapi/spnego/init_sec_context.c | 34 +++++++++++++------------- lib/gssapi/spnego/spnego.asn1 | 10 ++++---- 4 files changed, 38 insertions(+), 38 deletions(-) diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am index 58470397f..ee59266f6 100644 --- a/lib/gssapi/Makefile.am +++ b/lib/gssapi/Makefile.am @@ -275,7 +275,7 @@ spnego_files = \ asn1_NegTokenInit.x \ asn1_NegTokenInit2.x \ asn1_NegTokenResp.x \ - asn1_NegResultEnum.x + asn1_NegStateEnum.x BUILTHEADERS = \ $(srcdir)/krb5/gsskrb5-private.h \ diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c index 53e1e2972..4bad7d905 100644 --- a/lib/gssapi/spnego/accept_sec_context.c +++ b/lib/gssapi/spnego/accept_sec_context.c @@ -42,12 +42,12 @@ send_reject (OM_uint32 *minor_status, nt.element = choice_NegotiationToken_negTokenResp; - ALLOC(nt.u.negTokenResp.negResult, 1); - if (nt.u.negTokenResp.negResult == NULL) { + ALLOC(nt.u.negTokenResp.negState, 1); + if (nt.u.negTokenResp.negState == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } - *(nt.u.negTokenResp.negResult) = reject; + *(nt.u.negTokenResp.negState) = reject; nt.u.negTokenResp.supportedMech = NULL; nt.u.negTokenResp.responseToken = NULL; nt.u.negTokenResp.mechListMIC = NULL; 
@@ -199,8 +199,8 @@ send_accept (OM_uint32 *minor_status, nt.element = choice_NegotiationToken_negTokenResp; - ALLOC(nt.u.negTokenResp.negResult, 1); - if (nt.u.negTokenResp.negResult == NULL) { + ALLOC(nt.u.negTokenResp.negState, 1); + if (nt.u.negTokenResp.negState == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } @@ -209,14 +209,14 @@ send_accept (OM_uint32 *minor_status, if (mech_token != GSS_C_NO_BUFFER && mech_token->length != 0 && mech_buf != GSS_C_NO_BUFFER) - *(nt.u.negTokenResp.negResult) = accept_incomplete; + *(nt.u.negTokenResp.negState) = accept_incomplete; else - *(nt.u.negTokenResp.negResult) = accept_completed; + *(nt.u.negTokenResp.negState) = accept_completed; } else { if (initial_response && !optimistic_mech_ok) - *(nt.u.negTokenResp.negResult) = request_mic; + *(nt.u.negTokenResp.negState) = request_mic; else - *(nt.u.negTokenResp.negResult) = accept_incomplete; + *(nt.u.negTokenResp.negState) = accept_incomplete; } if (initial_response) { @@ -299,7 +299,7 @@ send_accept (OM_uint32 *minor_status, * specifies encapsulation for all _Kerberos_ tokens). */ - if (*(nt.u.negTokenResp.negResult) == accept_completed) + if (*(nt.u.negTokenResp.negState) == accept_completed) ret = GSS_S_COMPLETE; else ret = GSS_S_CONTINUE_NEEDED; @@ -834,7 +834,7 @@ acceptor_continue NegotiationToken nt; size_t nt_len; NegTokenResp *na; - unsigned int negResult = accept_incomplete; + unsigned int negState = accept_incomplete; gss_buffer_t mech_input_token = GSS_C_NO_BUFFER; gss_buffer_t mech_output_token = GSS_C_NO_BUFFER; gssspnego_ctx ctx; @@ -859,8 +859,8 @@ acceptor_continue } na = &nt.u.negTokenResp; - if (na->negResult != NULL) { - negResult = *(na->negResult); + if (na->negState != NULL) { + negState = *(na->negState); } HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); 
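Review bot: In the acceptor_continue hunks at -834 and -859 the peer-supplied negState is copied into a plain `unsigned int`, with no visible check that it is one of the four enumerated values, and a missing field silently becomes accept_incomplete. The later hunks at -912 and -922 only compare it against accept_completed and accept_incomplete, so whether an initiator-sent `reject` or an unexpected value ends the exchange cannot be told from the lines shown; the function body continues outside these hunks. As the type is being renamed anyway, declaring the local as `NegStateEnum negState = accept_incomplete;` would match make_reply in init_sec_context.c. A comment such as `/* negState is OPTIONAL on the wire; absent is treated as accept_incomplete */` would make the default read as deliberate.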
@@ -912,7 +912,7 @@ acceptor_continue output_token); if (ctx->mech_flags & GSS_C_DCE_STYLE) - require_response = (negResult != accept_completed); + require_response = (negState != accept_completed); else require_response = 0; @@ -922,7 +922,7 @@ acceptor_continue */ if ((mech_output_token != GSS_C_NO_BUFFER && mech_output_token->length != 0) - || (ctx->flags.open && negResult == accept_incomplete) + || (ctx->flags.open && negState == accept_incomplete) || require_response || get_mic) { ret2 = send_accept (minor_status, diff --git a/lib/gssapi/spnego/init_sec_context.c b/lib/gssapi/spnego/init_sec_context.c index 6cef4c87f..07a08caa0 100644 --- a/lib/gssapi/spnego/init_sec_context.c +++ b/lib/gssapi/spnego/init_sec_context.c @@ -133,13 +133,13 @@ make_reply(OM_uint32 *minor_status, gss_buffer_desc mic_buf; OM_uint32 ret, minor; size_t size; - NegResultEnum result; + NegStateEnum state; memset(&nt, 0, sizeof(nt)); nt.element = choice_NegotiationToken_negTokenResp; - nt.u.negTokenResp.negResult = NULL; + nt.u.negTokenResp.negState = NULL; nt.u.negTokenResp.supportedMech = NULL; output_token->length = 0; @@ -149,11 +149,11 @@ make_reply(OM_uint32 *minor_status, if (ctx->flags.open) { if (ctx->flags.verified_mic == 1 || ctx->flags.require_mic == 0) - result = accept_completed; + state = accept_completed; else - result = accept_incomplete; + state = accept_incomplete; } else { - result = accept_incomplete; + state = accept_incomplete; } if (mech_token->length == 0) { @@ -212,13 +212,13 @@ make_reply(OM_uint32 *minor_status, nt.u.negTokenResp.mechListMIC = NULL; } - ALLOC(nt.u.negTokenResp.negResult, 1); - if (nt.u.negTokenResp.negResult == NULL) { + ALLOC(nt.u.negTokenResp.negState, 1); + if (nt.u.negTokenResp.negState == NULL) { free_NegotiationToken(&nt); *minor_status = ENOMEM; return GSS_S_FAILURE; } - *nt.u.negTokenResp.negResult = result; + *nt.u.negTokenResp.negState = state; ASN1_MALLOC_ENCODE(NegotiationToken, output_token->value, output_token->length, 
@@ -229,7 +229,7 @@ make_reply(OM_uint32 *minor_status, return GSS_S_FAILURE; } - if (result != accept_completed) + if (state != accept_completed) return GSS_S_CONTINUE_NEEDED; return GSS_S_COMPLETE; @@ -446,8 +446,8 @@ spnego_reply(OM_uint32 * minor_status, return GSS_S_BAD_MECH; } - if (resp.u.negTokenResp.negResult == NULL - || *(resp.u.negTokenResp.negResult) == reject) + if (resp.u.negTokenResp.negState == NULL + || *(resp.u.negTokenResp.negState) == reject) { free_NegotiationToken(&resp); return GSS_S_BAD_MECH; @@ -577,7 +577,7 @@ spnego_reply(OM_uint32 * minor_status, if (ret == GSS_S_COMPLETE) { ctx->flags.open = 1; } - } else if (*resp.u.negTokenResp.negResult == accept_completed) { + } else if (*resp.u.negTokenResp.negState == accept_completed) { if (ctx->flags.maybe_open) ctx->flags.open = 1; @@ -589,7 +589,7 @@ spnego_reply(OM_uint32 * minor_status, } } - if (*resp.u.negTokenResp.negResult == request_mic) { + if (*resp.u.negTokenResp.negState == request_mic) { ctx->flags.peer_require_mic = 1; } @@ -642,7 +642,7 @@ spnego_reply(OM_uint32 * minor_status, if (ctx->flags.open) { - if (*resp.u.negTokenResp.negResult == accept_completed && ctx->flags.safe_omit) { + if (*resp.u.negTokenResp.negState == accept_completed && ctx->flags.safe_omit) { ctx->initiator_state = step_completed; ret = GSS_S_COMPLETE; } else if (ctx->flags.require_mic != 0 && ctx->flags.verified_mic == 0) { @@ -654,7 +654,7 @@ spnego_reply(OM_uint32 * minor_status, } } - if (*resp.u.negTokenResp.negResult != accept_completed || + if (*resp.u.negTokenResp.negState != accept_completed || ctx->initiator_state != step_completed || mech_output_token.length) { 
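Review bot: Every later dereference of `resp.u.negTokenResp.negState` in spnego_reply (the hunks at -577, -589, -642 and -654) is safe only because the hunk at -446 returns GSS_S_BAD_MECH when the pointer is NULL. That dependency is not stated in the visible lines, and the field is OPTIONAL in the ASN.1, so a later change that relaxes the early return to tolerate peers omitting negState would turn these into NULL dereferences on peer-controlled input. A comment at the guard, e.g. `/* negState must be non-NULL from here on: it is dereferenced unconditionally below */`, or copying the value once into a local `NegStateEnum` right after the check, would make the invariant explicit. spnego_reply's body extends beyond these hunks.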
@@ -703,8 +703,8 @@ wait_server_mic(OM_uint32 * minor_status, "Failed to decode NegotiationToken"); if (resp.element != choice_NegotiationToken_negTokenResp - || resp.u.negTokenResp.negResult == NULL - || *resp.u.negTokenResp.negResult != accept_completed) + || resp.u.negTokenResp.negState == NULL + || *resp.u.negTokenResp.negState != accept_completed) { free_NegotiationToken(&resp); return gss_mg_set_error_string(GSS_SPNEGO_MECHANISM, diff --git a/lib/gssapi/spnego/spnego.asn1 b/lib/gssapi/spnego/spnego.asn1 index fc6cd0c1e..bd69a0512 100644 --- a/lib/gssapi/spnego/spnego.asn1 +++ b/lib/gssapi/spnego/spnego.asn1 @@ -37,17 +37,17 @@ NegTokenInit ::= SEQUENCE { ... } -NegResultEnum ::= ENUMERATED { - accept_completed(0), - accept_incomplete(1), +NegStateEnum ::= ENUMERATED { + accept-completed(0), + accept-incomplete(1), reject(2), request-mic(3) } --- NB: negResult is not OPTIONAL in the new SPNEGO spec but +-- NB: negState is not OPTIONAL in the new SPNEGO spec but -- Windows clients do not always send it NegTokenResp ::= SEQUENCE { - negResult [0] NegResultEnum OPTIONAL, + negState [0] NegStateEnum OPTIONAL, supportedMech [1] MechType OPTIONAL, responseToken [2] OCTET STRING OPTIONAL, mechListMIC [3] OCTET STRING OPTIONAL,
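Review bot: The comment carried over above NegTokenResp in spnego.asn1 says negState "is not OPTIONAL in the new SPNEGO spec", which does not match RFC 4178 4.2.2 as I read it: the field is OPTIONAL in the syntax and only REQUIRED in the first reply from the target. Since this commit aligns the names with the RFC, the comment could be reworded to `-- NB: negState is REQUIRED in the first reply from the target (RFC 4178 4.2.2) but Windows clients do not always send it`. It would also help to note next to NegStateEnum that the hyphenated enumerators are referenced from C with underscores (accept_completed, request_mic), since that mapping is presumably done by the ASN.1 compiler and is not visible in this file.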