gss: harmonize negState with RFC 4178

RFC 4178 4.2.2 uses the field name negState rather than negResult in
NegTokenResp, to denote the negotiation state. Harmonize with this, also
replacing the underscores in accept-completed and accept-incomplete with hyphens to match
the RFC.
Luke Howard
2020-01-14 13:06:51 +11:00
parent 3e69aacbe2
commit 161f846d76
4 changed files with 38 additions and 38 deletions


@@ -275,7 +275,7 @@ spnego_files = \
asn1_NegTokenInit.x \ asn1_NegTokenInit.x \
asn1_NegTokenInit2.x \ asn1_NegTokenInit2.x \
asn1_NegTokenResp.x \ asn1_NegTokenResp.x \
asn1_NegResultEnum.x asn1_NegStateEnum.x
BUILTHEADERS = \ BUILTHEADERS = \
$(srcdir)/krb5/gsskrb5-private.h \ $(srcdir)/krb5/gsskrb5-private.h \


@@ -42,12 +42,12 @@ send_reject (OM_uint32 *minor_status,
nt.element = choice_NegotiationToken_negTokenResp; nt.element = choice_NegotiationToken_negTokenResp;
ALLOC(nt.u.negTokenResp.negResult, 1); ALLOC(nt.u.negTokenResp.negState, 1);
if (nt.u.negTokenResp.negResult == NULL) { if (nt.u.negTokenResp.negState == NULL) {
*minor_status = ENOMEM; *minor_status = ENOMEM;
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
*(nt.u.negTokenResp.negResult) = reject; *(nt.u.negTokenResp.negState) = reject;
nt.u.negTokenResp.supportedMech = NULL; nt.u.negTokenResp.supportedMech = NULL;
nt.u.negTokenResp.responseToken = NULL; nt.u.negTokenResp.responseToken = NULL;
nt.u.negTokenResp.mechListMIC = NULL; nt.u.negTokenResp.mechListMIC = NULL;
@@ -199,8 +199,8 @@ send_accept (OM_uint32 *minor_status,
nt.element = choice_NegotiationToken_negTokenResp; nt.element = choice_NegotiationToken_negTokenResp;
ALLOC(nt.u.negTokenResp.negResult, 1); ALLOC(nt.u.negTokenResp.negState, 1);
if (nt.u.negTokenResp.negResult == NULL) { if (nt.u.negTokenResp.negState == NULL) {
*minor_status = ENOMEM; *minor_status = ENOMEM;
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -209,14 +209,14 @@ send_accept (OM_uint32 *minor_status,
if (mech_token != GSS_C_NO_BUFFER if (mech_token != GSS_C_NO_BUFFER
&& mech_token->length != 0 && mech_token->length != 0
&& mech_buf != GSS_C_NO_BUFFER) && mech_buf != GSS_C_NO_BUFFER)
*(nt.u.negTokenResp.negResult) = accept_incomplete; *(nt.u.negTokenResp.negState) = accept_incomplete;
else else
*(nt.u.negTokenResp.negResult) = accept_completed; *(nt.u.negTokenResp.negState) = accept_completed;
} else { } else {
if (initial_response && !optimistic_mech_ok) if (initial_response && !optimistic_mech_ok)
*(nt.u.negTokenResp.negResult) = request_mic; *(nt.u.negTokenResp.negState) = request_mic;
else else
*(nt.u.negTokenResp.negResult) = accept_incomplete; *(nt.u.negTokenResp.negState) = accept_incomplete;
} }
if (initial_response) { if (initial_response) {
@@ -299,7 +299,7 @@ send_accept (OM_uint32 *minor_status,
* specifies encapsulation for all _Kerberos_ tokens). * specifies encapsulation for all _Kerberos_ tokens).
*/ */
if (*(nt.u.negTokenResp.negResult) == accept_completed) if (*(nt.u.negTokenResp.negState) == accept_completed)
ret = GSS_S_COMPLETE; ret = GSS_S_COMPLETE;
else else
ret = GSS_S_CONTINUE_NEEDED; ret = GSS_S_CONTINUE_NEEDED;
@@ -834,7 +834,7 @@ acceptor_continue
NegotiationToken nt; NegotiationToken nt;
size_t nt_len; size_t nt_len;
NegTokenResp *na; NegTokenResp *na;
unsigned int negResult = accept_incomplete; unsigned int negState = accept_incomplete;
gss_buffer_t mech_input_token = GSS_C_NO_BUFFER; gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
gss_buffer_t mech_output_token = GSS_C_NO_BUFFER; gss_buffer_t mech_output_token = GSS_C_NO_BUFFER;
gssspnego_ctx ctx; gssspnego_ctx ctx;
@@ -859,8 +859,8 @@ acceptor_continue
} }
na = &nt.u.negTokenResp; na = &nt.u.negTokenResp;
if (na->negResult != NULL) { if (na->negState != NULL) {
negResult = *(na->negResult); negState = *(na->negState);
} }
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -912,7 +912,7 @@ acceptor_continue
output_token); output_token);
if (ctx->mech_flags & GSS_C_DCE_STYLE) if (ctx->mech_flags & GSS_C_DCE_STYLE)
require_response = (negResult != accept_completed); require_response = (negState != accept_completed);
else else
require_response = 0; require_response = 0;
@@ -922,7 +922,7 @@ acceptor_continue
*/ */
if ((mech_output_token != GSS_C_NO_BUFFER && if ((mech_output_token != GSS_C_NO_BUFFER &&
mech_output_token->length != 0) mech_output_token->length != 0)
|| (ctx->flags.open && negResult == accept_incomplete) || (ctx->flags.open && negState == accept_incomplete)
|| require_response || require_response
|| get_mic) { || get_mic) {
ret2 = send_accept (minor_status, ret2 = send_accept (minor_status,
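Review bot: The initializer `unsigned int negState = accept_incomplete;` in acceptor_continue is the value used whenever the peer's NegTokenResp omits the field, since the later `if (na->negState != NULL)` only overwrites it when the field is present, and nothing on these lines says that this default is intentional. I would add a comment at the declaration, `/* negState is OPTIONAL on the wire; a peer that omits it is treated as accept-incomplete */`, so that the fallback for a missing field is visible to the next person auditing the acceptor state machine. As a smaller style point, the local could be declared `NegStateEnum negState` to match `NegStateEnum state` in make_reply, assuming the generated type is usable here. The body of acceptor_continue starts and ends outside these hunks, so the suggestion covers only the visible declaration and assignment.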

View File

@@ -133,13 +133,13 @@ make_reply(OM_uint32 *minor_status,
gss_buffer_desc mic_buf; gss_buffer_desc mic_buf;
OM_uint32 ret, minor; OM_uint32 ret, minor;
size_t size; size_t size;
NegResultEnum result; NegStateEnum state;
memset(&nt, 0, sizeof(nt)); memset(&nt, 0, sizeof(nt));
nt.element = choice_NegotiationToken_negTokenResp; nt.element = choice_NegotiationToken_negTokenResp;
nt.u.negTokenResp.negResult = NULL; nt.u.negTokenResp.negState = NULL;
nt.u.negTokenResp.supportedMech = NULL; nt.u.negTokenResp.supportedMech = NULL;
output_token->length = 0; output_token->length = 0;
@@ -149,11 +149,11 @@ make_reply(OM_uint32 *minor_status,
if (ctx->flags.open) { if (ctx->flags.open) {
if (ctx->flags.verified_mic == 1 || ctx->flags.require_mic == 0) if (ctx->flags.verified_mic == 1 || ctx->flags.require_mic == 0)
result = accept_completed; state = accept_completed;
else else
result = accept_incomplete; state = accept_incomplete;
} else { } else {
result = accept_incomplete; state = accept_incomplete;
} }
if (mech_token->length == 0) { if (mech_token->length == 0) {
@@ -212,13 +212,13 @@ make_reply(OM_uint32 *minor_status,
nt.u.negTokenResp.mechListMIC = NULL; nt.u.negTokenResp.mechListMIC = NULL;
} }
ALLOC(nt.u.negTokenResp.negResult, 1); ALLOC(nt.u.negTokenResp.negState, 1);
if (nt.u.negTokenResp.negResult == NULL) { if (nt.u.negTokenResp.negState == NULL) {
free_NegotiationToken(&nt); free_NegotiationToken(&nt);
*minor_status = ENOMEM; *minor_status = ENOMEM;
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
*nt.u.negTokenResp.negResult = result; *nt.u.negTokenResp.negState = state;
ASN1_MALLOC_ENCODE(NegotiationToken, ASN1_MALLOC_ENCODE(NegotiationToken,
output_token->value, output_token->length, output_token->value, output_token->length,
@@ -229,7 +229,7 @@ make_reply(OM_uint32 *minor_status,
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
if (result != accept_completed) if (state != accept_completed)
return GSS_S_CONTINUE_NEEDED; return GSS_S_CONTINUE_NEEDED;
return GSS_S_COMPLETE; return GSS_S_COMPLETE;
@@ -446,8 +446,8 @@ spnego_reply(OM_uint32 * minor_status,
return GSS_S_BAD_MECH; return GSS_S_BAD_MECH;
} }
if (resp.u.negTokenResp.negResult == NULL if (resp.u.negTokenResp.negState == NULL
|| *(resp.u.negTokenResp.negResult) == reject) || *(resp.u.negTokenResp.negState) == reject)
{ {
free_NegotiationToken(&resp); free_NegotiationToken(&resp);
return GSS_S_BAD_MECH; return GSS_S_BAD_MECH;
@@ -577,7 +577,7 @@ spnego_reply(OM_uint32 * minor_status,
if (ret == GSS_S_COMPLETE) { if (ret == GSS_S_COMPLETE) {
ctx->flags.open = 1; ctx->flags.open = 1;
} }
} else if (*resp.u.negTokenResp.negResult == accept_completed) { } else if (*resp.u.negTokenResp.negState == accept_completed) {
if (ctx->flags.maybe_open) if (ctx->flags.maybe_open)
ctx->flags.open = 1; ctx->flags.open = 1;
@@ -589,7 +589,7 @@ spnego_reply(OM_uint32 * minor_status,
} }
} }
if (*resp.u.negTokenResp.negResult == request_mic) { if (*resp.u.negTokenResp.negState == request_mic) {
ctx->flags.peer_require_mic = 1; ctx->flags.peer_require_mic = 1;
} }
@@ -642,7 +642,7 @@ spnego_reply(OM_uint32 * minor_status,
if (ctx->flags.open) { if (ctx->flags.open) {
if (*resp.u.negTokenResp.negResult == accept_completed && ctx->flags.safe_omit) { if (*resp.u.negTokenResp.negState == accept_completed && ctx->flags.safe_omit) {
ctx->initiator_state = step_completed; ctx->initiator_state = step_completed;
ret = GSS_S_COMPLETE; ret = GSS_S_COMPLETE;
} else if (ctx->flags.require_mic != 0 && ctx->flags.verified_mic == 0) { } else if (ctx->flags.require_mic != 0 && ctx->flags.verified_mic == 0) {
@@ -654,7 +654,7 @@ spnego_reply(OM_uint32 * minor_status,
} }
} }
if (*resp.u.negTokenResp.negResult != accept_completed || if (*resp.u.negTokenResp.negState != accept_completed ||
ctx->initiator_state != step_completed || ctx->initiator_state != step_completed ||
mech_output_token.length) mech_output_token.length)
{ {
@@ -703,8 +703,8 @@ wait_server_mic(OM_uint32 * minor_status,
"Failed to decode NegotiationToken"); "Failed to decode NegotiationToken");
if (resp.element != choice_NegotiationToken_negTokenResp if (resp.element != choice_NegotiationToken_negTokenResp
|| resp.u.negTokenResp.negResult == NULL || resp.u.negTokenResp.negState == NULL
|| *resp.u.negTokenResp.negResult != accept_completed) || *resp.u.negTokenResp.negState != accept_completed)
{ {
free_NegotiationToken(&resp); free_NegotiationToken(&resp);
return gss_mg_set_error_string(GSS_SPNEGO_MECHANISM, return gss_mg_set_error_string(GSS_SPNEGO_MECHANISM,

View File

@@ -37,17 +37,17 @@ NegTokenInit ::= SEQUENCE {
... ...
} }
NegResultEnum ::= ENUMERATED { NegStateEnum ::= ENUMERATED {
accept_completed(0), accept-completed(0),
accept_incomplete(1), accept-incomplete(1),
reject(2), reject(2),
request-mic(3) request-mic(3)
} }
-- NB: negResult is not OPTIONAL in the new SPNEGO spec but -- NB: negState is not OPTIONAL in the new SPNEGO spec but
-- Windows clients do not always send it -- Windows clients do not always send it
NegTokenResp ::= SEQUENCE { NegTokenResp ::= SEQUENCE {
negResult [0] NegResultEnum OPTIONAL, negState [0] NegStateEnum OPTIONAL,
supportedMech [1] MechType OPTIONAL, supportedMech [1] MechType OPTIONAL,
responseToken [2] OCTET STRING OPTIONAL, responseToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL, mechListMIC [3] OCTET STRING OPTIONAL,
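Review bot: The comment `-- NB: negState is not OPTIONAL in the new SPNEGO spec` now sits in a commit that cites RFC 4178 4.2.2, and as I read that section the field is marked OPTIONAL in the ASN.1 and is required only in the first reply from the target. Since the point of the change is to line the module up with the RFC, the note could be reworded along the lines of `-- NB: RFC 4178 requires negState in the first reply from the target,` followed by the existing `-- but Windows clients do not always send it`. That keeps the interoperability caveat while making clear why the field stays OPTIONAL here and why decoders must handle its absence. The NegTokenResp definition continues past the end of the hunk.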