gss_accept_sec_context: support reassembling split tokens.

Microsoft will sometimes split GSS tokens when they exceed a certain size in some protocols. This is specified in [MS-SPNG]: Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Extension https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf sections 3.1.5.4 to 3.1.5.9. We extend gss_accept_sec_context() to recognise partial tokens and to accumulate the fragments until an entire token is available to be processed. If the entire token is not yet available, GSS_S_CONTINUE_NEEDED is returned with a zero length output token. This is specified in RFC2744 page 25-26 to indicate that no reply need be sent. We include updates to the test framework to test split tokens when using SPNEGO.
2021-08-02 22:55:47 +01:00
parent 80f3194a76
commit 3a6229f64a
7 changed files with 543 additions and 213 deletions
--- a/lib/gssapi/mech/gss_delete_sec_context.c
+++ b/lib/gssapi/mech/gss_delete_sec_context.c
@@ -42,18 +42,21 @@ gss_delete_sec_context(OM_uint32 *minor_status,
 	*minor_status = 0;
 	major_status = GSS_S_COMPLETE;

-	if (ctx) {
-		/*
-		 * If we have an implementation ctx, delete it,
-		 * otherwise fake an empty token.
-		 */
-		if (ctx->gc_ctx) {
-			major_status = ctx->gc_mech->gm_delete_sec_context(
-				minor_status, &ctx->gc_ctx, output_token);
-		}
-		free(ctx);
-		*context_handle = GSS_C_NO_CONTEXT;
-	}
+        if (!ctx)
+                return GSS_S_COMPLETE;
+
+        free(ctx->gc_free_this);
+
+        /*
+         * If we have an implementation ctx, delete it,
+         * otherwise fake an empty token.
+         */
+        if (ctx->gc_ctx) {
+                major_status = ctx->gc_mech->gm_delete_sec_context(
+                        minor_status, &ctx->gc_ctx, output_token);
+        }
+        free(ctx);
+        *context_handle = GSS_C_NO_CONTEXT;

 	return major_status;
 }