gss_accept_sec_context: support reassembling split tokens.

Microsoft will sometimes split GSS tokens when they exceed a certain size in some protocols. This is specified in [MS-SPNG]: Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Extension https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf sections 3.1.5.4 to 3.1.5.9. We extend gss_accept_sec_context() to recognise partial tokens and to accumulate the fragments until an entire token is available to be processed. If the entire token is not yet available, GSS_S_CONTINUE_NEEDED is returned with a zero length output token. This is specified in RFC2744 page 25-26 to indicate that no reply need be sent. We include updates to the test framework to test split tokens when using SPNEGO.
2021-08-02 22:55:47 +01:00
parent 80f3194a76
commit 3a6229f64a
7 changed files with 543 additions and 213 deletions
--- a/lib/gssapi/mech/gss_import_sec_context.c
+++ b/lib/gssapi/mech/gss_import_sec_context.c
@@ -33,50 +33,99 @@ gss_import_sec_context(OM_uint32 *minor_status,
    const gss_buffer_t interprocess_token,
    gss_ctx_id_t *context_handle)
 {
-	OM_uint32 major_status;
+        OM_uint32 ret = GSS_S_FAILURE;
+        krb5_storage *sp;
+        krb5_data data;
 	gssapi_mech_interface m;
-	struct _gss_context *ctx;
+        struct _gss_context *ctx = NULL;
 	gss_OID_desc mech_oid;
 	gss_buffer_desc buf;
-	unsigned char *p;
-	size_t len;
+        unsigned char verflags;
+
+        _gss_mg_log(10, "gss-isc called");
+
+        if (!minor_status || !context_handle) {
+            *minor_status = EFAULT;
+            return GSS_S_FAILURE;
+        }

 	*minor_status = 0;
 	*context_handle = GSS_C_NO_CONTEXT;

-	/*
-	 * We added an oid to the front of the token in
-	 * gss_export_sec_context.
-	 */
-	p = interprocess_token->value;
-	len = interprocess_token->length;
-	if (len < 2)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	mech_oid.length = (p[0] << 8) | p[1];
-	if (len < mech_oid.length + 2)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	mech_oid.elements = p + 2;
-	buf.length = len - 2 - mech_oid.length;
-	buf.value = p + 2 + mech_oid.length;
+        sp = krb5_storage_from_mem(interprocess_token->value,
+                                   interprocess_token->length);
+        if (!sp) {
+            *minor_status = ENOMEM;
+            return GSS_S_FAILURE;
+        }
+        krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_PACKED);

-	m = __gss_get_mechanism(&mech_oid);
-	if (!m)
-		return (GSS_S_DEFECTIVE_TOKEN);
+        ctx = calloc(1, sizeof(struct _gss_context));
+        if (!ctx) {
+            *minor_status = ENOMEM;
+            goto failure;
+        }

-	ctx = malloc(sizeof(struct _gss_context));
-	if (!ctx) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	ctx->gc_mech = m;
-	major_status = m->gm_import_sec_context(minor_status,
-	    &buf, &ctx->gc_ctx);
-	if (major_status != GSS_S_COMPLETE) {
-		_gss_mg_error(m, *minor_status);
-		free(ctx);
-	} else {
-		*context_handle = (gss_ctx_id_t) ctx;
-	}
+        if (krb5_ret_uint8(sp, &verflags))
+            goto failure;

-	return (major_status);
+        if ((verflags & EXPORT_CONTEXT_VERSION_MASK) != 0) {
+            _gss_mg_log(10, "gss-isc failed, token version %d not recognised",
+                (int)(verflags & EXPORT_CONTEXT_VERSION_MASK));
+            /* We don't recognise the version */
+            goto failure;
+        }
+
+        if (verflags & EXPORT_CONTEXT_FLAG_ACCUMULATING) {
+            uint32_t target_len;
+
+            if (krb5_ret_uint8(sp, &ctx->gc_initial))
+                goto failure;
+
+            if (krb5_ret_uint32(sp, &target_len))
+                goto failure;
+
+            if (krb5_ret_data(sp, &data))
+                goto failure;
+
+            ctx->gc_target_len   = target_len;
+            ctx->gc_input.value  = data.data;
+            ctx->gc_input.length = data.length;
+            /* Don't need to free data because we gave it to gc_input */
+        }
+
+        if (verflags & EXPORT_CONTEXT_FLAG_MECH_CTX) {
+            if (krb5_ret_data(sp, &data))
+                goto failure;
+
+            mech_oid.length   = data.length;
+            mech_oid.elements = data.data;
+            m = __gss_get_mechanism(&mech_oid);
+            krb5_data_free(&data);
+            if (!m)
+                return GSS_S_DEFECTIVE_TOKEN;
+            ctx->gc_mech = m;
+
+            if (krb5_ret_data(sp, &data))
+                goto failure;
+
+            buf.length = data.length;
+            buf.value  = data.data;
+
+            ret = m->gm_import_sec_context(minor_status, &buf, &ctx->gc_ctx);
+            if (ret != GSS_S_COMPLETE) {
+                _gss_mg_error(m, *minor_status);
+                free(ctx);
+            } else {
+                *context_handle = (gss_ctx_id_t) ctx;
+            }
+        }
+
+        krb5_storage_free(sp);
+        return (ret);
+
+failure:
+        free(ctx);
+        krb5_storage_free(sp);
+        return ret;
 }