oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gss_accept_sec_context: support reassembling split tokens.

Browse Source 
Microsoft will sometimes split GSS tokens when they exceed a certain
size in some protocols.  This is specified in

	[MS-SPNG]: Simple and Protected GSS-API Negotiation
	Mechanism (SPNEGO) Extension

https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf

sections 3.1.5.4 to 3.1.5.9.

We extend gss_accept_sec_context() to recognise partial tokens and
to accumulate the fragments until an entire token is available to
be processed.  If the entire token is not yet available,
GSS_S_CONTINUE_NEEDED is returned with a zero length output token.
This is specified in RFC2744 page 25-26 to indicate that no reply
need be sent.

We include updates to the test framework to test split tokens when
using SPNEGO.
This commit is contained in:
Roland C. Dowdeswell
2021-08-02 22:55:47 +01:00
committed by Luke Howard
parent 80f3194a76
commit 3a6229f64a
7 changed files with 543 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
lib/gssapi/mech/context.h
View File

@@ -30,10 +30,20 @@
#include <gssapi_mech.h>
struct _gss_context {
gssapi_mech_interface gc_mech;
gss_ctx_id_t gc_ctx;
gss_buffer_desc gc_input;
char *gc_free_this;
size_t gc_target_len;
size_t gc_oid_offset;
gssapi_mech_interface gc_mech;
gss_ctx_id_t gc_ctx;
uint8_t gc_initial;
};
#define EXPORT_CONTEXT_VERSION_MASK 0x03
#define EXPORT_CONTEXT_FLAGS_MASK 0xfc
#define EXPORT_CONTEXT_FLAG_ACCUMULATING 0x04
#define EXPORT_CONTEXT_FLAG_MECH_CTX 0x08
void
_gss_mg_error(gssapi_mech_interface, OM_uint32);

284
lib/gssapi/mech/gss_accept_sec_context.c
View File

@@ -28,87 +28,148 @@
#include "mech_locl.h"
/*
* accumulate_token() tries to assemble a complete GSS token which may
* be fed to it in pieces. Microsoft does this when tokens are too large
* in CIFS, e.g. It may occur in other places as well. It is specified in:
*
* [MS-SPNG]: Simple and Protected GSS-API Negotiation
* Mechanism (SPNEGO) Extension
*
* https://winprotocoldoc.blob.core.windows.net/
* productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf
*
* Sections 3.1.5.4 to 3.1.5.9.
*
* We only accumulate if we see the appropriate application tag in the
* first byte of 0x60 because in the absence of this, we cannot interpret
* the following bytes as a DER length.
*
* We only allocate an accumulating buffer if we detect that the token
* is split between multiple packets as this is the uncommon case and
* we want to optimise for the common case. If we aren't accumulating,
* we simply return success.
*
* Our return value is GSS_S_CONTINUE_NEEDED if we need more input.
* We return GSS_S_COMPLETE if we are either finished accumulating or
* if we decide that we do not understand this token. We only return
* an error if we think that we should understand the token and still
* fail to understand it.
*/
static OM_uint32
parse_header(const gss_buffer_t input_token, gss_OID *mech_oid)
accumulate_token(struct _gss_context *ctx, gss_buffer_t input_token)
{
gss_OID_desc mech;
unsigned char *p = input_token->value;
size_t len = input_token->length;
size_t a, b;
gss_buffer_t gci;
size_t l;
/*
* Token must start with [APPLICATION 0] SEQUENCE.
* But if it doesn't assume it is DCE-STYLE Kerberos!
*/
if (!ctx->gc_target_len) {
free(ctx->gc_free_this);
ctx->gc_free_this = NULL;
_mg_buffer_zero(&ctx->gc_input);
/*
* Let's prepare gc_input for the case where
* we aren't accumulating.
*/
ctx->gc_input.length = len;
ctx->gc_input.value = p;
if (len == 0)
return GSS_S_COMPLETE;
/* Not our DER w/ a length */
if (*p != 0x60)
return GSS_S_COMPLETE;
if (der_get_length(p+1, len-1, &ctx->gc_target_len, &l) != 0)
return GSS_S_DEFECTIVE_TOKEN;
_gss_mg_log(10, "gss-asc: DER length: %zu",
ctx->gc_target_len);
ctx->gc_oid_offset = l + 1;
ctx->gc_target_len += ctx->gc_oid_offset;
_gss_mg_log(10, "gss-asc: total length: %zu",
ctx->gc_target_len);
if (ctx->gc_target_len == ASN1_INDEFINITE ||
ctx->gc_target_len < len)
return GSS_S_DEFECTIVE_TOKEN;
/* We've got it all, short-circuit the accumulating */
if (ctx->gc_target_len == len)
goto done;
_gss_mg_log(10, "gss-asc: accumulating partial token");
ctx->gc_input.length = 0;
ctx->gc_input.value = calloc(ctx->gc_target_len, 1);
if (!ctx->gc_input.value)
return GSS_S_FAILURE;
ctx->gc_free_this = ctx->gc_input.value;
}
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
return GSS_S_DEFECTIVE_TOKEN;
p++;
len--;
gci = &ctx->gc_input;
/*
* Decode the length and make sure it agrees with the
* token length.
*/
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
if ((*p & 0x80) == 0) {
a = *p;
p++;
len--;
} else {
b = *p & 0x7f;
p++;
len--;
if (len < b)
return (GSS_S_DEFECTIVE_TOKEN);
a = 0;
while (b) {
a = (a << 8) | *p;
p++;
len--;
b--;
}
}
if (a != len)
return (GSS_S_DEFECTIVE_TOKEN);
if (ctx->gc_target_len > gci->length) {
if (gci->length + len > ctx->gc_target_len) {
_gss_mg_log(10, "gss-asc: accumulation exceeded "
"target length: bailing");
return GSS_S_DEFECTIVE_TOKEN;
}
memcpy((char *)gci->value + gci->length, p, len);
gci->length += len;
}
/*
* Decode the OID for the mechanism. Simplify life by
* assuming that the OID length is less than 128 bytes.
*/
if (len < 2 || *p != 0x06)
return (GSS_S_DEFECTIVE_TOKEN);
if ((p[1] & 0x80) || p[1] > (len - 2))
return (GSS_S_DEFECTIVE_TOKEN);
mech.length = p[1];
p += 2;
len -= 2;
mech.elements = p;
if (gci->length != ctx->gc_target_len) {
_gss_mg_log(10, "gss-asc: collected %zu/%zu bytes",
gci->length, ctx->gc_target_len);
return GSS_S_CONTINUE_NEEDED;
}
*mech_oid = _gss_mg_support_mechanism(&mech);
if (*mech_oid == GSS_C_NO_OID)
return GSS_S_BAD_MECH;
done:
_gss_mg_log(10, "gss-asc: received complete %zu byte token",
ctx->gc_target_len);
ctx->gc_target_len = 0;
return GSS_S_COMPLETE;
}
static gss_OID
choose_mech(const gss_buffer_t input)
static void
log_oid(const char *str, gss_OID mech)
{
OM_uint32 status;
gss_OID mech_oid = GSS_C_NO_OID;
OM_uint32 maj, min;
gss_buffer_desc buf;
/*
* First try to parse the gssapi token header and see if it's a
* correct header, use that in the first hand.
*/
maj = gss_oid_to_str(&min, mech, &buf);
if (maj == GSS_S_COMPLETE) {
_gss_mg_log(10, "%s: %.*s", str, (int)buf.length,
(char *)buf.value);
gss_release_buffer(&min, &buf);
}
}
status = parse_header(input, &mech_oid);
if (status == GSS_S_COMPLETE && mech_oid != GSS_C_NO_OID)
return mech_oid;
static OM_uint32
choose_mech(struct _gss_context *ctx)
{
gss_OID_desc mech;
gss_OID mech_oid;
unsigned char *p = ctx->gc_input.value;
size_t len = ctx->gc_input.length;
if (input->length == 0) {
if (len == 0) {
/*
* There is the a wierd mode of SPNEGO (in CIFS and
* SASL GSS-SPENGO where the first token is zero
@@ -118,15 +179,52 @@ choose_mech(const gss_buffer_t input)
* http://msdn.microsoft.com/en-us/library/cc213114.aspx
* "NegTokenInit2 Variation for Server-Initiation"
*/
return &__gss_spnego_mechanism_oid_desc;
mech_oid = &__gss_spnego_mechanism_oid_desc;
goto gss_get_mechanism;
}
_gss_mg_log(10, "Don't have client request mech");
p += ctx->gc_oid_offset;
len -= ctx->gc_oid_offset;
return mech_oid;
/*
* Decode the OID for the mechanism. Simplify life by
* assuming that the OID length is less than 128 bytes.
*/
if (len < 2 || *p != 0x06)
goto bail;
if ((p[1] & 0x80) || p[1] > (len - 2))
goto bail;
mech.length = p[1];
p += 2;
len -= 2;
mech.elements = p;
mech_oid = _gss_mg_support_mechanism(&mech);
if (mech_oid == GSS_C_NO_OID)
return GSS_S_COMPLETE;
gss_get_mechanism:
/*
* If mech_oid == GSS_C_NO_OID then the mech is non-standard
* and we have to try all mechs (that we have a cred element
* for, if we have a cred).
*/
if (mech_oid != GSS_C_NO_OID) {
log_oid("mech oid", mech_oid);
ctx->gc_mech = __gss_get_mechanism(mech_oid);
if (!ctx->gc_mech) {
_gss_mg_log(10, "mechanism client used is unknown");
return (GSS_S_BAD_MECH);
}
_gss_mg_log(10, "using mech \"%s\"", ctx->gc_mech->gm_name);
return GSS_S_COMPLETE;
}
bail:
_gss_mg_log(10, "no mech oid found");
return GSS_S_COMPLETE;
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_accept_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
@@ -150,7 +248,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
gss_cred_id_t delegated_mc = GSS_C_NO_CREDENTIAL;
gss_name_t src_mn = GSS_C_NO_NAME;
gss_OID mech_ret_type = GSS_C_NO_OID;
int initial = !!(*context_handle == GSS_C_NO_CONTEXT);
int initial;
defective_token_error.length = 0;
defective_token_error.value = NULL;
@@ -168,37 +266,35 @@ gss_accept_sec_context(OM_uint32 *minor_status,
*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
_mg_buffer_zero(output_token);
/*
* If this is the first call (*context_handle is NULL), we must
* parse the input token to figure out the mechanism to use.
*/
if (initial) {
gss_OID mech_oid;
mech_oid = choose_mech(input_token);
/*
* If mech_oid == GSS_C_NO_OID then the mech is non-standard
* and we have to try all mechs (that we have a cred element
* for, if we have a cred).
*/
ctx = calloc(1, sizeof(struct _gss_context));
if (!*context_handle) {
ctx = calloc(sizeof(*ctx), 1);
if (!ctx) {
*minor_status = ENOMEM;
return (GSS_S_DEFECTIVE_TOKEN);
}
if (mech_oid != GSS_C_NO_OID) {
m = ctx->gc_mech = __gss_get_mechanism(mech_oid);
if (!m) {
free(ctx);
_gss_mg_log(10, "mechanism client used is unknown");
return (GSS_S_BAD_MECH);
}
}
*context_handle = (gss_ctx_id_t) ctx;
} else {
m = ctx->gc_mech;
}
*context_handle = (gss_ctx_id_t)ctx;
ctx->gc_initial = 1;
}
major_status = accumulate_token(ctx, input_token);
if (major_status != GSS_S_COMPLETE)
return major_status;
/*
* If we get here, then we have a complete token. Please note
* that we may have a major_status of GSS_S_DEFECTIVE_TOKEN. This
*
*/
initial = ctx->gc_initial;
ctx->gc_initial = 0;
if (major_status == GSS_S_COMPLETE && initial) {
major_status = choose_mech(ctx);
if (major_status != GSS_S_COMPLETE)
return major_status;
}
m = ctx->gc_mech;
if (initial && !m && acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
/*
@@ -215,7 +311,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
acceptor_mc,
input_token,
&ctx->gc_input,
input_chan_bindings,
&src_mn,
&mech_ret_type,
@@ -257,7 +353,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
acceptor_mc,
input_token,
&ctx->gc_input,
input_chan_bindings,
&src_mn,
&mech_ret_type,
@@ -314,7 +410,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
acceptor_mc,
input_token,
&ctx->gc_input,
input_chan_bindings,
&src_mn,
&mech_ret_type,

27
lib/gssapi/mech/gss_delete_sec_context.c
View File

@@ -42,18 +42,21 @@ gss_delete_sec_context(OM_uint32 *minor_status,
*minor_status = 0;
major_status = GSS_S_COMPLETE;
if (ctx) {
/*
* If we have an implementation ctx, delete it,
* otherwise fake an empty token.
*/
if (ctx->gc_ctx) {
major_status = ctx->gc_mech->gm_delete_sec_context(
minor_status, &ctx->gc_ctx, output_token);
}
free(ctx);
*context_handle = GSS_C_NO_CONTEXT;
}
if (!ctx)
return GSS_S_COMPLETE;
free(ctx->gc_free_this);
/*
* If we have an implementation ctx, delete it,
* otherwise fake an empty token.
*/
if (ctx->gc_ctx) {
major_status = ctx->gc_mech->gm_delete_sec_context(
minor_status, &ctx->gc_ctx, output_token);
}
free(ctx);
*context_handle = GSS_C_NO_CONTEXT;
return major_status;
}

111
lib/gssapi/mech/gss_export_sec_context.c
View File

@@ -33,40 +33,118 @@ gss_export_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token)
{
OM_uint32 major_status;
OM_uint32 major_status = GSS_S_FAILURE;
krb5_storage *sp;
krb5_data data;
krb5_error_code kret;
struct _gss_context *ctx;
gssapi_mech_interface m;
gss_buffer_desc buf;
unsigned char verflags;
*minor_status = 0;
if (interprocess_token)
_mg_buffer_zero(interprocess_token);
else
if (!interprocess_token)
return GSS_S_CALL_INACCESSIBLE_READ;
_mg_buffer_zero(interprocess_token);
if (context_handle == NULL)
return GSS_S_NO_CONTEXT;
ctx = (struct _gss_context *) *context_handle;
if (ctx == NULL || ctx->gc_ctx == NULL) {
*minor_status = 0;
if (ctx == NULL)
return GSS_S_NO_CONTEXT;
if (!ctx->gc_ctx && ctx->gc_target_len) {
free(ctx);
*context_handle = GSS_C_NO_CONTEXT;
return GSS_S_NO_CONTEXT;
}
sp = krb5_storage_emem();
if (sp == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_PACKED);
verflags = 0x00; /* Version 0 */
if (ctx->gc_target_len)
verflags |= EXPORT_CONTEXT_FLAG_ACCUMULATING;
if (ctx->gc_ctx)
verflags |= EXPORT_CONTEXT_FLAG_MECH_CTX;
kret = krb5_store_uint8(sp, verflags);
if (ctx->gc_target_len) {
_gss_mg_log(10, "gss-esc: exporting partial token %zu/%zu",
ctx->gc_input.length, ctx->gc_target_len);
kret = krb5_store_uint8(sp, ctx->gc_initial);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_uint32(sp, ctx->gc_target_len);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_datalen(sp, ctx->gc_input.value,
ctx->gc_input.length);
if (kret) {
*minor_status = kret;
goto failure;
}
}
if (!ctx->gc_ctx) {
free(ctx);
*context_handle = GSS_C_NO_CONTEXT;
return GSS_S_COMPLETE;
}
m = ctx->gc_mech;
major_status = m->gm_export_sec_context(minor_status,
&ctx->gc_ctx, &buf);
if (major_status == GSS_S_COMPLETE) {
unsigned char *p;
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, *minor_status);
goto failure;
}
free(ctx);
*context_handle = GSS_C_NO_CONTEXT;
interprocess_token->length = buf.length
+ 2 + m->gm_mech_oid.length;
interprocess_token->value = malloc(interprocess_token->length);
kret = krb5_store_datalen(sp, m->gm_mech_oid.elements,
m->gm_mech_oid.length);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_datalen(sp, buf.value, buf.length);
if (kret) {
*minor_status = kret;
goto failure;
}
_gss_secure_release_buffer(minor_status, &buf);
kret = krb5_storage_to_data(sp, &data);
if (kret) {
*minor_status = kret;
goto failure;
}
interprocess_token->length = data.length;
interprocess_token->value = data.data;
_gss_mg_log(1, "gss-esc: token length %zu", data.length);
free(ctx);
*context_handle = GSS_C_NO_CONTEXT;
#if 0
if (!interprocess_token->value) {
/*
* We are in trouble here - the context is
@@ -84,10 +162,11 @@ gss_export_sec_context(OM_uint32 *minor_status,
p[1] = m->gm_mech_oid.length;
memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length);
memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length);
_gss_secure_release_buffer(minor_status, &buf);
} else {
_gss_mg_error(m, *minor_status);
}
#endif
return (major_status);
failure:
krb5_storage_free(sp);
return major_status;
}

121
lib/gssapi/mech/gss_import_sec_context.c
View File

@@ -33,50 +33,99 @@ gss_import_sec_context(OM_uint32 *minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
{
OM_uint32 major_status;
OM_uint32 ret = GSS_S_FAILURE;
krb5_storage *sp;
krb5_data data;
gssapi_mech_interface m;
struct _gss_context *ctx;
struct _gss_context *ctx = NULL;
gss_OID_desc mech_oid;
gss_buffer_desc buf;
unsigned char *p;
size_t len;
unsigned char verflags;
_gss_mg_log(10, "gss-isc called");
if (!minor_status || !context_handle) {
*minor_status = EFAULT;
return GSS_S_FAILURE;
}
*minor_status = 0;
*context_handle = GSS_C_NO_CONTEXT;
/*
* We added an oid to the front of the token in
* gss_export_sec_context.
*/
p = interprocess_token->value;
len = interprocess_token->length;
if (len < 2)
return (GSS_S_DEFECTIVE_TOKEN);
mech_oid.length = (p[0] << 8) | p[1];
if (len < mech_oid.length + 2)
return (GSS_S_DEFECTIVE_TOKEN);
mech_oid.elements = p + 2;
buf.length = len - 2 - mech_oid.length;
buf.value = p + 2 + mech_oid.length;
sp = krb5_storage_from_mem(interprocess_token->value,
interprocess_token->length);
if (!sp) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_PACKED);
m = __gss_get_mechanism(&mech_oid);
if (!m)
return (GSS_S_DEFECTIVE_TOKEN);
ctx = calloc(1, sizeof(struct _gss_context));
if (!ctx) {
*minor_status = ENOMEM;
goto failure;
}
ctx = malloc(sizeof(struct _gss_context));
if (!ctx) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
ctx->gc_mech = m;
major_status = m->gm_import_sec_context(minor_status,
&buf, &ctx->gc_ctx);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, *minor_status);
free(ctx);
} else {
*context_handle = (gss_ctx_id_t) ctx;
}
if (krb5_ret_uint8(sp, &verflags))
goto failure;
return (major_status);
if ((verflags & EXPORT_CONTEXT_VERSION_MASK) != 0) {
_gss_mg_log(10, "gss-isc failed, token version %d not recognised",
(int)(verflags & EXPORT_CONTEXT_VERSION_MASK));
/* We don't recognise the version */
goto failure;
}
if (verflags & EXPORT_CONTEXT_FLAG_ACCUMULATING) {
uint32_t target_len;
if (krb5_ret_uint8(sp, &ctx->gc_initial))
goto failure;
if (krb5_ret_uint32(sp, &target_len))
goto failure;
if (krb5_ret_data(sp, &data))
goto failure;
ctx->gc_target_len = target_len;
ctx->gc_input.value = data.data;
ctx->gc_input.length = data.length;
/* Don't need to free data because we gave it to gc_input */
}
if (verflags & EXPORT_CONTEXT_FLAG_MECH_CTX) {
if (krb5_ret_data(sp, &data))
goto failure;
mech_oid.length = data.length;
mech_oid.elements = data.data;
m = __gss_get_mechanism(&mech_oid);
krb5_data_free(&data);
if (!m)
return GSS_S_DEFECTIVE_TOKEN;
ctx->gc_mech = m;
if (krb5_ret_data(sp, &data))
goto failure;
buf.length = data.length;
buf.value = data.data;
ret = m->gm_import_sec_context(minor_status, &buf, &ctx->gc_ctx);
if (ret != GSS_S_COMPLETE) {
_gss_mg_error(m, *minor_status);
free(ctx);
} else {
*context_handle = (gss_ctx_id_t) ctx;
}
}
krb5_storage_free(sp);
return (ret);
failure:
free(ctx);
krb5_storage_free(sp);
return ret;
}

189
lib/gssapi/test_context.c
View File

@@ -40,6 +40,14 @@
#include <gssapi_ntlm.h>
#include "test_common.h"
#ifdef NOTYET
/*
* export/import of sec contexts on the initiator side
* don't work properly, yet.
*/
#define DO_IMPORT_EXPORT_OF_CLIENT_CONTEXT 1
#endif
static char *type_string;
static char *mech_string;
static char *mechs_string;
@@ -69,6 +77,7 @@ static int client_time_offset = 0;
static int server_time_offset = 0;
static int max_loops = 0;
static char *limit_enctype_string = NULL;
static int token_split = 0;
static int version_flag = 0;
static int verbose_flag = 0;
static int help_flag = 0;
@@ -170,6 +179,10 @@ loop(gss_OID mechoid,
OM_uint32 maj_stat, min_stat;
gss_name_t gss_target_name, src_name;
gss_buffer_desc input_token, output_token;
#ifdef DO_IMPORT_EXPORT_OF_CLIENT_CONTEXT
gss_buffer_desc cctx_tok = GSS_C_EMPTY_BUFFER;
#endif
gss_buffer_desc sctx_tok = GSS_C_EMPTY_BUFFER;
OM_uint32 flags = 0, ret_cflags, ret_sflags;
gss_OID actual_mech_client;
gss_OID actual_mech_server;
@@ -177,6 +190,7 @@ loop(gss_OID mechoid,
struct gss_channel_bindings_struct a_channel_bindings_data = {0};
gss_channel_bindings_t i_channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
gss_channel_bindings_t a_channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
size_t offset = 0;
*actual_mech = GSS_C_NO_OID;
@@ -219,66 +233,132 @@ loop(gss_OID mechoid,
a_channel_bindings_p = &a_channel_bindings_data;
}
/*
* This loop simulates both the initiator and acceptor sides of
* a GSS conversation. We also simulate tokens that are broken
* into pieces before handed to gss_accept_sec_context(). Each
* iteration of the loop optionally calls gss_init_sec_context()
* then optionally calls gss_accept_sec_context().
*/
while (!server_done || !client_done) {
num_loops++;
if (verbose_flag)
printf("loop #%d: input_token.length=%zu client_done=%d\n",
num_loops, input_token.length, client_done);
gsskrb5_set_time_offset(client_time_offset);
/*
* First, we need to call gss_import_sec_context() if we are
* running through the loop the first time, or if we have been
* given a token (input_token) by gss_accept_sec_context().
* We aren't going to be called every time because when we are
* using split tokens, we may need to call gss_accept_sec_context()
* multiple times because it receives an entire token.
*/
if ((num_loops == 1 || input_token.length > 0) && !client_done) {
gsskrb5_set_time_offset(client_time_offset);
#ifdef DO_IMPORT_EXPORT_OF_CLIENT_CONTEXT
if (ei_ctx_flag && cctx_tok.length > 0) {
maj_stat = gss_import_sec_context(&min_stat, &cctx_tok, cctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import client context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &cctx_tok);
}
#endif
maj_stat = gss_init_sec_context(&min_stat,
init_cred,
cctx,
gss_target_name,
mechoid,
flags,
0,
i_channel_bindings_p,
&input_token,
&actual_mech_client,
&output_token,
&ret_cflags,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "init_sec_context: %s",
gssapi_err(maj_stat, min_stat, mechoid));
if (maj_stat & GSS_S_CONTINUE_NEEDED)
;
else
client_done = 1;
maj_stat = gss_init_sec_context(&min_stat, init_cred, cctx,
gss_target_name, mechoid,
flags, 0, i_channel_bindings_p,
&input_token, &actual_mech_client,
&output_token, &ret_cflags, NULL);
if (GSS_ERROR(maj_stat))
errx(1, "init_sec_context: %s",
gssapi_err(maj_stat, min_stat, mechoid));
client_done = !(maj_stat & GSS_S_CONTINUE_NEEDED);
gsskrb5_get_time_offset(&client_time_offset);
if (client_done && server_done)
break;
if (input_token.length != 0)
gss_release_buffer(&min_stat, &input_token);
input_token.length = 0;
input_token.value = NULL;
gsskrb5_set_time_offset(server_time_offset);
#if DO_IMPORT_EXPORT_OF_CLIENT_CONTEXT
if (!client_done && ei_ctx_flag) {
maj_stat = gss_export_sec_context(&min_stat, cctx, &cctx_tok);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export server context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
if (*cctx != GSS_C_NO_CONTEXT)
errx(1, "export client context did not release it");
}
#endif
maj_stat = gss_accept_sec_context(&min_stat,
sctx,
GSS_C_NO_CREDENTIAL,
&output_token,
a_channel_bindings_p,
&src_name,
&actual_mech_server,
&input_token,
&ret_sflags,
NULL,
deleg_cred);
if (GSS_ERROR(maj_stat))
errx(1, "accept_sec_context: %s",
gssapi_err(maj_stat, min_stat, actual_mech_server));
if (verbose_flag)
printf("loop #%d: output_token.length=%zu\n", num_loops,
output_token.length);
gsskrb5_get_time_offset(&server_time_offset);
offset = 0;
}
if (output_token.length != 0)
gss_release_buffer(&min_stat, &output_token);
/*
* We now call gss_accept_sec_context(). To support split
* tokens, we keep track of the offset into the token that
* we have used and keep handing in chunks until we're done.
*/
if (maj_stat & GSS_S_CONTINUE_NEEDED)
gss_release_name(&min_stat, &src_name);
else
server_done = 1;
if (offset < output_token.length && !server_done) {
gss_buffer_desc tmp;
gsskrb5_get_time_offset(&client_time_offset);
gsskrb5_set_time_offset(server_time_offset);
tmp.length = output_token.length - offset;
if (token_split && tmp.length > token_split)
tmp.length = token_split;
tmp.value = (char *)output_token.value + offset;
if (verbose_flag)
printf("loop #%d: accept offset=%zu len=%zu\n", num_loops,
offset, tmp.length);
if (ei_ctx_flag && sctx_tok.length > 0) {
maj_stat = gss_import_sec_context(&min_stat, &sctx_tok, sctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import server context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &sctx_tok);
}
maj_stat = gss_accept_sec_context(&min_stat, sctx,
GSS_C_NO_CREDENTIAL, &tmp,
a_channel_bindings_p, &src_name,
&actual_mech_server,
&input_token, &ret_sflags,
NULL, deleg_cred);
if (GSS_ERROR(maj_stat))
errx(1, "accept_sec_context: %s",
gssapi_err(maj_stat, min_stat, actual_mech_server));
offset += tmp.length;
if (maj_stat & GSS_S_CONTINUE_NEEDED)
gss_release_name(&min_stat, &src_name);
else
server_done = 1;
if (ei_ctx_flag && !server_done) {
maj_stat = gss_export_sec_context(&min_stat, sctx, &sctx_tok);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export server context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
if (*sctx != GSS_C_NO_CONTEXT)
errx(1, "export server context did not release it");
}
gsskrb5_get_time_offset(&server_time_offset);
if (output_token.length == offset)
gss_release_buffer(&min_stat, &output_token);
}
if (verbose_flag)
printf("loop #%d: end\n", num_loops);
}
if (output_token.length != 0)
gss_release_buffer(&min_stat, &output_token);
@@ -334,11 +414,13 @@ loop(gss_OID mechoid,
gss_buffer_desc iname;
maj_stat = gss_display_name(&min_stat, src_name, &iname, NULL);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "display_name: %s",
if (maj_stat == GSS_S_COMPLETE) {
printf("client name: %.*s\n", (int)iname.length,
(char *)iname.value);
gss_release_buffer(&min_stat, &iname);
} else
warnx("display_name: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
printf("client name: %.*s\n", (int)iname.length, (char *)iname.value);
gss_release_buffer(&min_stat, &iname);
}
gss_release_name(&min_stat, &src_name);
@@ -701,6 +783,7 @@ static struct getargs args[] = {
{"client-time-offset", 0, arg_integer, &client_time_offset, "time", NULL },
{"server-time-offset", 0, arg_integer, &server_time_offset, "time", NULL },
{"max-loops", 0, arg_integer, &max_loops, "time", NULL },
{"token-split", 0, arg_integer, &token_split, "bytes", NULL },
{"version", 0, arg_flag, &version_flag, "print version", NULL },
{"verbose", 'v', arg_flag, &verbose_flag, "verbose", NULL },
{"help", 0, arg_flag, &help_flag, NULL, NULL }

10
tests/gss/check-spnego.in
View File

@@ -138,6 +138,16 @@ ${context} \
host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
echo "spnego (split tokens)"
${context} \
--token-split=128 \
--client-ccache="${cache}" \
--mech-type=spnego \
--ret-mech-type=krb5 \
--name-type=hostbased-service \
host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
echo "test failure cases"
${context} --mech-type=ntlm --ret-mech-type=krb5 \
--client-ccache="${cache}" \