Microsoft will sometimes split GSS tokens when they exceed a certain
size in some protocols. This is specified in
[MS-SPNG]: Simple and Protected GSS-API Negotiation
Mechanism (SPNEGO) Extension
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf
sections 3.1.5.4 to 3.1.5.9.
We extend gss_accept_sec_context() to recognise partial tokens and
to accumulate the fragments until an entire token is available to
be processed. If the entire token is not yet available,
GSS_S_CONTINUE_NEEDED is returned with a zero length output token.
This is specified in RFC2744 page 25-26 to indicate that no reply
need be sent.
We include updates to the test framework to test split tokens when
using SPNEGO.
GM_USE_MG_NAME was not honored in the case where the mechanism emitted a name,
but the caller of gss_accept_sec_context() did not request it be returned. This
would result in m->gm_release_name() being called on the mechglue name, which
would crash either because that function pointer was NULL or because it would
have expected a mechanism name.
If an initial security context token doesn't have a standard header per
RFC2743 then try all mechanisms until one succeeds or all fail.
We still try to guess NTLMSSP, raw Kerberos, and SPNEGO, from tasting
the initial security context token.
Initialize mechanism output parameters before calling mechanism
GSS_Accept_sec_context(), to behave robustly with poorly implemented mechanisms
that may return before initializing them.
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.
The GSS mechglue uses singly linked lists for mechanisms and mechanism objects,
to which new entries are inserted at the head. This breaks ordering of
mechanisms specified in OID sets and in /etc/gss/mech, as they will be back to
front. Use a tail queue instead so that new entries are inserted at the end.
Apple's Heimdal impelmentation uses a number of utility functions for
allocating names and credentials, to avoid calling malloc or calloc directly.
Import them.
harder at the input_token, idea from Luke Howard's mechglue branch.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18981 ec53bebd-3082-4978-b11e-865c3cabbd6b
0] SEQUENCE, lets assume its a DCE-style kerberos 5 connection. XXX
this needs to be made better in cause we get another GSS-API protocol
violating protocol. It should be possible to detach the Kerberos
DCE-style since it starts with a AP-REQ PDU, but that have to wait for
now.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18167 ec53bebd-3082-4978-b11e-865c3cabbd6b
Roland C. Dowdeswell