From a7e899281f24aadec536f3cb0adf7340683c27cb Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 30 Mar 2016 13:00:19 -0400
Subject: [PATCH] Add SPNEGO special case for NTLMSSP+MechListMIC
|
MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
needs to implement specifically for the NTLMSSP mechanism. This is
required for compatibility with Windows services.
|
ticket: 8423 (new)
---
src/lib/gssapi/spnego/spnego_mech.c | 48 +++++++++++++++++++++++++++++++++----
1 file changed, 43 insertions(+), 5 deletions(-)
|
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index bb754d9..b76f7d6 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -520,6 +520,45 @@ mech_requires_mechlistMIC(spnego_gss_ctx_id_t sc)
return result;
}
|
+/* iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) Microsoft(311)
+ * security(2) mechanisms(2) NTLM(10) */
+static const gss_OID_desc gss_mech_ntlmssp_oid =
+ { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
+
+/* iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) samba(7165)
+ * gssntlmssp(655) controls(1) ntlmssp_reset_crypto(3) */
+static const gss_OID_desc ntlmssp_reset_crypto_oid =
+ { 11, "\x2B\x06\x01\x04\x01\xB7\x7D\x85\x0F\x01\x03" };
+
+/*
+ * MS-SPNG section 3.3.5.1 warns that the NTLM mechanism requires special
+ * handling of the crypto state to interop with Windows. If the mechanism for
+ * sc is SPNEGO, invoke a mechanism-specific operation on the context to reset
+ * the RC4 state after producing or verifying a MIC. Ignore a result of
+ * GSS_S_UNAVAILABLE for compatibility with older versions of the mechanism
+ * that do not support this functionality.
+ */
+static OM_uint32
+ntlmssp_reset_crypto_state(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ OM_uint32 verify)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc value;
+
+ if (!g_OID_equal(sc->internal_mech, &gss_mech_ntlmssp_oid))
+ return GSS_S_COMPLETE;
+
+ value.length = sizeof(verify);
+ value.value = &verify;
+ major = gss_set_sec_context_option(&minor, &sc->ctx_handle,
+ (gss_OID)&ntlmssp_reset_crypto_oid,
+ &value);
+ if (major == GSS_S_UNAVAILABLE)
+ return GSS_S_COMPLETE;
+ *minor_status = minor;
+ return major;
+}
+
/*
* Both initiator and acceptor call here to verify and/or create mechListMIC,
* and to consistency-check the MIC state. handle_mic is invoked only if the
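Review bot: The header comment on ntlmssp_reset_crypto_state says the reset is invoked "If the mechanism for sc is SPNEGO", but the guard `if (!g_OID_equal(sc->internal_mech, &gss_mech_ntlmssp_oid))` only proceeds when the negotiated inner mechanism is NTLMSSP; SPNEGO is the caller, so the comment inverts the condition and should read `* sc is NTLMSSP, invoke a mechanism-specific operation on the context to reset`. The option payload built at `value.value = &verify;` is a host-order OM_uint32 that the gssntlmssp side is presumably expected to decode the same way — an in-process private convention rather than a wire format — so a one-line comment such as `/* payload: OM_uint32 flag, 1 = after verify_mic, 0 = after get_mic */` would make that contract explicit. Treating GSS_S_UNAVAILABLE as success means an older mechanism silently keeps its RC4 state rather than failing here, which is a deliberate interop trade-off already stated in the comment, so no code change is needed beyond the wording fix.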
@@ -601,6 +640,8 @@ process_mic(OM_uint32 *minor_status, gss_buffer_t mic_in,
ret = gss_verify_mic(minor_status, sc->ctx_handle,
&sc->DER_mechTypes,
mic_in, &qop_state);
+ if (ret == GSS_S_COMPLETE)
+ ret = ntlmssp_reset_crypto_state(minor_status, sc, 1);
if (ret != GSS_S_COMPLETE) {
*negState = REJECT;
*tokflag = ERROR_TOKEN_SEND;
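Review bot: A failure from `ntlmssp_reset_crypto_state(minor_status, sc, 1)` after gss_verify_mic has already succeeded is funneled through the same `*negState = REJECT; *tokflag = ERROR_TOKEN_SEND;` path as a bad MIC, and *minor_status then carries the reset's minor code rather than anything about the MIC itself. Failing closed is the right choice, since the helper's comment says the reset is required to interop with Windows, but nothing at this call site says the error is intentional, so I would add `/* A failed NTLM crypto-state reset is fatal; do not continue with stale state. */` above the added `if`. process_mic begins before this hunk, so the rest of its error handling is not visible here.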
@@ -615,6 +656,8 @@ process_mic(OM_uint32 *minor_status, gss_buffer_t mic_in,
GSS_C_QOP_DEFAULT,
&sc->DER_mechTypes,
&tmpmic);
+ if (ret == GSS_S_COMPLETE)
+ ret = ntlmssp_reset_crypto_state(minor_status, sc, 0);
if (ret != GSS_S_COMPLETE) {
gss_release_buffer(&tmpmin, &tmpmic);
*tokflag = NO_TOKEN_SEND;
@@ -820,11 +863,6 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
return ret;
}
|
-/* iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) Microsoft(311)
- * security(2) mechanisms(2) NTLM(10) */
-static const gss_OID_desc gss_mech_ntlmssp_oid =
- { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
-
/*
* Handle acceptor's counter-proposal of an alternative mechanism.
*/
--
2.8.1
|