Blame SOURCES/krb5-1.15-NTLM_SPNEGO.patch

From a7e899281f24aadec536f3cb0adf7340683c27cb Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 30 Mar 2016 13:00:19 -0400
Subject: [PATCH] Add SPNEGO special case for NTLMSSP+MechListMIC
MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
needs to implement specifically for the NTLMSSP mechanism.  This is
required for compatibility with Windows services.
ticket: 8423 (new)
---
 src/lib/gssapi/spnego/spnego_mech.c | 48 +++++++++++++++++++++++++++++++++----
 1 file changed, 43 insertions(+), 5 deletions(-)
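diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index bb754d9..b76f7d6 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -520,6 +520,45 @@ mech_requires_mechlistMIC(spnego_gss_ctx_id_t sc)
 	return result;
 }
 
+/* iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) Microsoft(311)
+ * security(2) mechanisms(2) NTLM(10) */
+static const gss_OID_desc gss_mech_ntlmssp_oid =
+	{ 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
+
+/* iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) samba(7165)
+ * gssntlmssp(655) controls(1) ntlmssp_reset_crypto(3) */
+static const gss_OID_desc ntlmssp_reset_crypto_oid =
+	{ 11, "\x2B\x06\x01\x04\x01\xB7\x7D\x85\x0F\x01\x03" };
+
+/*
+ * MS-SPNG section 3.3.5.1 warns that the NTLM mechanism requires special
+ * handling of the crypto state to interop with Windows.  If the mechanism for
+ * sc is SPNEGO, invoke a mechanism-specific operation on the context to reset
+ * the RC4 state after producing or verifying a MIC.  Ignore a result of
+ * GSS_S_UNAVAILABLE for compatibility with older versions of the mechanism
+ * that do not support this functionality.
+ */
+static OM_uint32
+ntlmssp_reset_crypto_state(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+			   OM_uint32 verify)
+{
+	OM_uint32 major, minor;
+	gss_buffer_desc value;
+
+	if (!g_OID_equal(sc->internal_mech, &gss_mech_ntlmssp_oid))
+		return GSS_S_COMPLETE;
+
+	value.length = sizeof(verify);
+	value.value = &verify;
+	major = gss_set_sec_context_option(&minor, &sc->ctx_handle,
+					   (gss_OID)&ntlmssp_reset_crypto_oid,
+					   &value);
+	if (major == GSS_S_UNAVAILABLE)
+		return GSS_S_COMPLETE;
+	*minor_status = minor;
+	return major;
+}
+
 /*
  * Both initiator and acceptor call here to verify and/or create mechListMIC,
  * and to consistency-check the MIC state.  handle_mic is invoked only if the
@@ -601,6 +640,8 @@ process_mic(OM_uint32 *minor_status, gss_buffer_t mic_in,
 		ret = gss_verify_mic(minor_status, sc->ctx_handle,
 				     &sc->DER_mechTypes,
 				     mic_in, &qop_state);
+		if (ret == GSS_S_COMPLETE)
+			ret = ntlmssp_reset_crypto_state(minor_status, sc, 1);
 		if (ret != GSS_S_COMPLETE) {
 			*negState = REJECT;
 			*tokflag = ERROR_TOKEN_SEND;
@@ -615,6 +656,8 @@ process_mic(OM_uint32 *minor_status, gss_buffer_t mic_in,
 				  GSS_C_QOP_DEFAULT,
 				  &sc->DER_mechTypes,
 				  &tmpmic);
+		if (ret == GSS_S_COMPLETE)
+			ret = ntlmssp_reset_crypto_state(minor_status, sc, 0);
 		if (ret != GSS_S_COMPLETE) {
 			gss_release_buffer(&tmpmin, &tmpmic);
 			*tokflag = NO_TOKEN_SEND;
@@ -820,11 +863,6 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 	return ret;
 }
 
-/* iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) Microsoft(311)
- * security(2) mechanisms(2) NTLM(10) */
-static const gss_OID_desc gss_mech_ntlmssp_oid =
-	{ 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
-
 /*
  * Handle acceptor's counter-proposal of an alternative mechanism.
  */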
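Review bot: The header comment on ntlmssp_reset_crypto_state() says the reset happens "If the mechanism for sc is SPNEGO", but the guard directly below compares sc->internal_mech with gss_mech_ntlmssp_oid, so the sentence should read `If the mechanism for sc is NTLMSSP, invoke a mechanism-specific operation on the context to reset the RC4 state ...`. The `verify` argument is not described either; the two call sites added in process_mic pass 1 after gss_verify_mic and 0 after gss_get_mic, which the comment could state as `verify is 1 after verifying a MIC and 0 after producing one`. Because GSS_S_UNAVAILABLE is deliberately turned into GSS_S_COMPLETE, it would also help to note that in this case the crypto state is left untouched and *minor_status keeps the value set by the preceding MIC call, so a later per-message failure against a Windows peer can be traced back to an older mechanism that lacks the reset option.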
-- 
2.8.1