author | akshay.kale@oracle.com <akshay.kale@oracle.com> |
Fri, 14 Oct 2016 13:13:27 -0700 | |
changeset 7112 | dab9beb5bc49 |
parent 6978 | 14cbeb78966a |
permissions | -rw-r--r-- |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
1 |
# |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
2 |
# This patch allows for better interop with MS Windows clients accessing Solaris |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
3 |
# SMB services. It fixes a few memory leaks and double frees found during SMB |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
4 |
# stress testing. The CRs in order: |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
5 |
# |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
6 |
# 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_... |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
7 |
# 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
8 |
# 16005842 Should retry SMB authentication upgrade to account for network... |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
9 |
# 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW.. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
10 |
# |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
11 |
# Note: MIT tickets will subsequently be filed, but the solution may differ from |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
12 |
# what we currently offer in Solaris, because they may want the changes as the |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
13 |
# default behavior therefore removing the dependency on the MS_INTEROP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
14 |
# environment variable. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
15 |
# Patch source: in-house |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
16 |
# |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
17 |
--- a/src/lib/gssapi/krb5/accept_sec_context.c |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
18 |
+++ b/src/lib/gssapi/krb5/accept_sec_context.c |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
19 |
@@ -454,8 +454,6 @@ kg_accept_krb5(minor_status, context_handle, |
5562
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
20 |
const gss_OID_desc *mech_used = NULL; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
21 |
OM_uint32 major_status = GSS_S_FAILURE; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
22 |
OM_uint32 tmp_minor_status; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
23 |
- krb5_error krb_error_data; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
24 |
- krb5_data scratch; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
25 |
gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
26 |
krb5_gss_cred_id_t deleg_cred = NULL; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
27 |
krb5int_access kaccess; |
6978
14cbeb78966a
24669827 Update Userland krb5 to MIT 1.14.4
Neng Xue <neng.xue@oracle.com>
parents:
6599
diff
changeset
|
28 |
@@ -1214,6 +1212,8 @@ fail: |
5562
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
29 |
major_status == GSS_S_CONTINUE_NEEDED)) { |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
30 |
unsigned int tmsglen; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
31 |
int toktype; |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
32 |
+ krb5_error krb_error_data; |
5562
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
33 |
+ krb5_data scratch; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
34 |
|
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
35 |
/* |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
36 |
* The client is expecting a response, so we can send an |
6978
14cbeb78966a
24669827 Update Userland krb5 to MIT 1.14.4
Neng Xue <neng.xue@oracle.com>
parents:
6599
diff
changeset
|
37 |
@@ -1221,6 +1221,31 @@ fail: |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
38 |
*/ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
39 |
memset(&krb_error_data, 0, sizeof(krb_error_data)); |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
40 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
41 |
+ /* |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
42 |
+ * We need to remap error conditions for buggy Windows clients if the |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
43 |
+ * MS_INTEROP env var has been set. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
44 |
+ */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
45 |
+ if ((code == KRB5KRB_AP_ERR_BAD_INTEGRITY || |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
46 |
+ code == KRB5KRB_AP_ERR_NOKEY || code == KRB5KRB_AP_ERR_BADKEYVER) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
47 |
+ && getenv("MS_INTEROP")) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
48 |
+ code = KRB5KRB_AP_ERR_MODIFIED; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
49 |
+ major_status = GSS_S_CONTINUE_NEEDED; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
50 |
+ } |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
51 |
+ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
52 |
+ /* |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
53 |
+ * Set e-data to Windows constant (verified by MSFT). |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
54 |
+ * |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
55 |
+ * This facilitates the Windows CIFS client clock skew |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
56 |
+ * recovery feature. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
57 |
+ */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
58 |
+ if (code == KRB5KRB_AP_ERR_SKEW && getenv("MS_INTEROP")) { |
5562
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
59 |
+ /* Note that free() must not be called on |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
60 |
+ * krb_error_data.e_data.data */ |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
61 |
+ krb_error_data.e_data.data = "\x30\x05\xa1\x03\x02\x01\x02"; |
880dc66054d5
22736580 smbtorture memleak in kg_accept_krb5
Will Fiveash <will.fiveash@oracle.com>
parents:
5490
diff
changeset
|
62 |
+ krb_error_data.e_data.length = 7; |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
63 |
+ major_status = GSS_S_CONTINUE_NEEDED; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
64 |
+ } |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
65 |
+ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
66 |
code -= ERROR_TABLE_BASE_krb5; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
67 |
if (code < 0 || code > KRB_ERR_MAX) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
68 |
code = 60 /* KRB_ERR_GENERIC */; |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
69 |
--- a/src/lib/gssapi/spnego/spnego_mech.c |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
70 |
+++ b/src/lib/gssapi/spnego/spnego_mech.c |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
71 |
@@ -180,6 +180,13 @@ get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int, |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
72 |
static int |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
73 |
is_kerb_mech(gss_OID oid); |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
74 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
75 |
+/* encoded OID octet string for NTLMSSP security mechanism */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
76 |
+#define GSS_MECH_NTLMSSP_OID_LENGTH 10 |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
77 |
+#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012" |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
78 |
+static gss_OID_desc ntlmssp_oid = { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
79 |
+ GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
80 |
+}; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
81 |
+ |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
82 |
/* SPNEGO oid structure */ |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
83 |
static const gss_OID_desc spnego_oids[] = { |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
84 |
{SPNEGO_OID_LENGTH, SPNEGO_OID}, |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
85 |
@@ -1325,6 +1332,7 @@ acc_ctx_new(OM_uint32 *minor_status, |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
86 |
gss_buffer_desc der_mechTypes; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
87 |
gss_OID mech_wanted; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
88 |
spnego_gss_ctx_id_t sc = NULL; |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
89 |
+ unsigned int i; |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
90 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
91 |
ret = GSS_S_DEFECTIVE_TOKEN; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
92 |
der_mechTypes.length = 0; |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
93 |
@@ -1347,6 +1355,26 @@ acc_ctx_new(OM_uint32 *minor_status, |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
94 |
*return_token = NO_TOKEN_SEND; |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
95 |
goto cleanup; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
96 |
} |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
97 |
+ |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
98 |
+ /* |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
99 |
+ * We add KRB5_WRONG here so that old MS clients can negotiate this |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
100 |
+ * mechanism, which allows extensions in Kerberos (clock skew |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
101 |
+ * adjustment, refresh ccache). |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
102 |
+ */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
103 |
+ for (i = 0; i < supported_mechSet->count; i++) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
104 |
+ if (is_kerb_mech(&supported_mechSet->elements[i])) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
105 |
+ extern gss_OID_desc * const gss_mech_krb5_wrong; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
106 |
+ ret = gss_add_oid_set_member(minor_status, |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
107 |
+ gss_mech_krb5_wrong, |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
108 |
+ &supported_mechSet); |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
109 |
+ if (ret != GSS_S_COMPLETE) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
110 |
+ *return_token = NO_TOKEN_SEND; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
111 |
+ goto cleanup; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
112 |
+ } |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
113 |
+ break; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
114 |
+ } |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
115 |
+ } |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
116 |
+ |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
117 |
/* |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
118 |
* Select the best match between the list of mechs |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
119 |
* that the initiator requested and the list that |
6978
14cbeb78966a
24669827 Update Userland krb5 to MIT 1.14.4
Neng Xue <neng.xue@oracle.com>
parents:
6599
diff
changeset
|
120 |
@@ -3084,6 +3112,7 @@ get_available_mechs(OM_uint32 *minor_status, |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
121 |
gss_OID_set mechs, goodmechs; |
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
122 |
gss_OID_set_desc except_attrs; |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
123 |
gss_OID_desc attr_oids[2]; |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
124 |
+ char *msinterop = getenv("MS_INTEROP"); |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
125 |
|
6599
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
126 |
attr_oids[0] = *GSS_C_MA_DEPRECATED; |
1d033832c5e7
24377741 Update Userland krb5 to MIT 1.14.3
Shawn Emery <shawn.emery@oracle.com>
parents:
6085
diff
changeset
|
127 |
attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH; |
6978
14cbeb78966a
24669827 Update Userland krb5 to MIT 1.14.4
Neng Xue <neng.xue@oracle.com>
parents:
6599
diff
changeset
|
128 |
@@ -3105,6 +3134,15 @@ get_available_mechs(OM_uint32 *minor_status, |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
129 |
return (major_status); |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
130 |
} |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
131 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
132 |
+ /* |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
133 |
+ * If the required keytab entries for Kerberized SMB service are |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
134 |
+ * missing due to an SMB authentication upgrade failure, SMB daemon |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
135 |
+ * will set MS_INTEROP environmment variable to 1 to ensure only |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
136 |
+ * NTLMSSP security mech is used for negotiation. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
137 |
+ */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
138 |
+ if ((msinterop != NULL) && (!strcmp(msinterop, "1"))) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
139 |
+ goto ntlmssp; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
140 |
+ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
141 |
for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
142 |
if ((mechs->elements[i].length |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
143 |
!= spnego_mechanism.mech_type.length) || |
6978
14cbeb78966a
24669827 Update Userland krb5 to MIT 1.14.4
Neng Xue <neng.xue@oracle.com>
parents:
6599
diff
changeset
|
144 |
@@ -3120,6 +3158,25 @@ get_available_mechs(OM_uint32 *minor_status, |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
145 |
} |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
146 |
} |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
147 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
148 |
+ntlmssp: |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
149 |
+ /* |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
150 |
+ * Add NTLMSSP OID to the mech OID set only if MS_INTEROP env var has |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
151 |
+ * been set to: |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
152 |
+ * - "1" (NTLMSSP only) or |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
153 |
+ * - "2" (both Krb5 and NTLMSSP) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
154 |
+ * |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
155 |
+ * This is a requirement until NTLMSSP is implemented as a GSS-API |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
156 |
+ * plugin. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
157 |
+ */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
158 |
+ if ((msinterop != NULL) && |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
159 |
+ (!strcmp(msinterop, "1") || !strcmp(msinterop, "2"))) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
160 |
+ major_status = gss_add_oid_set_member(minor_status, |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
161 |
+ &ntlmssp_oid, rmechs); |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
162 |
+ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
163 |
+ if (major_status == GSS_S_COMPLETE) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
164 |
+ found++; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
165 |
+ } |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
166 |
+ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
167 |
/* |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
168 |
* If the caller wanted a list of creds returned, |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
169 |
* trim the list of mechanisms down to only those |
6978
14cbeb78966a
24669827 Update Userland krb5 to MIT 1.14.4
Neng Xue <neng.xue@oracle.com>
parents:
6599
diff
changeset
|
170 |
@@ -3695,9 +3752,17 @@ negotiate_mech(gss_OID_set supported, gss_OID_set received, |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
171 |
for (i = 0; i < received->count; i++) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
172 |
gss_OID mech_oid = &received->elements[i]; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
173 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
174 |
+ /* |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
175 |
+ * MIT compares against MS' wrong OID, but we actually want to |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
176 |
+ * select it if the client supports, as this will enable |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
177 |
+ * features on MS clients that allow credential refresh on |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
178 |
+ * rekeying and caching system times from servers. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
179 |
+ */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
180 |
+#if 0 |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
181 |
/* Accept wrong mechanism OID from MS clients */ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
182 |
if (g_OID_equal(mech_oid, &gss_mech_krb5_wrong_oid)) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
183 |
mech_oid = (gss_OID)&gss_mech_krb5_oid; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
184 |
+#endif |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
185 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
186 |
for (j = 0; j < supported->count; j++) { |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
187 |
if (g_OID_equal(mech_oid, &supported->elements[j])) { |