2 # This patch allows for better interop with MS Windows clients accessing Solaris |
2 # This patch allows for better interop with MS Windows clients accessing Solaris |
3 # SMB services. It fixes a few memory leaks and double frees found during SMB |
3 # SMB services. It fixes a few memory leaks and double frees found during SMB |
4 # stress testing. The CRs in order: |
4 # stress testing. The CRs in order: |
5 # |
5 # |
6 # 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_... |
6 # 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_... |
7 # 15648322 SUNBT6959251 coredump in gss_release_name+0x36 |
|
8 # 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID |
7 # 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID |
9 # 16005842 Should retry SMB authentication upgrade to account for network... |
8 # 16005842 Should retry SMB authentication upgrade to account for network... |
10 # 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW.. |
9 # 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW.. |
11 # |
10 # |
12 # Note: MIT tickets will subsequently be filed, but the solution may differ from |
11 # Note: MIT tickets will subsequently be filed, but the solution may differ from |
66 + } |
65 + } |
67 + |
66 + |
68 code -= ERROR_TABLE_BASE_krb5; |
67 code -= ERROR_TABLE_BASE_krb5; |
69 if (code < 0 || code > KRB_ERR_MAX) |
68 if (code < 0 || code > KRB_ERR_MAX) |
70 code = 60 /* KRB_ERR_GENERIC */; |
69 code = 60 /* KRB_ERR_GENERIC */; |
71 diff -ur krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c |
70 |
72 --- krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c |
71 diff -pur new/src/lib/gssapi/spnego/spnego_mech.c patched/src/lib/gssapi/spnego/spnego_mech.c |
73 +++ krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c |
72 --- new/src/lib/gssapi/spnego/spnego_mech.c 2016-02-29 11:50:13.000000000 -0800 |
74 @@ -190,6 +190,13 @@ |
73 +++ patched/src/lib/gssapi/spnego/spnego_mech.c 2016-03-18 21:55:31.131280297 -0700 |
|
74 @@ -191,7 +190,14 @@ static const gss_OID_set_desc spnego_oid |
75 }; |
75 }; |
76 const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0; |
76 const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0; |
77 |
77 |
|
78 static int make_NegHints(OM_uint32 *, gss_buffer_t *); |
78 +/* encoded OID octet string for NTLMSSP security mechanism */ |
79 +/* encoded OID octet string for NTLMSSP security mechanism */ |
79 +#define GSS_MECH_NTLMSSP_OID_LENGTH 10 |
80 +#define GSS_MECH_NTLMSSP_OID_LENGTH 10 |
80 +#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012" |
81 +#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012" |
81 +static gss_OID_desc ntlmssp_oid = { |
82 +static gss_OID_desc ntlmssp_oid = { |
82 + GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID |
83 + GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID |
83 +}; |
84 +}; |
84 + |
85 + |
85 static int make_NegHints(OM_uint32 *, spnego_gss_cred_id_t, gss_buffer_t *); |
|
86 static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int); |
86 static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int); |
87 static OM_uint32 |
87 static OM_uint32 |
88 @@ -1237,7 +1244,7 @@ |
88 acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, spnego_gss_cred_id_t, |
89 &hintNameBuf, |
89 @@ -1325,6 +1387,7 @@ acc_ctx_new(OM_uint32 *minor_status, |
90 &hintNameType); |
|
91 if (major_status != GSS_S_COMPLETE) { |
|
92 - gss_release_name(&minor, &hintName); |
|
93 + gss_release_name(&minor, &hintKerberosName); |
|
94 return (major_status); |
|
95 } |
|
96 gss_release_name(&minor, &hintKerberosName); |
|
97 @@ -1380,6 +1387,7 @@ |
|
98 gss_buffer_desc der_mechTypes; |
90 gss_buffer_desc der_mechTypes; |
99 gss_OID mech_wanted; |
91 gss_OID mech_wanted; |
100 spnego_gss_ctx_id_t sc = NULL; |
92 spnego_gss_ctx_id_t sc = NULL; |
101 + unsigned int i; |
93 + unsigned int i; |
102 |
94 |
103 ret = GSS_S_DEFECTIVE_TOKEN; |
95 ret = GSS_S_DEFECTIVE_TOKEN; |
104 der_mechTypes.length = 0; |
96 der_mechTypes.length = 0; |
105 @@ -1403,6 +1411,24 @@ |
97 @@ -1348,6 +1411,24 @@ acc_ctx_new(OM_uint32 *minor_status, |
106 goto cleanup; |
98 goto cleanup; |
107 } |
99 } |
108 /* |
100 /* |
109 + * We add KRB5_WRONG here so that old MS clients can negotiate this |
101 + * We add KRB5_WRONG here so that old MS clients can negotiate this |
110 + * mechanism, which allows extensions in Kerberos (clock skew |
102 + * mechanism, which allows extensions in Kerberos (clock skew |
125 + } |
117 + } |
126 + /* |
118 + /* |
127 * Select the best match between the list of mechs |
119 * Select the best match between the list of mechs |
128 * that the initiator requested and the list that |
120 * that the initiator requested and the list that |
129 * the acceptor will support. |
121 * the acceptor will support. |
130 @@ -3136,6 +3162,7 @@ |
122 @@ -3072,6 +3163,7 @@ static OM_uint32 |
131 int found = 0; |
|
132 OM_uint32 major_status = GSS_S_COMPLETE, tmpmin; |
|
133 gss_OID_set mechs, goodmechs; |
123 gss_OID_set mechs, goodmechs; |
|
124 gss_OID_set_desc except_attrs; |
|
125 gss_OID_desc attr_oids[2]; |
134 + char *msinterop = getenv("MS_INTEROP"); |
126 + char *msinterop = getenv("MS_INTEROP"); |
135 |
127 |
136 major_status = gss_indicate_mechs(minor_status, &mechs); |
128 attr_oids[0] = *GSS_C_MA_DEPRECATED; |
137 |
129 attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH; |
138 @@ -3150,6 +3177,15 @@ |
130 @@ -3108,6 +3177,15 @@ get_available_mechs(OM_uint32 *minor_sta |
139 return (major_status); |
131 return (major_status); |
140 } |
132 } |
141 |
133 |
142 + /* |
134 + /* |
143 + * If the required keytab entries for Kerberized SMB service are |
135 + * If the required keytab entries for Kerberized SMB service are |
175 + } |
167 + } |
176 + |
168 + |
177 /* |
169 /* |
178 * If the caller wanted a list of creds returned, |
170 * If the caller wanted a list of creds returned, |
179 * trim the list of mechanisms down to only those |
171 * trim the list of mechanisms down to only those |
180 @@ -3740,9 +3795,17 @@ |
172 @@ -3698,9 +3795,17 @@ negotiate_mech(gss_OID_set supported, gs |
181 for (i = 0; i < received->count; i++) { |
173 for (i = 0; i < received->count; i++) { |
182 gss_OID mech_oid = &received->elements[i]; |
174 gss_OID mech_oid = &received->elements[i]; |
183 |
175 |
184 + /* |
176 + /* |
185 + * MIT compares against MS' wrong OID, but we actually want to |
177 + * MIT compares against MS' wrong OID, but we actually want to |