|
| 1 | +From 942c5036e14066a1f4badfdf67716c47f2e33a39 Mon Sep 17 00:00:00 2001 |
| 2 | +From: dovsyannikov <Dmitry.Ovsyannikov@dell.com> |
| 3 | +Date: Wed, 3 Sep 2025 13:52:57 +0000 |
| 4 | +Subject: [PATCH] Fix SPNEGO mechListMIC parsing |
| 5 | + |
| 6 | +Commit fdceb225f881e2b1337eebcb9a9443fa4a9be3fd erroneously altered |
| 7 | +get_negTokenResp() to look for mechListMIC with tag 0xA4 instead of |
| 8 | +0xA3. Fix it. |
| 9 | + |
| 10 | +Restore the t_spnego.c reselection test by constructing a |
| 11 | +two-mechanism SPNEGO initiator credential using the internal |
| 12 | +structures. |
| 13 | + |
| 14 | +[ghudson@mit.edu: added test case; rewrote commit message] |
| 15 | + |
| 16 | +ticket: 9183 (new) |
| 17 | +tags: pullup |
| 18 | +target_version: 1.21-next |
| 19 | +target_version: 1.22-next |
| 20 | +Upstream-reference: https://github.com/krb5/krb5/commit/942c5036e14066a1f4badfdf67716c47f2e33a39.patch |
| 21 | +--- |
| 22 | + src/lib/gssapi/spnego/spnego_mech.c | 2 +- |
| 23 | + src/tests/gssapi/Makefile.in | 2 +- |
| 24 | + src/tests/gssapi/deps | 19 ++++++++- |
| 25 | + src/tests/gssapi/t_spnego.c | 60 ++++++++++++++++++++++------- |
| 26 | + 4 files changed, 66 insertions(+), 17 deletions(-) |
| 27 | + |
| 28 | +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c |
| 29 | +index 43ba63ab2a7..4a778364336 100644 |
| 30 | +--- a/src/lib/gssapi/spnego/spnego_mech.c |
| 31 | ++++ b/src/lib/gssapi/spnego/spnego_mech.c |
| 32 | +@@ -3515,7 +3515,7 @@ get_negTokenResp(OM_uint32 *minor_status, struct k5input *in, |
| 33 | + return GSS_S_DEFECTIVE_TOKEN; |
| 34 | + } |
| 35 | + |
| 36 | +- if (k5_der_get_value(&seq, CONTEXT | 0x04, &field)) { |
| 37 | ++ if (k5_der_get_value(&seq, CONTEXT | 0x03, &field)) { |
| 38 | + *mechListMIC = get_octet_string(&field); |
| 39 | + |
| 40 | + /* Handle Windows 2000 duplicate response token */ |
| 41 | +diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in |
| 42 | +index 97a6ac3f3f7..5f57173cd8a 100644 |
| 43 | +--- a/src/tests/gssapi/Makefile.in |
| 44 | ++++ b/src/tests/gssapi/Makefile.in |
| 45 | +@@ -4,7 +4,7 @@ DEFINES = -DUSE_AUTOCONF_H |
| 46 | + |
| 47 | + # For t_prf.c |
| 48 | + LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \ |
| 49 | +- -I$(srcdir)/../../lib/gssapi/krb5 \ |
| 50 | ++ -I$(srcdir)/../../lib/gssapi/krb5 -I$(srcdir)/../../lib/gssapi/spnego \ |
| 51 | + -I$(srcdir)/../../lib/gssapi/generic -I../../lib/gssapi/krb5 \ |
| 52 | + -I../../lib/gssapi/generic |
| 53 | + |
| 54 | +diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps |
| 55 | +index 2c55fa51799..e93250af777 100644 |
| 56 | +--- a/src/tests/gssapi/deps |
| 57 | ++++ b/src/tests/gssapi/deps |
| 58 | +@@ -187,9 +187,24 @@ $(OUTPRE)t_saslname.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ |
| 59 | + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ |
| 60 | + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ |
| 61 | + common.h t_saslname.c |
| 62 | +-$(OUTPRE)t_spnego.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ |
| 63 | ++$(OUTPRE)t_spnego.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ |
| 64 | ++ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_alloc.h \ |
| 65 | + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ |
| 66 | +- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ |
| 67 | ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ |
| 68 | ++ $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \ |
| 69 | ++ $(COM_ERR_DEPS) $(srcdir)/../../lib/gssapi/generic/gssapiP_generic.h \ |
| 70 | ++ $(srcdir)/../../lib/gssapi/generic/gssapi_ext.h $(srcdir)/../../lib/gssapi/generic/gssapi_generic.h \ |
| 71 | ++ $(srcdir)/../../lib/gssapi/mechglue/mechglue.h $(srcdir)/../../lib/gssapi/mechglue/mglueP.h \ |
| 72 | ++ $(srcdir)/../../lib/gssapi/spnego/gssapiP_negoex.h \ |
| 73 | ++ $(srcdir)/../../lib/gssapi/spnego/gssapiP_spnego.h \ |
| 74 | ++ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ |
| 75 | ++ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \ |
| 76 | ++ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ |
| 77 | ++ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ |
| 78 | ++ $(top_srcdir)/include/k5-queue.h $(top_srcdir)/include/k5-thread.h \ |
| 79 | ++ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ |
| 80 | ++ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ |
| 81 | ++ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ |
| 82 | + common.h t_spnego.c |
| 83 | + $(OUTPRE)t_srcattrs.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ |
| 84 | + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ |
| 85 | +diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c |
| 86 | +index 4091739f835..3b53097182d 100644 |
| 87 | +--- a/src/tests/gssapi/t_spnego.c |
| 88 | ++++ b/src/tests/gssapi/t_spnego.c |
| 89 | +@@ -29,6 +29,11 @@ |
| 90 | + #include <string.h> |
| 91 | + #include <assert.h> |
| 92 | + |
| 93 | ++/* See create_reselection_cred(). */ |
| 94 | ++#include "k5-int.h" |
| 95 | ++#include <mglueP.h> |
| 96 | ++#include <gssapiP_spnego.h> |
| 97 | ++ |
| 98 | + #include "common.h" |
| 99 | + |
| 100 | + static gss_OID_desc mech_krb5_wrong = { |
| 101 | +@@ -228,6 +233,47 @@ test_neghints(void) |
| 102 | + (void)gss_delete_sec_context(&minor, &actx, NULL); |
| 103 | + } |
| 104 | + |
| 105 | ++/* |
| 106 | ++ * There is currently no API to create a SPNEGO credential supporting multiple |
| 107 | ++ * mechanisms unless a third-party mechanism is configured in the mechs file; |
| 108 | ++ * the default credential contains only krb5 (after tickets #8021 and #8217) |
| 109 | ++ * and a SPNEGO cred cannot be created from an existing union cred. Using |
| 110 | ++ * internal structures, create a two-mechanism initiator cred so that we can |
| 111 | ++ * test reselection. |
| 112 | ++ */ |
| 113 | ++static gss_cred_id_t |
| 114 | ++create_reselection_cred(void) |
| 115 | ++{ |
| 116 | ++ OM_uint32 major, minor; |
| 117 | ++ gss_OID_desc mlist[2] = { mech_krb5, mech_iakerb }; |
| 118 | ++ gss_OID_set_desc mechs = { 2, mlist }; |
| 119 | ++ gss_cred_id_t cred; |
| 120 | ++ spnego_gss_cred_id_t scred; |
| 121 | ++ gss_union_cred_t ucred; |
| 122 | ++ |
| 123 | ++ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, |
| 124 | ++ &mechs, GSS_C_INITIATE, &cred, NULL, NULL); |
| 125 | ++ check_gsserr("gss_acquire_cred(reslection)", major, minor); |
| 126 | ++ |
| 127 | ++ scred = calloc(1, sizeof(*scred)); |
| 128 | ++ assert(scred != NULL); |
| 129 | ++ scred->mcred = cred; |
| 130 | ++ |
| 131 | ++ ucred = calloc(1, sizeof(*ucred)); |
| 132 | ++ assert(ucred != NULL); |
| 133 | ++ ucred->loopback = ucred; |
| 134 | ++ ucred->count = 1; |
| 135 | ++ ucred->mechs_array = calloc(1, sizeof(*ucred->mechs_array)); |
| 136 | ++ ucred->cred_array = calloc(1, sizeof(*ucred->cred_array)); |
| 137 | ++ assert(ucred->mechs_array != NULL && ucred->cred_array != NULL); |
| 138 | ++ ucred->mechs_array[0].elements = malloc(mech_spnego.length); |
| 139 | ++ assert(ucred->mechs_array[0].elements != NULL); |
| 140 | ++ g_OID_copy(&ucred->mechs_array[0], &mech_spnego); |
| 141 | ++ ucred->cred_array[0] = (gss_cred_id_t)scred; |
| 142 | ++ |
| 143 | ++ return (gss_cred_id_t)ucred; |
| 144 | ++} |
| 145 | ++ |
| 146 | + int |
| 147 | + main(int argc, char *argv[]) |
| 148 | + { |
| 149 | +@@ -254,19 +300,7 @@ main(int argc, char *argv[]) |
| 150 | + } |
| 151 | + |
| 152 | + /* Get default initiator cred. */ |
| 153 | +- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, |
| 154 | +- &mechset_spnego, GSS_C_INITIATE, |
| 155 | +- &initiator_cred_handle, NULL, NULL); |
| 156 | +- check_gsserr("gss_acquire_cred(initiator)", major, minor); |
| 157 | +- |
| 158 | +- /* |
| 159 | +- * The following test is designed to exercise SPNEGO reselection on the |
| 160 | +- * client and server. Unfortunately, it no longer does so after tickets |
| 161 | +- * #8217 and #8021, since SPNEGO now only acquires a single krb5 cred and |
| 162 | +- * there is no way to expand the underlying creds with gss_set_neg_mechs(). |
| 163 | +- * To fix this we need gss_acquire_cred_with_cred() or some other way to |
| 164 | +- * turn a cred with a specifically requested mech set into a SPNEGO cred. |
| 165 | +- */ |
| 166 | ++ initiator_cred_handle = create_reselection_cred(); |
| 167 | + |
| 168 | + /* Make the initiator prefer IAKERB and offer krb5 as an alternative. */ |
| 169 | + pref_oids[0] = mech_iakerb; |
0 commit comments