Hello community,
here is the log from the commit of package cyrus-sasl for openSUSE:Leap:15.2
checked in at 2020-03-13 10:56:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/cyrus-sasl (Old)
and /work/SRC/openSUSE:Leap:15.2/.cyrus-sasl.new.3160 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cyrus-sasl"
Fri Mar 13 10:56:05 2020 rev:19 rq:781579 version:2.1.26
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/cyrus-sasl/cyrus-sasl-saslauthd.changes
2020-01-15 14:51:45.857464543 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.cyrus-sasl.new.3160/cyrus-sasl-saslauthd.changes
2020-03-13 10:56:17.352388221 +0100
@@ -1,0 +2,10 @@
+Thu Feb 6 17:55:59 UTC 2020 - Samuel Cabrero <[email protected]>
+
+- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
+ * Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
+ * Add 0003-Check-return-error-from-gss_wrap_size_limit.patch
+ * Add 0004-Add-support-for-retrieving-the-mech_ssf.patch
+- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
+ * Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Leap:15.2/cyrus-sasl/cyrus-sasl.changes 2020-01-15
14:51:45.905464572 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.cyrus-sasl.new.3160/cyrus-sasl.changes
2020-03-13 10:56:18.588389103 +0100
@@ -1,0 +2,10 @@
+Thu Feb 6 17:50:21 UTC 2020 - Samuel Cabrero <[email protected]>
+
+- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
+ * Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
+ * Add 0003-Check-return-error-from-gss_wrap_size_limit.patch
+ * Add 0004-Add-support-for-retrieving-the-mech_ssf.patch
+- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
+ * Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
+
+-------------------------------------------------------------------
New:
----
0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
0003-Check-return-error-from-gss_wrap_size_limit.patch
0004-Add-support-for-retrieving-the-mech_ssf.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cyrus-sasl-saslauthd.spec ++++++
--- /var/tmp/diff_new_pack.tFoJCG/_old 2020-03-13 10:56:20.192390246 +0100
+++ /var/tmp/diff_new_pack.tFoJCG/_new 2020-03-13 10:56:20.196390249 +0100
@@ -40,6 +40,10 @@
Patch6: cyrus-sasl-lfs.patch
Patch7: fix-sasl-header.diff
Patch10: cyrus-sasl-2.1.27-openssl-1.1.0.patch
+Patch12: 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
+Patch13: 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
+Patch14: 0003-Check-return-error-from-gss_wrap_size_limit.patch
+Patch15: 0004-Add-support-for-retrieving-the-mech_ssf.patch
PreReq: %fillup_prereq
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: db-devel
@@ -82,6 +86,10 @@
%patch6
%patch7 -p1
%patch10 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
%build
find . -name "*.cvsignore" -exec rm -fv "{}" "+"
++++++ cyrus-sasl.spec ++++++
--- /var/tmp/diff_new_pack.tFoJCG/_old 2020-03-13 10:56:20.212390261 +0100
+++ /var/tmp/diff_new_pack.tFoJCG/_new 2020-03-13 10:56:20.212390261 +0100
@@ -39,6 +39,10 @@
Patch9: cyrus-sasl-issue-402.patch
Patch10: cyrus-sasl-2.1.27-openssl-1.1.0.patch
Patch11: cyrus-sasl-fix-logging-in-gssapi.patch
+Patch12: 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
+Patch13: 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
+Patch14: 0003-Check-return-error-from-gss_wrap_size_limit.patch
+Patch15: 0004-Add-support-for-retrieving-the-mech_ssf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: db-devel
BuildRequires: krb5-mini-devel
@@ -178,6 +182,10 @@
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
%build
find . -name "*.cvsignore" -exec rm -fv "{}" "+"
++++++ 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch ++++++
>From 070b96df8c6620843083e1ff81822272712dc787 Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Thu, 16 Feb 2017 15:25:56 -0500
Subject: [PATCH 1/4] Fix GSS-SPNEGO mechanism's incompatible behavior
The GSS-SPNEGO mechanism has been designed and introduced by Microsoft for use
by Active Directory clients. It allows to negotiate an underlying
Security Mechanism like Krb5 or NTLMSSP.
However, the implementaion in cyrus-sasl is broken and never correctly
interoperated with Microsoft servers or clients. This patch fixes the
compatibility issue which is caused by incorrectly trying to negotiate
SSF layers explicitly instead of using the flags negotiated by GSSAPI
as required by Microsoft's implementation.
Signed-off-by: Simo Sorce <[email protected]>
---
plugins/gssapi.c | 70 +++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 64 insertions(+), 6 deletions(-)
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 2fd1b3b..9da1362 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -620,10 +620,62 @@ static void gssapi_common_mech_free(void *global_context
__attribute__((unused))
#endif
}
+/* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
+ * flags negotiated by GSSAPI to determine If confidentiality or integrity are
+ * used. These flags are stored in text->qop transalated as layers by the
+ * caller */
+static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils,
+ sasl_security_properties_t *props,
+ sasl_out_params_t *oparams)
+{
+ OM_uint32 maj_stat = 0, min_stat = 0;
+ OM_uint32 max_input;
+
+ if (text->qop & LAYER_CONFIDENTIALITY) {
+ oparams->encode = &gssapi_privacy_encode;
+ oparams->decode = &gssapi_decode;
+ oparams->mech_ssf = K5_MAX_SSF;
+ } else if (text->qop & LAYER_INTEGRITY) {
+ oparams->encode = &gssapi_integrity_encode;
+ oparams->decode = &gssapi_decode;
+ oparams->mech_ssf = 1;
+ } else {
+ oparams->encode = NULL;
+ oparams->decode = NULL;
+ oparams->mech_ssf = 0;
+ }
+
+ if (oparams->mech_ssf) {
+ maj_stat = gss_wrap_size_limit(&min_stat,
+ text->gss_ctx,
+ 1,
+ GSS_C_QOP_DEFAULT,
+ (OM_uint32)oparams->maxoutbuf,
+ &max_input);
+
+ if (max_input > oparams->maxoutbuf) {
+ /* Heimdal appears to get this wrong */
+ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+ } else {
+ /* This code is actually correct */
+ oparams->maxoutbuf = max_input;
+ }
+ }
+
+ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+
+ /* used by layers */
+ _plug_decode_init(&text->decode_context, text->utils,
+ (props->maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
+ props->maxbufsize);
+
+ return SASL_OK;
+}
+
/***************************** Server Section *****************************/
static int
-gssapi_server_mech_new(void *glob_context __attribute__((unused)),
+gssapi_server_mech_new(void *glob_context,
sasl_server_params_t *params,
const char *challenge __attribute__((unused)),
unsigned challen __attribute__((unused)),
@@ -645,6 +697,7 @@ gssapi_server_mech_new(void *glob_context
__attribute__((unused)),
text->state = SASL_GSSAPI_STATE_AUTHNEG;
text->http_mode = (params->flags & SASL_NEED_HTTP);
+ text->mech_type = (gss_OID) glob_context;
*conn_context = text;
@@ -658,7 +711,7 @@ gssapi_server_mech_authneg(context_t *text,
unsigned clientinlen,
const char **serverout,
unsigned *serveroutlen,
- sasl_out_params_t *oparams __attribute__((unused)))
+ sasl_out_params_t *oparams)
{
gss_buffer_t input_token, output_token;
gss_buffer_desc real_input_token, real_output_token;
@@ -937,8 +990,9 @@ gssapi_server_mech_authneg(context_t *text,
/* HTTP doesn't do any ssf negotiation */
text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
ret = SASL_OK;
- }
- else {
+ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
+ ret = gssapi_spnego_ssf(text, params->utils, ¶ms->props, oparams);
+ } else {
/* Switch to ssf negotiation */
text->state = SASL_GSSAPI_STATE_SSFCAP;
ret = SASL_CONTINUE;
@@ -1352,7 +1406,7 @@ static sasl_server_plug_t gssapi_server_plugins[] =
| SASL_FEAT_ALLOWS_PROXY
| SASL_FEAT_DONTUSE_USERPASSWD
| SASL_FEAT_SUPPORTS_HTTP, /* features */
- NULL, /* glob_context */
+ &gss_spnego_oid, /* glob_context */
&gssapi_server_mech_new, /* mech_new */
&gssapi_server_mech_step, /* mech_step */
&gssapi_common_mech_dispose, /* mech_dispose */
@@ -1730,7 +1784,11 @@ static int gssapi_client_mech_step(void *conn_context,
text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
oparams->doneflag = 1;
return SASL_OK;
- }
+ } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
+ oparams->doneflag = 1;
+ return gssapi_spnego_ssf(text, params->utils, ¶ms->props,
+ oparams);
+ }
/* Switch to ssf negotiation */
text->state = SASL_GSSAPI_STATE_SSFCAP;
--
2.25.0
++++++ 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch ++++++
>From 03956557033e7871fe3f6006664504c483518d7d Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Tue, 11 Apr 2017 18:31:46 -0400
Subject: [PATCH 2/4] Drop unused parameter from gssapi_spnego_ssf()
Signed-off-by: Simo Sorce <[email protected]>
---
plugins/gssapi.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 9da1362..35c3a91 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -624,7 +624,7 @@ static void gssapi_common_mech_free(void *global_context
__attribute__((unused))
* flags negotiated by GSSAPI to determine If confidentiality or integrity are
* used. These flags are stored in text->qop transalated as layers by the
* caller */
-static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils,
+static int gssapi_spnego_ssf(context_t *text,
sasl_security_properties_t *props,
sasl_out_params_t *oparams)
{
@@ -991,7 +991,7 @@ gssapi_server_mech_authneg(context_t *text,
text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
ret = SASL_OK;
} else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
- ret = gssapi_spnego_ssf(text, params->utils, ¶ms->props, oparams);
+ ret = gssapi_spnego_ssf(text, ¶ms->props, oparams);
} else {
/* Switch to ssf negotiation */
text->state = SASL_GSSAPI_STATE_SSFCAP;
@@ -1786,8 +1786,7 @@ static int gssapi_client_mech_step(void *conn_context,
return SASL_OK;
} else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
oparams->doneflag = 1;
- return gssapi_spnego_ssf(text, params->utils, ¶ms->props,
- oparams);
+ return gssapi_spnego_ssf(text, ¶ms->props, oparams);
}
/* Switch to ssf negotiation */
--
2.25.0
++++++ 0003-Check-return-error-from-gss_wrap_size_limit.patch ++++++
>From d32147a7b5b9d6012f5438479e3324005a1675b2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Mon, 10 Apr 2017 18:35:10 -0400
Subject: [PATCH 3/4] Check return error from gss_wrap_size_limit()
The return error of this function is ignored and potentially
uninitialized values returned by this function are used.
Fix this by moving the function into a proper helper as it is used in an
identical way in 3 different places.
Signed-off-by: Simo Sorce <[email protected]>
---
plugins/gssapi.c | 104 +++++++++++++++++++++++------------------------
1 file changed, 51 insertions(+), 53 deletions(-)
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 35c3a91..e3cb23b 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -620,6 +620,32 @@ static void gssapi_common_mech_free(void *global_context
__attribute__((unused))
#endif
}
+static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams)
+{
+ OM_uint32 maj_stat = 0, min_stat = 0;
+ OM_uint32 max_input = 0;
+
+ maj_stat = gss_wrap_size_limit(&min_stat,
+ text->gss_ctx,
+ 1,
+ GSS_C_QOP_DEFAULT,
+ (OM_uint32)oparams->maxoutbuf,
+ &max_input);
+ if (maj_stat != GSS_S_COMPLETE) {
+ return SASL_FAIL;
+ }
+
+ if (max_input > oparams->maxoutbuf) {
+ /* Heimdal appears to get this wrong */
+ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+ } else {
+ /* This code is actually correct */
+ oparams->maxoutbuf = max_input;
+ }
+
+ return SASL_OK;
+}
+
/* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
* flags negotiated by GSSAPI to determine If confidentiality or integrity are
* used. These flags are stored in text->qop transalated as layers by the
@@ -628,8 +654,7 @@ static int gssapi_spnego_ssf(context_t *text,
sasl_security_properties_t *props,
sasl_out_params_t *oparams)
{
- OM_uint32 maj_stat = 0, min_stat = 0;
- OM_uint32 max_input;
+ int ret;
if (text->qop & LAYER_CONFIDENTIALITY) {
oparams->encode = &gssapi_privacy_encode;
@@ -646,20 +671,10 @@ static int gssapi_spnego_ssf(context_t *text,
}
if (oparams->mech_ssf) {
- maj_stat = gss_wrap_size_limit(&min_stat,
- text->gss_ctx,
- 1,
- GSS_C_QOP_DEFAULT,
- (OM_uint32)oparams->maxoutbuf,
- &max_input);
-
- if (max_input > oparams->maxoutbuf) {
- /* Heimdal appears to get this wrong */
- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
- } else {
- /* This code is actually correct */
- oparams->maxoutbuf = max_input;
- }
+ ret = gssapi_wrap_sizes(text, oparams);
+ if (ret != SASL_OK) {
+ return ret;
+ }
}
text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
@@ -1168,7 +1183,6 @@ gssapi_server_mech_ssfreq(context_t *text,
gss_buffer_t input_token, output_token;
gss_buffer_desc real_input_token, real_output_token;
OM_uint32 maj_stat = 0, min_stat = 0;
- OM_uint32 max_input;
int layerchoice;
input_token = &real_input_token;
@@ -1258,27 +1272,20 @@ gssapi_server_mech_ssfreq(context_t *text,
(((unsigned char *) output_token->value)[2] << 8) |
(((unsigned char *) output_token->value)[3] << 0);
- if (oparams->mech_ssf) {
- maj_stat = gss_wrap_size_limit( &min_stat,
- text->gss_ctx,
- 1,
- GSS_C_QOP_DEFAULT,
- (OM_uint32) oparams->maxoutbuf,
- &max_input);
-
- if(max_input > oparams->maxoutbuf) {
- /* Heimdal appears to get this wrong */
- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
- } else {
- /* This code is actually correct */
- oparams->maxoutbuf = max_input;
- }
- }
-
GSS_LOCK_MUTEX(params->utils);
gss_release_buffer(&min_stat, output_token);
GSS_UNLOCK_MUTEX(params->utils);
+ if (oparams->mech_ssf) {
+ int ret;
+
+ ret = gssapi_wrap_sizes(text, oparams);
+ if (ret != SASL_OK) {
+ sasl_gss_free_context_contents(text);
+ return ret;
+ }
+ }
+
text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
/* used by layers */
@@ -1530,7 +1537,6 @@ static int gssapi_client_mech_step(void *conn_context,
gss_buffer_t input_token, output_token;
gss_buffer_desc real_input_token, real_output_token;
OM_uint32 maj_stat = 0, min_stat = 0;
- OM_uint32 max_input;
gss_buffer_desc name_token;
int ret;
OM_uint32 req_flags = 0, out_req_flags = 0;
@@ -1913,27 +1919,19 @@ static int gssapi_client_mech_step(void *conn_context,
(((unsigned char *) output_token->value)[2] << 8) |
(((unsigned char *) output_token->value)[3] << 0);
- if (oparams->mech_ssf) {
- maj_stat = gss_wrap_size_limit( &min_stat,
- text->gss_ctx,
- 1,
- GSS_C_QOP_DEFAULT,
- (OM_uint32) oparams->maxoutbuf,
- &max_input);
-
- if (max_input > oparams->maxoutbuf) {
- /* Heimdal appears to get this wrong */
- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
- } else {
- /* This code is actually correct */
- oparams->maxoutbuf = max_input;
- }
- }
-
GSS_LOCK_MUTEX(params->utils);
gss_release_buffer(&min_stat, output_token);
GSS_UNLOCK_MUTEX(params->utils);
-
+
+ if (oparams->mech_ssf) {
+ int ret;
+
+ ret = gssapi_wrap_sizes(text, oparams);
+ if (ret != SASL_OK) {
+ sasl_gss_free_context_contents(text);
+ return ret;
+ }
+ }
/* oparams->user is always set, due to canon_user requirements.
* Make sure the client actually requested it though, by checking
* if our context was set.
--
2.25.0
++++++ 0004-Add-support-for-retrieving-the-mech_ssf.patch ++++++
>From 55173cd84d0dc40b767d98b70b642ced78354c7d Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Mon, 10 Apr 2017 19:54:19 -0400
Subject: [PATCH 4/4] Add support for retrieving the mech_ssf
In the latest MIT Kerberos implementation it is possible to extract
the calculated SSF wich is based on the encryption type that has been
used to establish the GSSAPI security context.
Use this method if available or fall back to the old "DES" value.
Signed-off-by: Simo Sorce <[email protected]>
---
plugins/gssapi.c | 104 ++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 93 insertions(+), 11 deletions(-)
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index e3cb23b..b620282 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -51,6 +51,13 @@
#include <gssapi/gssapi.h>
#endif
+#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
+#include <gssapi/gssapi_krb5.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+#include <gssapi/gssapi_ext.h>
+#endif
+
#ifdef WIN32
# include <winsock2.h>
@@ -98,18 +105,25 @@ extern gss_OID gss_nt_service_name;
/* Check if CyberSafe flag is defined */
#ifdef CSF_GSS_C_DES3_FLAG
#define K5_MAX_SSF 112
+#define K5_MIN_SSF 112
#endif
/* Heimdal and MIT use the following */
#ifdef GSS_KRB5_CONF_C_QOP_DES3_KD
#define K5_MAX_SSF 112
+#define K5_MIN_SSF 112
#endif
#endif
#ifndef K5_MAX_SSF
+/* All modern Kerberos implementations support AES */
+#define K5_MAX_SSF 256
+#endif
+
/* All Kerberos implementations support DES */
-#define K5_MAX_SSF 56
+#ifndef K5_MIN_SSF
+#define K5_MIN_SSF 56
#endif
/* GSSAPI SASL Mechanism by Leif Johansson <[email protected]>
@@ -646,6 +660,47 @@ static int gssapi_wrap_sizes(context_t *text,
sasl_out_params_t *oparams)
return SASL_OK;
}
+#if !defined(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF)
+gss_OID_desc gss_sasl_ssf = {
+ 11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"
+};
+gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = &gss_sasl_ssf;
+#endif
+
+static int gssapi_get_ssf(context_t *text, sasl_ssf_t *mech_ssf)
+{
+#ifdef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID
+ OM_uint32 maj_stat = 0, min_stat = 0;
+ gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
+ gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF;
+ uint32_t ssf;
+
+ maj_stat = gss_inquire_sec_context_by_oid(&min_stat, text->gss_ctx,
+ ssf_oid, &bufset);
+ switch (maj_stat) {
+ case GSS_S_UNAVAILABLE:
+ /* Not supported by the library, fallback to default */
+ goto fallback;
+ case GSS_S_COMPLETE:
+ if ((bufset->count != 1) || (bufset->elements[0].length != 4)) {
+ /* Malformed bufset, fail */
+ (void)gss_release_buffer_set(&min_stat, &bufset);
+ return SASL_FAIL;
+ }
+ memcpy(&ssf, bufset->elements[0].value, 4);
+ (void)gss_release_buffer_set(&min_stat, &bufset);
+ *mech_ssf = ntohl(ssf);
+ return SASL_OK;
+ default:
+ return SASL_FAIL;
+ }
+
+fallback:
+#endif
+ *mech_ssf = K5_MIN_SSF;
+ return SASL_OK;
+}
+
/* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
* flags negotiated by GSSAPI to determine If confidentiality or integrity are
* used. These flags are stored in text->qop transalated as layers by the
@@ -659,7 +714,10 @@ static int gssapi_spnego_ssf(context_t *text,
if (text->qop & LAYER_CONFIDENTIALITY) {
oparams->encode = &gssapi_privacy_encode;
oparams->decode = &gssapi_decode;
- oparams->mech_ssf = K5_MAX_SSF;
+ ret = gssapi_get_ssf(text, &oparams->mech_ssf);
+ if (ret != SASL_OK) {
+ return ret;
+ }
} else if (text->qop & LAYER_INTEGRITY) {
oparams->encode = &gssapi_integrity_encode;
oparams->decode = &gssapi_decode;
@@ -1049,6 +1107,7 @@ gssapi_server_mech_ssfcap(context_t *text,
gss_buffer_desc real_input_token, real_output_token;
OM_uint32 maj_stat = 0, min_stat = 0;
unsigned char sasldata[4];
+ sasl_ssf_t mech_ssf;
int ret;
input_token = &real_input_token;
@@ -1109,9 +1168,14 @@ gssapi_server_mech_ssfcap(context_t *text,
params->props.maxbufsize) {
sasldata[0] |= LAYER_INTEGRITY;
}
+ ret = gssapi_get_ssf(text, &mech_ssf);
+ if (ret != SASL_OK) {
+ sasl_gss_free_context_contents(text);
+ return ret;
+ }
if ((text->qop & LAYER_CONFIDENTIALITY) &&
- text->requiressf <= K5_MAX_SSF &&
- text->limitssf >= K5_MAX_SSF &&
+ text->requiressf <= mech_ssf &&
+ text->limitssf >= mech_ssf &&
params->props.maxbufsize) {
sasldata[0] |= LAYER_CONFIDENTIALITY;
}
@@ -1232,10 +1296,18 @@ gssapi_server_mech_ssfreq(context_t *text,
/* For compatibility with broken clients setting both bits */
layerchoice == (LAYER_CONFIDENTIALITY|LAYER_INTEGRITY)) &&
(text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */
+ int ret;
oparams->encode = &gssapi_privacy_encode;
oparams->decode = &gssapi_decode;
- /* FIX ME: Need to extract the proper value here */
- oparams->mech_ssf = K5_MAX_SSF;
+
+ ret = gssapi_get_ssf(text, &oparams->mech_ssf);
+ if (ret != SASL_OK) {
+ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ sasl_gss_free_context_contents(text);
+ return ret;
+ }
} else {
/* not a supported encryption layer */
SETERROR(text->utils,
@@ -1806,6 +1878,8 @@ static int gssapi_client_mech_step(void *conn_context,
unsigned int alen, external = params->external_ssf;
sasl_ssf_t need, allowed;
char serverhas, mychoice;
+ sasl_ssf_t mech_ssf;
+ int ret;
real_input_token.value = (void *) serverin;
real_input_token.length = serverinlen;
@@ -1840,8 +1914,17 @@ static int gssapi_client_mech_step(void *conn_context,
return SASL_FAIL;
}
+ ret = gssapi_get_ssf(text, &mech_ssf);
+ if (ret != SASL_OK) {
+ GSS_LOCK_MUTEX_CTX(params->utils, text);
+ gss_release_buffer(&min_stat, output_token);
+ GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ sasl_gss_free_context_contents(text);
+ return SASL_FAIL;
+ }
+
/* taken from kerberos.c */
- if (secprops->min_ssf > (K5_MAX_SSF + external)) {
+ if (secprops->min_ssf > (mech_ssf + external)) {
return SASL_TOOWEAK;
} else if (secprops->min_ssf > secprops->max_ssf) {
return SASL_BADPARAM;
@@ -1865,8 +1948,8 @@ static int gssapi_client_mech_step(void *conn_context,
/* use the strongest layer available */
if ((text->qop & LAYER_CONFIDENTIALITY) &&
- allowed >= K5_MAX_SSF &&
- need <= K5_MAX_SSF &&
+ allowed >= mech_ssf &&
+ need <= mech_ssf &&
(serverhas & LAYER_CONFIDENTIALITY)) {
const char *ad_compat;
@@ -1874,8 +1957,7 @@ static int gssapi_client_mech_step(void *conn_context,
/* encryption */
oparams->encode = &gssapi_privacy_encode;
oparams->decode = &gssapi_decode;
- /* FIX ME: Need to extract the proper value here */
- oparams->mech_ssf = K5_MAX_SSF;
+ oparams->mech_ssf = mech_ssf;
mychoice = LAYER_CONFIDENTIALITY;
if (serverhas & LAYER_INTEGRITY) {
--
2.25.0
