Commit 63e58ad0 authored by Mark Andrews's avatar Mark Andrews
Browse files

4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED

                        was returned. [RT #42733]
parent d937f8e9
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
was returned. [RT #42733]
4412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
removed. [RT #42721]
......
......@@ -2976,13 +2976,15 @@ recvgss(isc_task_t *task, isc_event_t *event) {
tsigkey = NULL;
result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname,
&context, &tsigkey, gssring,
use_win2k_gsstsig,
&err_message);
use_win2k_gsstsig, &err_message);
switch (result) {
case DNS_R_CONTINUE:
dns_message_destroy(&rcvmsg);
dns_request_destroy(&request);
send_gssrequest(kserver, tsigquery, &request, context);
break;
ddebug("Out of recvgss");
return;
case ISC_R_SUCCESS:
/*
......@@ -3019,7 +3021,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
break;
default:
fatal("dns_tkey_negotiategss: %s %s",
fatal("dns_tkey_gssnegotiate: %s %s",
isc_result_totext(result),
err_message != NULL ? err_message : "");
}
......
......@@ -712,10 +712,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
switch (gret) {
case GSS_S_COMPLETE:
result = ISC_R_SUCCESS;
break;
case GSS_S_CONTINUE_NEEDED:
result = DNS_R_CONTINUE;
break;
case GSS_S_DEFECTIVE_TOKEN:
case GSS_S_DEFECTIVE_CREDENTIAL:
......@@ -780,7 +777,8 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
gss_error_tostring(gret, minor, buf,
sizeof(buf)));
}
}
} else
result = DNS_R_CONTINUE;
*ctxout = context;
......
......@@ -136,6 +136,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
* Returns:
* ISC_R_SUCCESS msg was successfully updated to include the
* query to be sent
* DNS_R_CONTINUE transaction still in progress
* other an error occurred while building the message
*/
......
......@@ -561,7 +561,7 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status,
gss_cred_id_t *delegated_cred_handle)
{
NegTokenInit init_token;
OM_uint32 major_status;
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 minor_status2;
gss_buffer_desc ibuf, obuf;
gss_buffer_t ot = NULL;
......@@ -677,7 +677,7 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status,
if (ot != NULL && ot->length != 0U)
gss_release_buffer(&minor_status2, ot);
return (ret);
return (ret != GSS_S_COMPLETE ? ret : major_status);
}
/* decapsulate.c */
......
......@@ -444,7 +444,8 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *dstkey = NULL;
dns_tsigkey_t *tsigkey = NULL;
dns_fixedname_t principal;
dns_fixedname_t fixed;
dns_name_t *principal;
isc_stdtime_t now;
isc_region_t intoken;
isc_buffer_t *outtoken = NULL;
......@@ -481,16 +482,15 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
if (result == ISC_R_SUCCESS)
gss_ctx = dst_key_getgssctx(tsigkey->key);
dns_fixedname_init(&principal);
dns_fixedname_init(&fixed);
principal = dns_fixedname_name(&fixed);
/*
* Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
*/
result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
&intoken,
&outtoken, &gss_ctx,
dns_fixedname_name(&principal),
tctx->mctx);
&intoken, &outtoken, &gss_ctx,
principal, tctx->mctx);
if (result == DNS_R_INVALIDTKEY) {
if (tsigkey != NULL)
dns_tsigkey_detach(&tsigkey);
......@@ -506,7 +506,10 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
isc_stdtime_get(&now);
if (tsigkey == NULL) {
if (dns_name_countlabels(principal) == 0U) {
if (tsigkey != NULL)
dns_tsigkey_detach(&tsigkey);
} else if (tsigkey == NULL) {
#ifdef GSSAPI
OM_uint32 gret, minor, lifetime;
#endif
......@@ -525,8 +528,7 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
expire = now + lifetime;
#endif
RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
dstkey, ISC_TRUE,
dns_fixedname_name(&principal),
dstkey, ISC_TRUE, principal,
now, expire, ring->mctx, ring,
NULL));
dst_key_free(&dstkey);
......@@ -1262,7 +1264,7 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dst_key_t *dstkey = NULL;
isc_buffer_t intoken;
isc_result_t result;
unsigned char array[1024];
unsigned char array[TEMP_BUFFER_SZ];
REQUIRE(outtoken != NULL);
REQUIRE(qmsg != NULL);
......@@ -1391,11 +1393,11 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
{
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
dns_name_t *tkeyname;
dns_rdata_tkey_t rtkey, qtkey;
dns_rdata_tkey_t rtkey, qtkey, tkey;
isc_buffer_t intoken, outtoken;
dst_key_t *dstkey = NULL;
isc_result_t result;
unsigned char array[1024];
unsigned char array[TEMP_BUFFER_SZ];
isc_boolean_t freertkey = ISC_FALSE;
REQUIRE(qmsg != NULL);
......@@ -1438,6 +1440,38 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result);
if (result == DNS_R_CONTINUE) {
dns_fixedname_t fixed;
dns_fixedname_init(&fixed);
dns_name_copy(tkeyname, dns_fixedname_name(&fixed), NULL);
tkeyname = dns_fixedname_name(&fixed);
tkey.common.rdclass = dns_rdataclass_any;
tkey.common.rdtype = dns_rdatatype_tkey;
ISC_LINK_INIT(&tkey.common, link);
tkey.mctx = NULL;
dns_name_init(&tkey.algorithm, NULL);
if (win2k)
dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
else
dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
tkey.inception = qtkey.inception;
tkey.expire = qtkey.expire;
tkey.mode = DNS_TKEYMODE_GSSAPI;
tkey.error = 0;
tkey.key = isc_buffer_base(&outtoken);
tkey.keylen = isc_buffer_usedlength(&outtoken);
tkey.other = NULL;
tkey.otherlen = 0;
dns_message_reset(qmsg, DNS_MESSAGE_INTENTRENDER);
RETERR(buildquery(qmsg, tkeyname, &tkey, win2k));
return (DNS_R_CONTINUE);
}
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
&dstkey, NULL));
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment