#define SPNEGO_OID_LEN 7
#define NTLMSSP_OID_LEN 10
+#define KRB5_OID_LEN 7
+#define MSKRB5_OID_LEN 7
static unsigned long SPNEGO_OID[7] = { 1, 3, 6, 1, 5, 5, 2 };
static unsigned long NTLMSSP_OID[10] = { 1, 3, 6, 1, 4, 1, 311, 2, 2, 10 };
+static unsigned long KRB5_OID[7] = { 1, 2, 840, 113554, 1, 2, 2 };
+static unsigned long MSKRB5_OID[7] = { 1, 2, 840, 48018, 1, 2, 2 };
/*
* ASN.1 context.
}
}
}
+
+ /* don't trust len bigger than ctx buffer */
+ if (*len > ctx->end - ctx->pointer)
+ return 0;
+
return 1;
}
if (!asn1_length_decode(ctx, &def, &len))
return 0;
+ /* primitive shall be definite, indefinite shall be constructed */
+ if (*con == ASN1_PRI && !def)
+ return 0;
+
if (def)
*eoc = ctx->pointer + len;
else
unsigned long *optr;
size = eoc - ctx->pointer + 1;
+
+ /* first subid actually encodes first two subids */
+ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+ return 0;
+
*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
if (*oid == NULL)
return 0;
unsigned char *sequence_end;
unsigned long *oid = NULL;
unsigned int cls, con, tag, oidlen, rc;
- int use_ntlmssp = FALSE;
+ bool use_ntlmssp = false;
+ bool use_kerberos = false;
*secType = NTLM; /* BB eventually make Kerberos or NLTMSSP the default*/
return 0;
}
if ((tag == ASN1_OJI) && (con == ASN1_PRI)) {
- rc = asn1_oid_decode(&ctx, end, &oid, &oidlen);
- if (rc) {
+ if (asn1_oid_decode(&ctx, end, &oid, &oidlen)) {
+
cFYI(1,
("OID len = %d oid = 0x%lx 0x%lx "
"0x%lx 0x%lx",
oidlen, *oid, *(oid + 1),
*(oid + 2), *(oid + 3)));
- rc = compare_oid(oid, oidlen,
- NTLMSSP_OID, NTLMSSP_OID_LEN);
+
+ if (compare_oid(oid, oidlen,
+ MSKRB5_OID,
+ MSKRB5_OID_LEN))
+ use_kerberos = true;
+ else if (compare_oid(oid, oidlen,
+ KRB5_OID,
+ KRB5_OID_LEN))
+ use_kerberos = true;
+ else if (compare_oid(oid, oidlen,
+ NTLMSSP_OID,
+ NTLMSSP_OID_LEN))
+ use_ntlmssp = true;
+
kfree(oid);
- if (rc)
- use_ntlmssp = TRUE;
}
} else {
cFYI(1, ("Should be an oid what is going on?"));
ctx.pointer)); /* is this UTF-8 or ASCII? */
}
- /* if (use_kerberos)
- *secType = Kerberos
- else */
- if (use_ntlmssp) {
+ if (use_kerberos)
+ *secType = Kerberos;
+ else if (use_ntlmssp)
*secType = NTLMSSP;
- }
return 1;
}