| author | Greg Hudson <ghudson@mit.edu> | 2019-10-06 18:35:50 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2019-12-09 17:02:52 -0500 |
| commit | 563ad3af88f0182f4362a6702844368b0b177406 (patch) | |
| tree | 1a1b4778db37cfd830a44fa2383e064617a019be | |
| parent | 4ec5724fc6988e2cbcecda72c9ef5785c4197ac3 (diff) | |
Accept GSS mechs which don't supply attributes
If gss_inquire_attrs_for_mech() is called for a mechanism which does
not implement it, the call will succeed with mech_attrs set to
GSS_C_NO_OID_SET (as is explicitly allowed by RFC 5587).
generic_gss_test_oid_set_member() returns an error on this value,
causing gss_accept_sec_context() to erroneously deny the mechanism
when no verifier credential handle is supplied. Change
allow_mech_by_default() to explicitly check for no mech attribute set.
(cherry picked from commit bd321c9caa6dc4b034bc3279a1af39af4c41210d)
ticket: 8840
version_fixed: 1.17.1
-rw-r--r-- | src/lib/gssapi/mechglue/g_accept_sec_context.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c index f28e2b1..1a03cf4 100644 --- a/src/lib/gssapi/mechglue/g_accept_sec_context.c +++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c @@ -104,6 +104,10 @@ allow_mech_by_default(gss_OID mech) if (status) return 0; + /* If the mechanism doesn't support RFC 5587, don't exclude it. */ + if (attrs == GSS_C_NO_OID_SET) + return 1; + /* Check for each attribute which would cause us to exclude this mech from * the default credential. */ if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED, |
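Review bot: the new `if (attrs == GSS_C_NO_OID_SET) return 1;` is placed correctly after the `if (status) return 0;` check, so a failed gss_inquire_attrs_for_mech() still excludes the mech and only the success-with-no-attributes case (RFC 5587's GSS_C_NO_OID_SET) is admitted; since the early return skips the rest of allow_mech_by_default(), the comment should state that there is no attribute set to release on this path, for example "/* No RFC 5587 attributes (nothing to release); don't exclude the mech. */". As the change alters which mechanisms gss_accept_sec_context() admits when no verifier credential handle is supplied, a regression test using a mechanism that does not implement gss_inquire_attrs_for_mech() would keep generic_gss_test_oid_set_member() from being reached with GSS_C_NO_OID_SET again.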