

krb5 commit: Check mech in gss_accept_sec_context w/ no cred

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 25 00:20:40 2015

Date: Tue, 25 Aug 2015 00:20:35 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201508250420.t7P4KZ2e028705@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/382556f580e3b7fb8469976988c50b67bba51f26
commit 382556f580e3b7fb8469976988c50b67bba51f26
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Aug 20 12:26:57 2015 -0400

    Check mech in gss_accept_sec_context w/ no cred
    
    If no verifier_cred_handle is passed to gss_accept_sec_context(),
    accept the same mechs as we would with a default acceptor
    credential--that is, not those which assert the GSS_C_MA_DEPRECATED or
    GSS_C_MA_NOT_DFLT_MECH attributes.
    
    ticket: 8021

 src/lib/gssapi/mechglue/g_accept_sec_context.c |   28 ++++++++++++++++++++++++
 1 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index b8f128b..6c72d1f 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -86,6 +86,31 @@ val_acc_sec_ctx_args(
     return (GSS_S_COMPLETE);
 }
 
+/* Return true if mech should be accepted with no acceptor credential. */
+static int
+allow_mech_by_default(gss_OID mech)
+{
+    OM_uint32 status, minor;
+    gss_OID_set attrs;
+    int reject = 0, p;
+
+    status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
+    if (status)
+	return 0;
+
+    /* Check for each attribute which would cause us to exclude this mech from
+     * the default credential. */
+    if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED,
+					attrs, &p) != GSS_S_COMPLETE || p)
+	reject = 1;
+    else if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_NOT_DFLT_MECH,
+					     attrs, &p) != GSS_S_COMPLETE || p)
+	reject = 1;
+
+    (void) gss_release_oid_set(&minor, &attrs);
+    return !reject;
+}
+
 OM_uint32 KRB5_CALLCONV
 gss_accept_sec_context (minor_status,
                         context_handle,
@@ -220,6 +245,9 @@ gss_cred_id_t *		d_cred;
 	    status = GSS_S_NO_CRED;
 	    goto error_out;
 	}
+    } else if (!allow_mech_by_default(selected_mech)) {
+	status = GSS_S_NO_CRED;
+	goto error_out;
     }
 
     /*
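Review bot: The new `else if` branch is undocumented, and its placement relative to the credential handling it mirrors is only visible from the surrounding code, which starts and ends outside this hunk. Since it rejects a mech chosen from the peer's token before that mech's accept routine is dispatched, a short comment would make the intent and the ticket traceable: `/* No acceptor cred was supplied; refuse mechs that a default acceptor credential would also exclude (ticket 8021). */`. Whether GSS_S_NO_CRED is accompanied by a meaningful `*minor_status` on this path cannot be told from the hunk; if error_out does not set it, callers will see an unset minor code for this new failure.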
