[30601] in CVS-changelog-for-Kerberos-V5
krb5 commit: Restrict SPNEGO acceptor mechs by cred acquisition
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Nov 8 18:32:00 2019
Date: Fri, 8 Nov 2019 18:31:39 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201911082331.xA8NVdIx000802@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/c088f56a62702a2cc99c26185681efee1555b7fa
commit c088f56a62702a2cc99c26185681efee1555b7fa
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Nov 5 16:51:02 2019 -0500
Restrict SPNEGO acceptor mechs by cred acquisition
When the default cred is used, the SPNEGO initiator restricts the list
of negotiable mechanisms to those we can acquire a cred for, so that
we don't propose a mech we know can't work. The acceptor should do
the same.
ticket: 8844
src/lib/gssapi/spnego/spnego_mech.c | 12 ++++--------
1 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 294cb0e..c57d7d7 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3176,21 +3176,17 @@ get_negotiable_mechs(OM_uint32 *minor_status, spnego_gss_cred_id_t spcred,
gss_cred_usage_t usage, gss_OID_set *rmechs)
{
OM_uint32 ret, tmpmin;
- gss_cred_id_t creds = GSS_C_NO_CREDENTIAL, *credptr;
+ gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;
gss_OID_set cred_mechs = GSS_C_NULL_OID_SET;
gss_OID_set intersect_mechs = GSS_C_NULL_OID_SET;
unsigned int i;
int present;
if (spcred == NULL) {
- /*
- * The default credentials were supplied. Return a list of all
- * available mechs except SPNEGO. When initiating, trim this
- * list to mechs we can acquire credentials for.
- */
- credptr = (usage == GSS_C_INITIATE) ? &creds : NULL;
+ /* The default credentials were supplied. Return a list of all
+ * permissible mechs we can acquire a cred for. */
ret = get_available_mechs(minor_status, GSS_C_NO_NAME, usage,
- GSS_C_NO_CRED_STORE, credptr,
+ GSS_C_NO_CRED_STORE, &creds,
rmechs, NULL);
gss_release_cred(&tmpmin, &creds);
return (ret);
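Review bot: In the `spcred == NULL` branch, passing `&creds` unconditionally means an acceptor on the default credential now has a cred acquired inside `get_available_mechs()` only to filter the mech list, and `gss_release_cred(&tmpmin, &creds)` discards it immediately afterwards. Please document what the acceptor sees when no mech yields a cred (an error in `ret`, or an empty `*rmechs`), because this path previously passed NULL for `GSS_C_ACCEPT` and returned every available mech. The replacement comment also drops the old "except SPNEGO" wording; if that exclusion still holds, keep it in the comment so the next reader does not have to infer it from "permissible". The diffstat shows only spnego_mech.c changing, so a test with a default-cred acceptor where one mech has no acceptor credentials would pin down the new behaviour.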