[16385] in Kerberos-V5-bugs
[krbdev.mit.edu #8845] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sat Nov 9 00:05:34 2019
From: "Greg Hudson via RT" <rt@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.4-106126-1573275922-594.8845-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8845":;
Date: Sat, 09 Nov 2019 00:05:22 -0500
MIME-Version: 1.0
Reply-To: rt@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8845 >
Fix SPNEGO output parameter bugs

When accepting, do not leak a name if the underlying mech reports a
src_name twice. Record mech_type and delegated_cred_handle and report
them to the caller at the final SPNEGO step, not when the underlying
mech reports them.

When initiating or accepting, report ret_flags at every step, and
filter out PROT_READY as required by RFC 4178 section 3.1. Report a
time_rec value at the final step even if we didn't call into the
underlying mech, using a call to gss_context_time() if necessary.

In the mechglue, initialize ret_flags and time_rec for both
gss_initialize_sec_context() and gss_accept_sec_context().

https://github.com/krb5/krb5/commit/24b844714dea3e47b17511746b5df5b6ddf13d43

Author: Greg Hudson <ghudson@mit.edu>
Commit: 24b844714dea3e47b17511746b5df5b6ddf13d43
Branch: master
src/lib/gssapi/mechglue/g_accept_sec_context.c | 6 ++
src/lib/gssapi/mechglue/g_init_sec_context.c | 6 ++
src/lib/gssapi/spnego/gssapiP_spnego.h | 1 +
src/lib/gssapi/spnego/spnego_mech.c | 85 +++++++++++++-----------
4 files changed, 60 insertions(+), 38 deletions(-)
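
An added illustration (not code from the krb5 commit) of the acceptor-side output-parameter discipline the commit message describes: outputs defined on every path, an earlier name copy released when the mech reports a name again, PROT_READY masked from ret_flags at every step, and mech_type reported only at the final step. The struct and function names are hypothetical and the mech is mocked with constructed values; only the two flag values come from the GSS-API C bindings.

```c
#include <stdlib.h>
#include <string.h>
#define PROT_READY 128u /* value of GSS_C_PROT_READY_FLAG */
#define MUTUAL 2u       /* value of GSS_C_MUTUAL_FLAG */

/* Hypothetical state and mock mech output (not krb5's structures);
 * live_names counts outstanding name copies so a leak is observable. */
struct neg_ctx { char *src_name; const char *mech_type; unsigned flags; int live_names; };
struct mech_out { const char *src_name, *mech_type; unsigned flags; };

/* One acceptor step. m is NULL when the step makes no mech call;
 * done is nonzero on the final negotiation step. */
void neg_accept_step(struct neg_ctx *c, const struct mech_out *m, int done,
                     const char **mech_type, unsigned *ret_flags)
{
    *mech_type = NULL;   /* outputs are defined on every path */
    *ret_flags = 0;
    if (m != NULL && m->src_name != NULL) {
        if (c->src_name != NULL) {   /* reported twice: free the old copy */
            free(c->src_name);
            c->live_names--;
        }
        c->src_name = malloc(strlen(m->src_name) + 1);
        if (c->src_name != NULL) {
            strcpy(c->src_name, m->src_name);
            c->live_names++;
        }
    }
    if (m != NULL) {
        if (m->mech_type != NULL)
            c->mech_type = m->mech_type;   /* record, do not report yet */
        c->flags = m->flags;
    }
    *ret_flags = c->flags & ~PROT_READY;   /* every step, PROT_READY masked */
    if (done)
        *mech_type = c->mech_type;         /* final step only */
}

int main(void)
{
    struct neg_ctx c = {0};
    struct mech_out m = {"alice@EXAMPLE.TEST", "mech-A", MUTUAL | PROT_READY}; /* constructed */
    const char *mt; unsigned fl;
    neg_accept_step(&c, &m, 0, &mt, &fl);     /* mech reports name and type */
    neg_accept_step(&c, &m, 0, &mt, &fl);     /* name reported a second time */
    neg_accept_step(&c, NULL, 1, &mt, &fl);   /* final step, no mech call */
    int ok = mt != NULL && fl == MUTUAL && c.live_names == 1;
    free(c.src_name);
    return ok ? 0 : 1;
}
```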