krb5 commit: Check mech in gss_accept_sec_context w/ no cred
Greg Hudson
ghudson at mit.edu
Tue Aug 25 00:20:35 EDT 2015
https://github.com/krb5/krb5/commit/382556f580e3b7fb8469976988c50b67bba51f26
commit 382556f580e3b7fb8469976988c50b67bba51f26
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Aug 20 12:26:57 2015 -0400
Check mech in gss_accept_sec_context w/ no cred
If no verifier_cred_handle is passed to gss_accept_sec_context(),
accept the same mechs as we would with a default acceptor
credential--that is, not those which assert the GSS_C_MA_DEPRECATED or
GSS_C_MA_NOT_DFLT_MECH attributes.
ticket: 8021
src/lib/gssapi/mechglue/g_accept_sec_context.c | 28 ++++++++++++++++++++++++
1 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index b8f128b..6c72d1f 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -86,6 +86,31 @@ val_acc_sec_ctx_args(
return (GSS_S_COMPLETE);
}
+/* Return true if mech should be accepted with no acceptor credential. */
+static int
+allow_mech_by_default(gss_OID mech)
+{
+ OM_uint32 status, minor;
+ gss_OID_set attrs;
+ int reject = 0, p;
+
+ status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
+ if (status)
+ return 0;
+
+ /* Check for each attribute which would cause us to exclude this mech from
+ * the default credential. */
+ if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED,
+ attrs, &p) != GSS_S_COMPLETE || p)
+ reject = 1;
+ else if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_NOT_DFLT_MECH,
+ attrs, &p) != GSS_S_COMPLETE || p)
+ reject = 1;
+
+ (void) gss_release_oid_set(&minor, &attrs);
+ return !reject;
+}
+
OM_uint32 KRB5_CALLCONV
gss_accept_sec_context (minor_status,
context_handle,
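Review bot: allow_mech_by_default fails closed — a failing gss_inquire_attrs_for_mech() or a failing membership test rejects the mech — but the header comment on the function only states the positive contract, so the security-relevant part is undocumented. A line above the `if (status)` return such as `/* Fail closed: a mech whose attributes cannot be inquired is not accepted. */` would make that explicit, and the comment before the membership tests could say that either a failed test or a set member causes rejection. The two `else if` branches have identical bodies, so the membership tests could be folded into one condition assigning `reject = 1;` rather than two; that is style only. Whether a mechanism that provides no attribute information ends up with an empty set (and is therefore accepted) depends on gss_inquire_attrs_for_mech(), which is outside this hunk and worth confirming. The function is complete within the hunk.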
@@ -220,6 +245,9 @@ gss_cred_id_t * d_cred;
status = GSS_S_NO_CRED;
goto error_out;
}
+ } else if (!allow_mech_by_default(selected_mech)) {
+ status = GSS_S_NO_CRED;
+ goto error_out;
}
/*
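Review bot: The new `else if (!allow_mech_by_default(selected_mech))` branch reuses GSS_S_NO_CRED for a mechanism rejected by policy, the same status the preceding block returns for a failed credential lookup, and nothing at the branch says why that status is appropriate; a short comment such as `/* No acceptor cred: accept only mechs a default acceptor cred would. */` would keep a later reader from treating the two outcomes as the same failure. gss_accept_sec_context and its error_out label lie outside the hunk, so whether minor_status carries a meaningful value on this path cannot be checked here.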