[krbdev.mit.edu #8782] [Comment] gss_accept_sec_context() SPNEGO-wrapped src_name interacts badly with gss_localname()

Greg Hudson via RT rt-comment at krbdev.mit.edu
Fri May 8 16:16:53 EDT 2020


https://krbdev.mit.edu/rt/Ticket/Display.html?id=8782
This is a comment.  It is not sent to the Requestor(s):

Ticket 8901 removes one of the complications for extending the
accept_sec_context contract to apply to src_name. A second complication is
gss_inquire_context(), which is an alternate way to retrieve src_name from an
acceptor context. If gss_accept_sec_context() returned an unwrapped src_name
and gss_inquire_context() returned a wrapped src_name (it currently always
wraps), that would be an unfortunate inconsistency.

Heimdal has a more comprehensive approach to this issue: a mech can declare via
flags that it uses mechglue creds or mechglue names for all purposes. SPNEGO
does both; as a consequence, gss_set_neg_mechs() has to be implemented at the
mechglue layer rather than the SPNEGO layer. There are some interesting and
arguably beneficial side-effects: (1) a non-SPNEGO cred can be used as a SPNEGO
claimant or acceptor cred handle, and (2) SPNEGO does not have to implement
pass-through credential or name methods. However, the mechglue code to
implement these flags is not trivial, and there is a lot of potential for
memory errors if it is done incorrectly.



