krb5 commit: Don't equate IAKERB and krb5 in SPNEGO initiator

Mon Jul 21 13:04:23 EDT 2014

https://github.com/krb5/krb5/commit/887951cd141dd2253912a17da08da016a8030a24
commit 887951cd141dd2253912a17da08da016a8030a24
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Jul 15 13:20:43 2014 -0400

    Don't equate IAKERB and krb5 in SPNEGO initiator
    
    To work around a historical bug in Samba, the SPNEGO initiator treats
    a counterproposal as matching the optimistic token if both are aliases
    for the krb5 mech.  When IAKERB support was added (#6712), IAKERB was
    unintentionally added to the set of mech OIDs which were considered to
    be krb5 aliases for this purpose.
    
    Remove IAKERB from gss_mech_set_krb5_both and create a new internal
    mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs.
    
    ticket: 7974 (new)

 src/lib/gssapi/krb5/gssapiP_krb5.h   |    2 ++
 src/lib/gssapi/krb5/gssapi_krb5.c    |    6 +++---
 src/lib/gssapi/krb5/indicate_mechs.c |    2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 0b19981..7e807cc 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -90,6 +90,8 @@
 #define GSS_MECH_IAKERB_OID_LENGTH 6
 #define GSS_MECH_IAKERB_OID "\053\006\001\005\002\005"
 
+extern const gss_OID_set_desc * const kg_all_mechs;
+
 #define CKSUMTYPE_KG_CB         0x8003
 
 #define KG_TOK_CTX_AP_REQ       0x0100
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index a408259..6456b23 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -160,14 +160,14 @@ const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+5;
 static const gss_OID_set_desc oidsets[] = {
     {1, (gss_OID) krb5_gss_oid_array+0}, /* RFC OID */
     {1, (gss_OID) krb5_gss_oid_array+1}, /* pre-RFC OID */
-    {4, (gss_OID) krb5_gss_oid_array+0}, /* includes wrong OID & IAKERB */
-    {1, (gss_OID) krb5_gss_oid_array+2},
-    {3, (gss_OID) krb5_gss_oid_array+0},
+    {3, (gss_OID) krb5_gss_oid_array+0}, /* all names for krb5 mech */
+    {4, (gss_OID) krb5_gss_oid_array+0}, /* all krb5 names and IAKERB */
 };
 
 const gss_OID_set_desc * const gss_mech_set_krb5 = oidsets+0;
 const gss_OID_set_desc * const gss_mech_set_krb5_old = oidsets+1;
 const gss_OID_set_desc * const gss_mech_set_krb5_both = oidsets+2;
+const gss_OID_set_desc * const kg_all_mechs = oidsets+3;
 
 g_set kg_vdb = G_SET_INIT;
 
diff --git a/src/lib/gssapi/krb5/indicate_mechs.c b/src/lib/gssapi/krb5/indicate_mechs.c
index 4bd1fd6..45538cb 100644
--- a/src/lib/gssapi/krb5/indicate_mechs.c
+++ b/src/lib/gssapi/krb5/indicate_mechs.c
@@ -33,5 +33,5 @@ krb5_gss_indicate_mechs(minor_status, mech_set)
     OM_uint32 *minor_status;
     gss_OID_set *mech_set;
 {
-    return generic_gss_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set);
+    return generic_gss_copy_oid_set(minor_status, kg_all_mechs, mech_set);
 }
