krb5 commit: Limit use of deprecated krb5 mech OIDs
Greg Hudson
ghudson at mit.edu
Fri Jul 17 23:37:28 EDT 2015
https://github.com/krb5/krb5/commit/7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479
commit 7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Jul 13 17:06:29 2015 -0400
Limit use of deprecated krb5 mech OIDs
Filter out mechs with the GSS_C_MA_DEPRECATED attribute from the set
of mechanisms obtained by SPNEGO, and from the set used when
gss_acquire_cred() is called with no desired_mechs argument
(GSS_C_NULL_OID_SET).
SPNEGO acceptors will still accept the old and wrong krb5 OIDs, but
SPNEGO initiators will not offer them. According to [MS-SPNG], only
Windows 2000 does not recognize the standard krb5 OID, and it is
client-only.
In gss-client.c, use the standard krb5 OID for the -krb5 option, as
acceptors who call gss_acquire_cred() with no desired_mechs to create
an acceptor cred will no longer accept the old or wrong krb5 OIDs.
ticket: 8217 (new)
src/appl/gss-sample/gss-client.c | 2 +-
src/lib/gssapi/mechglue/g_acquire_cred.c | 11 +++++++++--
src/lib/gssapi/spnego/spnego_mech.c | 14 +++++++++++---
3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c
index 6070d42..c96da88 100644
--- a/src/appl/gss-sample/gss-client.c
+++ b/src/appl/gss-sample/gss-client.c
@@ -816,7 +816,7 @@ main(argc, argv)
} else if (strcmp(*argv, "-spnego") == 0) {
spnego = 1;
} else if (strcmp(*argv, "-krb5") == 0) {
- mechanism = "{ 1 3 5 1 5 2 }";
+ mechanism = "{ 1 2 840 113554 1 2 2 }";
#ifdef _WIN32
} else if (strcmp(*argv, "-threads") == 0) {
argc--;
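Review bot: The new OID literal on the `-krb5` line is a bare magic string with nothing saying which OID it is or why the previous one was dropped; a reader of the option table cannot tell `{ 1 2 840 113554 1 2 2 }` from the old `{ 1 3 5 1 5 2 }` without looking both up. I would add a comment above the assignment such as `/* Standard krb5 mech OID; the old { 1 3 5 1 5 2 } OID is deprecated and acceptor creds acquired with no desired_mechs no longer accept it. */`. If the usage text for `-krb5` mentions the OID it is outside this hunk and should be checked to match. main() starts and ends outside the hunk.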
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c
index b9a3142..22be5b4 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred.c
@@ -135,6 +135,8 @@ OM_uint32 * time_rec;
OM_uint32 first_major = GSS_S_COMPLETE, first_minor = 0;
OM_uint32 initTimeOut, acceptTimeOut, outTime = GSS_C_INDEFINITE;
gss_OID_set mechs = GSS_C_NO_OID_SET;
+ gss_OID_set_desc except_attrs;
+ gss_OID_desc attr_oids[1];
unsigned int i;
gss_union_cred_t creds = NULL;
@@ -152,10 +154,15 @@ OM_uint32 * time_rec;
/*
* if desired_mechs equals GSS_C_NULL_OID_SET, then try to
- * acquire credentials for all mechanisms.
+ * acquire credentials for all non-deprecated mechanisms.
*/
if (desired_mechs == GSS_C_NULL_OID_SET) {
- major = gss_indicate_mechs(minor_status, &mechs);
+ attr_oids[0] = *GSS_C_MA_DEPRECATED;
+ except_attrs.count = 1;
+ except_attrs.elements = attr_oids;
+ major = gss_indicate_mechs_by_attrs(minor_status, GSS_C_NO_OID_SET,
+ &except_attrs, GSS_C_NO_OID_SET,
+ &mechs);
if (major != GSS_S_COMPLETE)
goto cleanup;
} else
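Review bot: Whether a mechanism that does not implement gss_inquire_attrs_for_mech survives the new filter depends on how gss_indicate_mechs_by_attrs treats that query failing, which is not visible here; if it excludes such mechs, third-party plugins would silently vanish from credentials acquired with GSS_C_NULL_OID_SET, so that case is worth confirming before this lands. Likewise, if every registered mech carries GSS_C_MA_DEPRECATED the returned `mechs` is empty, and the code after the hunk must turn that into an error rather than a credential with no elements; I assume the existing element-count check does so but it is outside the hunk. The revised comment says "non-deprecated" without saying why, so I would extend it to: `* acquire credentials for all non-deprecated mechanisms. Deprecated` / `* mechs (e.g. the old and wrong krb5 OIDs) are excluded so that a` / `* default acceptor cred does not accept them (ticket 8217).`. gss_acquire_cred continues past the hunk on both sides.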
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index bf44bc0..9a794ab 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2995,7 +2995,7 @@ release_spnego_ctx(spnego_gss_ctx_id_t *ctx)
* SPNEGO because it will also return the SPNEGO mech and we do not
* want to consider SPNEGO as an available security mech for
* negotiation. For this reason, get_available_mechs will return
- * all available mechs except SPNEGO.
+ * all available, non-deprecated mechs except SPNEGO.
*
* If a ptr to a creds list is given, this function will attempt
* to acquire creds for the creds given and trim the list of
@@ -3012,8 +3012,16 @@ get_available_mechs(OM_uint32 *minor_status,
int found = 0;
OM_uint32 major_status = GSS_S_COMPLETE, tmpmin;
gss_OID_set mechs, goodmechs;
-
- major_status = gss_indicate_mechs(minor_status, &mechs);
+ gss_OID_set_desc except_attrs;
+ gss_OID_desc attr_oids[1];
+
+ attr_oids[0] = *GSS_C_MA_DEPRECATED;
+ except_attrs.count = 1;
+ except_attrs.elements = attr_oids;
+ major_status = gss_indicate_mechs_by_attrs(minor_status,
+ GSS_C_NO_OID_SET,
+ &except_attrs,
+ GSS_C_NO_OID_SET, &mechs);
if (major_status != GSS_S_COMPLETE) {
return (major_status);
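Review bot: The except_attrs setup copies `*GSS_C_MA_DEPRECATED` into a one-element local array only to point the set at it; if GSS_C_MA_DEPRECATED is declared as a plain `gss_OID` (as I believe gssapi.h does), `except_attrs.count = 1; except_attrs.elements = GSS_C_MA_DEPRECATED;` is sufficient and `attr_oids` can go. The identical three-line idiom now also appears in g_acquire_cred.c, so whichever form is kept should be used in both places, or wrapped in one small mechglue helper so the "non-deprecated mechs" policy lives in a single spot. An empty result is now possible when every available mech is deprecated; the code after the hunk presumably rejects `mechs->count == 0`, but it should be confirmed that get_available_mechs cannot return success with an empty *rmechs. get_available_mechs continues past the hunk.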