krb5 commit [krb5-1.17]: Accept GSS mechs which don't supply attributes

Mon Dec 9 18:24:26 EST 2019

https://github.com/krb5/krb5/commit/563ad3af88f0182f4362a6702844368b0b177406
commit 563ad3af88f0182f4362a6702844368b0b177406
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Oct 6 18:35:50 2019 -0400

    Accept GSS mechs which don't supply attributes
    
    If gss_inquire_attrs_for_mech() is called for a mechanism which does
    not implement it, the call will succeed with mech_attrs set to
    GSS_C_NO_OID_SET (as is explicitly allowed by RFC 5587).
    generic_gss_test_oid_set_member() returns an error on this value,
    causing gss_accept_sec_context() to erroneously deny the mechanism
    when no verifier credential handle is supplied.  Change
    allow_mech_by_default() to explicitly check for no mech attribute set.
    
    (cherry picked from commit bd321c9caa6dc4b034bc3279a1af39af4c41210d)
    
    ticket: 8840
    version_fixed: 1.17.1

 src/lib/gssapi/mechglue/g_accept_sec_context.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index f28e2b1..1a03cf4 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -104,6 +104,10 @@ allow_mech_by_default(gss_OID mech)
     if (status)
 	return 0;
 
+    /* If the mechanism doesn't support RFC 5587, don't exclude it. */
+    if (attrs == GSS_C_NO_OID_SET)
+	return 1;
+
     /* Check for each attribute which would cause us to exclude this mech from
      * the default credential. */
     if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED,
