krb5 commit: Restrict SPNEGO acceptor mechs by cred acquisition
Greg Hudson
ghudson at mit.edu
Fri Nov 8 18:31:39 EST 2019
https://github.com/krb5/krb5/commit/c088f56a62702a2cc99c26185681efee1555b7fa
commit c088f56a62702a2cc99c26185681efee1555b7fa
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Nov 5 16:51:02 2019 -0500
Restrict SPNEGO acceptor mechs by cred acquisition
When the default cred is used, the SPNEGO initiator restricts the list
of negotiable mechanisms to those we can acquire a cred for, so that
we don't propose a mech we know can't work. The acceptor should do
the same.
ticket: 8844
src/lib/gssapi/spnego/spnego_mech.c | 12 ++++--------
1 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 294cb0e..c57d7d7 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3176,21 +3176,17 @@ get_negotiable_mechs(OM_uint32 *minor_status, spnego_gss_cred_id_t spcred,
gss_cred_usage_t usage, gss_OID_set *rmechs)
{
OM_uint32 ret, tmpmin;
- gss_cred_id_t creds = GSS_C_NO_CREDENTIAL, *credptr;
+ gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;
gss_OID_set cred_mechs = GSS_C_NULL_OID_SET;
gss_OID_set intersect_mechs = GSS_C_NULL_OID_SET;
unsigned int i;
int present;
if (spcred == NULL) {
- /*
- * The default credentials were supplied. Return a list of all
- * available mechs except SPNEGO. When initiating, trim this
- * list to mechs we can acquire credentials for.
- */
- credptr = (usage == GSS_C_INITIATE) ? &creds : NULL;
+ /* The default credentials were supplied. Return a list of all
+ * permissible mechs we can acquire a cred for. */
ret = get_available_mechs(minor_status, GSS_C_NO_NAME, usage,
- GSS_C_NO_CRED_STORE, credptr,
+ GSS_C_NO_CRED_STORE, &creds,
rmechs, NULL);
gss_release_cred(&tmpmin, &creds);
return (ret);
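Review bot: In the spcred == NULL branch, the acceptor path now acquires a default credential through &creds only to filter rmechs and then discards it at gss_release_cred(&tmpmin, &creds), so an acceptor using the default cred takes on a cred acquisition in get_negotiable_mechs that it did not have before, and any mech whose acceptor cred cannot be acquired drops out of negotiation. Please confirm that get_available_mechs reports a clear error rather than an empty set when no mech qualifies for GSS_C_ACCEPT. Consider also keeping the old comment's statement that SPNEGO itself is excluded, since "permissible mechs" does not say so. The diffstat shows only spnego_mech.c changing, so a test covering an acceptor that can acquire a cred for only a subset of the available mechs would be a useful addition.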