[krbdev.mit.edu #8550] gss_import_name() does not allow interposition for importing exported names
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Feb 16 13:45:20 EST 2017
If gss_import_name() sees that the token is an exported name token,
the helper function importExportName() parses out the mechanism OID
and looks up the mechanism with gssint_get_mechanism(), without
calling gssint_select_mech_type(). As a result, an interposer cannot
interpose this operation.
Complicating matters, after the exported name token is unwrapped and a
mech is selected, the entire name token is passed to the mech, which
then has to unwrap it again. At least the krb5 mech will fail if the
name token is not wrapped with the krb5 mech OID.
We could change all existing mechanisms so that they ignore the
wrapper OID when processing exported name tokens. Alternatively,
after unwrapping the exported token and calling
gssint_select_mech_type(), we could construct a synthetic name token
which is wrapped with the selected mech OID and pass that to the
mechanism.
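The second alternative described above, worked through as an added example (this is illustrative code, not MIT krb5's mechglue): parse an RFC 2743 exported name token, then re-wrap the inner name under the OID that gssint_select_mech_type() chose so the selected mechanism sees a token wrapped with the OID it expects. The krb5 mech OID bytes are real; the interposer OID and the principal name in the self-check are constructed placeholders, and the selected OID is simply passed in rather than obtained from the mechglue.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parsed view of an RFC 2743 section 3.2 exported name token:
 *   04 01 | MECH_OID_LEN (2 bytes BE) | 06 L OID-bytes | NAME_LEN (4 bytes BE) | NAME */
struct exported_name {
    const uint8_t *oid;   /* OID element bytes, without the DER tag and length */
    size_t oid_len;
    const uint8_t *name;  /* mechanism-specific name bytes */
    size_t name_len;
};

/* Parse tok into *out. Returns 0 on success, -1 if the token is malformed.
 * *out is only written once the whole token has been validated. */
int parse_exported_name(const uint8_t *tok, size_t len, struct exported_name *out)
{
    size_t pos = 4, oidfield_len, name_len;

    if (len < 4 || tok[0] != 0x04 || tok[1] != 0x01)
        return -1;
    oidfield_len = ((size_t)tok[2] << 8) | tok[3];
    /* The OID field is a DER OID; only short-form lengths are accepted here. */
    if (oidfield_len < 2 || len - pos < oidfield_len)
        return -1;
    if (tok[pos] != 0x06 || tok[pos + 1] != oidfield_len - 2)
        return -1;
    out->oid = tok + pos + 2;
    out->oid_len = oidfield_len - 2;
    pos += oidfield_len;
    if (len - pos < 4)
        return -1;
    name_len = ((size_t)tok[pos] << 24) | ((size_t)tok[pos + 1] << 16) |
               ((size_t)tok[pos + 2] << 8) | tok[pos + 3];
    pos += 4;
    if (len - pos != name_len)   /* reject both truncation and trailing bytes */
        return -1;
    out->name = tok + pos;
    out->name_len = name_len;
    return 0;
}

/* Encode an exported name token wrapping name with oid. The buffer is
 * malloc'd and its length stored in *out_len; NULL on failure. */
uint8_t *build_exported_name(const uint8_t *oid, size_t oid_len,
                             const uint8_t *name, size_t name_len, size_t *out_len)
{
    uint8_t *buf, *p;
    size_t total = 4 + 2 + oid_len + 4 + name_len;

    if (oid_len == 0 || oid_len > 127 || name_len > 0xFFFFFFFFUL)
        return NULL;
    if ((buf = malloc(total)) == NULL)
        return NULL;
    p = buf;
    *p++ = 0x04; *p++ = 0x01;
    *p++ = (uint8_t)((oid_len + 2) >> 8); *p++ = (uint8_t)(oid_len + 2);
    *p++ = 0x06; *p++ = (uint8_t)oid_len;
    memcpy(p, oid, oid_len); p += oid_len;
    *p++ = (uint8_t)(name_len >> 24); *p++ = (uint8_t)(name_len >> 16);
    *p++ = (uint8_t)(name_len >> 8);  *p++ = (uint8_t)name_len;
    memcpy(p, name, name_len);
    *out_len = total;
    return buf;
}

/* Synthetic token construction: keep the inner name, replace the wrapper
 * OID with the mechanism the mechglue selected (assumed to come from
 * gssint_select_mech_type(); here it is just a parameter). */
uint8_t *rewrap_exported_name(const uint8_t *tok, size_t len,
                              const uint8_t *selected_oid, size_t selected_oid_len,
                              size_t *out_len)
{
    struct exported_name en;

    if (parse_exported_name(tok, len, &en) != 0)
        return NULL;
    return build_exported_name(selected_oid, selected_oid_len, en.name, en.name_len, out_len);
}

/* Self-check with constructed data: wrap a name under a placeholder
 * interposer OID, re-wrap it under the krb5 mech OID, and verify that the
 * outer OID changed while the inner name survived. Returns 1 on success. */
int rewrap_self_check(void)
{
    static const uint8_t krb5_oid[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
    static const uint8_t fake_interposer_oid[] = {0x2b,0x06,0x01,0x04,0x01,0x7f,0x7f,0x01}; /* placeholder */
    static const uint8_t name[] = "user@EXAMPLE.COM";   /* constructed */
    uint8_t *tok, *tok2; size_t len, len2; struct exported_name en; int ok = 0;

    tok = build_exported_name(fake_interposer_oid, sizeof fake_interposer_oid, name, sizeof name - 1, &len);
    if (tok == NULL)
        return 0;
    tok2 = rewrap_exported_name(tok, len, krb5_oid, sizeof krb5_oid, &len2);
    if (tok2 != NULL && len2 == 35 && parse_exported_name(tok2, len2, &en) == 0 &&
        en.oid_len == sizeof krb5_oid && memcmp(en.oid, krb5_oid, sizeof krb5_oid) == 0 &&
        en.name_len == sizeof name - 1 && memcmp(en.name, name, en.name_len) == 0)
        ok = 1;
    free(tok); free(tok2);
    return ok;
}
```

The parser rejects truncated tokens and trailing bytes before writing any output, which matters because the mechglue would otherwise hand a partly-validated buffer to a mechanism that re-parses it; the re-wrap itself is a pure copy of the inner name, so nothing mechanism-specific is interpreted at the mechglue layer.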