[PATCH] Fix failure of mech plugins lacking gss_inquire_attrs_for_mech()
David Woodhouse
dwmw2 at infradead.org
Tue Mar 15 08:41:10 EDT 2016
On Mon, 2016-03-14 at 17:13 -0400, Greg Hudson wrote:
>
> However, I didn't like the old behavior either; it seems like a lie to
> say "this mech has no attributes but knows about all of the attributes
> from RFC 5587."
I don't quite understand why we're doing that anyway.
If a mechanism has an inquire_attrs_for_mech() method which returns
GSS_C_NO_OID_SET for the known attrs, why would we override that and
assume that it *does* know everything in RFC5587 despite explicitly
telling us it doesn't?
The simple fix on the gssntlmssp side did precisely that:
https://bugzilla.redhat.com/show_bug.cgi?id=1317609#c3
With the krb5 code as it stands, that is equivalent to gssntlmssp
saying "I know all the RFC5587 attrs and I support none of them".
Which is very different to "I know nothing but please don't reject me"
which is what it was *trying* to say.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20160316/1ffc71c9/attachment.bin
More information about the krbdev
mailing list