[PATCH] Fix failure of mech plugins lacking gss_inquire_attrs_for_mech()

David Woodhouse dwmw2 at infradead.org
Tue Mar 15 08:41:10 EDT 2016

On Mon, 2016-03-14 at 17:13 -0400, Greg Hudson wrote:
> However, I didn't like the old behavior either; it seems like a lie to
> say "this mech has no attributes but knows about all of the attributes
> from RFC 5587." 

I don't quite understand why we're doing that anyway.

If a mechanism has an inquire_attrs_for_mech() method which returns
GSS_C_NO_OID_SET for the known attrs, why would we override that and
assume that it *does* know everything in RFC5587 despite explicitly
telling us it doesn't?

The simple fix on the gssntlmssp side did precisely that:

With the krb5 code as it stands, that is equivalent to gssntlmssp
saying "I know all the RFC5587 attrs and I support none of them".
Which is very different to "I know nothing but please don't reject me"
which is what it was *trying* to say.

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
