Check mech in gss_accept_sec_context w/ no cred 318/head
authorGreg Hudson <ghudson@mit.edu>
Thu, 20 Aug 2015 16:26:57 +0000 (12:26 -0400)
committerGreg Hudson <ghudson@mit.edu>
Tue, 25 Aug 2015 03:19:02 +0000 (23:19 -0400)
If no verifier_cred_handle is passed to gss_accept_sec_context(),
accept the same mechs as we would with a default acceptor
credential--that is, not those which assert the GSS_C_MA_DEPRECATED or
GSS_C_MA_NOT_DFLT_MECH attributes.

ticket: 8021

src/lib/gssapi/mechglue/g_accept_sec_context.c

index b8f128bc4833e175a1d72d4c10e77172654bdb3a..6c72d1f6097ce1e4acf3f10dd043d2a96ffb88b4 100644 (file)
@@ -86,6 +86,31 @@ val_acc_sec_ctx_args(
     return (GSS_S_COMPLETE);
 }
 
+/* Return true if mech should be accepted with no acceptor credential. */
+static int
+allow_mech_by_default(gss_OID mech)
+{
+    OM_uint32 status, minor;
+    gss_OID_set attrs;
+    int reject = 0, p;
+
+    status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
+    if (status)
+       return 0;
+
+    /* Check for each attribute which would cause us to exclude this mech from
+     * the default credential. */
+    if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED,
+                                       attrs, &p) != GSS_S_COMPLETE || p)
+       reject = 1;
+    else if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_NOT_DFLT_MECH,
+                                            attrs, &p) != GSS_S_COMPLETE || p)
+       reject = 1;
+
+    (void) gss_release_oid_set(&minor, &attrs);
+    return !reject;
+}
+
 OM_uint32 KRB5_CALLCONV
 gss_accept_sec_context (minor_status,
                         context_handle,
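Review bot: The header comment on allow_mech_by_default does not say that the function fails closed — a mech whose attributes cannot be inquired (`if (status) return 0;`) or whose membership test returns an error is rejected, which is the right default for an acceptor with no credential but worth stating so a later maintainer does not "fix" it to accept on error. I would expand it to `/* Return true if mech should be accepted with no acceptor credential: it must not assert GSS_C_MA_DEPRECATED or GSS_C_MA_NOT_DFLT_MECH, and any failure to inquire or test its attributes counts as a rejection (fail closed). */`. If gss_inquire_attrs_for_mech can return GSS_S_COMPLETE while leaving attrs as GSS_C_NO_OID_SET (I have not verified that it cannot), the two membership tests would run against a null set; adding `|| attrs == GSS_C_NO_OID_SET` to the status check would make that case explicit at no cost.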
@@ -220,6 +245,9 @@ gss_cred_id_t *             d_cred;
            status = GSS_S_NO_CRED;
            goto error_out;
        }
+    } else if (!allow_mech_by_default(selected_mech)) {
+       status = GSS_S_NO_CRED;
+       goto error_out;
     }
 
     /*
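Review bot: The new else-if branch returns GSS_S_NO_CRED for a mech rejected by allow_mech_by_default without a comment saying why that status was chosen, and a caller cannot tell from the major/minor pair whether it lacked a credential or hit a mech excluded from the default credential; a one-line comment above the branch would help, e.g. `/* No acceptor cred: mirror the default credential and refuse mechs that are deprecated or not default. */`. Reusing GSS_S_NO_CRED is consistent with the existing branch directly above, so the behaviour itself looks right. gss_accept_sec_context begins and ends outside the hunk, as does the error_out label this branch jumps to.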