Don't equate IAKERB and krb5 in SPNEGO initiator

To work around a historical bug in Samba, the SPNEGO initiator treats
a counterproposal as matching the optimistic token if both are aliases
for the krb5 mech.  When IAKERB support was added (#6712), IAKERB was
unintentionally added to the set of mech OIDs which were considered to
be krb5 aliases for this purpose.

Remove IAKERB from gss_mech_set_krb5_both and create a new internal
mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs.

ticket: 7974 (new)

diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 0b199814ad7237d6dcd79c9873c2c463e801288b..7e807cc059835baa61373ca8d590cdfa576b4232 100644 (file)
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -90,6 +90,8 @@
 #define GSS_MECH_IAKERB_OID_LENGTH 6
 #define GSS_MECH_IAKERB_OID "\053\006\001\005\002\005"
 
+extern const gss_OID_set_desc * const kg_all_mechs;
+
 #define CKSUMTYPE_KG_CB         0x8003
 
 #define KG_TOK_CTX_AP_REQ       0x0100

diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index a408259cfbbe8f313335a78b8e0ac5cc76b4f2f1..6456b238e4e366131cd1bdc60fc947ab1791c7d1 100644 (file)
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -160,14 +160,14 @@ const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+5;
 static const gss_OID_set_desc oidsets[] = {
     {1, (gss_OID) krb5_gss_oid_array+0}, /* RFC OID */
     {1, (gss_OID) krb5_gss_oid_array+1}, /* pre-RFC OID */
-    {4, (gss_OID) krb5_gss_oid_array+0}, /* includes wrong OID & IAKERB */
-    {1, (gss_OID) krb5_gss_oid_array+2},
-    {3, (gss_OID) krb5_gss_oid_array+0},
+    {3, (gss_OID) krb5_gss_oid_array+0}, /* all names for krb5 mech */
+    {4, (gss_OID) krb5_gss_oid_array+0}, /* all krb5 names and IAKERB */
 };
 
 const gss_OID_set_desc * const gss_mech_set_krb5 = oidsets+0;
 const gss_OID_set_desc * const gss_mech_set_krb5_old = oidsets+1;
 const gss_OID_set_desc * const gss_mech_set_krb5_both = oidsets+2;
+const gss_OID_set_desc * const kg_all_mechs = oidsets+3;
 
 g_set kg_vdb = G_SET_INIT;
 

diff --git a/src/lib/gssapi/krb5/indicate_mechs.c b/src/lib/gssapi/krb5/indicate_mechs.c
index 4bd1fd6973a27d3859b906cc434a4c7570192559..45538cb779aa5be7ea0d37710c199fc4fcef876f 100644 (file)
--- a/src/lib/gssapi/krb5/indicate_mechs.c
+++ b/src/lib/gssapi/krb5/indicate_mechs.c
@@ -33,5 +33,5 @@ krb5_gss_indicate_mechs(minor_status, mech_set)
     OM_uint32 *minor_status;
     gss_OID_set *mech_set;
 {
-    return generic_gss_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set);
+    return generic_gss_copy_oid_set(minor_status, kg_all_mechs, mech_set);
 }