Accept GSS mechs which don't supply attributes

If gss_inquire_attrs_for_mech() is called for a mechanism which does
not implement it, the call will succeed with mech_attrs set to
GSS_C_NO_OID_SET (as is explicitly allowed by RFC 5587).
generic_gss_test_oid_set_member() returns an error on this value,
causing gss_accept_sec_context() to erroneously deny the mechanism
when no verifier credential handle is supplied.  Change
allow_mech_by_default() to explicitly check for no mech attribute set.

ticket: 8840 (new)
tags: pullup
target_version: 1.17-next
target_version: 1.16-next

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index f28e2b14a9036d3d79470a55cfc5bde7b52be247..1a03cf43b16e36dae99580d16bd243a3c09f697d 100644 (file)
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -104,6 +104,10 @@ allow_mech_by_default(gss_OID mech)
     if (status)
        return 0;
 
+    /* If the mechanism doesn't support RFC 5587, don't exclude it. */
+    if (attrs == GSS_C_NO_OID_SET)
+       return 1;
+
     /* Check for each attribute which would cause us to exclude this mech from
      * the default credential. */
     if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED,