From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 17 Dec 2015 00:31:22 +0000 (-0500)
Subject: Fix interposed gss_accept_sec_context()
X-Git-Tag: krb5-1.15-beta1~295
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b43d10333f4c4b29896cebc9447d8866b661217;p=thirdparty%2Fkrb5.git

Fix interposed gss_accept_sec_context()

If gss_accept_sec_context() is interposed, selected_mech will be an
interposer OID.  In this situation, pass the corresponding public OID
to gss_inquire_attrs_for_mech() to determine whether the mech is
allowed by default.

[ghudson@mit.edu: pared down from larger commit; rewrote commit message]

ticket: 8338 (new)
target_version: 1.14-next
tags: pullup
---

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 6c72d1f609..ddaf87412e 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -94,6 +94,12 @@ allow_mech_by_default(gss_OID mech)
     gss_OID_set attrs;
     int reject = 0, p;
 
+    /* Whether we accept an interposer mech depends on whether we accept the
+     * mech it interposes. */
+    mech = gssint_get_public_oid(mech);
+    if (mech == GSS_C_NO_OID)
+	return 0;
+
     status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
     if (status)
 	return 0;