From: Greg Hudson
Date: Thu, 20 Aug 2015 16:26:57 +0000 (-0400)
Subject: Check mech in gss_accept_sec_context w/ no cred
X-Git-Tag: krb5-1.14-alpha1~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=382556f580e3b7fb8469976988c50b67bba51f26;p=thirdparty%2Fkrb5.git

Check mech in gss_accept_sec_context w/ no cred

If no verifier_cred_handle is passed to gss_accept_sec_context(), accept the same mechs as we would with a default acceptor credential--that is, not those which assert the GSS_C_MA_DEPRECATED or GSS_C_MA_NOT_DFLT_MECH attributes.

ticket: 8021
---

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index b8f128bc48..6c72d1f609 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -86,6 +86,31 @@ val_acc_sec_ctx_args(
 return (GSS_S_COMPLETE);
 }

+/* Return true if mech should be accepted with no acceptor credential. */
+static int
+allow_mech_by_default(gss_OID mech)
+{
+ OM_uint32 status, minor;
+ gss_OID_set attrs;
+ int reject = 0, p;
+
+ status = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
+ if (status)
+ return 0;
+
+ /* Check for each attribute which would cause us to exclude this mech from
+ * the default credential. */
+ if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED,
+ attrs, &p) != GSS_S_COMPLETE || p)
+ reject = 1;
+ else if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_NOT_DFLT_MECH,
+ attrs, &p) != GSS_S_COMPLETE || p)
+ reject = 1;
+
+ (void) gss_release_oid_set(&minor, &attrs);
+ return !reject;
+}
+
 OM_uint32 KRB5_CALLCONV
 gss_accept_sec_context (minor_status,
 context_handle,
@@ -220,6 +245,9 @@ gss_cred_id_t * d_cred;
 status = GSS_S_NO_CRED;
 goto error_out;
 }
+ } else if (!allow_mech_by_default(selected_mech)) {
+ status = GSS_S_NO_CRED;
+ goto error_out;
 }

 /*
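Review bot: The header comment on the new helper, `/* Return true if mech should be accepted with no acceptor credential. */`, does not state that every failure path is a rejection: a non-zero return from gss_inquire_attrs_for_mech returns 0 outright, and a non-GSS_S_COMPLETE result from either generic_gss_test_oid_set_member call sets reject. That fail-closed choice is the security-relevant part of this function and should be written down so a later cleanup does not turn an inquiry error into acceptance; suggest `/* Return true if mech should be accepted with no acceptor credential, i.e. it asserts neither GSS_C_MA_DEPRECATED nor GSS_C_MA_NOT_DFLT_MECH.  Any error while inquiring the attributes is treated as "do not accept". */`. The minor code from the failing call is discarded (`minor` is local and never returned), so a caller cannot distinguish a policy rejection from an inquiry failure; that may be acceptable here but deserves a sentence in the comment. If the default-credential path elsewhere in the mechglue already applies the same two attributes, a shared helper would keep the two lists from drifting, but that code is not visible from this hunk.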
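Review bot: The new `else if (!allow_mech_by_default(selected_mech))` branch returns GSS_S_NO_CRED without assigning `*minor_status`, so the caller sees whatever minor code was stored earlier (presumably zero from argument validation, which is outside this hunk), and nothing at the call site explains why a credential-less accept refuses a token. A one-line comment on the branch would help an operator debugging an unexpected GSS_S_NO_CRED, e.g. `/* With no acceptor cred, apply the same mech policy as a default credential would. */`. gss_accept_sec_context begins and ends outside the hunk.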