From: Greg Hudson
Date: Mon, 13 Jul 2015 21:06:29 +0000 (-0400)
Subject: Limit use of deprecated krb5 mech OIDs
X-Git-Tag: krb5-1.14-alpha1~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479;p=thirdparty%2Fkrb5.git

Limit use of deprecated krb5 mech OIDs

Filter out mechs with the GSS_C_MA_DEPRECATED attribute from the set of mechanisms obtained by SPNEGO, and from the set used when gss_acquire_cred() is called with no desired_mechs attribute. SPNEGO acceptors will still accept the old and wrong krb5 OIDs, but SPNEGO initiators will not offer them. According to [MS-SPNG], only Windows 2000 does not recognize the standard krb5 OID, and it is client-only.

In gss-client.c, use the standard krb5 OID for the -krb5 option, as acceptors who call gss_acquire_cred() with no desired_mechs to create an acceptor cred will no longer accept the old or wrong krb5 OIDs.

ticket: 8217 (new)
---
diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c
index 6070d428c8..c96da88aa2 100644
--- a/src/appl/gss-sample/gss-client.c
+++ b/src/appl/gss-sample/gss-client.c
@@ -816,7 +816,7 @@ main(argc, argv)
 } else if (strcmp(*argv, "-spnego") == 0) {
 spnego = 1;
 } else if (strcmp(*argv, "-krb5") == 0) {
- mechanism = "{ 1 3 5 1 5 2 }";
+ mechanism = "{ 1 2 840 113554 1 2 2 }";
 #ifdef _WIN32
 } else if (strcmp(*argv, "-threads") == 0) {
 argc--;
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c
index b9a3142a9d..22be5b4717 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred.c
@@ -135,6 +135,8 @@ OM_uint32 * time_rec;
 OM_uint32 first_major = GSS_S_COMPLETE, first_minor = 0;
 OM_uint32 initTimeOut, acceptTimeOut, outTime = GSS_C_INDEFINITE;
 gss_OID_set mechs = GSS_C_NO_OID_SET;
+ gss_OID_set_desc except_attrs;
+ gss_OID_desc attr_oids[1];
 unsigned int i;
 gss_union_cred_t creds = NULL;
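Review bot: The `-krb5` option now hard-codes a bare OID string with nothing saying which mechanism it names, and the value it replaces is one of the OIDs this patch deprecates, so a later reader has no cue that the old value must not come back; a comment such as `/* standard krb5 mech OID (RFC 1964), not the deprecated ones */` above `mechanism = "{ 1 2 840 113554 1 2 2 }";` would make that explicit. main() begins before this hunk and continues past it.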
@@ -152,10 +154,15 @@ OM_uint32 * time_rec;
 /*
 * if desired_mechs equals GSS_C_NULL_OID_SET, then try to
- * acquire credentials for all mechanisms.
+ * acquire credentials for all non-deprecated mechanisms.
 */
 if (desired_mechs == GSS_C_NULL_OID_SET) {
- major = gss_indicate_mechs(minor_status, &mechs);
+ attr_oids[0] = *GSS_C_MA_DEPRECATED;
+ except_attrs.count = 1;
+ except_attrs.elements = attr_oids;
+ major = gss_indicate_mechs_by_attrs(minor_status, GSS_C_NO_OID_SET,
+ &except_attrs, GSS_C_NO_OID_SET,
+ &mechs);
 if (major != GSS_S_COMPLETE)
 goto cleanup;
 } else
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index bf44bc0b53..9a794abdc5 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2995,7 +2995,7 @@ release_spnego_ctx(spnego_gss_ctx_id_t *ctx)
 * SPNEGO because it will also return the SPNEGO mech and we do not
 * want to consider SPNEGO as an available security mech for
 * negotiation. For this reason, get_available_mechs will return
- * all available mechs except SPNEGO.
+ * all available, non-deprecated mechs except SPNEGO.
 *
 * If a ptr to a creds list is given, this function will attempt
 * to acquire creds for the creds given and trim the list of
@@ -3012,8 +3012,16 @@ get_available_mechs(OM_uint32 *minor_status,
 int found = 0;
 OM_uint32 major_status = GSS_S_COMPLETE, tmpmin;
 gss_OID_set mechs, goodmechs;
-
- major_status = gss_indicate_mechs(minor_status, &mechs);
+ gss_OID_set_desc except_attrs;
+ gss_OID_desc attr_oids[1];
+
+ attr_oids[0] = *GSS_C_MA_DEPRECATED;
+ except_attrs.count = 1;
+ except_attrs.elements = attr_oids;
+ major_status = gss_indicate_mechs_by_attrs(minor_status,
+ GSS_C_NO_OID_SET,
+ &except_attrs,
+ GSS_C_NO_OID_SET, &mechs);
 if (major_status != GSS_S_COMPLETE) {
 return (major_status);
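Review bot: The new `desired_mechs == GSS_C_NULL_OID_SET` branch silently narrows what a default credential covers, and nothing at the call site says why or what a caller who still needs a deprecated mech should do; I would add, above `attr_oids[0] = *GSS_C_MA_DEPRECATED;`, `/* Omit deprecated mechs (e.g. the old krb5 OIDs) from the default set; a caller that still needs one must name it in desired_mechs. */`. The same three-line construction of except_attrs is repeated in get_available_mechs in spnego_mech.c (the last hunk of this patch), so the comment belongs there too, and copying *GSS_C_MA_DEPRECATED into a local gss_OID_desc rather than pointing at it presumably exists to keep the set's elements non-const, which is worth a word as well. The commit message says SPNEGO acceptors still accept the old OIDs even though get_available_mechs no longer returns them, so that must come from a separate acceptor-side path not visible here; a test in which an initiator offers the old OID to this acceptor would pin that behaviour against future changes. The enclosing function starts before this hunk and continues after it.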