From: Greg Hudson Date: Tue, 15 Jul 2014 17:20:43 +0000 (-0400) Subject: Don't equate IAKERB and krb5 in SPNEGO initiator X-Git-Tag: krb5-1.13-alpha1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=887951cd141dd2253912a17da08da016a8030a24;p=thirdparty%2Fkrb5.git Don't equate IAKERB and krb5 in SPNEGO initiator To work around a historical bug in Samba, the SPNEGO initiator treats a counterproposal as matching the optimistic token if both are aliases for the krb5 mech. When IAKERB support was added (#6712), IAKERB was unintentionally added to the set of mech OIDs which were considered to be krb5 aliases for this purpose. Remove IAKERB from gss_mech_set_krb5_both and create a new internal mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs. ticket: 7974 (new)
---
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 0b199814ad..7e807cc059 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -90,6 +90,8 @@
 #define GSS_MECH_IAKERB_OID_LENGTH 6
 #define GSS_MECH_IAKERB_OID "\053\006\001\005\002\005"
+extern const gss_OID_set_desc * const kg_all_mechs;
+
 #define CKSUMTYPE_KG_CB 0x8003
 #define KG_TOK_CTX_AP_REQ 0x0100
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index a408259cfb..6456b238e4 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -160,14 +160,14 @@ const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+5;
 static const gss_OID_set_desc oidsets[] = {
 {1, (gss_OID) krb5_gss_oid_array+0}, /* RFC OID */
 {1, (gss_OID) krb5_gss_oid_array+1}, /* pre-RFC OID */
- {4, (gss_OID) krb5_gss_oid_array+0}, /* includes wrong OID & IAKERB */
- {1, (gss_OID) krb5_gss_oid_array+2},
- {3, (gss_OID) krb5_gss_oid_array+0},
+ {3, (gss_OID) krb5_gss_oid_array+0}, /* all names for krb5 mech */
+ {4, (gss_OID) krb5_gss_oid_array+0}, /* all krb5 names and IAKERB */
 };
 const gss_OID_set_desc * const gss_mech_set_krb5 = oidsets+0;
 const gss_OID_set_desc * const gss_mech_set_krb5_old = oidsets+1;
 const gss_OID_set_desc * const gss_mech_set_krb5_both = oidsets+2;
+const gss_OID_set_desc * const kg_all_mechs = oidsets+3;
 g_set kg_vdb = G_SET_INIT;
diff --git a/src/lib/gssapi/krb5/indicate_mechs.c b/src/lib/gssapi/krb5/indicate_mechs.c
index 4bd1fd6973..45538cb779 100644
--- a/src/lib/gssapi/krb5/indicate_mechs.c
+++ b/src/lib/gssapi/krb5/indicate_mechs.c
@@ -33,5 +33,5 @@ krb5_gss_indicate_mechs(minor_status, mech_set)
 OM_uint32 *minor_status;
 gss_OID_set *mech_set;
 {
- return generic_gss_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set);
+ return generic_gss_copy_oid_set(minor_status, kg_all_mechs, mech_set);
 }
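Review bot: The `oidsets` table in gssapi_krb5.c still expresses set membership only as a count plus an offset into `krb5_gss_oid_array`, and the pointers below it use bare indices (`oidsets+2`, `oidsets+3`), so the invariant this commit restores is not written down next to the data. The commit message says IAKERB entered `gss_mech_set_krb5_both` unintentionally, presumably through a bumped count when the array grew. I would add a comment above the table, for example `/* krb5_gss_oid_array[0..2] are krb5 aliases; [3] is IAKERB and belongs only in kg_all_mechs. gss_mech_set_krb5_both is used for alias matching and must never include it. */`. The layout of `krb5_gss_oid_array` is outside the hunk, so the element numbers need confirming against its definition.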
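Review bot: `krb5_gss_indicate_mechs` in indicate_mechs.c is the only consumer this diff moves to `kg_all_mechs`, while `gss_mech_set_krb5_both` shrinks from four OIDs to three for every other user without any compile-time signal. No other users are visible here, so the tree should be searched for remaining references that expected IAKERB to be a member; if the symbol is part of the exported API, the changed contents also deserve a release note. The diff carries no test, and a small check that the indicated mech set still contains the IAKERB OID while `gss_mech_set_krb5_both` does not would pin both halves of the fix. The function definition starts above the hunk; only its K&R parameter declarations and body are shown.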