From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 6 Oct 2019 22:35:50 +0000 (-0400)
Subject: Accept GSS mechs which don't supply attributes
X-Git-Tag: krb5-1.18-beta1~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd321c9caa6dc4b034bc3279a1af39af4c41210d;p=thirdparty%2Fkrb5.git

Accept GSS mechs which don't supply attributes

If gss_inquire_attrs_for_mech() is called for a mechanism which does
not implement it, the call will succeed with mech_attrs set to
GSS_C_NO_OID_SET (as is explicitly allowed by RFC 5587).
generic_gss_test_oid_set_member() returns an error on this value,
causing gss_accept_sec_context() to erroneously deny the mechanism
when no verifier credential handle is supplied.  Change
allow_mech_by_default() to explicitly check for no mech attribute set.

ticket: 8840 (new)
tags: pullup
target_version: 1.17-next
target_version: 1.16-next
---

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index f28e2b14a9..1a03cf43b1 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -104,6 +104,10 @@ allow_mech_by_default(gss_OID mech)
     if (status)
 	return 0;
 
+    /* If the mechanism doesn't support RFC 5587, don't exclude it. */
+    if (attrs == GSS_C_NO_OID_SET)
+	return 1;
+
     /* Check for each attribute which would cause us to exclude this mech from
      * the default credential. */
     if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_DEPRECATED,