From: ghudson@mit.edu
Subject: git commit

Report inquire_attrs_for_mech mech failures

Previously, gss_inquire_attrs_for_mech() would return a list of mech
attributes that it knew about when given a bad mech oid or a mechanism
which did not provide a gss_inquire_attrs_for_mech() method. It seems
more useful to just report the failure to the application rather than
allowing it to continue with a faulty mechanism.

https://github.com/krb5/krb5/commit/030a4a03a0480969d6acf1591f39fd194642805a
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 030a4a03a0480969d6acf1591f39fd194642805a
Branch: master
src/lib/gssapi/mechglue/g_mechattr.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)

As committed, this change breaks SPNEGO and gss_acquire_cred() in the
presence of mechs which don't implement RFC 5587. I have removed the
pullup tag until we commit a better change.

From: ghudson@mit.edu
Subject: git commit

Revisit inquire_attrs_for_mech on old mechs

In gss_inquire_attrs_for_mech(), if the mech does not implement RFC
5587, return success with empty mech_attrs and known_mech_attrs sets
to indicate a lack of knowledge for all attributes. The previous
behavior of returning an error caused gss_indicate_mechs_by_attr() to
fail out in the presence of an old mechanism, in turn causing
gss_acquire_cred() and SPNEGO to break.

https://github.com/krb5/krb5/commit/89683d1f135765e91041f3a239af865b11aaf86b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 89683d1f135765e91041f3a239af865b11aaf86b
Branch: master
src/lib/gssapi/mechglue/g_mechattr.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Report inquire_attrs_for_mech mech failures

Previously, gss_inquire_attrs_for_mech() would return a list of mech
attributes that it knew about when given a bad mech oid or a mechanism
which did not provide a gss_inquire_attrs_for_mech() method. It seems
more useful to just report the failure to the application rather than
allowing it to continue with a faulty mechanism.

(cherry picked from commit 030a4a03a0480969d6acf1591f39fd194642805a)

https://github.com/krb5/krb5/commit/96125088fc6cf56dd839004dc6f6ef202de9da7e
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 96125088fc6cf56dd839004dc6f6ef202de9da7e
Branch: krb5-1.14
src/lib/gssapi/mechglue/g_mechattr.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Revisit inquire_attrs_for_mech on old mechs

In gss_inquire_attrs_for_mech(), if the mech does not implement RFC
5587, return success with empty mech_attrs and known_mech_attrs sets
to indicate a lack of knowledge for all attributes. The previous
behavior of returning an error caused gss_indicate_mechs_by_attr() to
fail out in the presence of an old mechanism, in turn causing
gss_acquire_cred() and SPNEGO to break.

(cherry picked from commit 89683d1f135765e91041f3a239af865b11aaf86b)

https://github.com/krb5/krb5/commit/9e26436f2acb5fcd450f5cc1ac1f81ccbb0aa6ac
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 9e26436f2acb5fcd450f5cc1ac1f81ccbb0aa6ac
Branch: krb5-1.14
src/lib/gssapi/mechglue/g_mechattr.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)

This may need revisiting again.

In the current state (after these commits), an old mech returns GSS_S_COMPLETE with *mech_attrs and *known_mech_attrs set to GSS_C_NO_OID_SET.  RFC 5587 explicitly allows this for mech_attrs: "the output mech_attrs parameter MAY be the empty set (GSS_C_NO_OID_SET)".  It does not explicitly allow this for known_mech_attrs; this is possibly an accidental omission in the RFC.

gss_indicate_mechs_by_attrs() uses generic_gss_test_oid_set_member() on the values returned by gss_inquire_attrs_for_mech().  generic_gss_test_oid_set_member() considers set==GSS_C_NO_OID_SET to be a calling error and returns GSS_S_CALL_INACCESSIBLE_READ.  gss_indicate_mechs_by_attrs() interprets any error as equivalent to success with present=0, but the occurrence of a calling error suggests that either gss_inquire_attrs_for_mech() is wrong to output GSS_C_NO_OID_SET or that gss_test_oid_set_member() is wrong to consider set==GSS_C_NO_OID_SET to be an error.

RFC 2743 and 2744 do not say whether gss_test_oid_set_member() should error on set==GSS_C_NO_OID_SET.  They do not lend any general support to the idea of using GSS_C_NO_OID_SET as a synonym for the empty set, and gss_acquire_cred() uses desired_mechs==GSS_C_NO_OID_SET to indicate a default mechanism set, not the empty set.  So there is a reasonable argument that RFC 5587 should not have included text permitting GSS_C_NO_OID_SET outputs.

Heimdal's gss_test_oid_set_member() crashes on set==GSS_C_NO_OID_SET, and its gss_inquire_attrs_for_mech() does not appear to use GSS_C_NO_OID_SET outputs.
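
Added example, not part of the ticket and not krb5 or Heimdal code: a self-contained C model of the mismatch described in the last comment, with a caller-side guard that reads a GSS_C_NO_OID_SET output as the empty set before testing membership. The types, constants and function names are stand-ins modelled on RFC 2744, and the OID bytes are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in types and constants modelled on RFC 2744; not the krb5 headers. */
typedef struct { unsigned int length; const void *elements; } oid_desc;
typedef struct { size_t count; const oid_desc *elements; } oid_set_desc;
#define NO_OID_SET ((const oid_set_desc *)0)
#define S_COMPLETE 0u
#define S_CALL_INACCESSIBLE_READ (1u << 24)

/* Constructed sample data: two made-up attribute OIDs and a one-member set. */
static const oid_desc attr_a = { 3, "\x2a\x03\x04" };
static const oid_desc attr_b = { 3, "\x2a\x03\x05" };
static const oid_set_desc known = { 1, &attr_a };

/* Membership test with the behaviour described above: a null set is a calling error. */
static unsigned int test_member(const oid_desc *m, const oid_set_desc *set,
                                int *present)
{
    size_t i;
    if (m == NULL || set == NO_OID_SET || present == NULL)
        return S_CALL_INACCESSIBLE_READ;
    *present = 0;
    for (i = 0; i < set->count; i++) {
        if (set->elements[i].length == m->length &&
            memcmp(set->elements[i].elements, m->elements, m->length) == 0)
            *present = 1;
    }
    return S_COMPLETE;
}

/* Caller-side guard: treat a NO_OID_SET output as "no attributes known", so a
 * remaining calling error means a real bug rather than an old mechanism. */
static unsigned int attr_present(const oid_desc *attr, const oid_set_desc *attrs,
                                 int *present)
{
    static const oid_set_desc empty = { 0, NULL };
    return test_member(attr, attrs == NO_OID_SET ? &empty : attrs, present);
}

int main(void)
{
    int p = -1;
    /* Old mech: outputs are NO_OID_SET; the guard reports "absent" with success. */
    return attr_present(&attr_a, NO_OID_SET, &p) == S_COMPLETE && p == 0 ? 0 : 1;
}
```

With the guard in place the caller no longer needs to map every error to present=0, so a null attribute pointer or a null output pointer still surfaces as a calling error.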