Subject: SPNEGO gss_init_sec_context() can fail or prematurely resolve creds
SPNEGO's gss_init_sec_context() must determine a set of negotiable
mechanisms to send to the server. If an initiator cred handle was
provided by the caller, this process begins by calling
gss_inquire_cred() on the mechglue cred handle, passing NULL for all
of the result fields except the mechanism list.

Although the mechglue can service this request without making any
calls to mechs, it makes a call to the first mech in the credential
anyway. This can have some unfortunate side-effects:

* If the first cred is a krb5 cred which has not yet been resolved to
a specific ccache, it will be resolved without the benefit of the
target name, so the SPNEGO authorization will use the primary
credential cache rather than one chosen based on the authentication
target.

* If the first cred is a krb5 cred which has expired (before or after
resolution), the krb5 gss_inquire_cred() method will return
GSS_S_CREDENTIALS_EXPIRED, causing the SPNEGO gss_init_sec_context()
call to fail when it could otherwise proceed with a different
mechanism. (In at least some cases, this error could be detected at
gss_acquire_cred() time.)

The mechglue gss_inquire_context() function should skip the call into
the mechanism if the caller did not request a name, lifetime, or cred
usage.
From: ghudson@mit.edu
Subject: git commit

Skip unnecessary mech calls in gss_inquire_cred()

If the caller does not request a name, lifetime, or cred_usage when
calling gss_inquire_cred(), service the call by copying the mechanism
list (if requested) but do not call into the mech.

This change alleviates an issue (reported by Adam Bernstein) where
SPNEGO can fail in the presence of expired krb5 credentials rather
than proceeding with a different mechanism, or can resolve a krb5
credential without the benefit of the target name.

https://github.com/krb5/krb5/commit/ff5eb892910eeac335d989ae14020da4ffbcc8ec
Author: Greg Hudson <ghudson@mit.edu>
Commit: ff5eb892910eeac335d989ae14020da4ffbcc8ec
Branch: master
src/lib/gssapi/mechglue/g_inq_cred.c | 41 +++++++++++++++++++---------------
1 files changed, 23 insertions(+), 18 deletions(-)
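The two dispatch behaviours described in the ticket and the commit message, as an added model in C that is not the krb5 source: a union (mechglue) cred whose first element is an expired krb5 cred, a stand-in for a mechanism's gss_inquire_cred() that fails on expiry, and a `skip_unneeded` switch selecting the pre-fix path (always enter the first mech) or the fixed path (serve a mechanism-list-only request from the union cred). All `model_` names and the OID strings are constructed for this illustration.

```c
/* Added example (not krb5 source): a simplified model of the mechglue
 * gss_inquire_cred() dispatch. Names prefixed "model_" are constructed. */
#include <stddef.h>

#define GSS_S_COMPLETE            0u
#define GSS_S_CREDENTIALS_EXPIRED (11u << 16)  /* RFC 2744 routine error 11 */

/* One mechanism-specific credential inside the union (mechglue) cred. */
typedef struct { const char *oid; int expired; int inquire_calls; } model_mech_cred;
typedef struct { model_mech_cred *creds; size_t count; } model_union_cred;

/* Stand-in for a mechanism's gss_inquire_cred(): entering it has a side
 * effect (a counter here; in krb5, resolving the ccache without the target
 * name) and it fails if that mechanism's credential has expired. */
unsigned model_mech_inquire(model_mech_cred *mc)
{
    mc->inquire_calls++;
    return mc->expired ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
}

/* skip_unneeded = 0 reproduces the pre-fix behaviour (always enter the
 * first mech); 1 models the fix: if the caller wants neither name,
 * lifetime nor cred usage, answer from the union cred alone. */
unsigned model_inquire_cred(model_union_cred *uc, int want_name,
                            int want_lifetime, int want_usage,
                            const char **mechs_out, size_t *nmechs_out,
                            int skip_unneeded)
{
    size_t i;
    int need_mech = want_name || want_lifetime || want_usage;

    if (need_mech || !skip_unneeded) {
        unsigned maj = model_mech_inquire(&uc->creds[0]);
        if (maj != GSS_S_COMPLETE)
            return maj;          /* SPNEGO's init_sec_context fails here */
    }
    if (mechs_out != NULL) {     /* mechanism list comes from the union cred */
        for (i = 0; i < uc->count; i++)
            mechs_out[i] = uc->creds[i].oid;
        *nmechs_out = uc->count;
    }
    return GSS_S_COMPLETE;
}
```

With the fixed path, a SPNEGO-style caller asking only for the mechanism list gets both mechanisms back and the expired krb5 cred is never touched; asking for the name still consults the mech and surfaces GSS_S_CREDENTIALS_EXPIRED.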
From: tlyu@mit.edu
Subject: git commit

Skip unnecessary mech calls in gss_inquire_cred()

If the caller does not request a name, lifetime, or cred_usage when
calling gss_inquire_cred(), service the call by copying the mechanism
list (if requested) but do not call into the mech.

This change alleviates an issue (reported by Adam Bernstein) where
SPNEGO can fail in the presence of expired krb5 credentials rather
than proceeding with a different mechanism, or can resolve a krb5
credential without the benefit of the target name.

(cherry picked from commit ff5eb892910eeac335d989ae14020da4ffbcc8ec)

https://github.com/krb5/krb5/commit/1f3e550f5c7a626d45c8bacccb6d52079308aa7e
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 1f3e550f5c7a626d45c8bacccb6d52079308aa7e
Branch: krb5-1.14
src/lib/gssapi/mechglue/g_inq_cred.c | 41 +++++++++++++++++++---------------
1 files changed, 23 insertions(+), 18 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Skip unnecessary mech calls in gss_inquire_cred()

If the caller does not request a name, lifetime, or cred_usage when
calling gss_inquire_cred(), service the call by copying the mechanism
list (if requested) but do not call into the mech.

This change alleviates an issue (reported by Adam Bernstein) where
SPNEGO can fail in the presence of expired krb5 credentials rather
than proceeding with a different mechanism, or can resolve a krb5
credential without the benefit of the target name.

(cherry picked from commit ff5eb892910eeac335d989ae14020da4ffbcc8ec)

https://github.com/krb5/krb5/commit/dd51cee8414b37e7ff4ffb8b2d1b0659b106f87c
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: dd51cee8414b37e7ff4ffb8b2d1b0659b106f87c
Branch: krb5-1.13
src/lib/gssapi/mechglue/g_inq_cred.c | 41 +++++++++++++++++++---------------
1 files changed, 23 insertions(+), 18 deletions(-)