To: | rt@krbdev.mit.edu |
Subject: | SPNEGO should filter mechs on acceptor with gss_acquire_cred() |
Date: | Tue, 29 Oct 2019 14:41:16 -0400 |
From: | ghudson@mit.edu |
In SPNEGO, the initiator proposes a list of mechanisms and the acceptor picks one. In the code, the list of negotiable mechanisms on each side is taken from the credential if one is provided; otherwise gss_indicate_mechs() is used (with SPNEGO removed, and after tickets 8021 and 8217 some mechs are filtered out by attribute). In the latter case, the initiator but not the acceptor filters the mechs using gss_acquire_cred(). This distinction in behavior dates back to the original import of the Solaris SPNEGO code.
I believe the acceptor should also filter mechs using gss_acquire_cred(), to reduce the likelihood that it will choose a mechanism it cannot accept. This will also provide greater consistency between using the default verifier_cred_handle and using an explicitly acquired verifier_cred_handle obtained with the default name and mech list.
I believe the acceptor should also filter mechs using gss_acquire_cred(), to reduce the likelihood that it will choose a mechanism it cannot accept. This will also provide greater consistency between using the default verifier_cred_handle and using an explicitly acquired verifier_cred_handle obtained with the default name and mech list.