gss: fix downlevel Windows interop regression

The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO, through which the Kerberos mechanism could indicate to SPNEGO that the peer did not suffer from SPNEGO conformance bugs present in some versions of Windows.* This patch restores this workaround, documented in [MS-SPNG] Appendix A <7> Section 3.1.5.1. Whilst improving interoperability with these admittedly now unsupported versions of Windows, it does introduce a risk that Kerberos with pre-AES ciphers could be negotiated in lieu of a stronger and more preferred mechanism. Note: this patch inverts the mechanism interface from GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new mechanisms (which did not ship with these older versions of Windows) are not required to implement it. * Windows 2000, Windows 2003, and Windows XP
2020-04-09 22:51:30 +10:00
parent 0cb752258e
commit 7df0195c26
7 changed files with 35 additions and 48 deletions
--- a/lib/gssapi/gssapi/gssapi_oid.h
+++ b/lib/gssapi/gssapi/gssapi_oid.h
@@ -154,8 +154,8 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_spnego_mechanism_oid_desc;
 #define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)

 /* From Luke Howard */
-extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_peer_has_updated_spnego_oid_desc;
-#define GSS_C_PEER_HAS_UPDATED_SPNEGO (&__gss_c_peer_has_updated_spnego_oid_desc)
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_inq_peer_has_buggy_spnego_oid_desc;
+#define GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO (&__gss_c_inq_peer_has_buggy_spnego_oid_desc)

 extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ntlm_reset_crypto_oid_desc;
 #define GSS_C_NTLM_RESET_CRYPTO (&__gss_c_ntlm_reset_crypto_oid_desc)