oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gss: fix downlevel Windows interop regression

Browse Source 
The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO,
through which the Kerberos mechanism could indicate to SPNEGO that the peer did
not suffer from SPNEGO conformance bugs present in some versions of Windows.*

This patch restores this workaround, documented in [MS-SPNG] Appendix A <7>
Section 3.1.5.1. Whilst improving interoperability with these admittedly now
unsupported versions of Windows, it does introduce a risk that Kerberos with
pre-AES ciphers could be negotiated in lieu of a stronger and more preferred
mechanism.

Note: this patch inverts the mechanism interface from
GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new
mechanisms (which did not ship with these older versions of Windows) are not
required to implement it.

* Windows 2000, Windows 2003, and Windows XP
This commit is contained in:
Luke Howard
2020-04-09 22:51:30 +10:00
parent 0cb752258e
commit 7df0195c26
7 changed files with 35 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/gssapi/version-script.map
View File

@@ -171,7 +171,6 @@ HEIMDAL_GSS_2.0 {
__gss_krb5_mechanism_oid_desc;
__gss_ntlm_mechanism_oid_desc;
__gss_spnego_mechanism_oid_desc;
__gss_c_peer_has_updated_spnego_oid_desc;
__gss_c_ma_mech_concrete_oid_desc;
__gss_c_ma_mech_pseudo_oid_desc;
__gss_c_ma_mech_composite_oid_desc;