Files
heimdal/lib/gssapi/krb5
Luke Howard 7df0195c26 gss: fix downlevel Windows interop regression
The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO,
through which the Kerberos mechanism could indicate to SPNEGO that the peer did
not suffer from SPNEGO conformance bugs present in some versions of Windows.*

This patch restores this workaround, documented in [MS-SPNG] Appendix A <7>
Section 3.1.5.1. Whilst improving interoperability with these admittedly now
unsupported versions of Windows, it does introduce a risk that Kerberos with
pre-AES ciphers could be negotiated in lieu of a stronger and more preferred
mechanism.

Note: this patch inverts the mechanism interface from
GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new
mechanisms (which did not ship with these older versions of Windows) are not
required to implement it.

* Windows 2000, Windows 2003, and Windows XP
2020-04-13 10:26:38 +10:00
..
2016-11-16 17:03:14 -06:00
2009-01-25 00:35:00 +00:00
2017-04-29 01:05:59 -04:00
2016-11-16 17:03:14 -06:00
2011-05-21 11:57:31 -07:00
2017-04-29 01:05:59 -04:00
2020-02-04 17:28:35 +11:00
2011-05-21 11:57:31 -07:00
2011-07-24 16:02:22 -07:00
2018-12-28 19:26:25 -06:00
2019-10-03 13:09:18 -05:00
2017-03-10 15:47:43 -05:00
2017-04-29 01:05:59 -04:00