[Heimdal-source-changes] [heimdal/heimdal] 7df019: gss: fix downlevel Windows interop regression
Luke Howard
noreply at github.com
Mon Apr 13 02:26:51 CEST 2020
Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 7df0195c26634576f498f1b5da18c1b479001f1b
https://github.com/heimdal/heimdal/commit/7df0195c26634576f498f1b5da18c1b479001f1b
Author: Luke Howard <lukeh at padl.com>
Date: 2020-04-13 (Mon, 13 Apr 2020)
Changed paths:
M lib/gssapi/gssapi/gssapi_oid.h
M lib/gssapi/krb5/inquire_sec_context_by_oid.c
M lib/gssapi/libgssapi-exports.def
M lib/gssapi/mech/gss_oid.c
M lib/gssapi/oid.txt
M lib/gssapi/spnego/compat.c
M lib/gssapi/version-script.map
Log Message:
-----------
gss: fix downlevel Windows interop regression

The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO,
through which the Kerberos mechanism could indicate to SPNEGO that the peer did
not suffer from SPNEGO conformance bugs present in some versions of Windows.*

This patch restores this workaround, documented in [MS-SPNG] Appendix A <7>
Section 3.1.5.1. Whilst improving interoperability with these admittedly now
unsupported versions of Windows, it does introduce a risk that Kerberos with
pre-AES ciphers could be negotiated in lieu of a stronger and more preferred
mechanism.

Note: this patch inverts the mechanism interface from
GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new
mechanisms (which did not ship with these older versions of Windows) are not
required to implement it.

* Windows 2000, Windows 2003, and Windows XP