[28221] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.10]: Fix SPNEGO one-hop interop against old IIS
daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Jan 22 22:38:12 2014
Date: Wed, 22 Jan 2014 22:37:58 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201401230337.s0N3bwrM031006@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/e36d043094fe214c5519244ea93112ca5331e007
commit e36d043094fe214c5519244ea93112ca5331e007
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Dec 10 12:04:18 2013 -0500
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
(cherry picked from commit 37af638b742dbd642eb70092e4f7781c3f69d86d)
ticket: 7842 (new)
version_fixed: 1.10.8
status: resolved
src/lib/gssapi/spnego/spnego_mech.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index fe93140..f26db63 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -749,6 +749,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
map_errcode(minor_status);
ret = GSS_S_DEFECTIVE_TOKEN;
}
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
+ /* Handle old IIS servers returning empty token instead of
+ * null tokens in the non-mutual auth case. */
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
} else if (sc->mech_complete) {
/* Reject spurious mech token. */
ret = GSS_S_DEFECTIVE_TOKEN;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
