[30651] in CVS-changelog-for-Kerberos-V5

krb5 commit [krb5-1.17]: Fix SPNEGO fallback context handling

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 9 18:24:54 2019

Date: Mon, 9 Dec 2019 18:24:33 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201912092324.xB9NOXsU020225@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/206edea3b1e10bfef331d7e03dcb1e1b55c40d79
commit 206edea3b1e10bfef331d7e03dcb1e1b55c40d79
Author: Greg Hudson <ghudson@mit.edu>
Date:   Mon Nov 11 12:25:41 2019 -0500

    Fix SPNEGO fallback context handling
    
    In init_ctx_call_init(), if gss_init_sec_context() fails while
    producing the first SPNEGO initiator token, we remove the first
    candidate mechanism from sc->mech_set and try again.  If
    sc->ctx_handle is present after the error (more likely after commit
    56f7b1bc95a2a3eeb420e069e7655fb181ade5cf), we must clear it before
    falling back or it will cause subsequent attempts to fail.
    
    (cherry picked from commit 40ecfad10dd36700028ff0f3d0d79ce7925fe545)
    
    ticket: 8846
    version_fixed: 1.17.1

 src/lib/gssapi/spnego/spnego_mech.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 9d6027c..efcec2d 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -982,6 +982,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
 	gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
 	if (put_mech_set(sc->mech_set, &sc->DER_mechTypes) < 0)
 		goto fail;
+	gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER);
 	tmpret = init_ctx_call_init(&tmpmin, sc, spcred, target_name,
 				    req_flags, time_req, mechtok_in,
 				    actual_mech, mechtok_out, ret_flags,
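Review bot: The new gss_delete_sec_context() call ahead of the recursive init_ctx_call_init() carries no comment, so nothing in the code says why sc->ctx_handle has to be dropped before the fallback attempt. A one-line comment stating that a partial context left by the failed mechanism must be cleared before trying the next candidate would keep the reason next to the call, not only in the commit message. The call also sits after the put_mech_set() check, so the `goto fail` branch never reaches it, and its status is discarded into tmpmin; it is worth confirming that the fail path copes with a leftover sc->ctx_handle and that ignoring the result is intended.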