[11257] in Kerberos-V5-bugs


[krbdev.mit.edu #6603] issues with SPNEGO

daemon@ATHENA.MIT.EDU (Arlene Berry" via RT)
Tue Dec 22 21:29:59 2009

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: ""Arlene Berry" via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6603@krbdev.mit.edu>
Message-ID: <rt-6603-31932.10.952068316419@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6603'":;"'AdminCc of krbdev.mit.edu Ticket #6603'":;@MIT.EDU
Date: Wed, 23 Dec 2009 02:29:31 +0000 (UTC)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

I found two problems with SPNEGO and the conversation between the
initiator and the acceptor.  One is that if the initiator produces the
final mechanism token it doesn't send it to the acceptor who is waiting
for it.  The other is that if the mechanism doesn't set
GSS_C_INTEG_FLAG, the acceptor never sets the state to ACCEPT_COMPLETE.
This fixed both problems for us:


Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c	(revision 23482)
+++ src/lib/gssapi/spnego/spnego_mech.c	(working copy)
@@ -652,8 +652,9 @@
 		 * mech not finished and mech token missing
 		 */
 		ret = GSS_S_DEFECTIVE_TOKEN;
-	} else if (sc->mic_reqd &&
-		   (sc->ctx_flags & GSS_C_INTEG_FLAG)) {
+	} else if (*acc_negState == ACCEPT_INCOMPLETE ||
+	           (sc->mic_reqd &&
+		    (sc->ctx_flags & GSS_C_INTEG_FLAG))) {
 		*negState = ACCEPT_INCOMPLETE;
 		*tokflag = CONT_TOKEN_SEND;
 		ret = GSS_S_CONTINUE_NEEDED;
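Review bot: the new first operand, `*acc_negState == ACCEPT_INCOMPLETE`, dereferences a pointer that the visible context neither declares nor checks, so please confirm it is in scope here and always points at an initialized value on this path, including when the acceptor's reply carried no negState. With this change the branch is also taken regardless of `sc->mic_reqd` and `GSS_C_INTEG_FLAG`, so any comment that describes this branch as the MIC-required case should be updated to say a continuation token is sent whenever the acceptor is still incomplete. Style: the continuation line `(sc->mic_reqd &&` is indented with a tab followed by spaces, while the neighbouring lines use tabs only.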
@@ -1534,6 +1535,11 @@
 			sc->mic_reqd = 0;
 		}
 #endif
+
+		if (sc->mic_reqd && !(sc->ctx_flags & GSS_C_INTEG_FLAG))
{
+			sc->mic_reqd = 0;
+		}
+
 		sc->mech_complete = 1;
 		if (ret_flags != NULL)
 			*ret_flags = sc->ctx_flags;
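Review bot: the added block sets `sc->mic_reqd = 0` whenever the mechanism did not return `GSS_C_INTEG_FLAG`, with no comment explaining why dropping the MIC requirement is acceptable at this point. Since `mic_reqd` is what makes the exchange continue for a MIC in the first hunk, clearing it here means the negotiation completes without one, so please add a comment stating the cases in which this is expected and that it is the intended behaviour when the mechanism cannot provide integrity. Also, the `if (sc->mic_reqd && !(sc->ctx_flags & GSS_C_INTEG_FLAG))` line appears to have been wrapped in transit, leaving the opening `{` on an unprefixed line of its own, so the hunk no longer matches its `@@ -1534,6 +1535,11 @@` line count; resending the patch as an attachment would avoid that.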


_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
