[17199] in Kerberos_V5_Development


Bug in SPNEGO

daemon@ATHENA.MIT.EDU (Luke Howard)
Thu Sep 22 04:58:42 2011

From: Luke Howard <lukeh@padl.com>
Date: Thu, 22 Sep 2011 18:58:34 +1000
Message-Id: <B4FEE6A1-206A-4402-9815-98298DACB97A@padl.com>
To: krbdev@mit.edu

SPNEGO fails to set some of the return arguments to gss_accept_sec_context() if the negotiated mechanism's gss_accept_sec_context() isn't called, as happens when the last token only contains a mechlistMIC. This breaks some applications, for example gss-server, which expects the returned mech_type OID to be non-NULL.

The following patch is a start but one also needs to deal with delegated_cred_handle:

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 657a2f8..30f9eeb 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1749,6 +1749,13 @@ cleanup:
                        *src_name = sc->internal_name;
                        sc->internal_name = GSS_C_NO_NAME;
                }
+               if (sc->internal_mech != GSS_C_NO_OID &&
+                   mech_type != NULL) {
+                       *mech_type = sc->internal_mech;
+                       sc->internal_mech = GSS_C_NO_OID;
+               }
+               if (ret_flags != NULL)
+                       *ret_flags = sc->ctx_flags;
                release_spnego_ctx(&sc);
        } else if (ret != GSS_S_CONTINUE_NEEDED) {
                if (sc != NULL) {
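
Review bot: the added block hands sc->internal_mech to the caller and then clears it to GSS_C_NO_OID just before release_spnego_ctx(&sc), which reads as an ownership transfer, but RFC 2744 has callers treat the mech_type result of gss_accept_sec_context() as read-only static storage that they never free. Please confirm internal_mech always points at a static OID here; if it can be heap-allocated, this leaks it, and if it is always static, a comment saying so would help. Two smaller points on the same lines: *mech_type is still left untouched when sc->internal_mech is GSS_C_NO_OID, so initializing it at function entry would avoid handing back an indeterminate pointer, and the unconditional *ret_flags = sc->ctx_flags is only correct if ctx_flags is kept current on the path where the negotiated mechanism's accept call did run in this round, which is worth checking before it overwrites that result. As the message notes, delegated_cred_handle has the same gap and is not covered by this hunk.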

-- Luke
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
