rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity
03254981cb
krb5/krb5-master-ignore-empty-unnecessary-final-token.patch
Michael Calmer 03254981cb Accepting request 213903 from home:ckornacker:branches:network 
- update to version 1.12
  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
  * Add a FAST OTP preauthentication module for the KDC which uses
    RADIUS to validate OTP token values.
  * The AES-based encryption types will use AES-NI instructions
    when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it's not yet
  available
- update and rebase patches

OBS-URL: https://build.opensuse.org/request/show/213903
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=114
2014-01-15 14:14:20 +00:00

38 lines
1.5 KiB
Diff
Raw Blame History

commit 37af638b742dbd642eb70092e4f7781c3f69d86d
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Dec 10 12:04:18 2013 -0500
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3937662..d82934b 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
map_errcode(minor_status);
ret = GSS_S_DEFECTIVE_TOKEN;
}
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
+ /* Handle old IIS servers returning empty token instead of
+ * null tokens in the non-mutual auth case. */
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
} else if (sc->mech_complete) {
/* Reject spurious mech token. */
ret = GSS_S_DEFECTIVE_TOKEN;
View Git Blame Copy Permalink