Pick up another interop fix from master (RT#7797)
- pull in fix from master to ignore an empty token from an acceptor if we've already finished authenticating (RT#7797, part of #1043962)
parent
735b73ebbb
commit
39888b7c42
37
krb5-master-ignore-empty-unnecessary-final-token.patch
Normal file
@ -0,0 +1,37 @@
|
||||
commit 37af638b742dbd642eb70092e4f7781c3f69d86d
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue Dec 10 12:04:18 2013 -0500
|
||||
|
||||
Fix SPNEGO one-hop interop against old IIS
|
||||
|
||||
IIS 6.0 and similar return a zero length reponse buffer in the last
|
||||
SPNEGO packet when context initiation is performed without mutual
|
||||
authentication. In this case the underlying Kerberos mechanism has
|
||||
already completed successfully on the first invocation, and SPNEGO
|
||||
does not expect a mech response token in the answer. If we get an
|
||||
empty mech response token when the mech is complete during
|
||||
negotiation, ignore it.
|
||||
|
||||
[ghudson@mit.edu: small code style and commit message changes]
|
||||
|
||||
ticket: 7797 (new)
|
||||
target_version: 1.12.1
|
||||
tags: pullup
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 3937662..d82934b 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
|
||||
map_errcode(minor_status);
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
||||
}
|
||||
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
|
||||
+ /* Handle old IIS servers returning empty token instead of
|
||||
+ * null tokens in the non-mutual auth case. */
|
||||
+ *negState = ACCEPT_COMPLETE;
|
||||
+ *tokflag = NO_TOKEN_SEND;
|
||||
+ ret = GSS_S_COMPLETE;
|
||||
} else if (sc->mech_complete) {
|
||||
/* Reject spurious mech token. */
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
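Review bot: In the new `else if ((*responseToken)->length == 0 && sc->mech_complete)` branch, `*negState` is overwritten with ACCEPT_COMPLETE without looking at the state the acceptor actually sent, so unless an earlier check rules it out, an empty token paired with a different negState would still finish as GSS_S_COMPLETE. Consider requiring the received state to already be ACCEPT_COMPLETE before taking this path, or say in the comment why it cannot be anything else here. The branch also dereferences `*responseToken`, and the guard against a missing token is not visible in the context lines, so it is worth confirming that the preceding `if` covers that case. The comment could also note that this test must stay ahead of the `else if (sc->mech_complete)` rejection below it, and the change carries no regression test for the zero-length token case.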
@ -91,6 +91,7 @@ Patch105: krb5-kvno-230379.patch
|
||||
Patch129: krb5-1.11-run_user_0.patch
|
||||
Patch134: krb5-1.11-kpasswdtest.patch
|
||||
Patch135: krb5-master-no-malloc0.patch
|
||||
Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -302,6 +303,7 @@ ln -s NOTICE LICENSE
|
||||
%patch86 -p0 -b .debuginfo
|
||||
%patch105 -p1 -b .kvno
|
||||
%patch135 -p1 -b .no-malloc0
|
||||
%patch136 -p1 -b .ignore-empty-unnecessary-final-token
|
||||
|
||||
# Apply when the hard-wired or configured default location is
|
||||
# DIR:/run/user/%%{uid}/krb5cc.
|
||||
@ -960,6 +962,8 @@ exit 0
|
||||
- pull in fix from master to return a NULL pointer rather than allocating
|
||||
zero bytes of memory if we read a zero-length input token (RT#7794, part of
|
||||
#1043962)
|
||||
- pull in fix from master to ignore an empty token from an acceptor if
|
||||
we've already finished authenticating (RT#7797, part of #1043962)
|
||||
|
||||
* Wed Dec 11 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.12-1
|
||||
- update to 1.12 final
|
||||
|