From 39888b7c424b00db72d32c2841b55cd0ffc16b33 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Wed, 18 Dec 2013 14:22:24 -0500
Subject: [PATCH] Pick up another interop fix from master (RT#7797)
- pull in fix from master to ignore an empty token from an acceptor if we've already finished authenticating (RT#7797, part of #1043962)
---
 ...ignore-empty-unnecessary-final-token.patch | 37 +++++++++++++++++++
 krb5.spec | 4 ++
 2 files changed, 41 insertions(+)
 create mode 100644 krb5-master-ignore-empty-unnecessary-final-token.patch
diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch
new file mode 100644
index 0000000..3ebb888
--- /dev/null
+++ b/krb5-master-ignore-empty-unnecessary-final-token.patch
@@ -0,0 +1,37 @@
+commit 37af638b742dbd642eb70092e4f7781c3f69d86d
+Author: Greg Hudson
+Date: Tue Dec 10 12:04:18 2013 -0500
+
+ Fix SPNEGO one-hop interop against old IIS
+
+ IIS 6.0 and similar return a zero length reponse buffer in the last
+ SPNEGO packet when context initiation is performed without mutual
+ authentication. In this case the underlying Kerberos mechanism has
+ already completed successfully on the first invocation, and SPNEGO
+ does not expect a mech response token in the answer. If we get an
+ empty mech response token when the mech is complete during
+ negotiation, ignore it.
+
+ [ghudson@mit.edu: small code style and commit message changes]
+
+ ticket: 7797 (new)
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3937662..d82934b 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ map_errcode(minor_status);
+ ret = GSS_S_DEFECTIVE_TOKEN;
+ }
++ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
++ /* Handle old IIS servers returning empty token instead of
++ * null tokens in the non-mutual auth case. */
++ *negState = ACCEPT_COMPLETE;
++ *tokflag = NO_TOKEN_SEND;
++ ret = GSS_S_COMPLETE;
+ } else if (sc->mech_complete) {
+ /* Reject spurious mech token. */
+ ret = GSS_S_DEFECTIVE_TOKEN;
diff --git a/krb5.spec b/krb5.spec
index bac784a..3182659 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -91,6 +91,7 @@ Patch105: krb5-kvno-230379.patch
 Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch135: krb5-master-no-malloc0.patch
+Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
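Review bot: The comment on the new `else if ((*responseToken)->length == 0 && sc->mech_complete)` branch in the spnego_mech.c change names the IIS quirk but not the property that keeps the relaxation narrow: only a zero-length token is treated as absent, and only because this test comes before the `Reject spurious mech token` branch, so a non-empty token after mechanism completion is still refused with `GSS_S_DEFECTIVE_TOKEN`. I would add that to the comment, e.g. `/* Must stay ahead of the spurious-token check; only a zero-length token is treated as absent. */`, so a later reordering does not widen what is accepted. The branch sets `*negState = ACCEPT_COMPLETE` itself; whether the acceptor's own negState and any mechListMIC are still checked on this path is decided outside the hunk (init_ctx_nego starts and ends beyond it), so that is worth confirming against the null-token path before relying on the backport.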
@@ -302,6 +303,7 @@ ln -s NOTICE LICENSE %patch86 -p0 -b .debuginfo %patch105 -p1 -b .kvno %patch135 -p1 -b .no-malloc0 +%patch136 -p1 -b .ignore-empty-unnecessary-final-token # Apply when the hard-wired or configured default location is # DIR:/run/user/%%{uid}/krb5cc. @@ -960,6 +962,8 @@ exit 0 - pull in fix from master to return a NULL pointer rather than allocating zero bytes of memory if we read a zero-length input token (RT#7794, part of #1043962) +- pull in fix from master to ignore an empty token from an acceptor if + we've already finished authenticating (RT#7797, part of #1043962) * Wed Dec 11 2013 Nalin Dahyabhai - 1.12-1 - update to 1.12 final