rpms/krb5
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Pick up another interop fix from master (RT#7797)

Browse Source 
- pull in fix from master to ignore an empty token from an acceptor if
  we've already finished authenticating (RT#7797, part of #1043962)
This commit is contained in:
Nalin Dahyabhai 2013-12-18 14:22:24 -05:00
parent 735b73ebbb
commit 39888b7c42
2 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
krb5-master-ignore-empty-unnecessary-final-token.patch Normal file
View File

@ -0,0 +1,37 @@
commit 37af638b742dbd642eb70092e4f7781c3f69d86d
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Dec 10 12:04:18 2013 -0500
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3937662..d82934b 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
map_errcode(minor_status);
ret = GSS_S_DEFECTIVE_TOKEN;
}
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
+ /* Handle old IIS servers returning empty token instead of
+ * null tokens in the non-mutual auth case. */
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
} else if (sc->mech_complete) {
/* Reject spurious mech token. */
ret = GSS_S_DEFECTIVE_TOKEN;

4
krb5.spec
View File

@ -91,6 +91,7 @@ Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch Patch134: krb5-1.11-kpasswdtest.patch
Patch135: krb5-master-no-malloc0.patch Patch135: krb5-master-no-malloc0.patch
Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -302,6 +303,7 @@ ln -s NOTICE LICENSE
%patch86 -p0 -b .debuginfo %patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno %patch105 -p1 -b .kvno
%patch135 -p1 -b .no-malloc0 %patch135 -p1 -b .no-malloc0
%patch136 -p1 -b .ignore-empty-unnecessary-final-token
# Apply when the hard-wired or configured default location is # Apply when the hard-wired or configured default location is
# DIR:/run/user/%%{uid}/krb5cc. # DIR:/run/user/%%{uid}/krb5cc.
@ -960,6 +962,8 @@ exit 0
- pull in fix from master to return a NULL pointer rather than allocating - pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part of zero bytes of memory if we read a zero-length input token (RT#7794, part of
#1043962) #1043962)
- pull in fix from master to ignore an empty token from an acceptor if
we've already finished authenticating (RT#7797, part of #1043962)
* Wed Dec 11 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.12-1 * Wed Dec 11 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.12-1
- update to 1.12 final - update to 1.12 final