39888b7c42
- pull in fix from master to ignore an empty token from an acceptor if we've already finished authenticating (RT#7797, part of #1043962)
commit 37af638b742dbd642eb70092e4f7781c3f69d86d
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Dec 10 12:04:18 2013 -0500
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length response buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3937662..d82934b 100644
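--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 map_errcode(minor_status);
 ret = GSS_S_DEFECTIVE_TOKEN;
 }
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
+ /* Handle old IIS servers returning empty token instead of
+ * null tokens in the non-mutual auth case. */
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
 } else if (sc->mech_complete) {
 /* Reject spurious mech token. */
 ret = GSS_S_DEFECTIVE_TOKEN;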
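Review bot: The new `(*responseToken)->length == 0` test dereferences `*responseToken`, which is safe only if an earlier branch of this if/else chain has already handled a missing (`GSS_C_NO_BUFFER`) token; that branch begins above the hunk, so it should be confirmed against the full function. The comment also describes the branch as the non-mutual-auth case, but the condition is keyed on `sc->mech_complete` alone, so an empty token from any acceptor is treated as absent once the mechanism has finished. I would reword the comment to say so, e.g. `/* Treat an empty mech token like an absent one once the mech is complete (old IIS sends this without mutual auth); a non-empty token is still rejected below. */`. init_ctx_nego continues past the end of the hunk.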