commit 37af638b742dbd642eb70092e4f7781c3f69d86d
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Dec 10 12:04:18 2013 -0500
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length response buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3937662..d82934b 100644
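--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 map_errcode(minor_status);
 ret = GSS_S_DEFECTIVE_TOKEN;
 }
+ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
+ /* Handle old IIS servers returning empty token instead of
+ * null tokens in the non-mutual auth case. */
+ *negState = ACCEPT_COMPLETE;
+ *tokflag = NO_TOKEN_SEND;
+ ret = GSS_S_COMPLETE;
 } else if (sc->mech_complete) {
 /* Reject spurious mech token. */
 ret = GSS_S_DEFECTIVE_TOKEN;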
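Review bot: The added `else if` branch forces `*negState = ACCEPT_COMPLETE` and returns `GSS_S_COMPLETE` for any zero-length token once `sc->mech_complete` is set, without consulting the state the acceptor actually reported. Unless a check outside the hunk rules it out, an empty token attached to a rejecting or incomplete reply would be treated as success. Because this relaxes what the initiator accepts from its peer, the comment should record the assumption, for example `/* Treat an empty token as absent (old IIS, non-mutual auth); acceptor state is validated by <earlier check>. */`, or the condition should also require the acceptor's reported state to be complete. The dereference `(*responseToken)->length` likewise relies on the preceding branch having handled a null `*responseToken`. init_ctx_nego starts and ends outside the hunk, so both points need confirming against the full function.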