diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-12-10 12:04:18 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-12-12 10:51:34 -0500 |
| commit | 37af638b742dbd642eb70092e4f7781c3f69d86d (patch) | |
| tree | fc829408641c1e8c41d9a09140fff320fb817315 /src | |
| parent | 291f03290b6476ec6b98e48c6971b65f1d899269 (diff) | |
| download | krb5-37af638b742dbd642eb70092e4f7781c3f69d86d.tar.gz krb5-37af638b742dbd642eb70092e4f7781c3f69d86d.tar.xz krb5-37af638b742dbd642eb70092e4f7781c3f69d86d.zip | |
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/gssapi/spnego/spnego_mech.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 393766274..d82934b6c 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, map_errcode(minor_status); ret = GSS_S_DEFECTIVE_TOKEN; } + } else if ((*responseToken)->length == 0 && sc->mech_complete) { + /* Handle old IIS servers returning empty token instead of + * null tokens in the non-mutual auth case. */ + *negState = ACCEPT_COMPLETE; + *tokflag = NO_TOKEN_SEND; + ret = GSS_S_COMPLETE; } else if (sc->mech_complete) { /* Reject spurious mech token. */ ret = GSS_S_DEFECTIVE_TOKEN; |