authorNalin Dahyabhai <nalin@dahyabhai.net>2013-12-18 14:22:24 -0500
committerNalin Dahyabhai <nalin@dahyabhai.net>2013-12-18 14:22:24 -0500
commit39888b7c424b00db72d32c2841b55cd0ffc16b33 (patch)
tree63c59d93707afc15610dec5e6dec08859b017e65
parent735b73ebbba370d01d427affa96fb0807f61720e (diff)
Pick up another interop fix from master (RT#7797)
- pull in fix from master to ignore an empty token from an acceptor if we've already finished authenticating (RT#7797, part of #1043962)
-rw-r--r--krb5-master-ignore-empty-unnecessary-final-token.patch37
-rw-r--r--krb5.spec4
2 files changed, 41 insertions, 0 deletions
diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch
new file mode 100644
index 0000000..3ebb888
--- /dev/null
+++ b/krb5-master-ignore-empty-unnecessary-final-token.patch
@@ -0,0 +1,37 @@
+commit 37af638b742dbd642eb70092e4f7781c3f69d86d
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Tue Dec 10 12:04:18 2013 -0500
+
+ Fix SPNEGO one-hop interop against old IIS
+
+ IIS 6.0 and similar return a zero length reponse buffer in the last
+ SPNEGO packet when context initiation is performed without mutual
+ authentication. In this case the underlying Kerberos mechanism has
+ already completed successfully on the first invocation, and SPNEGO
+ does not expect a mech response token in the answer. If we get an
+ empty mech response token when the mech is complete during
+ negotiation, ignore it.
+
+ [ghudson@mit.edu: small code style and commit message changes]
+
+ ticket: 7797 (new)
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3937662..d82934b 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ map_errcode(minor_status);
+ ret = GSS_S_DEFECTIVE_TOKEN;
+ }
++ } else if ((*responseToken)->length == 0 && sc->mech_complete) {
++ /* Handle old IIS servers returning empty token instead of
++ * null tokens in the non-mutual auth case. */
++ *negState = ACCEPT_COMPLETE;
++ *tokflag = NO_TOKEN_SEND;
++ ret = GSS_S_COMPLETE;
+ } else if (sc->mech_complete) {
+ /* Reject spurious mech token. */
+ ret = GSS_S_DEFECTIVE_TOKEN;
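Review bot: The added branch `else if ((*responseToken)->length == 0 && sc->mech_complete)` dereferences `*responseToken` with no NULL check visible in this hunk; it presumably relies on the preceding branch, of which only the closing brace is shown, having already handled the absent-token case, and init_ctx_nego's body starts and ends outside the hunk. The comment names the "non-mutual auth case", but the condition tests only `sc->mech_complete`, so the safety argument is implicit. I would extend the comment to state the invariant, e.g. `/* mech_complete: the mech expects no acceptor token, so an empty one carries nothing to verify; a non-empty token is still rejected by the next branch. */`. Because this relaxes how peer-supplied input is accepted and depends on sitting before the "Reject spurious mech token" branch, a regression test that feeds a zero-length and a non-empty response token after mech completion would keep a later reordering from widening it.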
diff --git a/krb5.spec b/krb5.spec
index bac784a..3182659 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -91,6 +91,7 @@ Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch135: krb5-master-no-malloc0.patch
+Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -302,6 +303,7 @@ ln -s NOTICE LICENSE
%patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno
%patch135 -p1 -b .no-malloc0
+%patch136 -p1 -b .ignore-empty-unnecessary-final-token
# Apply when the hard-wired or configured default location is
# DIR:/run/user/%%{uid}/krb5cc.
@@ -960,6 +962,8 @@ exit 0
- pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part of
#1043962)
+- pull in fix from master to ignore an empty token from an acceptor if
+ we've already finished authenticating (RT#7797, part of #1043962)
* Wed Dec 11 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.12-1
- update to 1.12 final