diff options
Diffstat (limited to 'krb5-master-ignore-empty-unnecessary-final-token.patch')
-rw-r--r-- | krb5-master-ignore-empty-unnecessary-final-token.patch | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/krb5-master-ignore-empty-unnecessary-final-token.patch b/krb5-master-ignore-empty-unnecessary-final-token.patch deleted file mode 100644 index 3ebb888..0000000 --- a/krb5-master-ignore-empty-unnecessary-final-token.patch +++ /dev/null @@ -1,37 +0,0 @@ -commit 37af638b742dbd642eb70092e4f7781c3f69d86d -Author: Greg Hudson <ghudson@mit.edu> -Date: Tue Dec 10 12:04:18 2013 -0500 - - Fix SPNEGO one-hop interop against old IIS - - IIS 6.0 and similar return a zero length reponse buffer in the last - SPNEGO packet when context initiation is performed without mutual - authentication. In this case the underlying Kerberos mechanism has - already completed successfully on the first invocation, and SPNEGO - does not expect a mech response token in the answer. If we get an - empty mech response token when the mech is complete during - negotiation, ignore it. - - [ghudson@mit.edu: small code style and commit message changes] - - ticket: 7797 (new) - target_version: 1.12.1 - tags: pullup - -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 3937662..d82934b 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, - map_errcode(minor_status); - ret = GSS_S_DEFECTIVE_TOKEN; - } -+ } else if ((*responseToken)->length == 0 && sc->mech_complete) { -+ /* Handle old IIS servers returning empty token instead of -+ * null tokens in the non-mutual auth case. */ -+ *negState = ACCEPT_COMPLETE; -+ *tokflag = NO_TOKEN_SEND; -+ ret = GSS_S_COMPLETE; - } else if (sc->mech_complete) { - /* Reject spurious mech token. */ - ret = GSS_S_DEFECTIVE_TOKEN; |