[krbdev.mit.edu #8374] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Tue Mar 1 12:47:16 EST 2016


Interoperate with incomplete SPNEGO responses

We have found at least one HTTP/Negotiate implementation in Java that
does not set anything but the responseToken field in the first SPNEGO
acceptor response token.  This is technically a violation of RFC 4178
section 4.2.2, but it is harmless to support; we know the mechanism we
were trying to negotiate, and can use that mechanism to process the
token.

These implementations are probably not supporting any real
negotiation, as the missing negState precludes any mechanism
negotiation on failure.  If a supportedMech is included that differs
from the opportunistic one but no negState is provided,
init_ctx_reselect() will fail with GSS_S_DEFECTIVE_TOKEN as it should.

[ghudson at mit.edu: edit comments and commit message]

https://github.com/krb5/krb5/commit/da748e7621ad20237f105eb1167832d4898fde66
Author: Simo Sorce <simo at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: da748e7621ad20237f105eb1167832d4898fde66
Branch: master
 src/lib/gssapi/spnego/spnego_mech.c |   21 +++++++++------------
 1 files changed, 9 insertions(+), 12 deletions(-)
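The decision the commit message describes, as an added stand-alone illustration that is not krb5's code (Python rather than the C of spnego_mech.c): a strict DER parser for the [1] NegTokenResp structure of RFC 4178 section 4.2.2, a builder used to construct sample tokens, and an initiator-side routine that keeps processing with the opportunistic mechanism when the acceptor names no different supportedMech, but treats a different supportedMech without negState as a defective token. The two OIDs are the real Kerberos and NTLMSSP mechanism OIDs; the function names, the choice to read a missing negState as accept-incomplete, and the contents of the constructed Java-style sample token are assumptions of this example.

```python
"""RFC 4178 NegTokenResp parsing plus the initiator decision sketched above (illustration, not krb5 code)."""
from collections import namedtuple

# DER OID contents (bytes after the 0x06 tag and length) of two common mechanisms.
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
ACCEPT_COMPLETED, ACCEPT_INCOMPLETE, REJECT, REQUEST_MIC = 0, 1, 2, 3  # negState values
NegTokenResp = namedtuple("NegTokenResp", "neg_state supported_mech response_token mech_list_mic")

class DefectiveToken(ValueError):
    """Stands in for GSS_S_DEFECTIVE_TOKEN."""

def der_tlv(tag, body):
    """Encode one DER TLV with a single-byte tag (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos):
    """Read one single-byte-tag TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise DefectiveToken("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: 0x80 | number of length octets that follow
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise DefectiveToken("bad length octets")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
        if length < 0x80 or length >> (8 * (nbytes - 1)) == 0:
            raise DefectiveToken("non-minimal (non-DER) length")
    if pos + length > len(buf):
        raise DefectiveToken("length runs past the end of the token")
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_resp(neg_state=None, supported_mech=None, response_token=None):
    """Encode [1] NegTokenResp; every field is OPTIONAL, so None means omit it."""
    body = b""
    if neg_state is not None:
        body += der_tlv(0xA0, der_tlv(0x0A, bytes([neg_state])))  # [0] ENUMERATED
    if supported_mech is not None:
        body += der_tlv(0xA1, der_tlv(0x06, supported_mech))     # [1] MechType OID
    if response_token is not None:
        body += der_tlv(0xA2, der_tlv(0x04, response_token))     # [2] OCTET STRING
    return der_tlv(0xA1, der_tlv(0x30, body))

def parse_neg_token_resp(token):
    """Strict DER parse of [1] NegTokenResp; any malformation is a DefectiveToken."""
    tag, body, end = der_read(token, 0)
    if tag != 0xA1 or end != len(token):
        raise DefectiveToken("expected [1] NegTokenResp")
    tag, seq, end = der_read(body, 0)
    if tag != 0x30 or end != len(body):
        raise DefectiveToken("NegTokenResp is not a SEQUENCE")
    inner_tag = {0xA0: 0x0A, 0xA1: 0x06, 0xA2: 0x04, 0xA3: 0x04}  # [3] is mechListMIC
    fields, pos, last = {}, 0, -1
    while pos < len(seq):
        tag, val, pos = der_read(seq, pos)
        if tag not in inner_tag or tag <= last:  # DER fixes the field order [0]..[3]
            raise DefectiveToken("unknown, duplicate or out-of-order field")
        itag, inner, iend = der_read(val, 0)
        if itag != inner_tag[tag] or iend != len(val):
            raise DefectiveToken("field has the wrong inner type")
        fields[tag], last = inner, tag
    neg_state = fields.get(0xA0)
    if neg_state is not None:
        if len(neg_state) != 1 or neg_state[0] > REQUEST_MIC:
            raise DefectiveToken("negState out of range")
        neg_state = neg_state[0]
    return NegTokenResp(neg_state, fields.get(0xA1), fields.get(0xA2), fields.get(0xA3))

def process_first_acceptor_response(token, opportunistic_mech):
    """Initiator handling of the acceptor's first reply: if no different mechanism is
    named, the inner token belongs to the mech we optimistically started, even with the
    (required) negState missing.  Returns (mech, neg_state, response_token)."""
    resp = parse_neg_token_resp(token)
    if resp.neg_state == REJECT:
        return None, REJECT, None  # nothing left to negotiate
    if resp.supported_mech in (None, opportunistic_mech):
        # Assumption of this example: a missing negState is read as accept-incomplete,
        # i.e. keep feeding the inner token to the opportunistic mechanism.
        state = ACCEPT_INCOMPLETE if resp.neg_state is None else resp.neg_state
        return opportunistic_mech, state, resp.response_token
    if resp.neg_state is None:  # reselection without negState: reject rather than guess
        raise DefectiveToken("supportedMech differs from the opportunistic mech, negState absent")
    return resp.supported_mech, resp.neg_state, resp.response_token

def classify_first_response(token, opportunistic_mech):
    """One-word outcome for logs or tests: continue, reselect, rejected or defective."""
    try:
        mech, state, _ = process_first_acceptor_response(token, opportunistic_mech)
    except DefectiveToken:
        return "defective"
    if state == REJECT:
        return "rejected"
    return "continue" if mech == opportunistic_mech else "reselect"

# Constructed sample of the non-conforming first reply: responseToken and nothing else.
JAVA_STYLE_RESPONSE = build_neg_token_resp(response_token=b"<constructed AP-REP bytes>")
```

Feeding JAVA_STYLE_RESPONSE to classify_first_response() with KRB5_OID as the opportunistic mechanism yields "continue", while the same token with an NTLMSSP supportedMech and still no negState yields "defective", which is the distinction the commit message draws.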


