krb5 commit [krb5-1.11]: Fix SPNEGO one-hop interop against old IIS

Tom Yu tlyu at MIT.EDU
Thu Jan 16 15:46:32 EST 2014


https://github.com/krb5/krb5/commit/5773d47677478e7742b2ac227fbf33c0cc3260a1
commit 5773d47677478e7742b2ac227fbf33c0cc3260a1
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Dec 10 12:04:18 2013 -0500

    Fix SPNEGO one-hop interop against old IIS
    
    IIS 6.0 and similar return a zero length reponse buffer in the last
    SPNEGO packet when context initiation is performed without mutual
    authentication.  In this case the underlying Kerberos mechanism has
    already completed successfully on the first invocation, and SPNEGO
    does not expect a mech response token in the answer.  If we get an
    empty mech response token when the mech is complete during
    negotiation, ignore it.
    
    [ghudson at mit.edu: small code style and commit message changes]
    
    (cherry picked from commit 37af638b742dbd642eb70092e4f7781c3f69d86d)
    
    ticket: 7827 (new)
    version_fixed: 1.11.5
    status: resolved

 src/lib/gssapi/spnego/spnego_mech.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index b2359d4..710183a 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -759,6 +759,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 			map_errcode(minor_status);
 			ret = GSS_S_DEFECTIVE_TOKEN;
 		}
+	} else if ((*responseToken)->length == 0 && sc->mech_complete) {
+		/* Handle old IIS servers returning empty token instead of
+		 * null tokens in the non-mutual auth case. */
+		*negState = ACCEPT_COMPLETE;
+		*tokflag = NO_TOKEN_SEND;
+		ret = GSS_S_COMPLETE;
 	} else if (sc->mech_complete) {
 		/* Reject spurious mech token. */
 		ret = GSS_S_DEFECTIVE_TOKEN;


More information about the cvs-krb5 mailing list