krb5 commit [krb5-1.16]: Fix SPNEGO fallback context handling
Greg Hudson
ghudson at mit.edu
Mon Dec 9 18:22:34 EST 2019
https://github.com/krb5/krb5/commit/e72efb781a8fcf6a8fb9d2db17cd81a01ed489e2
commit e72efb781a8fcf6a8fb9d2db17cd81a01ed489e2
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Nov 11 12:25:41 2019 -0500
Fix SPNEGO fallback context handling
In init_ctx_call_init(), if gss_init_sec_context() fails while
producing the first SPNEGO initiator token, we remove the first
candidate mechanism from sc->mech_set and try again. If
sc->ctx_handle is present after the error (more likely after commit
56f7b1bc95a2a3eeb420e069e7655fb181ade5cf), we must clear it before
falling back or it will cause subsequent attempts to fail.
(cherry picked from commit 40ecfad10dd36700028ff0f3d0d79ce7925fe545)
ticket: 8846
version_fixed: 1.16.4
src/lib/gssapi/spnego/spnego_mech.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 9d6027c..efcec2d 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -982,6 +982,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
if (put_mech_set(sc->mech_set, &sc->DER_mechTypes) < 0)
goto fail;
+ gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER);
tmpret = init_ctx_call_init(&tmpmin, sc, spcred, target_name,
req_flags, time_req, mechtok_in,
actual_mech, mechtok_out, ret_flags,
More information about the cvs-krb5
mailing list