[krbdev.mit.edu #6603] issues with SPNEGO

Arlene Berry via RT rt-comment at krbdev.mit.edu
Tue Dec 22 21:29:31 EST 2009


I found two problems with SPNEGO and the conversation between the
initiator and the acceptor.  One is that if the initiator produces the
final mechanism token it doesn't send it to the acceptor who is waiting
for it.  The other is that if the mechanism doesn't set
GSS_C_INTEG_FLAG, the acceptor never sets the state to ACCEPT_COMPLETE.
This fixed both problems for us:


Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c	(revision 23482)
+++ src/lib/gssapi/spnego/spnego_mech.c	(working copy)
@@ -652,8 +652,9 @@
 		 * mech not finished and mech token missing
 		 */
 		ret = GSS_S_DEFECTIVE_TOKEN;
-	} else if (sc->mic_reqd &&
-		   (sc->ctx_flags & GSS_C_INTEG_FLAG)) {
+	} else if (*acc_negState == ACCEPT_INCOMPLETE ||
+	           (sc->mic_reqd &&
+		    (sc->ctx_flags & GSS_C_INTEG_FLAG))) {
 		*negState = ACCEPT_INCOMPLETE;
 		*tokflag = CONT_TOKEN_SEND;
 		ret = GSS_S_CONTINUE_NEEDED;
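Review bot: The new first operand of the `else if`, `*acc_negState == ACCEPT_INCOMPLETE`, is dereferenced and trusted without any visible sign that the acceptor actually supplied a negState in this token. If that field can be absent from a response, the value read here may be a default or stale one, and this branch would then decide whether the initiator keeps going. Please confirm that `acc_negState` is always valid at this point, or guard the test. The branch also now covers two unrelated cases (the acceptor still expects a token, and a MIC exchange is pending), so a short comment above it, in the style of the "mech not finished and mech token missing" comment on the preceding branch, would help. Minor: the added continuation line is indented with a tab followed by spaces while the line after it uses tabs only.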
@@ -1534,6 +1535,11 @@
 			sc->mic_reqd = 0;
 		}
 #endif
+
+		if (sc->mic_reqd && !(sc->ctx_flags & GSS_C_INTEG_FLAG))
{
+			sc->mic_reqd = 0;
+		}
+
 		sc->mech_complete = 1;
 		if (ret_flags != NULL)
 			*ret_flags = sc->ctx_flags;
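Review bot: The added block after `#endif` clears `sc->mic_reqd` whenever the mechanism did not return GSS_C_INTEG_FLAG, with no comment, which means a MIC that was previously marked as required is silently dropped just before `sc->mech_complete = 1`. A reader of this code needs to know that this is intentional and that in this case the negotiation finishes without the MIC exchange, so please add a comment saying so and why (the mechanism cannot produce a MIC without integrity support). Since the block sits outside the preceding `#endif`, it applies in every build configuration, which is worth stating in the commit message. Also, the opening brace of the `if` has been wrapped onto its own line without a `+` prefix, so the hunk as posted is malformed and will not apply; resending it as an attachment would avoid that.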




