gss_init_sec_context error for spnego
Stephen Ince
since at opendemand.com
Mon Oct 20 16:33:06 EDT 2008
Simon.
Thx for the advice. I am going to switch back to apache to verify that
the input_token is correct. I can do more tracing through apache than IIS.
I did read in the Mozilla code that their base64 decode was not as robust
as IE's. I am not using the same routine but the problem could be the same.
int decode_len = apr_base64_decode_len(header);
input_token.value = (char*)malloc(decode_len +1);
input_token.length = apr_base64_decode(input_token.value,header);
Steve
----- Original Message -----
From: "Simon Josefsson" <simon at josefsson.org>
To: "Stephen Ince" <since at opendemand.com>
Sent: Monday, October 20, 2008 10:47 AM
Subject: Re: gss_init_sec_context error for spnego
> Stephen, I don't know how to debug it further -- the error message
> indicates that the token is invalid. So either the code generating it
> is buggy, or the code that parses it is buggy, or (and definitely most
> likely) your code that passes the token between the generator and parser
> is buggy and corrupts the token somehow.
>
> Are you sure 'input_token' is initialized properly with the token data?
>
> /Simon
>
> "Stephen Ince" <since at opendemand.com> writes:
>
>> Simon,
>> Thx for your response.
>> I do check for error_status. I think IIS is ignoring the req_flags
>> and maybe encrypting. When I had the req_flags set to 0, it still returns
>> GSS_S_CONTINUE_NEEDED. Is there any way I can if I need to unwrap the
>> token.
>>
>> major_status = gss_init_sec_context(&minor_status,
>> if (major_status == GSS_S_COMPLETE) {
>> }
>> else if (major_status == GSS_S_CONTINUE_NEEDED) {
>> }
>>
>> if (GSS_ERROR(major_status)) {
>> /* Curl_cleanup_negotiate(conn->data) ??? */
>> log_gss_error(major_status,minor_status,"gss_init_sec_context() failed: ");
>> return APR_EGENERAL;
>> }
>>
>> ----- Original Message -----
>> From: "Simon Josefsson" <simon at josefsson.org>
>> To: "Stephen Ince" <since at opendemand.com>
>> Cc: <krbdev at mit.edu>
>> Sent: Monday, October 20, 2008 8:16 AM
>> Subject: Re: gss_init_sec_context error for spnego
>>
>>
>>> "Stephen Ince" <since at opendemand.com> writes:
>>>
>>>> I am getting a 589824 major status for gss_init_sec_context. Does
>>>> anyone know why? It is for the second call to gss_init_sec_context.
>>>>
>>>> Basically I am doing the following.
>>>>
>>>> major_status = gss_init_sec_context(&minor_status,
>>>> GSS_C_NO_CREDENTIAL,
>>>> &neg_ctx->context,
>>>> neg_ctx->server_name,
>>>> &gss_spnego_mech_oid_desc,
>>>> GSS_C_MUTUAL_FLAG|GSS_C_DELEG_FLAG|GSS_C_REPLAY_FLAG ,
>>>> GSS_C_INDEFINITE,
>>>> GSS_C_NO_CHANNEL_BINDINGS,
>>>> &input_token,
>>>> NULL,
>>>> &output_token,
>>>> NULL,
>>>> NULL);
>>>>
>>>> On the first call to gss_init_sec_context the variable
>>>> neg_ctx->context is initialized to GSS_C_NO_CONTEXT.
>>>> I fail on the second call to gss_init_sec_context.
>>>
>>> Did you check error code on the first gss_init_sec_context? Maybe it
>>> didn't work.
>>>
>>> /Simon
>>>
>>> jas at mocca:~$ gss -m 589824
>>> GSS-API major status code 589824 (0x90000).
>>>
>>>      MSB                                                              LSB
>>>     +-----------------+-----------------+---------------------------------+
>>>     |  Calling Error  |  Routine Error  |       Supplementary Info        |
>>>     | 0 0 0 0 0 0 0 0 | 0 0 0 0 1 0 0 1 | 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 |
>>>     +-----------------+-----------------+---------------------------------+
>>> Bit   31           24  23           16  15                             0
>>>
>>> Masked routine error 589824 (0x90000) shifted into 9 (0x9):
>>> A token was invalid
>>>
>>> jas at mocca:~$
>>>
>
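An added example, not code from this thread or from any Kerberos or Apache project: one way to check the token hand-off discussed above before the second gss_init_sec_context call, assuming the server's header value has the form "Negotiate <base64>". The function names are hypothetical, and the first-byte tags are those of RFC 2743 framing (0x60) and the RFC 4178 NegTokenResp (0xa1).

```c
#include <stddef.h>
#include <string.h>

/* Value of one base64 character, or -1 if it is outside the alphabet. */
static int b64_val(int c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Strict decode: returns the byte count, or -1 on a character outside the
 * alphabet, misplaced padding, a bad length or a too-small output buffer. */
static long b64_decode_strict(const char *in, unsigned char *out, size_t cap) {
    size_t len = strlen(in), n = 0, i;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        int v[4], j, pad = 0;
        for (j = 0; j < 4; j++) {
            if (in[i + j] == '=') {
                if (i + 4 != len || j < 2) return -1; /* only at the very end */
                v[j] = 0; pad++;
            } else {
                if (pad) return -1;                   /* data after padding */
                v[j] = b64_val((unsigned char)in[i + j]);
                if (v[j] < 0) return -1;
            }
        }
        if (n + 3 - pad > cap) return -1;
        out[n++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (pad < 2) out[n++] = (unsigned char)(((v[1] & 15) << 4) | (v[2] >> 2));
        if (pad < 1) out[n++] = (unsigned char)(((v[2] & 3) << 6) | v[3]);
    }
    return (long)n;
}

/* Decode a "Negotiate <base64>" header value into out and return the first
 * token byte: 0x60 is the GSS-API framing of an initial token, 0xa1 is a
 * SPNEGO NegTokenResp (what the second call should receive). Returns -1 if
 * the scheme prefix is missing (compared case-sensitively here, a
 * simplification) and -2 if the base64 text is not clean. */
int negotiate_token_tag(const char *hdr, unsigned char *out, size_t cap, long *len) {
    static const char scheme[] = "Negotiate ";
    if (strncmp(hdr, scheme, sizeof scheme - 1) != 0) return -1;
    hdr += sizeof scheme - 1;
    *len = b64_decode_strict(hdr, out, cap);
    return (*len > 0) ? out[0] : -2;
}
```

A result of -2 or an unexpected first byte points at the transport or decoding step rather than at the GSS-API library; the decoded length is what belongs in input_token.length.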