gss_init_sec_context error for spnego
Stephen Ince
since at opendemand.com
Mon Oct 20 16:57:53 EDT 2008
I think my hunch was correct: IIS is ignoring the req_flags. Everything
worked when I tested Apache. The format of the token coming back from IIS
must be encrypted. I did an Ethereal snoop and noticed that
gss_init_sec_context fails and does not make any network calls.
Is there a way I can check for the format of the IIS token from the first
gss_init_sec_context? I do not tell IIS to encrypt the token.
e.g.
req_flags= GSS_C_MUTUAL_FLAG|GSS_C_DELEG_FLAG|GSS_C_REPLAY_FLAG
gss_init_sec_context
check the ret_flags to see if the token from IIS will be encrypted?
get and decode input negotiate from IE and decrypt or unwrap token
gss_init_sec_context
Steve
----- Original Message -----
From: "Stephen Ince" <since at opendemand.com>
To: <krbdev at mit.edu>
Sent: Monday, October 20, 2008 4:33 PM
Subject: Re: gss_init_sec_context error for spnego
> Simon.
> Thx for the advice. I am going to switch back to apache to verify that
> the input_token is correct. I can do more tracing through apache than IIS.
> I did read in the Mozilla code that their base64 decode was not as robust
> as IE's. I am not using the same routine, but the problem could be the same.
>
> int decode_len = apr_base64_decode_len(header);
> input_token.value = (char*)malloc(decode_len +1);
> input_token.length = apr_base64_decode(input_token.value,header);
>
> Steve
> ----- Original Message -----
> From: "Simon Josefsson" <simon at josefsson.org>
> To: "Stephen Ince" <since at opendemand.com>
> Sent: Monday, October 20, 2008 10:47 AM
> Subject: Re: gss_init_sec_context error for spnego
>
>
>> Stephen, I don't know how to debug it further -- the error message
>> indicates that the token is invalid. So either the code generating it
>> is buggy, or the code that parses it is buggy, or (and definitely most
>> likely) your code that passes the token between the generator and parser
>> is buggy and corrupts the token somehow.
>>
>> Are you sure 'input_token' is initialized properly with the token data?
>>
>> /Simon
>>
>> "Stephen Ince" <since at opendemand.com> writes:
>>
>>> Simon,
>>> Thx for your response.
>>> I do check for error_status. I think IIS is ignoring the req_flags
>>> and maybe encrypting. When I had the req_flags set to 0, it still returned
>>> GSS_S_CONTINUE_NEEDED. Is there any way I can tell if I need to unwrap the
>>> token?
>>>
>>> major_status = gss_init_sec_context(&minor_status,
>>> if (major_status == GSS_S_COMPLETE) {
>>> }
>>> else if (major_status == GSS_S_CONTINUE_NEEDED) {
>>> }
>>>
>>> if (GSS_ERROR(major_status)) {
>>> /* Curl_cleanup_negotiate(conn->data) ??? */
>>> log_gss_error(major_status,minor_status,"gss_init_sec_context() failed: ");
>>> return APR_EGENERAL;
>>> }
>>>
>>> ----- Original Message -----
>>> From: "Simon Josefsson" <simon at josefsson.org>
>>> To: "Stephen Ince" <since at opendemand.com>
>>> Cc: <krbdev at mit.edu>
>>> Sent: Monday, October 20, 2008 8:16 AM
>>> Subject: Re: gss_init_sec_context error for spnego
>>>
>>>
>>>> "Stephen Ince" <since at opendemand.com> writes:
>>>>
>>>>> I am getting a 589824 major status for gss_init_sec_context. Does
>>>>> anyone know why? It is for the second call to gss_init_sec_context.
>>>>>
>>>>> Basically I am doing the following.
>>>>>
>>>>> major_status = gss_init_sec_context(&minor_status,
>>>>> GSS_C_NO_CREDENTIAL,
>>>>> &neg_ctx->context,
>>>>> neg_ctx->server_name,
>>>>> &gss_spnego_mech_oid_desc,
>>>>> GSS_C_MUTUAL_FLAG|GSS_C_DELEG_FLAG|GSS_C_REPLAY_FLAG ,
>>>>> GSS_C_INDEFINITE,
>>>>> GSS_C_NO_CHANNEL_BINDINGS,
>>>>> &input_token,
>>>>> NULL,
>>>>> &output_token,
>>>>> NULL,
>>>>> NULL);
>>>>>
>>>>> On the first call to gss_init_sec_context the variable neg_ctx->context is
>>>>> initialized to GSS_C_NO_CONTEXT.
>>>>> I fail on the second call to gss_init_sec_context.
>>>>
>>>> Did you check error code on the first gss_init_sec_context? Maybe it
>>>> didn't work.
>>>>
>>>> /Simon
>>>>
>>>> jas at mocca:~$ gss -m 589824
>>>> GSS-API major status code 589824 (0x90000).
>>>>
>>>>    MSB                                                                 LSB
>>>>    +-----------------+-----------------+---------------------------------+
>>>>    |  Calling Error  |  Routine Error  |       Supplementary Info        |
>>>>    | 0 0 0 0 0 0 0 0 | 0 0 0 0 1 0 0 1 | 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 |
>>>>    +-----------------+-----------------+---------------------------------+
>>>> Bit 31            24  23            16  15                             0
>>>>
>>>> Masked routine error 589824 (0x90000) shifted into 9 (0x9):
>>>> A token was invalid
>>>>
>>>> jas at mocca:~$
>>>>
>>
>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
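The thread leaves two diagnostic questions open: how to read a major status value such as 589824 without the gss tool, and how to check the format of the token that comes back in the WWW-Authenticate: Negotiate header before handing it to the second gss_init_sec_context. The C program below is an added example written for this page; it is not code from the poster, from MIT Kerberos, from GNU GSS or from IIS. It splits a major status into the calling-error, routine-error and supplementary fields as RFC 2744 section 3.9 defines them, decodes the base64 header value strictly (rejecting the kind of lossy decoding the thread suspects), and then classifies the decoded token by its outer framing: an RFC 2743 section 3.1 InitialContextToken (0x60, DER length, mechanism OID) carrying SPNEGO or Kerberos, a SPNEGO negTokenResp (context tag 0xA1), or a raw NTLMSSP message. The sample header values in main are constructed minimal tokens, not captures from IIS, and the 4096-byte decode buffer is an arbitrary assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Major-status field layout from RFC 2744 section 3.9 (the same split `gss -m` prints). */
#define CALLING_ERROR_OFFSET 24
#define ROUTINE_ERROR_OFFSET 16
#define CALLING_ERROR_MASK   0377u
#define ROUTINE_ERROR_MASK   0377u
#define SUPPLEMENTARY_MASK   0177777u
#define SUPP_CONTINUE_NEEDED 0x1u   /* the GSS_S_CONTINUE_NEEDED bit */

static const char *routine_names[] = {
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS",
    "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
    "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN" };

unsigned calling_error(uint32_t major) { return (major >> CALLING_ERROR_OFFSET) & CALLING_ERROR_MASK; }
unsigned routine_error(uint32_t major) { return (major >> ROUTINE_ERROR_OFFSET) & ROUTINE_ERROR_MASK; }
unsigned supplementary(uint32_t major) { return major & SUPPLEMENTARY_MASK; }
int continue_needed(uint32_t major) { return (supplementary(major) & SUPP_CONTINUE_NEEDED) != 0; }
const char *routine_error_name(uint32_t major) {
    unsigned r = routine_error(major);
    return r < sizeof routine_names / sizeof routine_names[0] ? routine_names[r] : "unknown";
}

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strict RFC 4648 decoder: rejects stray bytes, bad length and misplaced padding instead of
   silently yielding a shorter token. Returns the decoded length, or -1 on malformed input. */
long base64_decode_strict(const char *in, unsigned char *out, size_t outcap) {
    size_t n = strlen(in);
    long outlen = 0;
    if (n == 0 || n % 4 != 0) return -1;
    for (size_t i = 0; i < n; i += 4) {
        int v[4] = {0, 0, 0, 0}, pad = 0;
        for (int k = 0; k < 4; k++) {
            if (in[i + k] == '=') {          /* '=' only in the last two slots of the last quad */
                if (i + 4 != n || k < 2) return -1;
                pad++;
            } else if (pad || (v[k] = b64val(in[i + k])) < 0) {
                return -1;                   /* data after padding, or a non-alphabet byte */
            }
        }
        uint32_t triple = ((uint32_t)v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        if ((size_t)outlen + 3 - pad > outcap) return -1;
        out[outlen++] = (triple >> 16) & 0xff;
        if (pad < 2) out[outlen++] = (triple >> 8) & 0xff;
        if (pad < 1) out[outlen++] = triple & 0xff;
    }
    return outlen;
}

enum token_kind { TOK_INVALID, TOK_SPNEGO_INIT, TOK_SPNEGO_RESP, TOK_KRB5, TOK_NTLMSSP, TOK_OTHER_GSS };

/* DER definite length starting at p; returns bytes consumed, 0 if malformed. */
static size_t der_len(const unsigned char *p, size_t avail, size_t *len) {
    if (avail == 0) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t nb = p[0] & 0x7f;
    if (nb == 0 || nb > 4 || avail < 1 + nb) return 0;
    *len = 0;
    for (size_t i = 0; i < nb; i++) *len = (*len << 8) | p[1 + i];
    return 1 + nb;
}

/* Classify a decoded token by its outer framing: RFC 2743 3.1 InitialContextToken (0x60, DER
   length, mech OID), SPNEGO negTokenResp (context tag [1] = 0xA1), or a raw NTLMSSP message. */
enum token_kind classify_token(const unsigned char *t, size_t n) {
    static const unsigned char spnego_oid[] = { 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };  /* 1.3.6.1.5.5.2 */
    static const unsigned char krb5_oid[] = { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };  /* 1.2.840.113554.1.2.2 */
    if (n >= 8 && memcmp(t, "NTLMSSP", 8) == 0) return TOK_NTLMSSP;   /* the 8 bytes include the NUL */
    if (n >= 1 && t[0] == 0xa1) return TOK_SPNEGO_RESP;
    if (n < 2 || t[0] != 0x60) return TOK_INVALID;
    size_t body = 0, used = der_len(t + 1, n - 1, &body);
    if (used == 0 || body != n - 1 - used) return TOK_INVALID;   /* outer length must cover the rest exactly */
    const unsigned char *oid = t + 1 + used;
    if (body >= sizeof spnego_oid && memcmp(oid, spnego_oid, sizeof spnego_oid) == 0) return TOK_SPNEGO_INIT;
    if (body >= sizeof krb5_oid && memcmp(oid, krb5_oid, sizeof krb5_oid) == 0) return TOK_KRB5;
    return TOK_OTHER_GSS;
}

/* Decode one WWW-Authenticate: Negotiate value and classify it (the 4096-byte cap is an assumption). */
enum token_kind classify_negotiate_header(const char *b64) {
    unsigned char buf[4096];
    long n = base64_decode_strict(b64, buf, sizeof buf);
    return n < 0 ? TOK_INVALID : classify_token(buf, (size_t)n);
}

int main(void) {
    /* Constructed minimal sample values, not captures from IIS; the last one drops its trailing '='. */
    const char *samples[] = { "YAwGBisGAQUFAqACMAA=", "oQcwBaADCgEA", "TlRMTVNTUAABAAAA", "YAwGBisGAQUFAqACMAA" };
    const char *names[] = { "invalid/corrupt", "SPNEGO negTokenInit", "SPNEGO negTokenResp", "Kerberos", "raw NTLMSSP", "other GSS mech" };
    for (size_t i = 0; i < 4; i++) printf("%-22s -> %s\n", samples[i], names[classify_negotiate_header(samples[i])]);
    printf("major 589824: calling=%u routine=%u (%s) supplementary=%#x continue_needed=%d\n", calling_error(589824),
           routine_error(589824), routine_error_name(589824), supplementary(589824), continue_needed(589824));
    return 0;
}
```

On the second leg of a Negotiate exchange the header value from the server should classify as a SPNEGO negTokenResp. If the strict decoder rejects the value, or it decodes but classifies as invalid, the bytes were damaged before they reached gss_init_sec_context, which is the failure Simon describes. Context-establishment tokens are passed straight to gss_init_sec_context; gss_unwrap applies only to per-message tokens on an already established context, so "unwrapping" is not a step that belongs in this loop.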