Bug in SPNEGO
Luke Howard
lukeh at padl.com
Thu Sep 22 04:58:34 EDT 2011
SPNEGO fails to set some of the return arguments to gss_accept_sec_context() if the negotiated mechanism's gss_accept_sec_context() isn't called, as happens when the last token only contains a mechlistMIC. This breaks some applications, for example gss-server which expects the returned mech_type OID to be non-NULL.
The following patch is a start but one also needs to deal with delegated_cred_handle:
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 657a2f8..30f9eeb 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1749,6 +1749,13 @@ cleanup:
*src_name = sc->internal_name;
sc->internal_name = GSS_C_NO_NAME;
}
+ if (sc->internal_mech != GSS_C_NO_OID &&
+ mech_type != NULL) {
+ *mech_type = sc->internal_mech;
+ sc->internal_mech = GSS_C_NO_OID;
+ }
+ if (ret_flags != NULL)
+ *ret_flags = sc->ctx_flags;
release_spnego_ctx(&sc);
} else if (ret != GSS_S_CONTINUE_NEEDED) {
if (sc != NULL) {
-- Luke
More information about the krbdev
mailing list