[PATCH] Fix SPNEGO interoperability with servers implementing RFC2478

David Woodhouse dwmw2 at infradead.org
Fri Jul 25 17:40:23 EDT 2014


FWIW here's an updated version of the patch which sets sc->mic_reqd
according to whether we see request-mic or not. My previous version
still unconditionally set it to 1.

It didn't make any difference in practice. It meant that we *sent* a MIC
to the server, which hadn't asked for it and duly ignored it. And if
Firefox or Curl had actually been feeding the final SPNEGO token back
into the GSS context after receiving it in a successful HTTP 200
response, it might then have been rejected. But what web client is going
to bother doing that when the authentication has already *succeeded*? :)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 2aa6810..542a78b 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -831,17 +831,17 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
 	sc->internal_mech = &sc->mech_set->elements[i];
 
 	/*
-	 * Windows 2003 and earlier don't correctly send a
-	 * negState of request-mic when counter-proposing a
-	 * mechanism.  They probably don't handle mechListMICs
-	 * properly either.
+	 * A server conforming to RFC4178 MUST set REQUEST_MIC here
+	 * but Windows 2003 and earlier implement (roughly) RFC2478
+	 * instead, and send ACCEPT_INCOMPLETE.
 	 */
-	if (acc_negState != REQUEST_MIC)
+	if (acc_negState != REQUEST_MIC &&
+	    acc_negState != ACCEPT_INCOMPLETE)
 		return GSS_S_DEFECTIVE_TOKEN;
 
 	sc->mech_complete = 0;
-	sc->mic_reqd = 1;
-	*negState = REQUEST_MIC;
+	sc->mic_reqd = (acc_negState == REQUEST_MIC);
+	*negState = acc_negState;
 	*tokflag = CONT_TOKEN_SEND;
 	return GSS_S_CONTINUE_NEEDED;
 }
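Review bot: the new comment above the relaxed check explains why ACCEPT_INCOMPLETE is tolerated, but it does not state the cost of the `sc->mic_reqd = (acc_negState == REQUEST_MIC);` line that follows: for a peer that answers ACCEPT_INCOMPLETE on reselection, the client no longer requires a mechListMIC, so the integrity check of the negotiated mechanism list is dropped for that exchange rather than merely deferred. Suggest saying so explicitly in the comment (e.g. "...and send ACCEPT_INCOMPLETE; in that case no mechListMIC is required, so the mech list is not integrity-protected against such peers") so a later reader does not mistake the ACCEPT_INCOMPLETE branch for an equivalent of REQUEST_MIC. Also worth noting in the comment that `*negState = acc_negState;` now echoes the peer's state back instead of always forcing REQUEST_MIC, which is what keeps the RFC4178 path unchanged.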
-- 
1.9.3


-- 
dwmw2