[PATCH] Fix SPNEGO interoperability with servers implementing RFC2478

Greg Hudson ghudson at MIT.EDU
Fri Jul 25 20:01:56 EDT 2014


On 07/25/2014 07:26 PM, David Woodhouse wrote:
> Looking at handle_mic(), I think our implementation will return
> GSS_S_DEFECTIVE_TOKEN if it sees a final mechanism token without the MIC
> attached. It doesn't return GSS_S_CONTINUE_NEEDED and hope for the MIC
> to come in later on its own. I don't think that's even possible.

The server appears to do so if it sends the final mech token.  It has
to; the client can't necessarily produce a MIC until the context is
established.

(My reasoning, with line numbers from current master: handle_mic decides
to reject at line 528 if no token is to be sent, but continues on if a
token is to be sent.  At line 559, it decides to respond with
ACCEPT_INCOMPLETE if a MIC is required.)

