[PATCH] Fix SPNEGO interoperability with servers implementing RFC2478

Greg Hudson ghudson at MIT.EDU
Fri Jul 25 20:01:56 EDT 2014

On 07/25/2014 07:26 PM, David Woodhouse wrote:
> Looking at handle_mic(), I think our implementation will return
> GSS_S_DEFECTIVE_TOKEN if it sees a final mechanism token without the MIC
> attached. It doesn't return GSS_S_CONTINUE_NEEDED and hope for the MIC
> to come in later on its own. I don't think that's even possible.

The server appears to do so if it sends the final mech token.  It has
to; the client can't necessarily produce a MIC until the context is

(My reasoning, with line numbers from current master: handle_mic decides
to reject at line 528 if no token is to be sent, but continues on if a
token is to be sent.  At line 559, it decides to respond with
ACCEPT_INCOMPLETE if a MIC is required.)

More information about the krbdev mailing list