[mechglue] No initial response at all if no responseToken
I may have mentioned this before but in the mechglue-branch I noticed that
the spnego/accept_sec_context.c will set require_response = 0 if there
is no responseToken possibly resulting in an empty output_buffer. From
reading RFC4178 I think there must be a response to the initial
NegTokenInit since the initiator needs to check the supportedMech to
determine if it should request-mic.

My fix was to set require_response to initialToken:

    } else
        verify_mic = get_mic = FALSE;
    if (ctx->mech_flags & GSS_C_DCE_STYLE)
        require_response = (negResult != accept_completed);
    else
        require_response = initialToken; <---

Also, from observing IIS and SMB authentications, under the said condition
an empty responseToken is sent (0x04 0x00 for octet string of length
0). To mimic this behavior I just removed the mech_token->length !=
0 in spnego/accept_sec_context.c:send_accept.

    if (mech_token != GSS_C_NO_BUFFER) { <---
        ALLOC(resp.responseToken, 1);
        if (resp.responseToken == NULL) {

Mike
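
The wire-level difference between omitting responseToken and sending it empty, as discussed in the message above, shown as an added example that is not part of the original post or of the project's code. The function name, the Kerberos 5 supportedMech and the negState value 1 (accept-incomplete) are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2 (assumed supportedMech). */
static const unsigned char KRB5_OID[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };

/* Write one TLV with a short-form length (content must be under 128 bytes). */
static size_t tlv(unsigned char *out, unsigned char tag,
                  const unsigned char *val, size_t len)
{
    out[0] = tag;
    out[1] = (unsigned char)len;
    if (len)
        memcpy(out + 2, val, len);
    return len + 2;
}

/* Encode NegotiationToken.negTokenResp. tok == NULL omits responseToken
 * (the GSS_C_NO_BUFFER case); a non-NULL tok with tok_len == 0 emits an
 * empty OCTET STRING. Returns the encoded length, or 0 on bad sizes. */
size_t encode_neg_token_resp(unsigned char *out, size_t cap, unsigned char neg_state,
                             const unsigned char *tok, size_t tok_len)
{
    unsigned char body[96], inner[72], seq[96];
    size_t n = 0, m;

    if (tok_len > 64 || cap < 90)        /* keeps every length in short form */
        return 0;
    m = tlv(inner, 0x0a, &neg_state, 1);                 /* ENUMERATED */
    n += tlv(body + n, 0xa0, inner, m);                  /* negState [0] */
    n += tlv(body + n, 0xa1, KRB5_OID, sizeof KRB5_OID); /* supportedMech [1] */
    if (tok != NULL) {
        m = tlv(inner, 0x04, tok, tok_len);              /* OCTET STRING, may be empty */
        n += tlv(body + n, 0xa2, inner, m);              /* responseToken [2] */
    }
    m = tlv(seq, 0x30, body, n);                         /* NegTokenResp SEQUENCE */
    return tlv(out, 0xa1, seq, m);                       /* CHOICE negTokenResp [1] */
}

int main(void)
{
    unsigned char buf[128];
    size_t i, len = encode_neg_token_resp(buf, sizeof buf, 1, (const unsigned char *)"", 0);
    for (i = 0; i < len; i++)
        printf("%02x ", buf[i]);
    printf("\n");
    return 0;
}
```

With an empty buffer the reply ends in a2 02 04 00; with no buffer the [2] element is absent and the token is four bytes shorter, while negState and supportedMech are encoded identically in both.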