Subject: krb5_gss_accept_sec_context should handle inconsistent mutual auth requests
If an initiator sends an initial krb5 mechanism token with GSS_C_MUTUAL_FLAG clear, but with
mutual-required set in the AP-REQ, krb5_gss_accept_sec_context() only looks at the GSS flag.
The MS krb5 GSS mechanism implementation, when mutual auth isn't requested, appears to
emit a krb5 token that is inconsistent in this way, yet expects a reply token.
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #3775] krb5_gss_accept_sec_context should handle inconsistent mutual auth requests
From: Tom Yu <tlyu@MIT.EDU>
Date: Sat, 20 May 2006 00:29:15 -0400
Actually, it isn't inconsistent within the MS krb5 mech itself. I
just wasn't looking at the same things in two different places. What
is actually happening is that if mutual auth is not requested, the MS
SPNEGO implementation always turns on mutual auth for the optimistic
krb5 mech token, but not for a krb5 mech token after we
counter-propose. It then insists on not doing a MIC exchange, despite
us counter-proposing.