Subject: SPNEGO doesn't interoperate with Windows 2000
Date: Wed, 19 May 2010 16:46:20 -0400
From: "Arlene Berry" <aberry@likewise.com>
To: <krb5-bugs@mit.edu>
The problem is Windows 2000 returns a second copy of the mechanism
response token as the mechListMIC. We saw this with Windows 2000
Server. We worked around the problem by changing get_negTokenResp which
parses out the SPNEGO token components to detect the duplicate token and
not return it as a mechListMIC. This prevents subsequent errors when
attempting to parse the duplicate response as a mechListMIC and was
enough for it to work. The decision as to whether a mechListMIC is
required happens elsewhere and is unchanged.

Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c (revision 40750)
+++ src/lib/gssapi/spnego/spnego_mech.c (revision 40751)
@@ -3111,6 +3111,19 @@
*mechListMIC = get_input_token(&ptr, REMAIN);
if (*mechListMIC == GSS_C_NO_BUFFER)
return GSS_S_DEFECTIVE_TOKEN;
+
+ /* Handle Windows 2000 duplicate response token */
+ if (*responseToken &&
+ ((*responseToken)->length ==
(*mechListMIC)->length) &&
+ !memcmp((*responseToken)->value,
(*mechListMIC)->value,
+ (*responseToken)->length))
+ {
+ OM_uint32 tmpmin;
+
+ gss_release_buffer(&tmpmin, *mechListMIC);
+ free(*mechListMIC);
+ *mechListMIC = NULL;
+ }
}
return GSS_S_COMPLETE;
#undef REMAIN
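Review bot: The duplicate test in the added if condition passes (*responseToken)->value and (*mechListMIC)->value to memcmp without checking that the length is non-zero or that either value pointer is non-NULL. Nothing in the visible lines rules out both tokens arriving empty, in which case memcmp is called on possibly NULL pointers and an empty mechListMIC is treated as a duplicate of an empty response token. Suggest adding (*mechListMIC)->length > 0 to the condition. The reset should use GSS_C_NO_BUFFER rather than NULL, to match the (*mechListMIC == GSS_C_NO_BUFFER) check just above. The comment could also say that a byte-identical mechListMIC is discarded without verification, so the code that decides whether a MIC is required must still fail the negotiation when one is needed.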
From: tlyu@mit.edu
Subject: SVN Commit

Apply patch from Arlene Berry to detect and ignore a duplicate
mechanism token sent in the mechListMIC field, such as sent by Windows
2000 Server.

https://github.com/krb5/krb5/commit/b2b972bb559c7f9df289d814bce1ba1f55eb3416
Commit By: tlyu
Revision: 24075
Changed Files:
U trunk/src/lib/gssapi/spnego/spnego_mech.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r24075 from trunk

------------------------------------------------------------------------
r24075 | tlyu | 2010-05-20 17:32:47 -0400 (Thu, 20 May 2010) | 8 lines

ticket: 6726
target_version: 1.8.2
tags: pullup

Apply patch from Arlene Berry to detect and ignore a duplicate
mechanism token sent in the mechListMIC field, such as sent by Windows
2000 Server.

https://github.com/krb5/krb5/commit/497b3e2cb92ca98280a9c889e21572e8c707d5ec
Commit By: tlyu
Revision: 24076
Changed Files:
U branches/krb5-1-8/src/lib/gssapi/spnego/spnego_mech.c