From 5773d47677478e7742b2ac227fbf33c0cc3260a1 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 10 Dec 2013 12:04:18 -0500 Subject: [PATCH] Fix SPNEGO one-hop interop against old IIS IIS 6.0 and similar return a zero length reponse buffer in the last SPNEGO packet when context initiation is performed without mutual authentication. In this case the underlying Kerberos mechanism has already completed successfully on the first invocation, and SPNEGO does not expect a mech response token in the answer. If we get an empty mech response token when the mech is complete during negotiation, ignore it. [ghudson@mit.edu: small code style and commit message changes] (cherry picked from commit 37af638b742dbd642eb70092e4f7781c3f69d86d) ticket: 7827 (new) version_fixed: 1.11.5 status: resolved --- src/lib/gssapi/spnego/spnego_mech.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index b2359d4529..710183aba6 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -759,6 +759,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, map_errcode(minor_status); ret = GSS_S_DEFECTIVE_TOKEN; } + } else if ((*responseToken)->length == 0 && sc->mech_complete) { + /* Handle old IIS servers returning empty token instead of + * null tokens in the non-mutual auth case. */ + *negState = ACCEPT_COMPLETE; + *tokflag = NO_TOKEN_SEND; + ret = GSS_S_COMPLETE; } else if (sc->mech_complete) { /* Reject spurious mech token. */ ret = GSS_S_DEFECTIVE_TOKEN; -- 2.47.3