[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[mechglue] No initial response at all if no responseToken

I may have mentioned this before but in the mechglue-branch I noticed that
the spnego/accept_sec_context.c will set require_response = 0 if there
is no responseToken possibly resulting in an empty output_buffer. From
reading RFC4178 I think there must be a response to the inital
NegTokenInit since the initiator needs to check the supportedMech to
determine if it should request-mic.

My fix was to set require_response to initialToken:

        } else
            verify_mic = get_mic = FALSE;
        if (ctx->mech_flags & GSS_C_DCE_STYLE)
            require_response = (negResult != accept_completed);
            require_response = initialToken; <---

Also, from observing IIS and SMB authentications, under the said condition
an empty responseToken is sent (0x04 0x00 for octect string of length
0). To mimic this behavior I just removed the mech_token->legnth !=
0 in spnego/accept_sec_context.c:send_accept.

    if (mech_token != GSS_C_NO_BUFFER) { <---
        ALLOC(resp.responseToken, 1);
        if (resp.responseToken == NULL) {