
ASN.1 BITSTRING and NegTokenInit.reqFlags


Heimdal's NegTokenInit.reqFlags is unconditionally set to NULL in
lib/gssapi/spnego/init_sec_context.c:spnego_initial. It seems this
causes AD to think that it should do whatever it wants which is to use
both integrity and confidentiality. If you then don't use integrity on
LDAP SASL buffers, AD will simply not respond and the LDAP operation
will time out. If you don't use confidentiality on LDAP SASL buffers,
AD will return encrypted responses.

It seems the last time I looked into this the ultimate source of the
issue was that ASN.1 BITSTRING fields were not encoded in the way AD
wanted. Is this still an issue? If not, has there been any thought to
getting the NegTokenInit.reqFlags included properly so we can turn off
integrity and confidentiality if desired?

Currently it's not a big deal because I can simply add integrity if the
cred is SPNEGO and I would be happy to provide a fix for this when I
migrate from 0.7.2 to the latest Heimdal (assuming BITSTRINGs are encoded
ok now).


Michael B Allen
PHP Active Directory SPNEGO SSO
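
For reference, the two byte layouts a ContextFlags BIT STRING can take on the wire, as an added example that is not part of the original post and is not Heimdal code: DER drops trailing zero bits of a named-bit list, while a fixed-width encoder emits all 32 bits. The function names are hypothetical, the bit numbers are those of RFC 4178, and the example makes no claim about which form AD accepts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ContextFlags named bits from RFC 4178; named bit 0 is the MSB of the first octet. */
enum { DELEG, MUTUAL, REPLAY, SEQUENCE, ANON, CONF, INTEG };

/* Encode mask (bit n set = named bit n set) as a BIT STRING TLV into out (>= 7 bytes).
 * pad32 == 0: DER form, trailing zero bits dropped; pad32 == 1: all 32 bits emitted. */
size_t encode_context_flags(uint32_t mask, int pad32, uint8_t *out)
{
    uint8_t bits[4] = {0};
    int last = -1, b, n;
    for (b = 0; b < 32; b++)
        if (mask & (1u << b)) {
            bits[b / 8] |= (uint8_t)(0x80 >> (b % 8));
            last = b;
        }
    if (pad32) last = 31;
    n = (last < 0) ? 0 : last / 8 + 1;
    out[0] = 0x03;                                      /* BIT STRING tag */
    out[1] = (uint8_t)(n + 1);                          /* unused-bits octet + data */
    out[2] = (last < 0) ? 0 : (uint8_t)(7 - last % 8);  /* unused bits in last octet */
    memcpy(out + 3, bits, (size_t)n);
    return 3 + (size_t)n;
}

/* Decode either form; bits counted as unused are ignored. Returns 0, or -1 if malformed. */
int decode_context_flags(const uint8_t *in, size_t len, uint32_t *mask)
{
    size_t nbits, i;
    if (len < 3 || in[0] != 0x03 || in[1] < 1 || in[1] > 5 ||
        len != (size_t)in[1] + 2 || in[2] > 7 || (in[1] == 1 && in[2] != 0))
        return -1;
    nbits = (size_t)(in[1] - 1) * 8 - in[2];
    *mask = 0;
    for (i = 0; i < nbits; i++)
        if (in[3 + i / 8] & (0x80 >> (i % 8)))
            *mask |= 1u << i;
    return 0;
}

int main(void)
{
    uint8_t buf[7];
    size_t i, n = encode_context_flags((1u << CONF) | (1u << INTEG), 0, buf);
    for (i = 0; i < n; i++)
        printf("%02x%c", buf[i], i + 1 < n ? ' ' : '\n');  /* 03 02 01 06 */
    return 0;
}
```

Comparing a captured reqFlags value against both outputs shows which form an encoder produced; the decoder accepts either.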