Better support for "non-standard" GSS mechs

If an initial security context token doesn't have a standard header per
RFC2743 then try all mechanisms until one succeeds or all fail.

We still try to guess NTLMSSP, raw Kerberos, and SPNEGO, from tasting
the initial security context token.
Nicolas Williams
2020-04-16 22:53:22 -05:00
committed by Nico Williams
parent 4199118c76
commit 92c288994a
4 changed files with 133 additions and 43 deletions
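
The tasting step the commit message describes, as an added C sketch that is not the project's code. The enum and function names are hypothetical, and the SPNEGO check (a leading `0xA0`, the tag of a bare NegTokenInit) and the NTLMSSP check (the `NTLMSSP\0` signature) are assumptions about what tasting inspects; the page itself shows only the `0x6E` AP-REQ test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this sketch; they are not identifiers from the page. */
enum token_guess {
    TOKEN_EMPTY,          /* nothing to taste */
    TOKEN_RFC2743_FRAMED, /* 0x60, [APPLICATION 0]: standard header, OID follows */
    TOKEN_RAW_KRB5,       /* 0x6E, [APPLICATION 14]: bare Kerberos AP-REQ */
    TOKEN_RAW_SPNEGO,     /* 0xA0, [0]: bare NegTokenInit (assumed check) */
    TOKEN_NTLMSSP,        /* "NTLMSSP\0" signature (assumed check) */
    TOKEN_UNKNOWN         /* no guess: caller tries every mechanism */
};

/* Guess the mechanism of an initial context token from its leading bytes.
 * A guess only selects which acceptor to try first; that acceptor's own
 * decoder must still validate the whole token. */
enum token_guess
taste_initial_token(const uint8_t *tok, size_t len)
{
    static const uint8_t ntlmssp_sig[8] = { 'N','T','L','M','S','S','P','\0' };

    if (tok == NULL || len == 0)
        return TOKEN_EMPTY;      /* never read tok[0] of an empty buffer */
    if (len >= sizeof(ntlmssp_sig) &&
        memcmp(tok, ntlmssp_sig, sizeof(ntlmssp_sig)) == 0)
        return TOKEN_NTLMSSP;
    switch (tok[0]) {
    case 0x60: return TOKEN_RFC2743_FRAMED;
    case 0x6E: return TOKEN_RAW_KRB5;
    case 0xA0: return TOKEN_RAW_SPNEGO;
    default:   return TOKEN_UNKNOWN;
    }
}

int main(void)
{
    /* Constructed sample prefixes, not captured traffic. */
    static const uint8_t raw_apreq[] = { 0x6E, 0x82, 0x01, 0x00 };
    static const uint8_t ntlm[] = { 'N','T','L','M','S','S','P','\0', 1, 0, 0, 0 };

    printf("raw AP-REQ -> %d, NTLMSSP -> %d\n",
           taste_initial_token(raw_apreq, sizeof(raw_apreq)),
           taste_initial_token(ntlm, sizeof(ntlm)));
    return 0;
}
```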

@@ -373,6 +373,13 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
GSS_KRB5_MECHANISM);
if (ret) {
/* Could be a raw AP-REQ (check for APPLICATION tag) */
if (input_token_buffer->length == 0 ||
((const uint8_t *)input_token_buffer->value)[0] != 0x6E) {
*minor_status = ASN1_MISPLACED_FIELD;
return GSS_S_DEFECTIVE_TOKEN;
}
/* Assume that there is no OID wrapping. */
indata.length = input_token_buffer->length;
indata.data = input_token_buffer->value;
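
Review bot: the first-byte test `!= 0x6E` in the raw AP-REQ branch uses an unexplained literal. 0x6E is the DER identifier octet for a constructed [APPLICATION 14] value, which is how AP-REQ is tagged, so a named constant or a comment spelling that out would make the check self-documenting. The same branch returns ASN1_MISPLACED_FIELD as the minor status for a zero-length token as well as for a wrong tag; a separate minor code for the empty case, or a comment saying the reuse is deliberate, would make failures easier to diagnose. Since one matching byte is only a taste, the "Assume that there is no OID wrapping" comment could also say that whatever decodes `indata` afterwards remains responsible for rejecting malformed input.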