From c65c7ace38244ae9228f55a24b96e0c3e8bac10d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Tue, 9 Sep 2003 10:40:12 +0000
Subject: [PATCH] (spnego_reply): SPNEGO doesn't include gss wrapping on SubsequentContextToken like the Kerberos 5 mech does. Lets check for it anyway.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12801 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
lib/gssapi/init_sec_context.c | 17 ++++++++---------
lib/gssapi/krb5/init_sec_context.c | 17 ++++++++---------
2 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c
index f4fcc3a45..d1546182d 100644
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -621,17 +621,19 @@ spnego_reply const u_char *p; size_t len, taglen; + output_token->length = 0; + output_token->value = NULL; + + /* + * SPNEGO doesn't include gss wrapping on SubsequentContextToken + * like the Kerberos 5 mech does. But lets check for it anyway. + */ + mech_len = gssapi_krb5_get_mech (input_token->value, input_token->length, &p); if (mech_len < 0) { - /* - * When using GSS-SPNEGO in LDAP, Microsoft ldap server sends - * token that doesn't have GSS-API wrapping, so, if the - * GSS-API header isn't there, just ignore it and hope that - * whole token is a NegotiationToken->NegTokenTarg message. - */ indata.data = input_token->value; indata.length = input_token->length; } else if (mech_len == GSS_KRB5_MECHANISM->length
@@ -660,9 +662,6 @@ spnego_reply } else return GSS_S_BAD_MECH; - output_token->length = 0; - output_token->value = NULL; - ret = der_match_tag_and_length((const char *)indata.data, indata.length - taglen, CONTEXT, CONS, 1, &len, &taglen);
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index f4fcc3a45..d1546182d 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
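Review bot: On the `mech_len < 0` path, `taglen` appears to be read before it is ever written: it is declared without an initializer at the top of the first hunk, the branch sets only `indata.data` and `indata.length`, and the context of the second hunk then passes `indata.length - taglen` as the available length to `der_match_tag_and_length`. Because `input_token` is supplied by the peer, an indeterminate length there means the DER parser's bound is not tied to the real size of the token. Passing the full length, `indata.length,` in place of `indata.length - taglen,`, and subtracting `taglen` only after the call has filled it in, would close that. The lines between the two hunks and the rest of spnego_reply are outside the diff, so confirm that no other path assigns `taglen` first; the identical hunks in lib/gssapi/krb5/init_sec_context.c need the same change.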
@@ -621,17 +621,19 @@ spnego_reply const u_char *p; size_t len, taglen; + output_token->length = 0; + output_token->value = NULL; + + /* + * SPNEGO doesn't include gss wrapping on SubsequentContextToken + * like the Kerberos 5 mech does. But lets check for it anyway. + */ + mech_len = gssapi_krb5_get_mech (input_token->value, input_token->length, &p); if (mech_len < 0) { - /* - * When using GSS-SPNEGO in LDAP, Microsoft ldap server sends - * token that doesn't have GSS-API wrapping, so, if the - * GSS-API header isn't there, just ignore it and hope that - * whole token is a NegotiationToken->NegTokenTarg message. - */ indata.data = input_token->value; indata.length = input_token->length; } else if (mech_len == GSS_KRB5_MECHANISM->length
@@ -660,9 +662,6 @@ spnego_reply } else return GSS_S_BAD_MECH; - output_token->length = 0; - output_token->value = NULL; - ret = der_match_tag_and_length((const char *)indata.data, indata.length - taglen, CONTEXT, CONS, 1, &len, &taglen);