(spnego_reply): SPNEGO doesn't include gss wrapping on

SubsequentContextToken like the Kerberos 5 mech does. Lets check for it anyway. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12801 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-09-09 10:40:12 +00:00
parent 2754625103
commit c65c7ace38
2 changed files with 16 additions and 18 deletions
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -621,17 +621,19 @@ spnego_reply
    const u_char *p;
    size_t len, taglen;

+    output_token->length = 0;
+    output_token->value  = NULL;
+
+    /*
+     * SPNEGO doesn't include gss wrapping on SubsequentContextToken
+     * like the Kerberos 5 mech does. But lets check for it anyway.
+     */
+    
    mech_len = gssapi_krb5_get_mech (input_token->value,
 				     input_token->length,
 				     &p);

    if (mech_len < 0) {
-	/*
-	 * When using GSS-SPNEGO in LDAP, Microsoft ldap server sends
-	 * token that doesn't have GSS-API wrapping, so, if the
-	 * GSS-API header isn't there, just ignore it and hope that
-	 * whole token is a NegotiationToken->NegTokenTarg message.
-	 */
 	indata.data = input_token->value;
 	indata.length = input_token->length;
    } else if (mech_len == GSS_KRB5_MECHANISM->length
@@ -660,9 +662,6 @@ spnego_reply
    } else
 	return GSS_S_BAD_MECH;

-    output_token->length = 0;
-    output_token->value  = NULL;
-
    ret = der_match_tag_and_length((const char *)indata.data,
 				   indata.length - taglen,
 				   CONTEXT, CONS, 1, &len, &taglen);