help-gsasl
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/2] _gsasl_gssapi_server_step: avoid empty challenge


From: Simon Josefsson
Subject: Re: [PATCH 2/2] _gsasl_gssapi_server_step: avoid empty challenge
Date: Tue, 18 Oct 2011 15:31:13 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

Andreas Oberritter <address@hidden> writes:

> - advance to step 2 immediately, if step 1 completes
>   (maj_stat == GSS_S_COMPLETE) without any output data.

When is this needed?

The spec (RFC 4752) says:

   The server passes the initial client response to
   GSS_Accept_sec_context as input_token, setting input_context_handle
   to 0 (initially), chan_binding of NULL, and a suitable
   acceptor_cred_handle (see below).  If GSS_Accept_sec_context returns
   GSS_S_CONTINUE_NEEDED, the server returns the generated output_token
   to the client in challenge and passes the resulting response to
   another call to GSS_Accept_sec_context, repeating the actions in this
   paragraph.

I think your patches alters the logic compared to the spec.  If it is
needed, we may want to bring it up on the SASL/KITTEN list for
confirmation.

Thanks,
/Simon


> Signed-off-by: Andreas Oberritter <address@hidden>
> ---
>  lib/gssapi/server.c |    7 +++++--
>  1 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/lib/gssapi/server.c b/lib/gssapi/server.c
> index edc62d7..9d8ff13 100644
> --- a/lib/gssapi/server.c
> +++ b/lib/gssapi/server.c
> @@ -174,8 +174,11 @@ _gsasl_gssapi_server_step (Gsasl_session * sctx,
>        if (maj_stat == GSS_S_COMPLETE)
>       state->step++;
>  
> -      res = GSASL_NEEDS_MORE;
> -      break;
> +      if (maj_stat == GSS_S_CONTINUE_NEEDED || *output_len) {
> +        res = GSASL_NEEDS_MORE;
> +        break;
> +      }
> +      /* fall through */
>  
>      case 2:
>        memset (tmp, 0xFF, 4);



reply via email to

[Prev in Thread] Current Thread [Next in Thread]