Re: [PATCH 2/2] _gsasl_gssapi_server_step: avoid empty challenge
From: Simon Josefsson
Subject: Re: [PATCH 2/2] _gsasl_gssapi_server_step: avoid empty challenge
Date: Tue, 18 Oct 2011 15:31:13 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

Andreas Oberritter <address@hidden> writes:
> - advance to step 2 immediately, if step 1 completes
> (maj_stat == GSS_S_COMPLETE) without any output data.
When is this needed?
The spec (RFC 4752) says:

   The server passes the initial client response to
   GSS_Accept_sec_context as input_token, setting input_context_handle
   to 0 (initially), chan_binding of NULL, and a suitable
   acceptor_cred_handle (see below).  If GSS_Accept_sec_context returns
   GSS_S_CONTINUE_NEEDED, the server returns the generated output_token
   to the client in challenge and passes the resulting response to
   another call to GSS_Accept_sec_context, repeating the actions in this
   paragraph.

I think your patches alter the logic compared to the spec. If it is
needed, we may want to bring it up on the SASL/KITTEN list for
confirmation.
Thanks,
/Simon
> Signed-off-by: Andreas Oberritter <address@hidden>
> ---
> lib/gssapi/server.c | 7 +++++--
> 1 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/lib/gssapi/server.c b/lib/gssapi/server.c
> index edc62d7..9d8ff13 100644
> --- a/lib/gssapi/server.c
> +++ b/lib/gssapi/server.c
> @@ -174,8 +174,11 @@ _gsasl_gssapi_server_step (Gsasl_session * sctx,
> if (maj_stat == GSS_S_COMPLETE)
> state->step++;
>
> - res = GSASL_NEEDS_MORE;
> - break;
> + if (maj_stat == GSS_S_CONTINUE_NEEDED || *output_len) {
> + res = GSASL_NEEDS_MORE;
> + break;
> + }
> + /* fall through */
>
> case 2:
> memset (tmp, 0xFF, 4);
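
Review bot: the new test `if (maj_stat == GSS_S_CONTINUE_NEEDED || *output_len)` falls through into case 2 for every maj_stat other than GSS_S_CONTINUE_NEEDED when *output_len is zero, while the commit message describes the fall-through only for GSS_S_COMPLETE with no output data. Unless error statuses are already rejected earlier in case 1 (not visible in this hunk), make the fall-through explicit, for example by entering case 2 only when `maj_stat == GSS_S_COMPLETE && *output_len == 0` and keeping `res = GSASL_NEEDS_MORE; break;` for everything else. The condition also depends on *output_len having been assigned on every path that reaches it, which is worth confirming since the assignment is outside the hunk. The `/* fall through */` comment is good to have; a second comment saying why step 2 runs in the same call (no token to send, so no challenge) would help the next reader. Style: the opening brace sits on the `if` line, while the spacing of the surrounding lines suggests GNU style, which puts it on its own line.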