Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error
Andrew Bartlett
abartlet at samba.org
Sun Mar 20 08:15:20 UTC 2016
On Sat, 2016-03-19 at 10:05 +0200, Alexander Bokovoy wrote:
> Sending non-empty output token is required by GSSAPI processing
> regardless of the state we are in, see closing paragraphs of 2.2.2
> in RFC 2743:
> ----------------------------
> The output_token result, when non-NULL, provides a context-level
> token
> to be returned to the context initiator to continue a multi-step
> context
> establishment sequence. As noted with GSS_Init_sec_context(), any
> returned token should be transferred to the context's peer (in this
> case, the context initiator), independent of the value of the
> accompanying returned major_status.
> ----------------------------
Thanks! Sounds like we should pass it on, but not adjust the status
variable. I do wonder if the rest of gensec (and callers) expects
that, but it of course should also be adjusted.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list