search for: gss_wrap

...s_accept_sec_context returns GSS_S_COMPLETE with a zero-length output token. Dovecot currently sends this to the client as a zero-length continuation response, but this is incorrect according to RFC 4752: what it ought to do instead is proceed straight to the security layer negotiations, and send a gss_wrap packet. The second is that Cyrus sends an empty authz identity; that is, the security layer negotiation packet, when gss_unwrapped, is exactly 4 bytes long. Dovecot objects to this, but in RFC 4422 this is explicitly allowed, and means the authz identity is identical to the authn identity. I beli...

...uffer_desc outbuf; + char ret[4]; + + /* The clients return data should be empty here */ + + ret[0] = 0x01; /* Only authentication, no integrity or confidentiality protection (yet?) */ + ret[1] = 0xFF; + ret[2] = 0xFF; + ret[3] = 0xFF; + + inbuf.length = 4; + inbuf.value = ret; + + major_status = gss_wrap(&minor_status, request->gss_ctx, 0, + GSS_C_QOP_DEFAULT, + &inbuf, NULL, &outbuf); + + if (GSS_ERROR(major_status)) { + auth_request_log_gss_error(&request->auth_request, major_status, GSS_C_GSS_CODE, + "sending security layer negotiation"); + auth...

..._cred_by_oid.c Compiling heimdal/lib/gssapi/mech/gss_canonicalize_name.c Compiling heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c Compiling heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c Compiling heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c Compiling heimdal/lib/gssapi/mech/gss_wrap_size_limit.c Compiling heimdal/lib/gssapi/mech/gss_names.c Compiling heimdal/lib/gssapi/mech/gss_verify.c Compiling heimdal/lib/gssapi/mech/gss_display_name.c Compiling heimdal/lib/gssapi/mech/gss_duplicate_oid.c Compiling heimdal/lib/gssapi/mech/gss_display_status.c Compiling heimdal/lib/gssapi/me...