2004-02-05 Jeffrey Altman <jaltman@mit.edu>

    * gssapiP_krb5.h:  remove KG_IMPLFLAGS macro

    * init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS
      macro with previous macro definition

    * accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS
      macro with new definition.  As per 1964 the INTEG and CONF flags
      are supposed to indicate the availability of the services in
      the client.  By applying the previous definition of KG_IMPLFLAGS
      the INTEG and CONF flags are always on.  This can be a problem
      because some clients such as Microsoft's Kerberos SSPI allow
      CONF and INTEG to be used independently.  By forcing the flags
      on, we would end up with inconsist state with the client.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16022 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index f29dfe00c0089efdec3ab118c253a6978d5d2fa5..95d98cd5370d608984c2b7ed2e858cd677aed508 100644 (file)
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,19 @@
+2004-02-05  Jeffrey Altman <jaltman@mit.edu>
+
+    * gssapiP_krb5.h:  remove KG_IMPLFLAGS macro
+
+    * init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS
+      macro with previous macro definition
+
+    * accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS
+      macro with new definition.  As per 1964 the INTEG and CONF flags
+      are supposed to indicate the availability of the services in 
+      the client.  By applying the previous definition of KG_IMPLFLAGS
+      the INTEG and CONF flags are always on.  This can be a problem
+      because some clients such as Microsoft's Kerberos SSPI allow
+      CONF and INTEG to be used independently.  By forcing the flags
+      on, we would end up with inconsist state with the client.
+
 2004-01-27  Ken Raeburn  <raeburn@mit.edu>
 
        * init_sec_context.c (make_gss_checksum) [CFX_EXERCISE]: Don't

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 6ab291b1b50c8f871bae5598ecb096b5cad35626..daff47ffb9c401d400d288d2d56ce073ad125489 100644 (file)
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -611,7 +611,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    ctx->mech_used = (gss_OID) mech_used;
    ctx->auth_context = auth_context;
    ctx->initiate = 0;
-   ctx->gss_flags = KG_IMPLFLAGS(gss_flags);
+   ctx->gss_flags = (GSS_C_TRANS_FLAG |
+                    ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+                            GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+                            GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
    ctx->seed_init = 0;
    ctx->big_endian = bigend;
 

diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index c6d8769e1b61abc6e3314443c89422a2abd850a6..04c9c59f581571629e9da3a519a5da370e39c089 100644 (file)
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -85,11 +85,6 @@
 #define        KG_TOK_WRAP_MSG         0x0201
 #define KG_TOK_DEL_CTX         0x0102
 
-#define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
-                        GSS_C_TRANS_FLAG | \
-                        ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
-                                GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
-
 #define KG2_TOK_INITIAL                0x0101
 #define KG2_TOK_RESPONSE       0x0202
 #define KG2_TOK_MIC            0x0303

diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 2dd320cd834d066b976f3e029c79b863bf39119a..544316e0afe33fc7769132a3f054b1ed40c2229f 100644 (file)
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -507,7 +507,10 @@ new_connection(
    krb5_auth_con_setflags(context, ctx->auth_context,
                          KRB5_AUTH_CONTEXT_DO_SEQUENCE);
    ctx->initiate = 1;
-   ctx->gss_flags = KG_IMPLFLAGS(req_flags);
+   ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+                     GSS_C_TRANS_FLAG | 
+                     ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+                                     GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
    ctx->seed_init = 0;
    ctx->big_endian = 0;  /* all initiators do little-endian, as per spec */
    ctx->seqstate = 0;