From 3ce5ddc67c2209f9e4a8bb694fd3eb45d8208350 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Wed, 15 Apr 2009 20:07:48 +0000
Subject: [PATCH] pull up r22185 from trunk
------------------------------------------------------------------------
r22185 | ghudson | 2009-04-08 12:39:33 -0400 (Wed, 08 Apr 2009) | 8 lines
Changed paths:
M /trunk/src/lib/gssapi/generic/gssapi.hin
M /trunk/src/lib/gssapi/krb5/init_sec_context.c
ticket: 6203
tags: pullup
target_version: 1.7
Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG, which requests delegation only if the ok-as-delegate ticket flag is set.
ticket: 6203
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22255 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/generic/gssapi.hin | 1 +
 src/lib/gssapi/krb5/init_sec_context.c | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/generic/gssapi.hin b/src/lib/gssapi/generic/gssapi.hin
index d33a0b505..422b4dbef 100644
--- a/src/lib/gssapi/generic/gssapi.hin
+++ b/src/lib/gssapi/generic/gssapi.hin
@@ -141,6 +141,7 @@ typedef int gss_cred_usage_t;
 #define GSS_C_ANON_FLAG 64
 #define GSS_C_PROT_READY_FLAG 128
 #define GSS_C_TRANS_FLAG 256
+#define GSS_C_DELEG_POLICY_FLAG 32768
 /*
 * Credential usage options
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index e7742216e..0f1294834 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -208,7 +208,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 if (code) {
 /* don't fail here; just don't accept/do the delegation request */
- data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+ data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG |
+ GSS_C_DELEG_POLICY_FLAG);
 data->checksum_data.length = 24;
 } else {
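Review bot: `GSS_C_DELEG_POLICY_FLAG` is added to gssapi.hin with no comment, and its value jumps from 256 to 32768 while the flags above it are consecutive powers of two. A one-line comment above the define, such as `/* Extension flag: delegate only if the ticket is marked ok-as-delegate. */`, would tell application authors what the bit requests and that it appears to sit outside the base flag set.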
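Review bot: In make_gss_checksum() the failure branch now clears both delegation bits, but `code` is still discarded, so an application that depends on delegation gets no error. It can only notice by inspecting the flags it gets back, presumably through ret_flags; the return path is outside the hunk. The existing comment could say so, for example `/* don't fail here; drop both delegation flags so the caller can see the request was not honoured */`. The `if (code)` branch starts and ends outside the hunk.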
@@ -494,6 +495,14 @@ new_connection(
 ctx->krb_times = k_cred->times;
+ /*
+ * GSS_C_DELEG_POLICY_FLAG means to delegate only if the
+ * ok-as-delegate ticket flag is set.
+ */
+ if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+ && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+ ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+ if (default_mech) {
 mech_type = (gss_OID) gss_mech_krb5;
 }
-- 2.26.2
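Review bot: The added comment in new_connection() says the policy flag delegates "only if" ok-as-delegate is set, but the block tests only `req_flags & GSS_C_DELEG_POLICY_FLAG`, so it does nothing to restrict a caller that passes GSS_C_DELEG_FLAG together with the policy flag. If gss_flags is seeded from req_flags earlier in the function (outside the hunk), that caller still forwards its TGT unconditionally. The comment should spell out the interaction, for example `* GSS_C_DELEG_FLAG on its own still requests unconditional delegation;` / `* the policy flag only adds delegation when the ticket is ok-as-delegate.` The multi-line `if` would also read more safely with braces around its single statement. Whether `k_cred->ticket_flags` reflects ok-as-delegate for every realm on a cross-realm path is not visible here and is worth confirming.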