Diffstat (limited to 'src')
-rw-r--r-- | src/lib/gssapi/krb5/ChangeLog | 16 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 5 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 5 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 5 |
4 files changed, 24 insertions, 7 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index f29dfe00c..95d98cd53 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,19 @@
+2004-02-05 Jeffrey Altman <jaltman@mit.edu>
+
+ * gssapiP_krb5.h: remove KG_IMPLFLAGS macro
+
+ * init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS
+ macro with previous macro definition
+
+ * accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS
+ macro with new definition. As per 1964 the INTEG and CONF flags
+ are supposed to indicate the availability of the services in
+ the client. By applying the previous definition of KG_IMPLFLAGS
+ the INTEG and CONF flags are always on. This can be a problem
+ because some clients such as Microsoft's Kerberos SSPI allow
+ CONF and INTEG to be used independently. By forcing the flags
+ on, we would end up with inconsist state with the client.
+
 2004-01-27 Ken Raeburn <raeburn@mit.edu>
 
 * init_sec_context.c (make_gss_checksum) [CFX_EXERCISE]: Don't
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 6ab291b1b..daff47ffb 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -611,7 +611,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 ctx->mech_used = (gss_OID) mech_used;
 ctx->auth_context = auth_context;
 ctx->initiate = 0;
- ctx->gss_flags = KG_IMPLFLAGS(gss_flags);
+ ctx->gss_flags = (GSS_C_TRANS_FLAG |
+ ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
 ctx->seed_init = 0;
 ctx->big_endian = bigend;
 
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index c6d8769e1..04c9c59f5 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
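Review bot: In accept_sec_context.c the new `ctx->gss_flags` assignment takes GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG from the peer-supplied `gss_flags` instead of forcing them on, and nothing at the assignment records that change of contract. An acceptor application that needs confidentiality or integrity can no longer assume both are reported and has to test the returned flags, so I would add a comment such as `/* INTEG and CONF mirror what the initiator advertised (RFC 1964); they are no longer forced on, so callers must check ret_flags */`. Whether the per-message routines consult `ctx->gss_flags` before wrapping or signing is not visible here and is worth confirming. The body of krb5_gss_accept_sec_context starts and ends outside this hunk.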
@@ -85,11 +85,6 @@
 #define KG_TOK_WRAP_MSG 0x0201
 #define KG_TOK_DEL_CTX 0x0102
 
-#define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
- GSS_C_TRANS_FLAG | \
- ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
- GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
-
 #define KG2_TOK_INITIAL 0x0101
 #define KG2_TOK_RESPONSE 0x0202
 #define KG2_TOK_MIC 0x0303
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 2dd320cd8..544316e0a 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -507,7 +507,10 @@ new_connection(
 krb5_auth_con_setflags(context, ctx->auth_context,
 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
 ctx->initiate = 1;
- ctx->gss_flags = KG_IMPLFLAGS(req_flags);
+ ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_TRANS_FLAG |
+ ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
 ctx->seed_init = 0;
 ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
 ctx->seqstate = 0; |
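Review bot: In init_sec_context.c the expanded assignment keeps the macro-argument parentheses around `(req_flags)` and gives no reason why this side still forces GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG while the acceptor no longer does. Since the two masks now differ on purpose, a later reader could harmonise them by mistake; a comment such as `/* initiator always offers INTEG and CONF; the remaining bits follow req_flags */` together with a plain `req_flags & (...)` would make the intent explicit. new_connection starts and ends outside this hunk.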