authorJeffrey Altman <jaltman@secure-endpoints.com>2004-02-06 07:00:51 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2004-02-06 07:00:51 +0000
commit777e007f9cfd3fdbd73743598f6bdd9a8aa91a6e (patch)
treec6a0a2498e06d646fbf4d83f2137a64f167849ed /src/lib/gssapi
parent1384e5b47387b60e51995a59bc160fca51e312e8 (diff)
2004-02-05 Jeffrey Altman <jaltman@mit.edu>
* gssapiP_krb5.h: remove KG_IMPLFLAGS macro * init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS macro with previous macro definition * accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS macro with new definition. As per RFC 1964 the INTEG and CONF flags are supposed to indicate the availability of the services in the client. By applying the previous definition of KG_IMPLFLAGS the INTEG and CONF flags are always on. This can be a problem because some clients such as Microsoft's Kerberos SSPI allow CONF and INTEG to be used independently. By forcing the flags on, we would end up with an inconsistent state with the client. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16022 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r--src/lib/gssapi/krb5/ChangeLog16
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c5
-rw-r--r--src/lib/gssapi/krb5/gssapiP_krb5.h5
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c5
4 files changed, 24 insertions, 7 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index f29dfe0..95d98cd 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,19 @@
+2004-02-05 Jeffrey Altman <jaltman@mit.edu>
+
+ * gssapiP_krb5.h: remove KG_IMPLFLAGS macro
+
+ * init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS
+ macro with previous macro definition
+
+ * accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS
+ macro with new definition. As per 1964 the INTEG and CONF flags
+ are supposed to indicate the availability of the services in
+ the client. By applying the previous definition of KG_IMPLFLAGS
+ the INTEG and CONF flags are always on. This can be a problem
+ because some clients such as Microsoft's Kerberos SSPI allow
+ CONF and INTEG to be used independently. By forcing the flags
+ on, we would end up with inconsist state with the client.
+
2004-01-27 Ken Raeburn <raeburn@mit.edu>
* init_sec_context.c (make_gss_checksum) [CFX_EXERCISE]: Don't
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 6ab291b..daff47f 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -611,7 +611,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
ctx->mech_used = (gss_OID) mech_used;
ctx->auth_context = auth_context;
ctx->initiate = 0;
- ctx->gss_flags = KG_IMPLFLAGS(gss_flags);
+ ctx->gss_flags = (GSS_C_TRANS_FLAG |
+ ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
ctx->seed_init = 0;
ctx->big_endian = bigend;
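Review bot: The new assignment to `ctx->gss_flags` makes `GSS_C_INTEG_FLAG` and `GSS_C_CONF_FLAG` depend on `gss_flags` instead of being forced on, and nothing at the assignment records that these bits are now an input the acceptor does not control. The origin of `gss_flags` is outside this hunk; if it is parsed from the initiator's token, as the commit message implies, a service that previously assumed every accepted context offered confidentiality and integrity must now check the returned flags before relying on either. I would add a comment above the assignment such as `/* INTEG and CONF mirror what the initiator advertised (RFC 1964); they are no longer forced on, so callers must check ret_flags. */`. It is also worth confirming that the per-message routines, which are not visible here, behave sensibly when one of the two bits is clear. The body of krb5_gss_accept_sec_context starts and ends outside the hunk.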
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index c6d8769..04c9c59 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -85,11 +85,6 @@
#define KG_TOK_WRAP_MSG 0x0201
#define KG_TOK_DEL_CTX 0x0102
-#define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
- GSS_C_TRANS_FLAG | \
- ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
- GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
-
#define KG2_TOK_INITIAL 0x0101
#define KG2_TOK_RESPONSE 0x0202
#define KG2_TOK_MIC 0x0303
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 2dd320c..544316e 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -507,7 +507,10 @@ new_connection(
krb5_auth_con_setflags(context, ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
ctx->initiate = 1;
- ctx->gss_flags = KG_IMPLFLAGS(req_flags);
+ ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_TRANS_FLAG |
+ ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
ctx->seed_init = 0;
ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
ctx->seqstate = 0;
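Review bot: The initiator-side assignment to `ctx->gss_flags` is a verbatim paste of the removed macro body, so it keeps the macro-argument parentheses around `(req_flags)` and leaves the flag policy open-coded, here and in accept_sec_context.c, with no name or comment. With two different masks in two files, it is easy for a later change to update one side and miss the other. I would either keep two named macros in gssapiP_krb5.h, one for the initiator mask and one for the acceptor mask, or at least add a comment here such as `/* Initiator always advertises INTEG and CONF; only MUTUAL, REPLAY, SEQUENCE and DELEG follow req_flags. */` and drop the redundant parentheses. new_connection's body continues outside the hunk.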