From 044c1c6b6346ebaf8f472ef297b36e52dfef42fd Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Wed, 1 Jan 2020 22:32:46 +1100
Subject: [PATCH] gss: don't generate mechListMIC in SPNEGO if it is safe to omit it

---
 lib/gssapi/spnego/accept_sec_context.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
index b4384fd25..0e0cc9d2b 100644
--- a/lib/gssapi/spnego/accept_sec_context.c
+++ b/lib/gssapi/spnego/accept_sec_context.c
@@ -494,6 +494,16 @@ acceptor_complete(OM_uint32 * minor_status,
 *get_mic = 1;
 }
 
+ /*
+ * Change from previous versions: do not generate a MIC if not
+ * necessary. This conforms to RFC4178 s.5 ("if the accepted
+ * mechanism is the most preferred mechanism of both the initiator
+ * and acceptor, then the MIC token exchange... is OPTIONAL"),
+ * and is consistent with MIT and Windows behavior.
+ */
+ if (ctx->flags.safe_omit)
+ *get_mic = 0;
+
 if (verify_mic && mic == NULL && ctx->flags.safe_omit) {
 /*
 * Peer is old and didn't send a mic while we expected
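Review bot: The new `if (ctx->flags.safe_omit) *get_mic = 0;` clears get_mic without consulting `mic`, so when the initiator did send a mechListMIC the acceptor now omits its own reply MIC, whereas RFC 4178 §5, as I read it, makes the exchange optional only when the initiator sends nothing and still requires the acceptor to verify a received MIC and answer with one. The following `if (verify_mic && mic == NULL && ctx->flags.safe_omit)` branch only covers the no-MIC case, so unless the mic-received path further down still forces a reply, a narrower guard is safer: `if (ctx->flags.safe_omit && mic == NULL) *get_mic = 0;`. A short comment on what `safe_omit` actually asserts would also help, since mechListMIC is the only downgrade protection for the negotiated mech list and skipping it is safe only if the flag is derived from the initiator's preference order as well as the acceptor's, e.g. `/* safe_omit: accepted mech is first in both peers' lists, so the mech list cannot have been downgraded */`. acceptor_complete begins before and continues past this hunk, so the handling of a received MIC may live outside what is shown.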