gss: don't generate mechListMIC in SPNEGO if it is safe to omit it

2020-01-01 22:32:46 +11:00
parent 4fb6a6adc9
commit 044c1c6b63
1 changed files with 10 additions and 0 deletions
--- a/lib/gssapi/spnego/accept_sec_context.c
+++ b/lib/gssapi/spnego/accept_sec_context.c
@@ -494,6 +494,16 @@ acceptor_complete(OM_uint32 * minor_status,
 	    *get_mic = 1;
 	}

+	/*
+	 * Change from previous versions: do not generate a MIC if not
+	 * necessary. This conforms to RFC4178 s.5 ("if the accepted
+	 * mechanism is the most preferred mechanism of both the initiator
+	 * and acceptor, then the MIC token exchange... is OPTIONAL"),
+	 * and is consistent with MIT and Windows behavior.
+	 */
+	if (ctx->flags.safe_omit)
+	    *get_mic = 0;
+
 	if (verify_mic && mic == NULL && ctx->flags.safe_omit) {
 	    /*
 	     * Peer is old and didn't send a mic while we expected