From 1a7ec40448dfccf224e238b9391d60894568a85c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Tue, 7 Nov 2006 17:40:01 +0000
Subject: [PATCH] (init_auth): There is no OID wrapping on the reply token.
 From Andrew Bartlett

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18934 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/krb5/init_sec_context.c | 49 ++++++++++++++++++------------
 1 file changed, 29 insertions(+), 20 deletions(-)

diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 95f10f3bc..feaefd7f3 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -549,18 +549,18 @@ failure:
 
 static OM_uint32
 repl_mutual
-           (OM_uint32 * minor_status,
-	    gsskrb5_ctx ctx,
-            const gss_OID mech_type,
-            OM_uint32 req_flags,
-            OM_uint32 time_req,
-            const gss_channel_bindings_t input_chan_bindings,
-            const gss_buffer_t input_token,
-            gss_OID * actual_mech_type,
-            gss_buffer_t output_token,
-            OM_uint32 * ret_flags,
-            OM_uint32 * time_rec
-           )
+(OM_uint32 * minor_status,
+ gsskrb5_ctx ctx,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
 {
     OM_uint32 ret;
     krb5_error_code kret;
@@ -574,13 +574,22 @@ repl_mutual
     if (actual_mech_type)
 	*actual_mech_type = GSS_KRB5_MECHANISM;
 
-    ret = _gsskrb5_decapsulate (minor_status, input_token, &indata,
-				   "\x02\x00", GSS_KRB5_MECHANISM);
-    if (ret) {
-	/* XXX - Handle AP_ERROR */
-	return ret;
+    if (ctx->flags & GSS_C_DCE_STYLE) {
+	/* There is no OID wrapping. */
+	indata.length	= input_token->length;
+	indata.data	= input_token->value;
+    } else {
+	ret = _gsskrb5_decapsulate (minor_status,
+				    input_token,
+				    &indata,
+				    "\x02\x00",
+				    GSS_KRB5_MECHANISM);
+	if (ret) {
+	    /* XXX - Handle AP_ERROR */
+	    return ret;
+	}
     }
-    
+
     kret = krb5_rd_rep (_gsskrb5_context,
 			ctx->auth_context,
 			&indata,
@@ -610,8 +619,8 @@ repl_mutual
     *minor_status = 0;
     if (time_rec) {
 	ret = _gsskrb5_lifetime_left(minor_status,
-				   ctx->lifetime,
-				   time_rec);
+				     ctx->lifetime,
+				     time_rec);
     } else {
 	ret = GSS_S_COMPLETE;
     }