Remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is no longer in rfc2478bis
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14584 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -4,6 +4,14 @@
|
|||||||
KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
|
KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
|
||||||
growing indefinitely as no key is found with KEYTYPE_NULL
|
growing indefinitely as no key is found with KEYTYPE_NULL
|
||||||
|
|
||||||
|
* compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is
|
||||||
|
no longer used (however the mechListMIC behaviour is broken,
|
||||||
|
rfc2478bis support requires the code in the mechglue branch)
|
||||||
|
|
||||||
|
* init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
|
||||||
|
|
||||||
|
* gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
|
||||||
|
|
||||||
2005-01-05 Luke Howard <lukeh@padl.com>
|
2005-01-05 Luke Howard <lukeh@padl.com>
|
||||||
|
|
||||||
* 8003.c: use symbolic name for checksum type
|
* 8003.c: use symbolic name for checksum type
|
||||||
|
@@ -124,8 +124,7 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
|
|||||||
/*
|
/*
|
||||||
* For compatability with the Windows SPNEGO implementation, the
|
* For compatability with the Windows SPNEGO implementation, the
|
||||||
* default is to ignore the mechListMIC unless the initiator specified
|
* default is to ignore the mechListMIC unless the initiator specified
|
||||||
* GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, CFX or configured in krb5.conf
|
* CFX or configured in krb5.conf with the option
|
||||||
* with the option
|
|
||||||
* [gssapi]require_mechlist_mic=target-principal-pattern.
|
* [gssapi]require_mechlist_mic=target-principal-pattern.
|
||||||
* The option is valid for both initiator and acceptor.
|
* The option is valid for both initiator and acceptor.
|
||||||
*/
|
*/
|
||||||
@@ -137,10 +136,6 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
|
|||||||
OM_uint32 ret;
|
OM_uint32 ret;
|
||||||
int is_cfx = 0;
|
int is_cfx = 0;
|
||||||
|
|
||||||
if (ctx->flags & GSS_C_EXPECTING_MECH_LIST_MIC_FLAG) {
|
|
||||||
/* initiator insisted on mechListMIC */
|
|
||||||
*require_mic = TRUE;
|
|
||||||
} else {
|
|
||||||
gsskrb5_is_cfx(ctx, &is_cfx);
|
gsskrb5_is_cfx(ctx, &is_cfx);
|
||||||
if (is_cfx) {
|
if (is_cfx) {
|
||||||
/* CFX session key was used */
|
/* CFX session key was used */
|
||||||
@@ -153,7 +148,6 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
|
|||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
*minor_status = 0;
|
*minor_status = 0;
|
||||||
return GSS_S_COMPLETE;
|
return GSS_S_COMPLETE;
|
||||||
}
|
}
|
||||||
|
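Review bot: The block comment above `_gss_spnego_require_mechlist_mic` no longer reads correctly after this edit: "unless the initiator specified CFX or configured in krb5.conf" lost its subject when the flag name was removed. With the flag branch gone, the visible code requires the MIC only when `is_cfx` is set or the krb5.conf option applies, so an application can no longer ask per context for the SPNEGO mechanism list to be integrity-protected. The comment should say so plainly, for example `default is to ignore the mechListMIC unless a CFX session key was used or` followed by `the [gssapi]require_mechlist_mic option in krb5.conf selects the target principal`. It would also help to note there that for non-CFX contexts without that option the negotiated mechanism list is accepted unverified, since the ChangeLog entry already calls the mechListMIC behaviour broken. The function starts outside the hunks shown, so whether `*require_mic` is initialised on every path cannot be confirmed from this page.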
@@ -116,14 +116,6 @@ typedef OM_uint32 gss_qop_t;
|
|||||||
#define GSS_C_PROT_READY_FLAG 128
|
#define GSS_C_PROT_READY_FLAG 128
|
||||||
#define GSS_C_TRANS_FLAG 256
|
#define GSS_C_TRANS_FLAG 256
|
||||||
|
|
||||||
/*
|
|
||||||
* GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - Setting this flag causes the
|
|
||||||
* initiator to insist that the acceptor integrity protect the mechanism
|
|
||||||
* list when using SPNEGO. This can be forced on by setting the
|
|
||||||
* [gssapi]require_mechlist_mic option in krb5.conf.
|
|
||||||
*/
|
|
||||||
#define GSS_C_EXPECTING_MECH_LIST_MIC_FLAG 0x10000
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Credential usage options
|
* Credential usage options
|
||||||
*/
|
*/
|
||||||
|
@@ -725,8 +725,8 @@ spnego_reply
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify the mechListMIC if GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
|
* Verify the mechListMIC if CFX was used; or if local policy
|
||||||
* was specified or CFX was used; or if local policy dictated so.
|
* dictated so.
|
||||||
*/
|
*/
|
||||||
ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle,
|
ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle,
|
||||||
&require_mic);
|
&require_mic);
|
||||||
|
@@ -4,6 +4,14 @@
|
|||||||
KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
|
KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
|
||||||
growing indefinitely as no key is found with KEYTYPE_NULL
|
growing indefinitely as no key is found with KEYTYPE_NULL
|
||||||
|
|
||||||
|
* compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is
|
||||||
|
no longer used (however the mechListMIC behaviour is broken,
|
||||||
|
rfc2478bis support requires the code in the mechglue branch)
|
||||||
|
|
||||||
|
* init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
|
||||||
|
|
||||||
|
* gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
|
||||||
|
|
||||||
2005-01-05 Luke Howard <lukeh@padl.com>
|
2005-01-05 Luke Howard <lukeh@padl.com>
|
||||||
|
|
||||||
* 8003.c: use symbolic name for checksum type
|
* 8003.c: use symbolic name for checksum type
|
||||||
|
@@ -124,8 +124,7 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
|
|||||||
/*
|
/*
|
||||||
* For compatability with the Windows SPNEGO implementation, the
|
* For compatability with the Windows SPNEGO implementation, the
|
||||||
* default is to ignore the mechListMIC unless the initiator specified
|
* default is to ignore the mechListMIC unless the initiator specified
|
||||||
* GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, CFX or configured in krb5.conf
|
* CFX or configured in krb5.conf with the option
|
||||||
* with the option
|
|
||||||
* [gssapi]require_mechlist_mic=target-principal-pattern.
|
* [gssapi]require_mechlist_mic=target-principal-pattern.
|
||||||
* The option is valid for both initiator and acceptor.
|
* The option is valid for both initiator and acceptor.
|
||||||
*/
|
*/
|
||||||
@@ -137,10 +136,6 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
|
|||||||
OM_uint32 ret;
|
OM_uint32 ret;
|
||||||
int is_cfx = 0;
|
int is_cfx = 0;
|
||||||
|
|
||||||
if (ctx->flags & GSS_C_EXPECTING_MECH_LIST_MIC_FLAG) {
|
|
||||||
/* initiator insisted on mechListMIC */
|
|
||||||
*require_mic = TRUE;
|
|
||||||
} else {
|
|
||||||
gsskrb5_is_cfx(ctx, &is_cfx);
|
gsskrb5_is_cfx(ctx, &is_cfx);
|
||||||
if (is_cfx) {
|
if (is_cfx) {
|
||||||
/* CFX session key was used */
|
/* CFX session key was used */
|
||||||
@@ -153,7 +148,6 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
|
|||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
*minor_status = 0;
|
*minor_status = 0;
|
||||||
return GSS_S_COMPLETE;
|
return GSS_S_COMPLETE;
|
||||||
}
|
}
|
||||||
|
@@ -116,14 +116,6 @@ typedef OM_uint32 gss_qop_t;
|
|||||||
#define GSS_C_PROT_READY_FLAG 128
|
#define GSS_C_PROT_READY_FLAG 128
|
||||||
#define GSS_C_TRANS_FLAG 256
|
#define GSS_C_TRANS_FLAG 256
|
||||||
|
|
||||||
/*
|
|
||||||
* GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - Setting this flag causes the
|
|
||||||
* initiator to insist that the acceptor integrity protect the mechanism
|
|
||||||
* list when using SPNEGO. This can be forced on by setting the
|
|
||||||
* [gssapi]require_mechlist_mic option in krb5.conf.
|
|
||||||
*/
|
|
||||||
#define GSS_C_EXPECTING_MECH_LIST_MIC_FLAG 0x10000
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Credential usage options
|
* Credential usage options
|
||||||
*/
|
*/
|
||||||
|
@@ -725,8 +725,8 @@ spnego_reply
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify the mechListMIC if GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
|
* Verify the mechListMIC if CFX was used; or if local policy
|
||||||
* was specified or CFX was used; or if local policy dictated so.
|
* dictated so.
|
||||||
*/
|
*/
|
||||||
ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle,
|
ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle,
|
||||||
&require_mic);
|
&require_mic);
|
||||||
|