From 8570124fc92b0dbf8f6e1a816a4a13915a5f3357 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 7 Apr 2004 14:20:03 +0000
Subject: [PATCH] add _gss_spnego_require_mechlist_mic for compatibility with MS SPNEGO

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13691 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/compat.c | 40 +++++++++++++++++++++++++++++++++++++++-
 lib/gssapi/krb5/compat.c | 40 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/lib/gssapi/compat.c b/lib/gssapi/compat.c
index fc57f17b1..26e91937a 100644
--- a/lib/gssapi/compat.c
+++ b/lib/gssapi/compat.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -120,3 +120,41 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)

 return 0;
 }
+
+/*
+ * For compatability with the Windows SPNEGO implementation, the
+ * default is to ignore the mechListMIC unless the initiator specified
+ * GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, CFX or configured in krb5.conf
+ * with the option
+ * [gssapi]require_mechlist_mic=target-principal-pattern.
+ * The option is valid for both initiator and acceptor.
+ */
+OM_uint32
+_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t ctx,
+ krb5_boolean *require_mic)
+{
+ OM_uint32 ret;
+ int is_cfx = 0;
+
+ if (ctx->flags & GSS_C_EXPECTING_MECH_LIST_MIC_FLAG) {
+ /* initiator insisted on mechListMIC */
+ *require_mic = TRUE;
+ } else {
+ gsskrb5_is_cfx(ctx, &is_cfx);
+ if (is_cfx) {
+ /* CFX session key was used */
+ *require_mic = TRUE;
+ } else {
+ *require_mic = FALSE;
+ ret = check_compat(minor_status, ctx->target,
+ "require_mechlist_mic",
+ require_mic, TRUE);
+ if (ret)
+ return ret;
+ }
+ }
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
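Review bot: In `_gss_spnego_require_mechlist_mic`, the `if (ret) return ret;` path after `check_compat` leaves `*require_mic` at the `FALSE` written just before the call (unless `check_compat`, which is outside the hunk, changed it), so a caller that does not test the return value would treat the mechListMIC as optional. Since that MIC is what protects the SPNEGO mechanism negotiation from tampering, the error path should fail closed, e.g. `if (ret) { *require_mic = TRUE; return ret; }`. The result of `gsskrb5_is_cfx(ctx, &is_cfx)` is also unused; if that function can report failure (its declaration is not visible here), `is_cfx` stays 0 and the lenient branch is taken. It would help for the header comment to say that ignoring the MIC by default gives up that negotiation protection for non-CFX contexts. The same hunk is repeated in lib/gssapi/krb5/compat.c and the note applies there as well.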
diff --git a/lib/gssapi/krb5/compat.c b/lib/gssapi/krb5/compat.c
index fc57f17b1..26e91937a 100644
--- a/lib/gssapi/krb5/compat.c
+++ b/lib/gssapi/krb5/compat.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -120,3 +120,41 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)

 return 0;
 }
+
+/*
+ * For compatability with the Windows SPNEGO implementation, the
+ * default is to ignore the mechListMIC unless the initiator specified
+ * GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, CFX or configured in krb5.conf
+ * with the option
+ * [gssapi]require_mechlist_mic=target-principal-pattern.
+ * The option is valid for both initiator and acceptor.
+ */
+OM_uint32
+_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t ctx,
+ krb5_boolean *require_mic)
+{
+ OM_uint32 ret;
+ int is_cfx = 0;
+
+ if (ctx->flags & GSS_C_EXPECTING_MECH_LIST_MIC_FLAG) {
+ /* initiator insisted on mechListMIC */
+ *require_mic = TRUE;
+ } else {
+ gsskrb5_is_cfx(ctx, &is_cfx);
+ if (is_cfx) {
+ /* CFX session key was used */
+ *require_mic = TRUE;
+ } else {
+ *require_mic = FALSE;
+ ret = check_compat(minor_status, ctx->target,
+ "require_mechlist_mic",
+ require_mic, TRUE);
+ if (ret)
+ return ret;
+ }
+ }
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+