From c5d277848861135a1535f33678b35c678e8441da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 4 Dec 2003 11:16:38 +0000
Subject: [PATCH] add AcceptorSubkey (but no code understand it yet) ignore unknown token flags
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13181 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/cfx.c | 23 +++++++++++------------
 lib/gssapi/krb5/cfx.c | 23 +++++++++++------------
 2 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/lib/gssapi/cfx.c b/lib/gssapi/cfx.c
index cfa90922f..c3f92ca21 100644
--- a/lib/gssapi/cfx.c
+++ b/lib/gssapi/cfx.c
@@ -40,6 +40,7 @@ RCSID("$Id$");
 #define SentByAcceptor (1 << 0)
 #define Sealed (1 << 1)
+#define AcceptorSubkey (1 << 2)
 static krb5_error_code wrap_length_cfx(krb5_crypto crypto,
@@ -416,6 +417,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 {
 krb5_crypto crypto;
 gss_cfx_wrap_token token;
+ u_char token_flags;
 krb5_error_code ret;
 unsigned usage;
 krb5_data data;
@@ -438,12 +440,10 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 return GSS_S_DEFECTIVE_TOKEN;
 }
- /* Reject unknown flags */
- if (token->Flags & ~(SentByAcceptor | Sealed)) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
+ /* Ignore unknown flags */
+ token_flags = token->Flags & (SentByAcceptor | Sealed | AcceptorSubkey);
- if (token->Flags & SentByAcceptor) {
+ if (token_flags & SentByAcceptor) {
 if ((context_handle->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN;
 }
@@ -453,7 +453,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 }
 if (conf_state != NULL) {
- *conf_state = (token->Flags & Sealed) ? 1 : 0;
+ *conf_state = (token_flags & Sealed) ? 1 : 0;
 }
 ec = (token->EC[0] << 8) | token->EC[1];
@@ -507,7 +507,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 return GSS_S_FAILURE;
 }
- if (token->Flags & Sealed) {
+ if (token_flags & Sealed) {
 ret = krb5_decrypt(gssapi_krb5_context, crypto, usage, p, len, &data);
 if (ret != 0) {
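Review bot: The mask in the -438 hunk of `_gssapi_unwrap_cfx` keeps `AcceptorSubkey` in `token_flags`, but none of the hunks in this patch reads that bit, so a token that sets it takes the same path as one that does not. The commit subject says this is intentional; a comment at the mask would record it, e.g. `/* AcceptorSubkey is recognised here but no code acts on it yet */`. Reserved bits are now dropped instead of rejected, so any later comparison or checksum over the token header (outside these hunks, if there is one) should keep using the wire value `token->Flags` rather than the masked `token_flags`. The function body starts and ends outside the hunk, and the identical hunk in lib/gssapi/krb5/cfx.c wants the same comment.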
@@ -710,6 +710,7 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
 {
 krb5_crypto crypto;
 gss_cfx_mic_token token;
+ u_char token_flags;
 krb5_error_code ret;
 unsigned usage;
 OM_uint32 seq_number_lo, seq_number_hi;
@@ -730,12 +731,10 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
 return GSS_S_DEFECTIVE_TOKEN;
 }
- /* Reject unknown flags */
- if (token->Flags & ~(SentByAcceptor)) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
+ /* Ignore unknown flags */
+ token_flags = token->Flags & SentByAcceptor;
- if (token->Flags & SentByAcceptor) {
+ if (token_flags & SentByAcceptor) {
 if ((context_handle->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN;
 }
diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c
index cfa90922f..c3f92ca21 100644
--- a/lib/gssapi/krb5/cfx.c
+++ b/lib/gssapi/krb5/cfx.c
@@ -40,6 +40,7 @@ RCSID("$Id$");
 #define SentByAcceptor (1 << 0)
 #define Sealed (1 << 1)
+#define AcceptorSubkey (1 << 2)
 static krb5_error_code wrap_length_cfx(krb5_crypto crypto,
@@ -416,6 +417,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 {
 krb5_crypto crypto;
 gss_cfx_wrap_token token;
+ u_char token_flags;
 krb5_error_code ret;
 unsigned usage;
 krb5_data data;
@@ -438,12 +440,10 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 return GSS_S_DEFECTIVE_TOKEN;
 }
- /* Reject unknown flags */
- if (token->Flags & ~(SentByAcceptor | Sealed)) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
+ /* Ignore unknown flags */
+ token_flags = token->Flags & (SentByAcceptor | Sealed | AcceptorSubkey);
- if (token->Flags & SentByAcceptor) {
+ if (token_flags & SentByAcceptor) {
 if ((context_handle->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN;
 }
@@ -453,7 +453,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 }
 if (conf_state != NULL) {
- *conf_state = (token->Flags & Sealed) ? 1 : 0;
+ *conf_state = (token_flags & Sealed) ? 1 : 0;
 }
 ec = (token->EC[0] << 8) | token->EC[1];
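Review bot: The mask in the -730 hunk of `_gssapi_verify_mic_cfx` is `token->Flags & SentByAcceptor`, while the unwrap path masks with `(SentByAcceptor | Sealed | AcceptorSubkey)`, so the MIC path discards `AcceptorSubkey` before any future handling could see it. Keeping the two paths parallel would be `token_flags = token->Flags & (SentByAcceptor | AcceptorSubkey);`. The removed check also rejected a MIC token carrying `Sealed`, which is now silently accepted; if that bit has no meaning on a MIC token, a separate `if (token->Flags & Sealed) return GSS_S_DEFECTIVE_TOKEN;` keeps that strictness while still ignoring reserved bits. The function body extends beyond the hunk, and lib/gssapi/krb5/cfx.c carries the same hunk.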
@@ -507,7 +507,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 return GSS_S_FAILURE;
 }
- if (token->Flags & Sealed) {
+ if (token_flags & Sealed) {
 ret = krb5_decrypt(gssapi_krb5_context, crypto, usage, p, len, &data);
 if (ret != 0) {
@@ -710,6 +710,7 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
 {
 krb5_crypto crypto;
 gss_cfx_mic_token token;
+ u_char token_flags;
 krb5_error_code ret;
 unsigned usage;
 OM_uint32 seq_number_lo, seq_number_hi;
@@ -730,12 +731,10 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
 return GSS_S_DEFECTIVE_TOKEN;
 }
- /* Reject unknown flags */
- if (token->Flags & ~(SentByAcceptor)) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
+ /* Ignore unknown flags */
+ token_flags = token->Flags & SentByAcceptor;
- if (token->Flags & SentByAcceptor) {
+ if (token_flags & SentByAcceptor) {
 if ((context_handle->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN;
 }