svn rev #21602: branches/mskrb-integ/src/lib/ gssapi/krb5/ krb5/krb/

lhoward@MIT.EDU lhoward at MIT.EDU
Fri Dec 26 17:15:19 EST 2008


http://src.mit.edu/fisheye/changelog/krb5/?cs=21602
Commit By: lhoward
Log Message:
krb5_rd_req() now sets AP_OPTS_USE_SUBKEY if an acceptor subkey was
negotiated by RFC 4537; AP_OPTS_ETYPE_NEGOTIATION is always set if RFC
4537 was used. This allows an application to distinguish the case where
RFC 4537 was used but the enctype was not upgraded.

(Previously, AP_OPTS_USE_SUBKEY was never set by krb5_rd_req().)



Changed Files:
U   branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c
U   branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c	2008-12-26 12:06:54 UTC (rev 21601)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c	2008-12-26 22:15:18 UTC (rev 21602)
@@ -904,7 +904,7 @@
         int cfx_generate_subkey;
 
         if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) ||
-	    (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION))
+	    (ap_req_options & AP_OPTS_USE_SUBKEY))
             cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY;
         else
             cfx_generate_subkey = 0;
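Review bot: The subkey decision on the changed line now rests on AP_OPTS_USE_SUBKEY, a bit that after this commit is computed by krb5_rd_req() rather than read from the peer's AP-REQ, and nothing at this call site says so. A short comment above the `if` would keep a later reader from treating it as a client-asserted option, for example `/* AP_OPTS_USE_SUBKEY is set locally by krb5_rd_req() when RFC 4537 negotiation upgraded the enctype */`. That statement holds only while rd_req_dec.c keeps masking `req->ap_options` with AP_OPTS_WIRE_MASK, so the two call sites should be kept in step. The enclosing block starts and ends outside the hunk.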

Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c	2008-12-26 12:06:54 UTC (rev 21601)
+++ branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c	2008-12-26 22:15:18 UTC (rev 21602)
@@ -480,9 +480,11 @@
    	if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
 	    goto cleanup;
     if (ap_req_options) {
-    	*ap_req_options = req->ap_options;
+    	*ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
+	if (rfc4537_etypes_len != 0)
+	    *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
 	if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype)
-	    *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
+	    *ap_req_options |= AP_OPTS_USE_SUBKEY;
     }
 
     retval = 0;
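Review bot: The AP_OPTS_USE_SUBKEY test is not gated on `rfc4537_etypes_len != 0`, although the log message describes the flag as meaning a subkey negotiated through RFC 4537. If `negotiated_etype` can differ from `keyblock->enctype` on any other path, the caller would see USE_SUBKEY without ETYPE_NEGOTIATION; nesting the comparison under the new `if (rfc4537_etypes_len != 0)` (with braces), or a comment stating the invariant, would settle it. The comparison also dereferences `(*auth_context)->keyblock` unchecked, and the hunk does not show where it is assigned, so confirm it cannot be NULL at this point. A one-line comment on the mask, such as `/* drop library-local option bits so the peer cannot assert them */`, would record why AP_OPTS_WIRE_MASK is applied. The function body continues outside the hunk.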



