Suppressing conf/integ flags in krb5 GSS tokens

Nico Williams nico at
Mon Jun 1 00:03:18 EDT 2015

On Sun, May 31, 2015 at 01:59:24PM -0400, Greg Hudson wrote:
> Comments?

Heimdal's SPNEGO implementation neither checks the the GSS_C_INTEG_FLAG
ret_flag, nor requests it as a req_flag.  Heimdal's SPNEGO discovers
integrity support by calling gss_get_mic(): if it returns GSS_S_UNAVAIL,
then integrity support is not provided, otherwise it is.  Heimdal also
assumes that if a MIC is received then integrity support must be

I believe calling GSS_GetMIC() and GSS_VerifyMIC() even when
GSS_C_INTEG_FLAG is not set in ret_flags is perfectly permissible in

Disabling the MIC in SPNEGO when GSS_C_INTEG_FLAG is not set in
ret_flags, combined with the new cred options, is likely (I think) to
fail to interop with Microsoft's SPNEGO when used in the application
protocol in question.  It ought to fail to interop, but who know,
perhaps MSFT's SPNEGO will not require the MIC in this protocol because
it's running over TLS, but I'd not bet on it.  The Heimdal approach
seems better.


More information about the krbdev mailing list