From 986b8487d69c85e2118d58b23642aacf4964d02e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 24 Jan 2012 10:31:54 +0100
Subject: [PATCH] s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature()

metze
---
 source3/librpc/crypto/gse.c | 50 +++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 5bd2740a5ad8..f0b389e508ec 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -77,6 +77,8 @@ struct gse_context {
 	gss_cred_id_t delegated_cred_handle;
+	gss_krb5_lucid_context_v1_t *lucid;
+
 	/* gensec_gse only */
 	krb5_context k5ctx;
 	krb5_ccache ccache;
@@ -621,6 +623,36 @@ done:
 	return errstr;
 }
 
+static NTSTATUS gse_init_lucid(struct gse_context *gse_ctx)
+{
+	OM_uint32 maj_stat, min_stat;
+	void *ptr = NULL;
+
+	if (gse_ctx->lucid) {
+		return NT_STATUS_OK;
+	}
+
+	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+						     &gse_ctx->gssapi_context,
+						     1, &ptr);
+	if (maj_stat != GSS_S_COMPLETE) {
+		DEBUG(0,("gse_init_lucid: %s\n",
+			 gse_errstr(talloc_tos(), maj_stat, min_stat)));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	gse_ctx->lucid = (gss_krb5_lucid_context_v1_t *)ptr;
+
+	if (gse_ctx->lucid->version != 1) {
+		DEBUG(0,("gse_init_lucid: lucid version[%d] != 1\n",
+			 gse_ctx->lucid->version));
+		gss_krb5_free_lucid_sec_context(&min_stat, gse_ctx->lucid);
+		gse_ctx->lucid = NULL;
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	return NT_STATUS_OK;
+}
+
 static DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
				     struct gse_context *gse_ctx)
 {
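Review bot: The lucid structure that gse_init_lucid stores in `gse_ctx->lucid` is allocated by the GSSAPI library and is released only on the version-mismatch path; nothing in this patch, including the new field added in the struct gse_context hunk above, frees it when the gse_context itself is torn down, so every context on which NEW_SPNEGO is queried leaks one lucid context. If struct gse_context has a talloc destructor (it is outside this hunk), it should release the cached pointer there with `gss_krb5_free_lucid_sec_context(&min_stat, gse_ctx->lucid);` and reset it to NULL. Also worth checking against the library you build with: as far as I recall, MIT Kerberos's gss_krb5_export_lucid_sec_context() deletes the exported security context and sets the handle to GSS_C_NO_CONTEXT on success (Heimdal leaves it intact), which would leave `gse_ctx->gssapi_context` unusable for later wrap/unwrap calls after the first feature query. Minor: `version` is an OM_uint32, so the DEBUG format in the mismatch branch should be `%u` rather than `%d`.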
@@ -1139,6 +1171,24 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security,
 	if (feature & GENSEC_FEATURE_DCE_STYLE) {
 		return gse_ctx->gss_got_flags & GSS_C_DCE_STYLE;
 	}
+	if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
+		NTSTATUS status;
+
+		if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
+			return false;
+		}
+
+		status = gse_init_lucid(gse_ctx);
+		if (!NT_STATUS_IS_OK(status)) {
+			return false;
+		}
+
+		if (gse_ctx->lucid->protocol == 1) {
+			return true;
+		}
+
+		return false;
+	}
 	/* We can always do async (rather than strict request/reply) packets. */
 	if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
 		return true;
-- 
2.34.1
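Review bot: `gse_ctx->lucid->protocol == 1` in the new GENSEC_FEATURE_NEW_SPNEGO branch is a bare magic number, and it is the whole basis on which the feature is reported; the lucid context's protocol field distinguishes RFC 1964 (0) from RFC 4121/CFX (1) token formats, so the test wants a comment such as `/* lucid protocol 0 is RFC 1964, 1 is RFC 4121 (CFX); only CFX contexts get NEW_SPNEGO */`. The trailing if/return-true/return-false pair can then collapse to `return (gse_ctx->lucid->protocol == 1);`. Note also that this makes have_feature() no longer side-effect free: the first NEW_SPNEGO query exports and caches the lucid context, so callers that probe features before using the context depend on what gss_krb5_export_lucid_sec_context() does to the handle on the GSSAPI library in use. gensec_gse_have_feature() begins and ends outside this hunk.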