[29623] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.14]: Guess Samba client mutual flag using
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Sep 2 17:10:50 2016
Date: Fri, 2 Sep 2016 17:04:36 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201609022104.u82L4a36024020@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/5a95d589db802c7fb3a2d69c8f987d8c4cee0657
commit 5a95d589db802c7fb3a2d69c8f987d8c4cee0657
Author: Andreas Schneider <asn@cryptomilk.org>
Date: Thu Aug 25 10:41:33 2016 +0200
Guess Samba client mutual flag using ap_options
To work correctly with older Samba clients, we should guess the mutual
flag based on the ap_options from the AP-REQ and not set it
unconditionally. Found by the Samba torture testsuite.
[ghudson@mit.edu: edited comments and commit message]
(cherry picked from commit 7919818c0eec534828521aed01b89aa72e5e7e81)
ticket: 8486
version_fixed: 1.14.4
src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index b7fffeb..580d08c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
- gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ /* Use ap_options from the request to guess the mutual flag. */
+ gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
+ gss_flags |= GSS_C_MUTUAL_FLAG;
} else {
/* gss krb5 v1 */
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
