From: Andreas Schneider <asn@cryptomilk.org>
Date: Thu, 25 Aug 2016 08:41:33 +0000 (+0200)
Subject: Guess Samba client mutual flag using ap_options
X-Git-Tag: krb5-1.15-beta1~67
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7919818c0eec534828521aed01b89aa72e5e7e81;p=thirdparty%2Fkrb5.git

Guess Samba client mutual flag using ap_options

To work correctly with older Samba clients, we should guess the mutual
flag based on the ap_options from the AP-REQ and not set it
unconditionally.  Found by the Samba torture testsuite.

[ghudson@mit.edu: edited comments and commit message]

ticket: 8486 (new)
target_version: 1.14-next
tags: pullup
---

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index b7fffeb3c7..580d08cbf5 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
             goto fail;
         }
 
-        gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+        /* Use ap_options from the request to guess the mutual flag. */
+        gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+        if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
+            gss_flags |= GSS_C_MUTUAL_FLAG;
     } else {
         /* gss krb5 v1 */