third_party/heimdal: Import lorikeet-heimdal-202410161454 (commit 0d61538a16b5051c820...

gsskrb5: let GSS_C_DCE_STYLE imply GSS_C_MUTUAL_FLAG as acceptor

Windows clients forget GSS_C_MUTUAL_FLAG in some situations where they
use GSS_C_DCE_STYLE, in the assumption that GSS_C_MUTUAL_FLAG is
implied.

Both Windows and MIT as server already imply GSS_C_MUTUAL_FLAG
when GSS_C_DCE_STYLE is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15740
PR: https://github.com/heimdal/heimdal/pull/1266

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 16 19:05:15 UTC 2024 on atb-devel-224

(cherry picked from commit ce10b28566eb7b3e26a1e404b278d3d761ac183e)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Nov  7 09:21:35 UTC 2024 on atb-devel-224

diff --git a/third_party/heimdal/lib/gssapi/krb5/8003.c b/third_party/heimdal/lib/gssapi/krb5/8003.c
index 74ff349ab7b3575cd61d7b11d0ae5761c33d04d0..340a9194a3b75c1d17ba4424849eb6b1d07d986e 100644 (file)
--- a/third_party/heimdal/lib/gssapi/krb5/8003.c
+++ b/third_party/heimdal/lib/gssapi/krb5/8003.c
@@ -239,6 +239,16 @@ _gsskrb5_verify_8003_checksum(
     _gss_mg_decode_le_uint32(p, flags);
     p += 4;
 
+    /*
+     * Sometimes Windows clients forget
+     * to set GSS_C_MUTUAL_FLAG together
+     * with GSS_C_DCE_STYLE, but
+     * DCE_STYLE implies mutual authentication
+     */
+    if (*flags & GSS_C_DCE_STYLE) {
+       *flags |= GSS_C_MUTUAL_FLAG;
+    }
+
     if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
        if(cksum->checksum.length < 28) {
            *minor_status = 0;