krb5 commit [krb5-1.14]: Guess Samba client mutual flag using ap_options
Tom Yu
tlyu at mit.edu
Fri Sep 2 17:04:36 EDT 2016
https://github.com/krb5/krb5/commit/5a95d589db802c7fb3a2d69c8f987d8c4cee0657
commit 5a95d589db802c7fb3a2d69c8f987d8c4cee0657
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Thu Aug 25 10:41:33 2016 +0200
Guess Samba client mutual flag using ap_options
To work correctly with older Samba clients, we should guess the mutual
flag based on the ap_options from the AP-REQ and not set it
unconditionally. Found by the Samba torture testsuite.
[ghudson at mit.edu: edited comments and commit message]
(cherry picked from commit 7919818c0eec534828521aed01b89aa72e5e7e81)
ticket: 8486
version_fixed: 1.14.4
src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index b7fffeb..580d08c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
- gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ /* Use ap_options from the request to guess the mutual flag. */
+ gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
+ gss_flags |= GSS_C_MUTUAL_FLAG;
} else {
/* gss krb5 v1 */
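Review bot: The new comment above the gss_flags assignment says the mutual flag is guessed, but it does not say why a guess is needed in this branch, or why GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG are still set unconditionally while only GSS_C_MUTUAL_FLAG is derived from ap_req_options. Consider expanding the comment to name the case it covers (the commit message points at older Samba clients) and to state that the other two flags are still assumed rather than taken from the request. The diffstat shows only accept_sec_context.c changing, so no regression test accompanies the fix. Since the problem was found by the Samba torture testsuite, an in-tree test that sends an AP-REQ without AP_OPTS_MUTUAL_REQUIRED through this path and checks that GSS_C_MUTUAL_FLAG is absent from the resulting flags would guard against the unconditional assignment coming back.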