View | Details | Raw Unified | Return to bug 38827 | Differences between
and this patch

Collapse All | Expand All

(-)heimdal-1.6~git20120403+dfsg1.orig/debian/patches/98_allow-no-checksum.patch (+62 lines)
Line 0 Link Here
1 
From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001
2 
From: Andrew Bartlett <abartlet@samba.org>
3 
Date: Fri, 26 Jun 2015 19:14:56 +1200
4 
Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum
5 
 at all
6 

            

            

              7
              
This was seen in the wild, with a real NAS against the AD DC

            

            

              8
              

            

            

              9
              
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

            

            

              10
              
---

            

            

              11
              
 .../heimdal/lib/gssapi/krb5/accept_sec_context.c    | 21 ++++++++++++---------

            

            

              12
              
 1 file changed, 12 insertions(+), 9 deletions(-)

            

            

              13
              

            

            

              14
              
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c

            

            

              15
              
index 5a00e12..137f10a 100644

            

            

              16
              
--- a/lib/gssapi/krb5/accept_sec_context.c

            

            

              17
              
+++ b/lib/gssapi/krb5/accept_sec_context.c

            

            

              18
              
@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,

            

            

              19
              
 	    return ret;

            

            

              20
              
 	}

            

            

              21
              
 

            

            

              22
              
-	if (authenticator->cksum == NULL) {

            

            

              23
              
-	    krb5_free_authenticator(context, &authenticator);

            

            

              24
              
-	    *minor_status = 0;

            

            

              25
              
-	    return GSS_S_BAD_BINDINGS;

            

            

              26
              
-	}

            

            

              27
              
-

            

            

              28
              
-        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {

            

            

              29
              
+        if (authenticator->cksum != NULL

            

            

              30
              
+	    && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {

            

            

              31
              
             ret = _gsskrb5_verify_8003_checksum(minor_status,

            

            

              32
              
 						input_chan_bindings,

            

            

              33
              
 						authenticator->cksum,

            

            

              34
              
@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,

            

            

              35
              
 	    if (ret) {

            

            

              36
              
 		return ret;

            

            

              37
              
 	    }

            

            

              38
              
-        } else {

            

            

              39
              
+        } else if (authenticator->cksum != NULL) {

            

            

              40
              
 	    krb5_crypto crypto;

            

            

              41
              
 

            

            

              42
              
 	    kret = krb5_crypto_init(context,

            

            

              43
              
@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,

            

            

              44
              
  	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;

            

            

              45
              
 	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)

            

            

              46
              
 		ctx->flags |= GSS_C_MUTUAL_FLAG;

            

            

              47
              
-        }

            

            

              48
              
+        } else {

            

            

              49
              
+	    /*

            

            

              50
              
+	     * Windows also accepts no checksum, and some clients send

            

            

              51
              
+	     * this, so here also ap_options to guess the mutual flag.

            

            

              52
              
+	     */

            

            

              53
              
+ 	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;

            

            

              54
              
+	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)

            

            

              55
              
+		ctx->flags |= GSS_C_MUTUAL_FLAG;

            

            

              56
              
+	}

            

            

              57
              
     }

            

            

              58
              
 

            

            

              59
              
     if(ctx->flags & GSS_C_MUTUAL_FLAG) {

            

            

              60
              
-- 

            

            

              61
              
2.1.4

            

            

              62
              

            



(-)samba-4.2.2.orig/debian/patches/series
      (+1 lines)




  

    
      
            Line 10000
          
      
      
        Link Here
      
    
  

            

              
              
              10000
              
98_allow-no-checksum.patch

            






  

  Return to bug 38827