From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001 |
From: Andrew Bartlett <abartlet@samba.org> |
Date: Fri, 26 Jun 2015 19:14:56 +1200 |
Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum |
at all |
|
This was seen in the wild, with a real NAS against the AD DC |
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org> |
--- |
.../heimdal/lib/gssapi/krb5/accept_sec_context.c | 21 ++++++++++++--------- |
1 file changed, 12 insertions(+), 9 deletions(-) |
|
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c |
15 |
index 5a00e12..137f10a 100644 |
16 |
--- a/lib/gssapi/krb5/accept_sec_context.c |
17 |
+++ b/lib/gssapi/krb5/accept_sec_context.c |
18 |
@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, |
19 |
return ret; |
20 |
} |
21 |
|
22 |
- if (authenticator->cksum == NULL) { |
23 |
- krb5_free_authenticator(context, &authenticator); |
24 |
- *minor_status = 0; |
25 |
- return GSS_S_BAD_BINDINGS; |
26 |
- } |
27 |
- |
28 |
- if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { |
29 |
+ if (authenticator->cksum != NULL |
30 |
+ && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { |
31 |
ret = _gsskrb5_verify_8003_checksum(minor_status, |
32 |
input_chan_bindings, |
33 |
authenticator->cksum, |
34 |
@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, |
35 |
if (ret) { |
36 |
return ret; |
37 |
} |
38 |
- } else { |
39 |
+ } else if (authenticator->cksum != NULL) { |
40 |
krb5_crypto crypto; |
41 |
|
42 |
kret = krb5_crypto_init(context, |
43 |
@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, |
44 |
ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; |
45 |
if (ap_options & AP_OPTS_MUTUAL_REQUIRED) |
46 |
ctx->flags |= GSS_C_MUTUAL_FLAG; |
47 |
- } |
48 |
+ } else { |
49 |
+ /* |
50 |
+ * Windows also accepts no checksum, and some clients send |
51 |
+ * this, so here also ap_options to guess the mutual flag. |
52 |
+ */ |
53 |
+ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; |
54 |
+ if (ap_options & AP_OPTS_MUTUAL_REQUIRED) |
55 |
+ ctx->flags |= GSS_C_MUTUAL_FLAG; |
56 |
+ } |
57 |
} |
58 |
|
59 |
if(ctx->flags & GSS_C_MUTUAL_FLAG) { |
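Review bot: The new `else` branch at the end of this hunk (the no-checksum case) derives `ctx->flags` from `ap_options` but never consults `input_chan_bindings`, so an acceptor that supplied channel bindings has that requirement silently dropped whenever the client omits the authenticator checksum — exactly the case the removed `GSS_S_BAD_BINDINGS` return used to reject, and one the client, not the server, controls. The branch should keep refusing when bindings were actually requested, e.g. `if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) { *minor_status = 0; return GSS_S_BAD_BINDINGS; }` (freeing `authenticator` first, as the removed code did), and the relaxation is probably better made opt-in via a context option than the unconditional default. Presumably nothing else on this path recovers the 8003 flags (delegation, confidentiality, etc.) when the checksum is absent, so only REPLAY/SEQUENCE/MUTUAL can be set here — worth saying in the comment so callers do not assume a delegated credential can follow. The new comment is also missing its verb: `* this, so here we also use ap_options to guess the mutual flag.` gsskrb5_acceptor_start begins and ends outside this hunk.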
-- |
2.1.4 |