Guess Samba client mutual flag using ap_option

Resolves: #1370980
This commit is contained in:
Robbie Harwood 2016-08-29 17:44:22 +00:00
parent 1dd613afe8
commit 10d34c1413
2 changed files with 44 additions and 1 deletion

@ -0,0 +1,37 @@
From dcb523a4201dc882b2c466824ee1913eaed2e30d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Thu, 25 Aug 2016 10:41:33 +0200
Subject: [PATCH] Guess Samba client mutual flag using ap_options
To work correctly with older Samba clients, we should guess the mutual
flag based on the ap_options from the AP-REQ and not set it
unconditionally. Found by the Samba torture testsuite.
[ghudson@mit.edu: edited comments and commit message]
ticket: 8486 (new)
target_version: 1.14-next
tags: pullup
---
src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index b7fffeb..580d08c 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
- gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ /* Use ap_options from the request to guess the mutual flag. */
+ gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
+ gss_flags |= GSS_C_MUTUAL_FLAG;
} else {
/* gss krb5 v1 */
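Review bot: the new condition reads ap_req_options, which this hunk neither declares nor assigns, so the change is only correct if that variable was populated from the decoded AP-REQ earlier in kg_accept_krb5 on every path that reaches this point; please confirm it is initialized (to 0 at declaration if it is only set in one branch) so the mutual flag can never be derived from a stale or uninitialized value. The second thing to check is that the code further down that builds the reply token for mutual authentication keys off GSS_C_MUTUAL_FLAG in gss_flags rather than off its own test, otherwise a client that did not set AP_OPTS_MUTUAL_REQUIRED would still be sent a reply it does not expect, which is exactly the older-Samba-client case the commit message describes. Minor: the comment says "guess", but the test is a deterministic read of the client's AP_OPTS_MUTUAL_REQUIRED bit; "Derive the mutual flag from the ap_options in the AP-REQ." describes the line more precisely.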
--
2.9.3

@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14.3
Release: 6%{?dist}
Release: 7%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
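Review bot: the Release bump from 6 to 7 is the right change for a patch-only rebuild, but the comment immediately below it still points at the 1.13.2 signed tarball while Version is 1.14.3; it is pre-existing, so not a blocker here, but it should be updated or dropped in a follow-up so the spec does not document a source that no longer matches the build.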
@ -68,6 +68,7 @@ Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
Patch167: krb5-1.15-otp-preauth-prompt-type.patch
Patch168: krb5-1.15-improve-bad-password-inference.patch
Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
Patch170: krb5-1.14.4-samba-client-mutual-flag.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
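Review bot: the new Patch170 file is named with a 1.14.4 prefix although the packaged Version is 1.14.3 and the upstream header only says target_version 1.14-next; that follows the convention already used by Patch166 (krb5-1.14.4-SNI-HTTP-Host.patch) for backports expected in the next 1.14 release, so it is consistent, but the file added in the first part of this commit should be verified to carry exactly this name, since the rendered diff above shows its contents without the path.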
@ -281,6 +282,7 @@ ln NOTICE LICENSE
%patch167 -p1 -b .otp-preauth-prompt-type
%patch168 -p1 -b .improve-bad-password-inference
%patch169 -p1 -b .kdc-error-encrypted-timestamp
%patch170 -p1 -b .samba-client-mutual-flag
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
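Review bot: -p1 is correct here because the embedded patch uses a/src/... and b/src/... paths, and the .samba-client-mutual-flag backup suffix matches the Patch170 file name; nothing to change in this hunk.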
@ -750,6 +752,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-7
- Guess Samba client mutual flag using ap_option
- Resolves: #1370980
* Thu Aug 25 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-6
- Fix KDC return code and set prompt types for OTP client preauth
- Resolves: #1370072
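Review bot: the new changelog title reads "ap_option" while the upstream patch subject in this same commit reads "ap_options"; the changelog should match the patch it ships, and it would help future bisecting to cite the upstream ticket next to the Bugzilla reference, for example "- Guess Samba client mutual flag using ap_options (upstream ticket 8486)". The entry date (Mon Aug 29 2016) and the 1.14.3-7 version string agree with the Release bump above.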