From 8c3c97bdf6c06200418f1a85aa22beaa441c6b23 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Oct 2024 14:44:56 +0200
Subject: [PATCH] gsskrb5: let GSS_C_DCE_STYLE imply GSS_C_MUTUAL_FLAG as
 acceptor

Windows clients forget GSS_C_MUTUAL_FLAG in some situations where they
use GSS_C_DCE_STYLE, in the assumption that GSS_C_MUTUAL_FLAG is
implied.

Both Windows and MIT as server already imply GSS_C_MUTUAL_FLAG
when GSS_C_DCE_STYLE is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15740

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 lib/gssapi/krb5/8003.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c
index 74ff349ab..340a9194a 100644
--- a/lib/gssapi/krb5/8003.c
+++ b/lib/gssapi/krb5/8003.c
@@ -239,6 +239,16 @@ _gsskrb5_verify_8003_checksum(
     _gss_mg_decode_le_uint32(p, flags);
     p += 4;
 
+    /*
+     * Sometimes Windows clients forget
+     * to set GSS_C_MUTUAL_FLAG together
+     * with GSS_C_DCE_STYLE, but
+     * DCE_STYLE implies mutual authentication
+     */
+    if (*flags & GSS_C_DCE_STYLE) {
+	*flags |= GSS_C_MUTUAL_FLAG;
+    }
+
     if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
 	if(cksum->checksum.length < 28) {
 	    *minor_status = 0;