From eb293680a8aaaa5dd49c3a32d6177b64e5037d56 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 7 Dec 2021 10:41:40 +1100
Subject: [PATCH] gss: fix regression in non-8003 checksums

Samba3 sends an AP-REQ, rather than 8003, checksum in a Kerberos inital context token. This regressed in #835 as we forgot to set the KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag before processing the AP-REQ checksum in this path.
---
 lib/gssapi/krb5/accept_sec_context.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 171c143d1..f125573c1 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -596,6 +596,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 * GSSAPI checksum here */
+ _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);
 kret = krb5_verify_checksum(context, crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0, authenticator->cksum);
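Review bot: The added `_krb5_crypto_set_flags(...)` call relaxes checksum verification on this path, but nothing beside it says why an unkeyed checksum is acceptable here or how far the flag reaches. The flag is set on `crypto` and is not cleared in the visible lines, so if `crypto` is used again later in `gsskrb5_acceptor_start` (the function continues outside the hunk), those uses would presumably accept unkeyed checksums too; it is worth confirming that it is destroyed right after the verify. I would add a comment above the call such as `/* Interop: the AP-REQ checksum sent on this path may be unkeyed; allow it for this one verification only. */`. Since this was a regression and the patch touches only this file, an acceptor test that sends a non-8003 checksum would keep it from recurring.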