[29008] in CVS-changelog-for-Kerberos-V5


krb5 commit: Allow missing authenticator checksum with GSSAPI

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 4 18:42:38 2015

Date: Tue, 4 Aug 2015 18:42:33 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201508042242.t74MgXaF004716@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/0e60d5ce041607cfc7659a8d3198d0f3f8958245
commit 0e60d5ce041607cfc7659a8d3198d0f3f8958245
Author: Simo Sorce <simo@redhat.com>
Date:   Tue Aug 4 14:04:14 2015 -0400

    Allow missing authenticator checksum with GSSAPI
    
    Some SMB client implementations omit the authenticator checksum.  To
    interoperate with these clients, a server needs to allow missing
    checksums and assume no flags are requested.  This is being documented
    in MS-KILE as well, as Microsoft does the same.
    
    [ghudson@mit.edu: edited and reformatted comment; edited commit
    message summary]
    
    ticket: 8227 (new)

 src/lib/gssapi/krb5/accept_sec_context.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 014d24b..44ff65a 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -670,13 +670,15 @@ kg_accept_krb5(minor_status, context_handle,
 #endif
 
     if (authdat->checksum == NULL) {
-        /* missing checksum counts as "inappropriate type" */
-        code = KRB5KRB_AP_ERR_INAPP_CKSUM;
-        major_status = GSS_S_FAILURE;
-        goto fail;
-    }
-
-    if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
+        /*
+         * Some SMB client implementations use handcrafted GSSAPI code that
+         * does not provide a checksum.  MS-KILE documents that the Microsoft
+         * implementation considers a missing checksum acceptable; the server
+         * assumes all flags are unset in this case, and does not check channel
+         * bindings.
+         */
+        gss_flags = 0;
+    } else if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
         /* Samba does not send 0x8003 GSS-API checksums */
         krb5_boolean valid;
         krb5_key subkey;
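Review bot: in the new `authdat->checksum == NULL` branch the acceptor continues with `gss_flags = 0` and, as the added comment states, does not compare channel bindings at all, so an acceptor that supplied input channel bindings receives no error when such a client omits the checksum. Consider failing the accept when the acceptor passed channel bindings and no checksum is present, or at minimum saying in the comment that acceptor-side bindings cannot be enforced for these clients, so applications that rely on bindings are not silently downgraded. Since the commit message says this behaviour "is being documented in MS-KILE", it would also help to cite the section in the comment once it is published.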
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
