krb5 commit: Allow missing authenticator checksum with GSSAPI
Greg Hudson
ghudson at mit.edu
Tue Aug 4 18:42:33 EDT 2015
https://github.com/krb5/krb5/commit/0e60d5ce041607cfc7659a8d3198d0f3f8958245
commit 0e60d5ce041607cfc7659a8d3198d0f3f8958245
Author: Simo Sorce <simo at redhat.com>
Date: Tue Aug 4 14:04:14 2015 -0400
Allow missing authenticator checksum with GSSAPI
Some SMB client implementations omit the authenticator checksum. To
interoperate with these clients, a server needs to allow missing
checksums and assume no flags are requested. This is being documented
in MS-KILE as well, as Microsoft does the same.
[ghudson at mit.edu: edited and reformatted comment; edited commit
message summary]
ticket: 8227 (new)
src/lib/gssapi/krb5/accept_sec_context.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 014d24b..44ff65a 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -670,13 +670,15 @@ kg_accept_krb5(minor_status, context_handle,
#endif
if (authdat->checksum == NULL) {
- /* missing checksum counts as "inappropriate type" */
- code = KRB5KRB_AP_ERR_INAPP_CKSUM;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
+ /*
+ * Some SMB client implementations use handcrafted GSSAPI code that
+ * does not provide a checksum. MS-KILE documents that the Microsoft
+ * implementation considers a missing checksum acceptable; the server
+ * assumes all flags are unset in this case, and does not check channel
+ * bindings.
+ */
+ gss_flags = 0;
+ } else if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
/* Samba does not send 0x8003 GSS-API checksums */
krb5_boolean valid;
krb5_key subkey;
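Review bot: The new `authdat->checksum == NULL` branch skips channel-binding verification unconditionally, as the added comment itself says, so an acceptor that supplied channel bindings would get an established context without those bindings ever being compared. Consider keeping the old `KRB5KRB_AP_ERR_INAPP_CKSUM` failure when the caller passed bindings other than GSS_C_NO_CHANNEL_BINDINGS, or making the leniency opt-in, so that only acceptors that never asked for bindings see the relaxed behaviour. Setting `gss_flags = 0` also means the context is accepted with no requested services at all. The comment could state what callers should expect from the returned flags in this case and cite the specific MS-KILE section it relies on.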