krb5 commit: Allow missing authenticator checksum with GSSAPI

Greg Hudson ghudson at mit.edu
Tue Aug 4 18:42:33 EDT 2015


https://github.com/krb5/krb5/commit/0e60d5ce041607cfc7659a8d3198d0f3f8958245
commit 0e60d5ce041607cfc7659a8d3198d0f3f8958245
Author: Simo Sorce <simo at redhat.com>
Date:   Tue Aug 4 14:04:14 2015 -0400

    Allow missing authenticator checksum with GSSAPI
    
    Some SMB client implementations omit the authenticator checksum.  To
    interoperate with these clients, a server needs to allow missing
    checksums and assume no flags are requested.  This is being documented
    in MS-KILE as well, as Microsoft does the same.
    
    [ghudson at mit.edu: edited and reformatted comment; edited commit
    message summary]
    
    ticket: 8227 (new)

 src/lib/gssapi/krb5/accept_sec_context.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 014d24b..44ff65a 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -670,13 +670,15 @@ kg_accept_krb5(minor_status, context_handle,
 #endif
 
     if (authdat->checksum == NULL) {
-        /* missing checksum counts as "inappropriate type" */
-        code = KRB5KRB_AP_ERR_INAPP_CKSUM;
-        major_status = GSS_S_FAILURE;
-        goto fail;
-    }
-
-    if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
+        /*
+         * Some SMB client implementations use handcrafted GSSAPI code that
+         * does not provide a checksum.  MS-KILE documents that the Microsoft
+         * implementation considers a missing checksum acceptable; the server
+         * assumes all flags are unset in this case, and does not check channel
+         * bindings.
+         */
+        gss_flags = 0;
+    } else if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
         /* Samba does not send 0x8003 GSS-API checksums */
         krb5_boolean valid;
         krb5_key subkey;


More information about the cvs-krb5 mailing list