[cifs-protocol] No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ

Andrew Bartlett abartlet at samba.org
Wed Jul 8 21:10:25 UTC 2015


RFC 4121 4.1.1 says that the checksum MUST be provided in the AP-REQ
packet from the client to the application server in the initial GSSAPI
exchange (e.g., the input to accept_sec_context).

"The authenticator in the KRB_AP_REQ message MUST include the optional
 sequence number and the checksum field.  The checksum field is used
 to convey service flags, channel bindings, and optional delegation
 information."

In order for Samba to interoperate with a "Huawei Unified Storage System
S5500 V3" we found that we not only had to allow a krb5 checksum (that
Samba erroneously produced for many years), but also no checksum
entirely.

Tests (patches to Samba's own fake gssapi implementation) show that
Windows also accepts this.

This deviation from RFC 4121 isn't documented in MS-KILE.  Can you please
explain what is going on here?

As context, allowing no checksum caused a DoS in MIT krb5 due to a NULL
pointer de-reference in
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt 

I don't see this as a security issue, as despite the name the checksum
is being re-used simply as an opaque data field, in an authenticated
packet. 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
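As an added illustration (not code from the post, from Samba, or from any of the implementations mentioned), the following Python sketch shows how an acceptor can treat the three cases the message describes: an authenticator with no checksum at all, a checksum of a non-GSSAPI (plain krb5) type, and a proper RFC 4121 0x8003 checksum carrying flags, channel bindings and optional delegation. The byte layout of the 0x8003 checksum (little-endian Lgth=16, 16-byte Bnd, little-endian Flags, then DlgOpt/Dlgth/Deleg when GSS_C_DELEG_FLAG is set) follows RFC 4121 section 4.1.1; the `AuthenticatorChecksum` and `Result` types, the `build_gss_checksum` helper, and the channel-binding policy (an all-zero Bnd means the client supplied none) are assumptions made for the example. The absent-checksum branch is the case behind the MIT NULL dereference the post cites: the checksum is simply `None`, and nothing downstream touches it.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4121 section 4.1.1 checksum type and the flag bits it carries.
GSS_CHECKSUM_TYPE = 0x8003
GSS_C_DELEG_FLAG = 1
GSS_C_MUTUAL_FLAG = 2
GSS_C_REPLAY_FLAG = 4
GSS_C_SEQUENCE_FLAG = 8
GSS_C_CONF_FLAG = 16
GSS_C_INTEG_FLAG = 32


@dataclass
class AuthenticatorChecksum:
    """Assumed minimal view of the Authenticator's cksum field (constructed for this example)."""
    cksumtype: int
    checksum: bytes


@dataclass
class Result:
    accepted: bool
    reason: str
    flags: int = 0
    channel_bindings: Optional[bytes] = None
    delegation: Optional[bytes] = None


def build_gss_checksum(flags: int, bnd: bytes = bytes(16), deleg: Optional[bytes] = None) -> bytes:
    """Encode an RFC 4121 0x8003 checksum body (test helper, assumed for the example)."""
    assert len(bnd) == 16
    out = struct.pack("<I", 16) + bnd + struct.pack("<I", flags)
    if deleg is not None:
        out += struct.pack("<HH", 1, len(deleg)) + deleg  # DlgOpt = 1, Dlgth, Deleg
    return out


def parse_gss_checksum(data: bytes) -> Tuple[int, bytes, Optional[bytes]]:
    """Decode Lgth/Bnd/Flags and optional delegation; raise on truncated input instead of reading past it."""
    if len(data) < 24:
        raise ValueError("0x8003 checksum shorter than the 24-byte fixed part")
    lgth = struct.unpack_from("<I", data, 0)[0]
    if lgth != 16:
        raise ValueError("Bnd length field must be 16, got %d" % lgth)
    bnd = data[4:20]
    flags = struct.unpack_from("<I", data, 20)[0]
    deleg = None
    if flags & GSS_C_DELEG_FLAG:
        if len(data) < 28:
            raise ValueError("DELEG flag set but DlgOpt/Dlgth missing")
        dlgopt, dlgth = struct.unpack_from("<HH", data, 24)
        if dlgopt != 1:
            raise ValueError("unknown DlgOpt %d" % dlgopt)
        if len(data) < 28 + dlgth:
            raise ValueError("Deleg field truncated")
        deleg = data[28:28 + dlgth]
    return flags, bnd, deleg


def evaluate_authenticator(cksum: Optional[AuthenticatorChecksum],
                           expected_bindings: Optional[bytes] = None) -> Result:
    """Decide how to treat the authenticator checksum, covering all three cases from the post."""
    if cksum is None:
        # No checksum at all: nothing to dereference, no flags or bindings conveyed.
        return Result(True, "no checksum: no GSS flags or channel bindings conveyed")
    if cksum.cksumtype != GSS_CHECKSUM_TYPE:
        # A plain krb5 checksum type: the field is opaque to GSSAPI, so it carries no flags.
        return Result(True, "non-GSSAPI checksum type %#x: treated as opaque" % cksum.cksumtype)
    flags, bnd, deleg = parse_gss_checksum(cksum.checksum)
    # Assumed local policy: an all-zero Bnd means the client supplied no bindings.
    if expected_bindings is not None and bnd != bytes(16) and bnd != expected_bindings:
        return Result(False, "channel bindings mismatch", flags, bnd)
    return Result(True, "GSSAPI checksum parsed", flags, bnd, deleg)
```

The three branches of `evaluate_authenticator` correspond to the behaviours the post describes Samba and Windows accepting; the `ValueError` paths in `parse_gss_checksum` are what keeps a malformed 0x8003 body from becoming an out-of-bounds read once the field is present.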