[cifs-protocol] [REG:115070812924583] No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ
Andrew Bartlett
abartlet at samba.org
Wed Jul 8 21:38:42 UTC 2015
On Wed, 2015-07-08 at 21:30 +0000, Tarun Chopra wrote:
> Hello Andrew
>
> We have created a case; 115070812924583, to track your inquiry and Sreekanth (looped in Cc) will be assisting you further.
Thanks,
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Wednesday, July 8, 2015 2:10 PM
> To: Interoperability Documentation Help
> Cc: cifs-protocol at lists.samba.org
> Subject: No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ
>
> RFC 4121 4.1.1 says that the checksum MUST be provided in the AP-REQ packet from the client to the application server in the initial GSSAPI exchange (e.g., the input to accept_sec_context).
>
> "The authenticator in the KRB_AP_REQ message MUST include the optional sequence number and the checksum field. The checksum field is used to convey service flags, channel bindings, and optional delegation information."
>
> In order for Samba to interoperate with a "Huawei Unified Storage System
> S5500 V3" we found that we not only had to allow a krb5 checksum (that Samba erroneously produced for many years), but also no checksum entirely.
>
> Tests (patches to Samba's own fake gssapi implementation) show that Windows also accepts this.
>
> This deviation from RFC4121 isn't documented in MS-KILE. Can you please explain what is going on here?
>
> As context, allowing no checksum caused a DoS in MIT krb5 due to a NULL pointer de-reference in http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt
>
> I don't see this as a security issue, as despite the name the checksum is being re-used simply as an opaque data field, in an authenticated packet.
As further context, see proposed patches to heimdal and samba at:
https://github.com/heimdal/heimdal/pull/134
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/allow-no-krb5-checksum
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
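
The three cases discussed in this message (GSSAPI 0x8003 checksum, plain krb5 checksum, no checksum at all), as an added example that is not taken from the Heimdal or Samba patches linked above. `struct ap_cksum` and `classify_ap_cksum` are hypothetical names; the field layout (Lgth, Bnd, Flags) follows RFC 4121 4.1.1, and what an acceptor does with each result is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CKSUMTYPE_GSSAPI  0x8003 /* RFC 4121 4.1.1 checksum type */
#define GSS_CKSUM_MIN_LEN 24     /* Lgth(4) + Bnd(16) + Flags(4) */

/* Hypothetical stand-in for the decoded Authenticator cksum field. */
struct ap_cksum { int32_t type; const uint8_t *data; size_t len; };

enum cksum_kind { CKSUM_ABSENT, CKSUM_NON_GSS, CKSUM_GSS, CKSUM_MALFORMED };

/* Read a 32-bit little-endian value, as used for Lgth and Flags. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify the checksum; only on CKSUM_GSS are *flags and *bnd (16 bytes) set. */
enum cksum_kind classify_ap_cksum(const struct ap_cksum *ck,
                                  uint32_t *flags, const uint8_t **bnd)
{
    *flags = 0;
    *bnd = NULL;
    if (ck == NULL)                     /* absent: test before any dereference */
        return CKSUM_ABSENT;
    if (ck->type != CKSUMTYPE_GSSAPI)   /* e.g. an ordinary krb5 checksum */
        return CKSUM_NON_GSS;
    if (ck->data == NULL || ck->len < GSS_CKSUM_MIN_LEN)
        return CKSUM_MALFORMED;
    if (le32(ck->data) != 16)           /* Lgth must give the 16-byte Bnd size */
        return CKSUM_MALFORMED;
    *bnd = ck->data + 4;                /* channel-binding hash */
    *flags = le32(ck->data + 20);       /* GSS_C_* service flags */
    return CKSUM_GSS;
}

int main(void)
{
    /* Constructed sample: Lgth=16, zero Bnd, Flags=0x3e. */
    static const uint8_t raw[24] = { 16, 0, 0, 0, [20] = 0x3e };
    struct ap_cksum gss = { CKSUMTYPE_GSSAPI, raw, sizeof raw };
    uint32_t f;
    const uint8_t *b;
    printf("absent  -> %d\n", classify_ap_cksum(NULL, &f, &b));
    printf("gss     -> %d flags=0x%x\n", classify_ap_cksum(&gss, &f, &b), (unsigned)f);
    return 0;
}
```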