[cifs-protocol] [REG:115070812924583] No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ

Andrew Bartlett abartlet at samba.org
Wed Jul 8 21:38:42 UTC 2015


On Wed, 2015-07-08 at 21:30 +0000, Tarun Chopra wrote:
> Hello Andrew
> 
> We have created a case, 115070812924583, to track your inquiry and Sreekanth (looped in Cc) will be assisting you further.

Thanks,

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Wednesday, July 8, 2015 2:10 PM
> To: Interoperability Documentation Help
> Cc: cifs-protocol at lists.samba.org
> Subject: No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ
> 
> RFC 4121 4.1.1 says that the checksum MUST be provided in the AP-REQ packet from the client to the application server in the initial GSSAPI exchange (e.g., the input to accept_sec_context).
> 
> "The authenticator in the KRB_AP_REQ message MUST include the optional sequence number and the checksum field. The checksum field is used to convey service flags, channel bindings, and optional delegation information."
> 
> In order for Samba to interoperate with a "Huawei Unified Storage System
> S5500 V3" we found that we not only had to allow a krb5 checksum (that Samba erroneously produced for many years), but also no checksum entirely.
> 
> Tests (patches to Samba's own fake gssapi implementation) show that Windows also accepts this.
> 
> This deviation from RFC4121 isn't documented in MS-KILE.  Can you please explain what is going on here?
> 
> As context, allowing no checksum caused a DoS in MIT krb5 due to a NULL pointer de-reference in http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt 
> 
> I don't see this as a security issue, as despite the name the checksum is being re-used simply as an opaque data field, in an authenticated packet. 

As further context, see proposed patches to heimdal and samba at:

https://github.com/heimdal/heimdal/pull/134
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/allow-no-krb5-checksum

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
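
The three cases discussed in this thread (RFC 4121 GSSAPI checksum, ordinary krb5 checksum, no checksum at all), sketched as an added example that is not part of the original message and is not code from Samba, Heimdal or MIT krb5. `struct ap_cksum` and `classify_ap_cksum` are hypothetical names, and returning zero flags and no channel bindings for the non-GSSAPI cases is an assumed policy; the 24-byte minimum layout follows RFC 4121 4.1.1.

```c
#include <stddef.h>
#include <stdint.h>

#define CKSUMTYPE_GSSAPI 0x8003   /* checksum type defined in RFC 4121 4.1.1 */

/* Hypothetical stand-in for a decoded authenticator checksum. */
struct ap_cksum {
    int32_t type;
    const uint8_t *data;
    size_t len;
};

enum cksum_kind { CKSUM_ABSENT, CKSUM_NON_GSSAPI, CKSUM_GSSAPI, CKSUM_MALFORMED };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Classify the optional checksum of an AP-REQ authenticator.
 * ck is NULL when the authenticator carried no checksum field.
 * On CKSUM_GSSAPI, *flags receives the service flags and *bnd points
 * at the 16-byte channel binding hash. In every other case *flags is 0
 * and *bnd is NULL (assumed policy, see lead-in).
 */
enum cksum_kind classify_ap_cksum(const struct ap_cksum *ck,
                                  uint32_t *flags, const uint8_t **bnd)
{
    *flags = 0;
    *bnd = NULL;
    if (ck == NULL)
        return CKSUM_ABSENT;          /* test before any dereference */
    if (ck->type != CKSUMTYPE_GSSAPI)
        return CKSUM_NON_GSSAPI;      /* ordinary krb5 checksum */
    /* Lgth(4) + Bnd(16) + Flags(4) is the minimum; Lgth must be 16. */
    if (ck->data == NULL || ck->len < 24 || le32(ck->data) != 16)
        return CKSUM_MALFORMED;
    *bnd = ck->data + 4;
    *flags = le32(ck->data + 20);     /* little-endian service flags */
    return CKSUM_GSSAPI;
}
```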




