From: Simo Sorce
Date: Tue, 4 Aug 2015 18:04:14 +0000 (-0400)
Subject: Allow missing authenticator checksum with GSSAPI
X-Git-Tag: krb5-1.14-alpha1~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e60d5ce041607cfc7659a8d3198d0f3f8958245;p=thirdparty%2Fkrb5.git
Allow missing authenticator checksum with GSSAPI
Some SMB client implementations omit the authenticator checksum. To interoperate with these clients, a server needs to allow missing checksums and assume no flags are requested. This is being documented in MS-KILE as well, as Microsoft does the same.
[ghudson@mit.edu: edited and reformatted comment; edited commit message summary]
ticket: 8227 (new)
---
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 014d24bdae..44ff65a887 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -670,13 +670,15 @@ kg_accept_krb5(minor_status, context_handle,
 #endif
 if (authdat->checksum == NULL) {
- /* missing checksum counts as "inappropriate type" */
- code = KRB5KRB_AP_ERR_INAPP_CKSUM;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
+ /*
+ * Some SMB client implementations use handcrafted GSSAPI code that
+ * does not provide a checksum. MS-KILE documents that the Microsoft
+ * implementation considers a missing checksum acceptable; the server
+ * assumes all flags are unset in this case, and does not check channel
+ * bindings.
+ */
+ gss_flags = 0;
+ } else if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
 /* Samba does not send 0x8003 GSS-API checksums */
 krb5_boolean valid;
 krb5_key subkey;
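Review bot: In the new `authdat->checksum == NULL` branch the context is accepted with `gss_flags = 0` and no channel-binding comparison, so an acceptor that supplied bindings and relies on them gets neither a failure nor any signal that they were never verified. The relaxation is unconditional, so it applies to every krb5 GSSAPI acceptor, not only the SMB servers that need the interoperability. Consider keeping the old rejection when the caller supplied bindings, e.g. `if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) { code = KRB5KRB_AP_ERR_INAPP_CKSUM; major_status = GSS_S_FAILURE; goto fail; }` (assuming the bindings parameter has that name; the signature is cut off in the hunk header), or at least extend the comment to say that callers must not treat channel bindings as enforced on this path. The rest of kg_accept_krb5 lies outside the hunk, so how later code consumes the zeroed flags cannot be checked from here.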