[prev in list] [next in list] [prev in thread] [next in thread]
List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:115070812924583] No mention of deviation from MS-KILE regarding non-gssapi
From: Andrew Bartlett <abartlet () samba ! org>
Date: 2015-07-08 21:38:42
Message-ID: 1436391522.5272.118.camel () jesse
[Download RAW message or body]
On Wed, 2015-07-08 at 21:30 +0000, Tarun Chopra wrote:
> Hello Andrew
>
> We have created a case; 115070812924583, to track your inquiry and Sreekanth \
> (lopped in Cc) will be assisting you further.
Thanks,
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Wednesday, July 8, 2015 2:10 PM
> To: Interoperability Documentation Help
> Cc: cifs-protocol@lists.samba.org
> Subject: No mention of deviation from MS-KILE regarding non-gssapi or absent \
> checksums in AP-REQ
> RFC 4121 4.1.1 says that the checksum MUST be provided in the AP-REQ packet from \
> the client to the application server in the initial GSSAPI exchange (eg, the input \
> to accept_sec_context).
> "The authenticator in the KRB_AP_REQ message MUST include the optional sequence \
> number and the checksum field. The checksum field is used to convey service \
> flags, channel bindings, and optional delegation information."
> In order for Samba to interoperate with a "Huawei Unified Storage System
> S5500 V3" we found that we not only had to allow a krb5 checksum (that Samba \
> erroneously produced for many years), but also no checksum entirely.
> Tests (patches to Samba's own fake gssapi implementation) show that Windows also \
> accepts this.
> This deviation from RFC4121 isn't documented in MS-KILE. Can you please explain \
> what is going on here?
> As context, allowing no checksum caused a DoS in MIT krb5 due to a NULL pointer \
> de-reference in http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt
> I don't see this as a security issue, as despite the name the checksum is being \
> re-used simply as an opaque data field, in an authenticated packet.
As further context, see proposed patches to heimdal and samba at:
https://github.com/heimdal/heimdal/pull/134
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/allow-no-krb5-checksum
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic