Allow missing authenticator checksum with GSSAPI

Some SMB client implementations omit the authenticator checksum. To interoperate with these clients, a server needs to allow missing checksums and assume no flags are requested. This is being documented in MS-KILE as well, as Microsoft does the same. [ghudson@mit.edu: edited and reformatted comment; edited commit message summary] ticket: 8227 (new)
krb5 · Aug 4, 2015 · 0e60d5c · 0e60d5c
1 parent 7746bed
commit 0e60d5c
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -670,13 +670,15 @@ kg_accept_krb5(minor_status, context_handle,
 #endif
 
     if (authdat->checksum == NULL) {
-        /* missing checksum counts as "inappropriate type" */
-        code = KRB5KRB_AP_ERR_INAPP_CKSUM;
-        major_status = GSS_S_FAILURE;
-        goto fail;
-    }
-
-    if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
+        /*
+         * Some SMB client implementations use handcrafted GSSAPI code that
+         * does not provide a checksum.  MS-KILE documents that the Microsoft
+         * implementation considers a missing checksum acceptable; the server
+         * assumes all flags are unset in this case, and does not check channel
+         * bindings.
+         */
+        gss_flags = 0;
+    } else if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
         /* Samba does not send 0x8003 GSS-API checksums */
         krb5_boolean valid;
         krb5_key subkey;