off-list: Current semantics for channel-bindings in GSSAPI
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Tue Mar 10 11:39:38 2020
In-Reply-To: <73d92c4b-ac14-b6ed-40ca-3c2ddc89dcc9@samba.org>
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 10 Mar 2020 16:38:13 +0100
Message-ID: <CAC-fF8QqkmKY9CqyOqxuc461JbiP78GmMnV4O28PngwJCstmsg@mail.gmail.com>
To: Stefan Metzmacher <metze@samba.org>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Simo Sorce <simo@redhat.com>,
Nico Williams <nico@cryptonector.com>
Off-list.
Please see below. I think this is a bug; is it a security one?
<iboukris> ghudson, simo: finally tested omitting the checksum
altogether; it doesn't work as expected
<iboukris> without the checksum, it works in level=1 even if
KERB_AP_OPTIONS_CBT is set
<iboukris> more surprisingly, it works even if level=2
<iboukris> I wonder if that's a bug
<iboukris> that's the diff: git diff
<iboukris> diff --git a/src/lib/krb5/krb/mk_req_ext.c
b/src/lib/krb5/krb/mk_req_ext.c
<iboukris> index 21a36bea5..ff7149274 100644
<iboukris> --- a/src/lib/krb5/krb/mk_req_ext.c
<iboukris> +++ b/src/lib/krb5/krb/mk_req_ext.c
<iboukris> @@ -295,7 +295,7 @@ generate_authenticator(krb5_context
context, krb5_authenticator *authent,
<iboukris> int client_aware_cb;
<iboukris>
<iboukris> authent->client = client;
<iboukris> - authent->checksum = cksum;
<iboukris> + authent->checksum = NULL;//cksum;
<iboukris> if (key) {
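Review bot: `authent->checksum = NULL;//cksum;` is a throwaway experiment rather than a mergeable change: it leaves the `cksum` argument of `generate_authenticator` unused and keeps the replaced assignment as a trailing comment. If a checksum-less authenticator path is worth keeping around for testing the acceptor's level=2 enforcement, gate it behind an explicit option (for example next to the `client_aware_cb` local visible in the context) instead of commenting out the assignment, so the normal build still always attaches the checksum that carries the channel bindings.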
<ghudson> I don't think it's necessarily an important bug, because
only authenticators generated that way can be leveraged by an
attacker, and we think only certain SMB clients do that.
<ghudson> But, it seems like we should diverge from that behavior from
level=2, if only because it's hard not to (under the current design).
<ghudson> That is, it would be a complete lie to report the
channel-bound ret_flag if no checksum is provided, and if we don't do
that, the application has no idea that there was no checksum.
<iboukris> ghudson: yeah, per MS doc I think this might be a bug
<iboukris> DWORD value: 2 indicates enabled, always. All clients must
provide channel binding information. The server rejects authentication
requests from clients that do not do so.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev