pull up r22325 from trunk
authorTom Yu <tlyu@mit.edu>
Mon, 11 May 2009 20:56:53 +0000 (20:56 +0000)
committerTom Yu <tlyu@mit.edu>
Mon, 11 May 2009 20:56:53 +0000 (20:56 +0000)
 ------------------------------------------------------------------------
 r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines
 Changed paths:
    M /trunk/src/include/k5-int.h
    M /trunk/src/lib/krb5/krb/decode_kdc.c
    M /trunk/src/lib/krb5/krb/gc_via_tkt.c
    M /trunk/src/lib/krb5/libkrb5.exports

 Subject: Try decrypting using session key if subkey fails in tgs rep handling
 ticket: 6484
 Tags: pullup
 Target_Version: 1.7

 Heimdal at least up through 1.2 incorrectly encrypts the TGS response
 in the session key not the subkey when a subkey is supplied.  See RFC
 4120 page 35.  Work around this by trying decryption using the session
 key after the subkey fails.

 * decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
   TGS and now needs to take keyusage
 * gc_via_tkt: pass in session key and appropriate usage if subkey
   fails.

 Note that the dead code to process AS responses in decode_kdc_rep is
 not removed by this commit.  That will be removed as FAST TGS client
 support is integrated post 1.7.

ticket: 6484
version_fixed: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22340 dc483132-0cff-0310-8789-dd5450dbe970

src/include/k5-int.h
src/lib/krb5/krb/decode_kdc.c
src/lib/krb5/krb/gc_via_tkt.c
src/lib/krb5/libkrb5.exports

index ca6769c11ca88f1602f993df3e5d8b6292b7a96b..eb4e2faec15e2b3ed5b5f1ad49bb04c2903c1d44 100644 (file)
@@ -2644,10 +2644,10 @@ krb5_error_code krb5int_send_tgs
                 * in with the subkey needed to decrypt the TGS
                 * response. Otherwise it will be set to null.
                 */
-krb5_error_code krb5_decode_kdc_rep
+krb5_error_code krb5int_decode_tgs_rep
        (krb5_context,
                krb5_data *,
-         const krb5_keyblock *,
+        const krb5_keyblock *, krb5_keyusage,
                krb5_kdc_rep ** );
 krb5_error_code krb5int_find_authdata
 (krb5_context context, krb5_authdata *const * ticket_authdata,
index a75bbf26652f6a8636c2ee2e61cd0e6968e1b922..689e2a2419d11348fb7135e00af4ca3902e2a370 100644 (file)
  */
 
 krb5_error_code
-krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep)
+krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key,
+                      krb5_keyusage usage, krb5_kdc_rep **dec_rep)
 {
     krb5_error_code retval;
     krb5_kdc_rep *local_dec_rep;
-    krb5_keyusage usage;
 
     if (krb5_is_as_rep(enc_rep)) {
-       usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
        retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
     } else if (krb5_is_tgs_rep(enc_rep)) {
-       usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
        retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
     } else {
        return KRB5KRB_AP_ERR_MSG_TYPE;
index e8dbd97fecacb69edcdb89dd93a4e1c22e298163..83c8026fcdafb181a207cdf17f86ce1aaa5043f8 100644 (file)
@@ -290,9 +290,17 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
        goto error_4;
     }
 
-    if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response,
-                                     subkey, &dec_rep)))
-       goto error_4;
+    /* Unfortunately, Heimdal at least up through 1.2  encrypts using
+       the session key not the subsession key.  So we try both. */
+    if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
+                                     subkey,
+                                        KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
+           if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
+                                     &tkt->keyblock,
+                                       KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
+               retval = 0;
+           else goto error_4;
+    }
 
     if (dec_rep->msg_type != KRB5_TGS_REP) {
        retval = KRB5KRB_AP_ERR_MSG_TYPE;
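Review bot: The session-key retry in the added block runs after any failure of the first `krb5int_decode_tgs_rep` call, not only a decryption failure, so an ASN.1 decode or allocation error also triggers a second attempt under the weaker key binding. Narrowing the inner condition keeps the Heimdal workaround as small as possible: `if (retval == KRB5KRB_AP_ERR_BAD_INTEGRITY && krb5int_decode_tgs_rep(context, &tgsrep.response, &tkt->keyblock, KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep) == 0)`. This assumes a wrong-key decrypt is reported with that code for every enctype in this tree, which should be confirmed. The new comment would also be easier to audit later if it named the rule being relaxed, for example `/* RFC 4120 requires the subkey here; session-key fallback is for Heimdal <= 1.2 interop only (ticket 6484). */`. The body of `krb5_get_cred_via_tkt` starts and ends outside the hunk, so it is not visible whether the nonce and msg_type checks that follow are the only remaining binding of the reply to this request.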
index 45e5002f099c3c82f6ca512d23fe971b4d6b7c3f..bd50fddb56b22990a0149f7a0c4e3e16ec56efca 100644 (file)
@@ -185,7 +185,6 @@ krb5_copy_ticket
 krb5_create_secure_file
 krb5_crypto_us_timeofday
 krb5_decode_authdata_container
-krb5_decode_kdc_rep
 krb5_decode_ticket
 krb5_decrypt_tkt_part
 krb5_default_pwd_prompt1