Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.
* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
fails.
Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.
ticket: 6484
Tags: pullup
Target_Version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22325
dc483132-0cff-0310-8789-
dd5450dbe970
* in with the subkey needed to decrypt the TGS
* response. Otherwise it will be set to null.
*/
-krb5_error_code krb5_decode_kdc_rep
+krb5_error_code krb5int_decode_tgs_rep
(krb5_context,
krb5_data *,
- const krb5_keyblock *,
+ const krb5_keyblock *, krb5_keyusage,
krb5_kdc_rep ** );
krb5_error_code krb5int_find_authdata
(krb5_context context, krb5_authdata *const * ticket_authdata,
*/
krb5_error_code
-krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep)
+krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key,
+ krb5_keyusage usage, krb5_kdc_rep **dec_rep)
{
krb5_error_code retval;
krb5_kdc_rep *local_dec_rep;
- krb5_keyusage usage;
if (krb5_is_as_rep(enc_rep)) {
- usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
} else if (krb5_is_tgs_rep(enc_rep)) {
- usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
} else {
return KRB5KRB_AP_ERR_MSG_TYPE;
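Review bot: The `krb5_is_as_rep(enc_rep)` branch is still reachable in a function that is now named and called as TGS-only, and with `usage` supplied by the caller an AS-REP that reached it would presumably be decrypted under a TGS key usage. The commit message defers removing that code, so until then the branch should at least carry a comment such as `/* dead: AS replies are not passed here; kept until FAST TGS client support lands */`, or it could simply fall into the existing `return KRB5KRB_AP_ERR_MSG_TYPE;` path. The doc comment above the definition should also state that `usage` must match `key`, that is the SUBKEY usage with the authenticator subkey and the SESSKEY usage with the ticket session key. The decryption call and the rest of the body lie outside this hunk.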
goto error_4;
}
- if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response,
- subkey, &dec_rep)))
- goto error_4;
+ /* Unfortunately, Heimdal at least up through 1.2 encrypts using
+ the session key not the subsession key. So we try both. */
+ if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
+ subkey,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
+ if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
+ &tkt->keyblock,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
+ retval = 0;
+ else goto error_4;
+ }
if (dec_rep->msg_type != KRB5_TGS_REP) {
retval = KRB5KRB_AP_ERR_MSG_TYPE;
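Review bot: The session-key retry runs after any failure of the subkey attempt, so an ASN.1 decode or allocation error also triggers a second full decode that the other key cannot fix, and the client now accepts a reply under either key without recording which one worked. Consider guarding the retry with `if (retval != KRB5KRB_AP_ERR_BAD_INTEGRITY) goto error_4;` before the second call; that code is presumed to be what the decrypt path returns on a key mismatch, so confirm it for every enctype before relying on it. The comment would be more useful if it cited RFC 4120 and ticket 6484 and noted that on a failed retry the error returned is the one from the subkey attempt, since the second call's result is discarded. The enclosing function starts and ends outside the hunk.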
krb5_create_secure_file
krb5_crypto_us_timeofday
krb5_decode_authdata_container
-krb5_decode_kdc_rep
krb5_decode_ticket
krb5_decrypt_tkt_part
krb5_default_pwd_prompt1