From: Tom Yu Date: Mon, 11 May 2009 20:56:53 +0000 (+0000) Subject: pull up r22325 from trunk X-Git-Tag: krb5-1.7-beta2~4 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=3ed57da7e3beff1e3841f0744292476ba729fe67;p=krb5.git pull up r22325 from trunk ------------------------------------------------------------------------ r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/lib/krb5/krb/decode_kdc.c M /trunk/src/lib/krb5/krb/gc_via_tkt.c M /trunk/src/lib/krb5/libkrb5.exports Subject: Try decrypting using session key if subkey fails in tgs rep handling ticket: 6484 Tags: pullup Target_Version: 1.7 Heimdal at least up through 1.2 incorrectly encrypts the TGS response in the session key not the subkey when a subkey is supplied. See RFC 4120 page 35. Work around this by trying decryption using the session key after the subkey fails. * decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for TGS and now needs to take keyusage * gc_via_tkt: pass in session key and appropriate usage if subkey fails. Note that the dead code to process AS responses in decode_kdc_rep is not removed by this commit. That will be removed as FAST TGS client support is integrated post 1.7. ticket: 6484 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22340 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/k5-int.h b/src/include/k5-int.h index ca6769c11..eb4e2faec 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -2644,10 +2644,10 @@ krb5_error_code krb5int_send_tgs * in with the subkey needed to decrypt the TGS * response. Otherwise it will be set to null. */ -krb5_error_code krb5_decode_kdc_rep +krb5_error_code krb5int_decode_tgs_rep (krb5_context, krb5_data *, - const krb5_keyblock *, + const krb5_keyblock *, krb5_keyusage, krb5_kdc_rep ** ); krb5_error_code krb5int_find_authdata (krb5_context context, krb5_authdata *const * ticket_authdata, diff --git a/src/lib/krb5/krb/decode_kdc.c b/src/lib/krb5/krb/decode_kdc.c index a75bbf266..689e2a241 100644 --- a/src/lib/krb5/krb/decode_kdc.c +++ b/src/lib/krb5/krb/decode_kdc.c @@ -43,17 +43,15 @@ */ krb5_error_code -krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep) +krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, + krb5_keyusage usage, krb5_kdc_rep **dec_rep) { krb5_error_code retval; krb5_kdc_rep *local_dec_rep; - krb5_keyusage usage; if (krb5_is_as_rep(enc_rep)) { - usage = KRB5_KEYUSAGE_AS_REP_ENCPART; retval = decode_krb5_as_rep(enc_rep, &local_dec_rep); } else if (krb5_is_tgs_rep(enc_rep)) { - usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY; retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep); } else { return KRB5KRB_AP_ERR_MSG_TYPE; diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index e8dbd97fe..83c8026fc 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -290,9 +290,17 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, goto error_4; } - if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response, - subkey, &dec_rep))) - goto error_4; + /* Unfortunately, Heimdal at least up through 1.2 encrypts using + the session key not the subsession key. So we try both. */ + if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response, + subkey, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) { + if ((krb5int_decode_tgs_rep(context, &tgsrep.response, + &tkt->keyblock, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0) + retval = 0; + else goto error_4; + } if (dec_rep->msg_type != KRB5_TGS_REP) { retval = KRB5KRB_AP_ERR_MSG_TYPE; diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index 45e5002f0..bd50fddb5 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -185,7 +185,6 @@ krb5_copy_ticket krb5_create_secure_file krb5_crypto_us_timeofday krb5_decode_authdata_container -krb5_decode_kdc_rep krb5_decode_ticket krb5_decrypt_tkt_part krb5_default_pwd_prompt1