From: Tom Yu <tlyu@mit.edu> Date: Tue, 14 Dec 2010 23:25:13 +0000 (+0000) Subject: handle MS PACs that lack server checksum X-Git-Tag: krb5-1.8.4-final~10 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=e48a0cd64c74b253527cb172d4b8e5325352d0e7;p=krb5.git handle MS PACs that lack server checksum backport r24564 from trunk ------------------------------------------------------------------------ r24564 | tlyu | 2010-12-09 20:06:26 -0500 (Thu, 09 Dec 2010) | 18 lines ticket: 6839 subject: handle MS PACs that lack server checksum target_version 1.9 tags: pullup Apple Mac OS X Server's Open Directory KDC issues MS PAC like authorization data that lacks a server checksum. If this checksum is missing, mark the PAC as unverfied, but allow krb5int_authdata_verify() to succeed. Filter out the unverified PAC in subsequent calls to krb5_authdata_get_attribute(). Add trace points to indicate where this behavior occurs. Thanks to Helmut Grohne for help with analysis. This bug is also Debian Bug #604925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925 This change should also get backported to krb5-1.8.x. ticket: 6843 version_fixed: 1.8.4 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24574 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index abec59b02..50b29690f 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -684,8 +684,16 @@ krb5_pac_verify(krb5_context context, return EINVAL; ret = k5_pac_verify_server_checksum(context, pac, server); - if (ret != 0) + if (ret == ENOENT) { + /* + * Apple Mac OS X Server Open Directory KDC (at least 10.6) + * appears to provide a PAC that lacks a server checksum. + */ + pac->verified = FALSE; + return ret; + } else if (ret != 0) { return ret; + } if (privsvr != NULL) { ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); @@ -1094,6 +1102,16 @@ mspac_verify(krb5_context kcontext, key, NULL); + /* + * If the server checksum is not found, return success to + * krb5int_authdata_verify() to work around an apparent Open + * Directory bug. Non-verified PACs won't be returned by + * mspac_get_attribute(). + */ + if (code == ENOENT && !pacctx->pac->verified) { + code = 0; + } + #if 0 /* * Now, we could return 0 and just set pac->verified to FALSE. @@ -1269,6 +1287,11 @@ mspac_get_attribute(krb5_context kcontext, if (*more != -1 || pacctx->pac == NULL) return ENOENT; + /* If it didn't verify, pretend it didn't exist. */ + if (!pacctx->pac->verified) { + return ENOENT; + } + code = mspac_attr2type(attribute, &type); if (code != 0) return code;