From: Greg Hudson Date: Fri, 5 Mar 2010 17:45:46 +0000 (+0000) Subject: Ignore improperly encoded signedpath AD elements X-Git-Tag: krb5-1.9-beta1~324 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f58cc5a2589e1589ff17c0057ff5da97cac834d7;p=krb5.git Ignore improperly encoded signedpath AD elements We have some reason to believe Microsoft and Heimdal are both using the authdata value 142 for different purposes, leading to failures in verify_ad_signedpath(). For better interoperability, treat such tickets as unsigned, rather than invalid. ticket: 6676 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 50975580c..b5de64de2 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context context, enc_sp.length = sp_authdata[0]->length; code = decode_krb5_ad_signedpath(&enc_sp, &sp); - if (code != 0) + if (code != 0) { + /* Treat an invalid signedpath authdata element as a missing one, since + * we believe MS is using the same number for something else. */ + code = 0; goto cleanup; + } code = verify_ad_signedpath_checksum(context, krbtgt,
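Review bot: In the new `if (code != 0) {` block in verify_ad_signedpath(), `code = 0;` clears every failure returned by decode_krb5_ad_signedpath(), not only the improper-encoding case the commit message describes. If the decoder can also fail for reasons unrelated to the element's contents, such as memory allocation, those errors would now be reported as success with the ticket treated as unsigned. Consider resetting `code` only for the decoder's encoding errors and letting anything else propagate. Because the path goes straight to `cleanup` with a success code, it is also worth confirming that whatever result this function reports to its caller is still at its "not signed" default at that point, since that is not visible in this hunk. Finally, the comment names only MS, while the commit message says Microsoft and Heimdal both use authdata value 142; aligning the two would help the next reader.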