From f58cc5a2589e1589ff17c0057ff5da97cac834d7 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 5 Mar 2010 17:45:46 +0000 Subject: [PATCH] Ignore improperly encoded signedpath AD elements We have some reason to believe Microsoft and Heimdal are both using the authdata value 142 for different purposes, leading to failures in verify_ad_signedpath(). For better interoperability, treat such tickets as unsigned, rather than invalid. ticket: 6676 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/kdc_authdata.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 50975580c..b5de64de2 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context context, enc_sp.length = sp_authdata[0]->length; code = decode_krb5_ad_signedpath(&enc_sp, &sp); - if (code != 0) + if (code != 0) { + /* Treat an invalid signedpath authdata element as a missing one, since + * we believe MS is using the same number for something else. */ + code = 0; goto cleanup; + } code = verify_ad_signedpath_checksum(context, krbtgt, -- 2.26.2