Don't reject AP-REQs based on PACs

back-port r24640 from trunk

 ------------------------------------------------------------------------
 r24640 | ghudson | 2011-02-16 18:34:37 -0500 (Wed, 16 Feb 2011) | 14 lines

 ticket: 6870
 subject: Don't reject AP-REQs based on PACs
 target_version: 1.9.1
 tags: pullup

 Experience has shown that it was a mistake to fail AP-REQ verification
 based on failure to verify the signature of PAC authdata contained in
 the ticket.  We've had two rounds of interoperability issues with the
 hmac-md5 checksum code, an interoperability issue OSX generating
 unsigned PACs, and another problem where PACs are copied by older KDCs
 from a cross-realm TGT into the service ticket.  If a PAC signature
 cannot be verified, just don't mark it as verified and continue on
 with the AP exchange.

ticket: 6877
version_fixed: 1.8.4
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24671 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 50b29690f1e87eccf01632941036b87d613cefc6..d89c380e31e6c209851720f4895f9673862d5891 100644 (file)
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -684,16 +684,8 @@ krb5_pac_verify(krb5_context context,
         return EINVAL;
 
     ret = k5_pac_verify_server_checksum(context, pac, server);
-    if (ret == ENOENT) {
-        /*
-         * Apple Mac OS X Server Open Directory KDC (at least 10.6)
-         * appears to provide a PAC that lacks a server checksum.
-         */
-        pac->verified = FALSE;
-        return ret;
-    } else if (ret != 0) {
+    if (ret != 0)
         return ret;
-    }
 
     if (privsvr != NULL) {
         ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
@@ -1095,35 +1087,18 @@ mspac_verify(krb5_context kcontext,
     if (pacctx->pac == NULL)
         return EINVAL;
 
-    code = krb5_pac_verify(kcontext,
-                           pacctx->pac,
+    code = krb5_pac_verify(kcontext, pacctx->pac,
                            req->ticket->enc_part2->times.authtime,
-                           req->ticket->enc_part2->client,
-                           key,
-                           NULL);
+                           req->ticket->enc_part2->client, key, NULL);
 
     /*
-     * If the server checksum is not found, return success to
-     * krb5int_authdata_verify() to work around an apparent Open
-     * Directory bug.  Non-verified PACs won't be returned by
-     * mspac_get_attribute().
+     * If the above verification failed, don't fail the whole authentication,
+     * just don't mark the PAC as verified.  A checksum mismatch can occur if
+     * the PAC was copied from a cross-realm TGT by an ignorant KDC, and Apple
+     * Mac OS X Server Open Directory (as of 10.6) generates PACs with no
+     * server checksum at all.
      */
-    if (code == ENOENT && !pacctx->pac->verified) {
-        code = 0;
-    }
-
-#if 0
-    /*
-     * Now, we could return 0 and just set pac->verified to FALSE.
-     * Thoughts?
-     */
-    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
-        assert(pacctx->pac->verified == FALSE);
-        code = 0;
-    }
-#endif
-
-    return code;
+    return 0;
 }
 
 static void