backport r24564 from trunk
------------------------------------------------------------------------
r24564 | tlyu | 2010-12-09 20:06:26 -0500 (Thu, 09 Dec 2010) | 18 lines
ticket: 6839
subject: handle MS PACs that lack server checksum
target_version 1.9
tags: pullup
Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum. If this checksum is
missing, mark the PAC as unverified, but allow
krb5int_authdata_verify() to succeed. Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute(). Add trace
points to indicate where this behavior occurs.
Thanks to Helmut Grohne for help with analysis. This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
This change should also get backported to krb5-1.8.x.
ticket: 6843
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24574 dc483132-0cff-0310-8789-dd5450dbe970
return EINVAL;
ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
+ if (ret == ENOENT) {
+ /*
+ * Apple Mac OS X Server Open Directory KDC (at least 10.6)
+ * appears to provide a PAC that lacks a server checksum.
+ */
+ pac->verified = FALSE;
+ return ret;
+ } else if (ret != 0) {
return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
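Review bot: the new `ret == ENOENT` branch keys the workaround on a generic errno rather than on an explicit "server checksum buffer absent" condition, so any other ENOENT that k5_pac_verify_server_checksum() might propagate would also silently downgrade the PAC to unverified instead of failing; consider checking for the missing buffer explicitly before calling the verifier, or having the verifier return a dedicated code for that case. Also worth stating in the comment that the early `return ret;` means the KDC checksum (the `privsvr != NULL` block below) is never examined for such PACs, which is acceptable only because `pac->verified = FALSE` is set first, so the two lines must stay in that order.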
key,
NULL);
+ /*
+ * If the server checksum is not found, return success to
+ * krb5int_authdata_verify() to work around an apparent Open
+ * Directory bug. Non-verified PACs won't be returned by
+ * mspac_get_attribute().
+ */
+ if (code == ENOENT && !pacctx->pac->verified) {
+ code = 0;
+ }
+
#if 0
/*
* Now, we could return 0 and just set pac->verified to FALSE.
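Review bot: the commit message promises trace points where this behavior occurs, but the visible hunk adds none around the `code == ENOENT && !pacctx->pac->verified` downgrade; a trace call here would let an operator tell a genuinely missing PAC apart from one that was present but unsigned. Since `pacctx->pac->verified` is now the only thing standing between an unsigned PAC and its consumers, the comment should also note that every path reading `pacctx->pac` must honor that flag, not just mspac_get_attribute().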
if (*more != -1 || pacctx->pac == NULL)
return ENOENT;
+ /* If it didn't verify, pretend it didn't exist. */
+ if (!pacctx->pac->verified) {
+ return ENOENT;
+ }
+
code = mspac_attr2type(attribute, &type);
if (code != 0)
return code;
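Review bot: the new `!pacctx->pac->verified` check correctly sits after the `pacctx->pac == NULL` test, so the dereference is safe; please keep that ordering if the block is ever moved. Returning ENOENT makes an unverified PAC indistinguishable from an absent one to callers, which is the stated intent ("pretend it didn't exist"), but a trace point at this return would help diagnose reports of PAC attributes going missing after this change.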