svn rev #22325: trunk/src/ include/ lib/krb5/ lib/krb5/krb/
hartmans@MIT.EDU
hartmans at MIT.EDU
Thu May 7 16:35:29 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22325
Commit By: hartmans
Log Message:
Subject: Try decrypting using session key if subkey fails in tgs rep handling
ticket: 6484
Tags: pullup
Target_Version: 1.7
Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.
* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
fails.
Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.
Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/lib/krb5/krb/decode_kdc.c
U trunk/src/lib/krb5/krb/gc_via_tkt.c
U trunk/src/lib/krb5/libkrb5.exports
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h 2009-05-07 20:35:19 UTC (rev 22324)
+++ trunk/src/include/k5-int.h 2009-05-07 20:35:28 UTC (rev 22325)
@@ -2613,10 +2613,10 @@
* in with the subkey needed to decrypt the TGS
* response. Otherwise it will be set to null.
*/
-krb5_error_code krb5_decode_kdc_rep
+krb5_error_code krb5int_decode_tgs_rep
(krb5_context,
krb5_data *,
- const krb5_keyblock *,
+ const krb5_keyblock *, krb5_keyusage,
krb5_kdc_rep ** );
krb5_error_code krb5int_find_authdata
(krb5_context context, krb5_authdata *const * ticket_authdata,
Modified: trunk/src/lib/krb5/krb/decode_kdc.c
===================================================================
--- trunk/src/lib/krb5/krb/decode_kdc.c 2009-05-07 20:35:19 UTC (rev 22324)
+++ trunk/src/lib/krb5/krb/decode_kdc.c 2009-05-07 20:35:28 UTC (rev 22325)
@@ -43,17 +43,15 @@
*/
krb5_error_code
-krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep)
+krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key,
+ krb5_keyusage usage, krb5_kdc_rep **dec_rep)
{
krb5_error_code retval;
krb5_kdc_rep *local_dec_rep;
- krb5_keyusage usage;
if (krb5_is_as_rep(enc_rep)) {
- usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
} else if (krb5_is_tgs_rep(enc_rep)) {
- usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
} else {
return KRB5KRB_AP_ERR_MSG_TYPE;
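Review bot: With `usage` now supplied by the caller, the `krb5_is_as_rep` branch no longer selects `KRB5_KEYUSAGE_AS_REP_ENCPART`, so a message framed as an AS-REP would be processed with whatever TGS key usage was passed in. Since the function is TGS-only after the rename, that branch could take the existing `return KRB5KRB_AP_ERR_MSG_TYPE;` path until the dead code is removed. The comment above the function should also describe the new parameter, for example `/* usage: key usage for decryption; must correspond to key (subkey vs. session key) */`. The function body continues past the end of the hunk.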
Modified: trunk/src/lib/krb5/krb/gc_via_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-05-07 20:35:19 UTC (rev 22324)
+++ trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-05-07 20:35:28 UTC (rev 22325)
@@ -290,9 +290,17 @@
goto error_4;
}
- if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response,
- subkey, &dec_rep)))
- goto error_4;
+ /* Unfortunately, Heimdal at least up through 1.2 encrypts using
+ the session key not the subsession key. So we try both. */
+ if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
+ subkey,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
+ if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
+ &tkt->keyblock,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
+ retval = 0;
+ else goto error_4;
+ }
if (dec_rep->msg_type != KRB5_TGS_REP) {
retval = KRB5KRB_AP_ERR_MSG_TYPE;
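Review bot: The second `krb5int_decode_tgs_rep` call runs after any failure of the first, not only a decryption failure, so an ASN.1 decode error or an allocation failure is also retried with `&tkt->keyblock`. Guarding the retry with `retval == KRB5KRB_AP_ERR_BAD_INTEGRITY` would keep the workaround narrow, assuming that is the code the decrypt path returns for a wrong key, which is not visible in this hunk. The comment could also record that accepting a reply encrypted in the session key relaxes the RFC 4120 expectation that the reply uses the subkey sent in the request, so the interoperability trade-off is documented next to the code. When both attempts fail, `retval` keeps the first call's error, which looks intended but deserves a short comment. The enclosing function begins and ends outside the hunk.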
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2009-05-07 20:35:19 UTC (rev 22324)
+++ trunk/src/lib/krb5/libkrb5.exports 2009-05-07 20:35:28 UTC (rev 22325)
@@ -185,7 +185,6 @@
krb5_create_secure_file
krb5_crypto_us_timeofday
krb5_decode_authdata_container
-krb5_decode_kdc_rep
krb5_decode_ticket
krb5_decrypt_tkt_part
krb5_default_pwd_prompt1