svn rev #22340: branches/krb5-1-7/src/ include/ lib/krb5/ lib/krb5/krb/

Mon May 11 16:56:53 EDT 2009

http://src.mit.edu/fisheye/changelog/krb5/?cs=22340
Commit By: tlyu
Log Message:
ticket: 6484
version_fixed: 1.7

pull up r22325 from trunk
 ------------------------------------------------------------------------
 r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines
 Changed paths:
    M /trunk/src/include/k5-int.h
    M /trunk/src/lib/krb5/krb/decode_kdc.c
    M /trunk/src/lib/krb5/krb/gc_via_tkt.c
    M /trunk/src/lib/krb5/libkrb5.exports

 Subject: Try decrypting using session key if subkey fails in tgs rep handling
 ticket: 6484
 Tags: pullup
 Target_Version: 1.7

 Heimdal at least up through 1.2 incorrectly encrypts the TGS response
 in the session key not the subkey when a subkey is supplied.  See RFC
 4120 page 35.  Work around this by trying decryption using the session
 key after the subkey fails.

 * decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
   TGS and now needs to take keyusage
 * gc_via_tkt: pass in session key and appropriate usage if subkey
   fails.

 Note that the dead code to process AS responses in decode_kdc_rep is
 not removed by this commit.  That will be removed as FAST TGS client
 support is integrated post 1.7.


Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c
U   branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
U   branches/krb5-1-7/src/lib/krb5/libkrb5.exports
Modified: branches/krb5-1-7/src/include/k5-int.h
===================================================================

--- branches/krb5-1-7/src/include/k5-int.h	2009-05-11 20:56:50 UTC (rev 22339)
+++ branches/krb5-1-7/src/include/k5-int.h	2009-05-11 20:56:53 UTC (rev 22340)
@@ -2644,10 +2644,10 @@
 		 * in with the subkey needed to decrypt the TGS
 		 * response. Otherwise it will be set to null.
 		 */
-krb5_error_code krb5_decode_kdc_rep
+krb5_error_code krb5int_decode_tgs_rep
 	(krb5_context,
 		krb5_data *,
-	  const krb5_keyblock *,
+	 const krb5_keyblock *, krb5_keyusage,
 		krb5_kdc_rep ** );
 krb5_error_code krb5int_find_authdata
 (krb5_context context, krb5_authdata *const * ticket_authdata,

Modified: branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c	2009-05-11 20:56:50 UTC (rev 22339)
+++ branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c	2009-05-11 20:56:53 UTC (rev 22340)
@@ -43,17 +43,15 @@
  */
 
 krb5_error_code
-krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep)
+krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key,
+		       krb5_keyusage usage, krb5_kdc_rep **dec_rep)
 {
     krb5_error_code retval;
     krb5_kdc_rep *local_dec_rep;
-    krb5_keyusage usage;
 
     if (krb5_is_as_rep(enc_rep)) {
-	usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
 	retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
     } else if (krb5_is_tgs_rep(enc_rep)) {
-	usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
 	retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
     } else {
 	return KRB5KRB_AP_ERR_MSG_TYPE;

Modified: branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c	2009-05-11 20:56:50 UTC (rev 22339)
+++ branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c	2009-05-11 20:56:53 UTC (rev 22340)
@@ -290,9 +290,17 @@
 	goto error_4;
     }
 
-    if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response,
-				      subkey, &dec_rep)))
-	goto error_4;
+    /* Unfortunately, Heimdal at least up through 1.2  encrypts using
+       the session key not the subsession key.  So we try both. */
+    if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
+				      subkey,
+					 KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
+	    if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
+				      &tkt->keyblock,
+					KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
+		retval = 0;
+	    else goto error_4;
+    }
 
     if (dec_rep->msg_type != KRB5_TGS_REP) {
 	retval = KRB5KRB_AP_ERR_MSG_TYPE;

Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports
===================================================================
--- branches/krb5-1-7/src/lib/krb5/libkrb5.exports	2009-05-11 20:56:50 UTC (rev 22339)
+++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports	2009-05-11 20:56:53 UTC (rev 22340)
@@ -185,7 +185,6 @@
 krb5_create_secure_file
 krb5_crypto_us_timeofday
 krb5_decode_authdata_container
-krb5_decode_kdc_rep
 krb5_decode_ticket
 krb5_decrypt_tkt_part
 krb5_default_pwd_prompt1


