svn rev #22358: trunk/src/kdc/
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed May 20 13:44:38 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22358
Commit By: ghudson
Log Message:
Add a comment to the r22168 change since it's not obvious why we're
decrypting authdata that way.
Changed Files:
U trunk/src/kdc/kdc_authdata.c
Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c 2009-05-20 02:05:53 UTC (rev 22357)
+++ trunk/src/kdc/kdc_authdata.c 2009-05-20 17:44:37 UTC (rev 22358)
@@ -398,6 +398,17 @@
if (scratch.data == NULL)
return ENOMEM;
+ /*
+ * RFC 4120 requires authdata in the TGS body to be encrypted in
+ * the subkey with usage 5 if a subkey is present, and in the TGS
+ * session key with key usage 4 if it is not. Prior to krb5 1.7,
+ * we got this wrong, always decrypting the authorization data
+ * with the TGS session key and usage 4. For the sake of
+ * conservatism, try the decryption the old way (wrong if
+ * client_key is a subkey) first, and then try again the right way
+ * (in the case where client_key is a subkey) if the first way
+ * fails.
+ */
code = krb5_c_decrypt(context,
enc_tkt_request->session,
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
More information about the cvs-krb5
mailing list