svn rev #24569: branches/krb5-1-9/src/ include/ lib/krb5/krb/
tlyu@MIT.EDU
tlyu at MIT.EDU
Tue Dec 14 18:10:36 EST 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24569
Commit By: tlyu
Log Message:
ticket: 6839
version_fixed: 1.9
status: resolved
pull up r24564 from trunk
------------------------------------------------------------------------
r24564 | tlyu | 2010-12-09 20:06:26 -0500 (Thu, 09 Dec 2010) | 18 lines
ticket: 6839
subject: handle MS PACs that lack server checksum
target_version 1.9
tags: pullup
Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum. If this checksum is
missing, mark the PAC as unverfied, but allow
krb5int_authdata_verify() to succeed. Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute(). Add trace
points to indicate where this behavior occurs.
Thanks to Helmut Grohne for help with analysis. This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
This change should also get backported to krb5-1.8.x.
Changed Files:
U branches/krb5-1-9/src/include/k5-trace.h
U branches/krb5-1-9/src/lib/krb5/krb/pac.c
Modified: branches/krb5-1-9/src/include/k5-trace.h
===================================================================
--- branches/krb5-1-9/src/include/k5-trace.h 2010-12-14 18:46:46 UTC (rev 24568)
+++ branches/krb5-1-9/src/include/k5-trace.h 2010-12-14 23:10:36 UTC (rev 24569)
@@ -194,6 +194,12 @@
TRACE(c, (c, "Negotiating for enctypes in authenticator: {etypes}", \
etypes))
+#define TRACE_MSPAC_NOSRVCKSUM(c) \
+ TRACE(c, (c, "MS PAC lacks a server checksum. "\
+ "Apple Open Directory bug?"))
+#define TRACE_MSPAC_DISCARD_UNVERF(c) \
+ TRACE(c, (c, "Filtering out unverified MS PAC"))
+
#define TRACE_PREAUTH_COOKIE(c, len, data) \
TRACE(c, (c, "Received cookie: {lenstr}", (size_t) len, data))
#define TRACE_PREAUTH_ENC_TS_KEY_GAK(c, keyblock) \
Modified: branches/krb5-1-9/src/lib/krb5/krb/pac.c
===================================================================
--- branches/krb5-1-9/src/lib/krb5/krb/pac.c 2010-12-14 18:46:46 UTC (rev 24568)
+++ branches/krb5-1-9/src/lib/krb5/krb/pac.c 2010-12-14 23:10:36 UTC (rev 24569)
@@ -637,8 +637,17 @@
return EINVAL;
ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
+ if (ret == ENOENT) {
+ /*
+ * Apple Mac OS X Server Open Directory KDC (at least 10.6)
+ * appears to provide a PAC that lacks a server checksum.
+ */
+ TRACE_MSPAC_NOSRVCKSUM(context);
+ pac->verified = FALSE;
return ret;
+ } else if (ret != 0) {
+ return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
@@ -802,6 +811,16 @@
key,
NULL);
+ /*
+ * If the server checksum is not found, return success to
+ * krb5int_authdata_verify() to work around an apparent Open
+ * Directory bug. Non-verified PACs won't be returned by
+ * mspac_get_attribute().
+ */
+ if (code == ENOENT && !pacctx->pac->verified) {
+ code = 0;
+ }
+
#if 0
/*
* Now, we could return 0 and just set pac->verified to FALSE.
@@ -977,6 +996,12 @@
if (*more != -1 || pacctx->pac == NULL)
return ENOENT;
+ /* If it didn't verify, pretend it didn't exist. */
+ if (!pacctx->pac->verified) {
+ TRACE_MSPAC_DISCARD_UNVERF(kcontext);
+ return ENOENT;
+ }
+
code = mspac_attr2type(attribute, &type);
if (code != 0)
return code;
More information about the cvs-krb5
mailing list