svn rev #24574: branches/krb5-1-8/src/lib/krb5/krb/

tlyu@MIT.EDU tlyu at MIT.EDU
Tue Dec 14 18:25:13 EST 2010 

http://src.mit.edu/fisheye/changelog/krb5/?cs=24574
Commit By: tlyu
Log Message:
ticket: 6843
subject: handle MS PACs that lack server checksum
version_fixed: 1.8.4
status: resolved

backport r24564 from trunk

 ------------------------------------------------------------------------
 r24564 | tlyu | 2010-12-09 20:06:26 -0500 (Thu, 09 Dec 2010) | 18 lines

 ticket: 6839
 subject: handle MS PACs that lack server checksum
 target_version 1.9
 tags: pullup

 Apple Mac OS X Server's Open Directory KDC issues MS PAC like
 authorization data that lacks a server checksum.  If this checksum is
 missing, mark the PAC as unverfied, but allow
 krb5int_authdata_verify() to succeed.  Filter out the unverified PAC
 in subsequent calls to krb5_authdata_get_attribute().  Add trace
 points to indicate where this behavior occurs.

 Thanks to Helmut Grohne for help with analysis.  This bug is also
 Debian Bug #604925:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925

 This change should also get backported to krb5-1.8.x.


Changed Files:
U   branches/krb5-1-8/src/lib/krb5/krb/pac.c
Modified: branches/krb5-1-8/src/lib/krb5/krb/pac.c
===================================================================
--- branches/krb5-1-8/src/lib/krb5/krb/pac.c	2010-12-14 23:10:52 UTC (rev 24573)
+++ branches/krb5-1-8/src/lib/krb5/krb/pac.c	2010-12-14 23:25:13 UTC (rev 24574)
@@ -684,8 +684,16 @@
         return EINVAL;
 
     ret = k5_pac_verify_server_checksum(context, pac, server);
-    if (ret != 0)
+    if (ret == ENOENT) {
+        /*
+         * Apple Mac OS X Server Open Directory KDC (at least 10.6)
+         * appears to provide a PAC that lacks a server checksum.
+         */
+        pac->verified = FALSE;
         return ret;
+    } else if (ret != 0) {
+        return ret;
+    }
 
     if (privsvr != NULL) {
         ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
@@ -1094,6 +1102,16 @@
                            key,
                            NULL);
 
+    /*
+     * If the server checksum is not found, return success to
+     * krb5int_authdata_verify() to work around an apparent Open
+     * Directory bug.  Non-verified PACs won't be returned by
+     * mspac_get_attribute().
+     */
+    if (code == ENOENT && !pacctx->pac->verified) {
+        code = 0;
+    }
+
 #if 0
     /*
      * Now, we could return 0 and just set pac->verified to FALSE.
@@ -1269,6 +1287,11 @@
     if (*more != -1 || pacctx->pac == NULL)
         return ENOENT;
 
+    /* If it didn't verify, pretend it didn't exist. */
+    if (!pacctx->pac->verified) {
+        return ENOENT;
+    }
+
     code = mspac_attr2type(attribute, &type);
     if (code != 0)
         return code;

More information about the cvs-krb5 mailing list