svn rev #23766: trunk/src/kdc/

ghudson@MIT.EDU ghudson at MIT.EDU
Fri Mar 5 12:45:46 EST 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23766
Commit By: ghudson
Log Message:
ticket: 6676
subject: Ignore improperly encoded signedpath AD elements
target_version: 1.8.1
tags: pullup

We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath().  For better interoperability, treat such
tickets as unsigned, rather than invalid.



Changed Files:
U   trunk/src/kdc/kdc_authdata.c
Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c	2010-03-05 04:18:51 UTC (rev 23765)
+++ trunk/src/kdc/kdc_authdata.c	2010-03-05 17:45:46 UTC (rev 23766)
@@ -934,8 +934,12 @@
     enc_sp.length = sp_authdata[0]->length;
 
     code = decode_krb5_ad_signedpath(&enc_sp, &sp);
-    if (code != 0)
+    if (code != 0) {
+        /* Treat an invalid signedpath authdata element as a missing one, since
+         * we believe MS is using the same number for something else. */
+        code = 0;
         goto cleanup;
+    }
 
     code = verify_ad_signedpath_checksum(context,
                                          krbtgt,
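
Review bot: the `code = 0` added inside the `if (code != 0)` branch after `decode_krb5_ad_signedpath(&enc_sp, &sp)` clears every non-zero return, not only a malformed encoding, so a resource failure inside the decoder would also come back as success with the ticket silently treated as unsigned. Consider resetting `code` only for the ASN.1 decode error codes and letting anything else propagate to `cleanup` unchanged. Since this path is now a deliberate fail-open, it is also worth confirming that the output indicating a verified signed path is still false when `cleanup` is reached this way; the visible lines do not show where it is set. The new comment names only MS, while the log message attributes the collision on authdata value 142 to Microsoft and Heimdal both; naming the value and both implementations in the comment would make the reason for the exception clearer to later readers.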



