svn rev #23809: branches/krb5-1-8/src/kdc/
tlyu@MIT.EDU
Mon Mar 15 19:50:52 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=23809
Commit By: tlyu
Log Message:
ticket: 6676
version_fixed: 1.8.1
status: resolved
pull up r23766 from trunk
------------------------------------------------------------------------
r23766 | ghudson | 2010-03-05 12:45:46 -0500 (Fri, 05 Mar 2010) | 10 lines
ticket: 6676
subject: Ignore improperly encoded signedpath AD elements
target_version: 1.8.1
tags: pullup
We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath(). For better interoperability, treat such
tickets as unsigned, rather than invalid.
Changed Files:
U branches/krb5-1-8/src/kdc/kdc_authdata.c
Modified: branches/krb5-1-8/src/kdc/kdc_authdata.c
===================================================================
--- branches/krb5-1-8/src/kdc/kdc_authdata.c 2010-03-15 23:50:49 UTC (rev 23808)
+++ branches/krb5-1-8/src/kdc/kdc_authdata.c 2010-03-15 23:50:52 UTC (rev 23809)
@@ -934,8 +934,12 @@
enc_sp.length = sp_authdata[0]->length;
code = decode_krb5_ad_signedpath(&enc_sp, &sp);
- if (code != 0)
+ if (code != 0) {
+ /* Treat an invalid signedpath authdata element as a missing one, since
+ * we believe MS is using the same number for something else. */
+ code = 0;
goto cleanup;
+ }
code = verify_ad_signedpath_checksum(context,
krbtgt,
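Review bot: The new `if (code != 0)` branch clears every failure returned by decode_krb5_ad_signedpath(), not only malformed encodings. An unrelated error (for example an allocation failure, if the decoder can return one) would also be silently turned into "unsigned". Consider resetting code to 0 only for the ASN.1 decode error class and letting other errors propagate to cleanup unchanged. The comment names only MS, while the log message attributes the conflicting use of authdata value 142 to both Microsoft and Heimdal, so the comment should match. Since the ticket is now treated as unsigned rather than rejected, it is also worth confirming that the signed-path result the caller reads is still at its unsigned default when this path reaches cleanup, which is not visible in this hunk.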