svn rev #24460: branches/krb5-1-8/src/lib/gssapi/krb5/

tlyu@MIT.EDU tlyu at MIT.EDU
Fri Oct 15 17:42:26 EDT 2010 

http://src.mit.edu/fisheye/changelog/krb5/?cs=24460
Commit By: tlyu
Log Message:
ticket: 6768
version_fixed: 1.8.4
target_version: 1.8.4
status: resolved

pull up r24399 from trunk

 ------------------------------------------------------------------------
 r24399 | ghudson | 2010-09-30 23:45:43 -0400 (Thu, 30 Sep 2010) | 12 lines

 ticket: 6768
 subject: GSSAPI forwarded credentials must be encrypted in session key
 target_version: 1.8.4
 tags: pullup

 When IAKERB support was added, the krb5_mk_req checksum function
 gained access to the send subkey.  This caused GSSAPI forwarded
 credentials to be encrypted in the subkey, which violates RFC 4121
 section 4.1.1 and is not accepted by Microsoft's implementation.
 Temporarily null out the send subkey in the auth context so that
 krb5_mk_ncred uses the session key instead.


Changed Files:
U   branches/krb5-1-8/src/lib/gssapi/krb5/init_sec_context.c
Modified: branches/krb5-1-8/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- branches/krb5-1-8/src/lib/gssapi/krb5/init_sec_context.c	2010-10-15 21:42:22 UTC (rev 24459)
+++ branches/krb5-1-8/src/lib/gssapi/krb5/init_sec_context.c	2010-10-15 21:42:25 UTC (rev 24460)
@@ -234,9 +234,7 @@
     krb5_data checksum_data;
 };
 
-#ifdef CFX_EXERCISE
 #include "../../krb5/krb/auth_con.h"
-#endif
 static krb5_error_code KRB5_CALLCONV
 make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
                    void *cksum_data, krb5_data **out)
@@ -247,6 +245,7 @@
     struct gss_checksum_data *data = cksum_data;
     krb5_data credmsg;
     unsigned int junk;
+    krb5_key send_subkey;
 
     data->checksum_data.data = 0;
     credmsg.data = 0;
@@ -262,13 +261,22 @@
 
         assert(data->cred->name != NULL);
 
+        /*
+         * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in
+         * the session key, but krb5_fwd_tgt_creds will use the send subkey if
+         * it's set in the auth context.  Null out the send subkey temporarily.
+         */
+        send_subkey = auth_context->send_subkey;
+        auth_context->send_subkey = NULL;
+
         code = krb5_fwd_tgt_creds(context, auth_context, 0,
                                   data->cred->name->princ, data->ctx->there->princ,
                                   data->cred->ccache, 1,
                                   &credmsg);
 
-        /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
+        /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */
         krb5_auth_con_setflags(context, auth_context, con_flags);
+        auth_context->send_subkey = send_subkey;
 
         if (code) {
             /* don't fail here; just don't accept/do the delegation

More information about the cvs-krb5 mailing list