krb5 commit: Omit PA_FOR_USER if we can't compute its checksum
Greg Hudson
ghudson at mit.edu
Mon Jun 8 12:10:55 EDT 2020
https://github.com/krb5/krb5/commit/03f122bdb22cfa53c7d855ed929c9541e56365e0
commit 03f122bdb22cfa53c7d855ed929c9541e56365e0
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Jun 6 11:03:37 2020 +0200
Omit PA_FOR_USER if we can't compute its checksum
OpenSSL in FIPS mode will refuse to perform hmac-md5. Omit the legacy
PA_FOR_USER element in this case rather than failing out.
[ghudson at mit.edu: minor code and comment edits; wrote commit message]
ticket: 8912 (new)
src/lib/krb5/krb/s4u_creds.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 504eb55..1f0ab85 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -536,6 +536,13 @@ krb5_get_self_cred_from_kdc(krb5_context context,
if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) {
code = build_pa_for_user(context, tgtptr, &s4u_user.user_id,
&in_padata[1]);
+ /*
+ * If we couldn't compute the hmac-md5 checksum, send only the
+ * KRB5_PADATA_S4U_X509_USER; this will still work against modern
+ * Windows and MIT KDCs.
+ */
+ if (code == KRB5_CRYPTO_INTERNAL)
+ code = 0;
if (code != 0) {
krb5_free_pa_data(context, in_padata);
goto cleanup;
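Review bot: The `if (code == KRB5_CRYPTO_INTERNAL) code = 0;` check masks every internal crypto failure from build_pa_for_user(), not only the FIPS-mode refusal of hmac-md5 that the commit message describes, so an unrelated checksum or keyed-hash failure would also be silently turned into "send S4U_X509_USER only". Please confirm that build_pa_for_user() leaves in_padata[1] NULL on that error path (the array is passed on as a NULL-terminated padata list, so a partially filled entry would be used or leaked), and consider either narrowing the condition to the specific disabled-algorithm case the crypto module reports, or extending the comment to state that any KRB5_CRYPTO_INTERNAL from this call is treated as "hmac-md5 unavailable" and that older KDCs which require PA_FOR_USER will then reject the request.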