krb5 commit: Fix verification of RODC-issued PAC KDC signature

Sun Sep 26 15:11:41 EDT 2021

https://github.com/krb5/krb5/commit/b5efdddd503020c2b64ccf9c30bb09117035f3ce
commit b5efdddd503020c2b64ccf9c30bb09117035f3ce
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Tue Aug 10 17:50:35 2021 +0300

    Fix verification of RODC-issued PAC KDC signature
    
    Per [MS-PAC] 2.8, PAC_SIGNATURE_DATA may contain an RODCIdentifier
    following the checksum.  In k5_pac_verify_kdc_checksum(), do not
    assume that the checksum spans the remainder of the buffer; instead,
    look up the checksum length by its type.
    
    [ghudson at mit.edu: edited commit message and comment; reordered code
    for clarity]
    
    ticket: 9031 (new)

 src/lib/krb5/krb/pac.c |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 950beda..46705d2 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -596,6 +596,7 @@ k5_pac_verify_kdc_checksum(krb5_context context,
     krb5_checksum checksum;
     krb5_boolean valid;
     krb5_octet *p;
+    size_t cksumlen;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
                                &privsvr_checksum);
@@ -615,11 +616,19 @@ k5_pac_verify_kdc_checksum(krb5_context context,
 
     p = (krb5_octet *)privsvr_checksum.data;
     checksum.checksum_type = load_32_le(p);
-    checksum.length = privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH;
-    checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
     if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
         return KRB5KRB_AP_ERR_INAPP_CKSUM;
 
+    /* There may be an RODCIdentifier trailer (see [MS-PAC] 2.8), so look up
+     * the length of the checksum by its type. */
+    ret = krb5_c_checksum_length(context, checksum.checksum_type, &cksumlen);
+    if (ret)
+        return ret;
+    if (cksumlen > privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH)
+        return KRB5_BAD_MSIZE;
+    checksum.length = cksumlen;
+    checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
+
     server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
     server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
 
