krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used causing sshd to fail
Luke Howard
lukeh at padl.com
Thu Jul 1 18:09:51 EDT 2010
Here you go.
Index: pac.c
===================================================================
--- pac.c (revision 24022)
+++ pac.c (working copy)
@@ -520,6 +520,7 @@
krb5_data checksum_data;
krb5_boolean valid;
krb5_octet *p;
+ krb5_keyblock key = *server;
ret = k5_pac_locate_buffer(context, pac,
PAC_SERVER_CHECKSUM, &checksum_data);
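Review bot: The new `krb5_keyblock key = *server;` is a shallow struct copy made in the declaration, so `key.contents` still points at the caller's key bytes, and `server` is dereferenced before any NULL check visible in this hunk. A comment would keep later edits from freeing or zeroing the copy: `/* Shallow copy: key.contents aliases server->contents; only enctype is overridden, never free this. */`. If callers can pass a NULL key (not visible here), the copy should move below that check. The same applies to `krb5_keyblock key = *privsvr;` in the third hunk; both functions start and end outside the hunks.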
@@ -556,7 +557,10 @@
return ret;
}
- ret = krb5_c_verify_checksum(context, server,
+ if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+ key.enctype = ENCTYPE_ARCFOUR_HMAC;
+
+ ret = krb5_c_verify_checksum(context, &key,
KRB5_KEYUSAGE_APP_DATA_CKSUM,
&pac_data, &checksum, &valid);
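Review bot: `checksum.checksum_type` decides which algorithm the key is used with; its assignment is outside the hunk, but it appears to come from the PAC signature buffer being verified, so the data under verification picks its own algorithm. The special case only handles `CKSUMTYPE_HMAC_MD5_ARCFOUR`; every other type goes straight to `krb5_c_verify_checksum`, and nothing visible rejects an unkeyed type. I would add `if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) return KRB5KRB_AP_ERR_INAPP_CKSUM;` before the override. The override also relabels the key whatever its original enctype, so an AES-256 key reaches the RC4 HMAC code at its full length; a regression test with an AES-keyed PAC should pin that behaviour. The same applies to the fourth hunk.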
@@ -582,6 +586,7 @@
krb5_checksum checksum;
krb5_boolean valid;
krb5_octet *p;
+ krb5_keyblock key = *privsvr;
ret = k5_pac_locate_buffer(context, pac,
PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
@@ -607,7 +612,10 @@
server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
- ret = krb5_c_verify_checksum(context, privsvr,
+ if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+ key.enctype = ENCTYPE_ARCFOUR_HMAC;
+
+ ret = krb5_c_verify_checksum(context, &key,
KRB5_KEYUSAGE_APP_DATA_CKSUM,
&server_checksum, &checksum, &valid);
if (ret != 0)
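Review bot: The enctype override here is a copy of the one in the second hunk, so the server-signature and KDC-signature checks can drift apart when one of them is later tightened. A small static helper that takes the original key and the checksum type and fills in the keyblock to verify with would keep the rule in one place, together with a comment saying why an HMAC-MD5 PAC signature is verified under a non-RC4 key. The function body continues past `if (ret != 0)` outside the hunk; the helper name below is only a suggestion.

```c
/*
 * Choose the keyblock used to verify a PAC signature.  The result is a
 * shallow copy: out->contents aliases orig->contents and must not be freed.
 * An HMAC-MD5 signature is verified with the key relabelled as RC4-HMAC.
 */
static void
pac_cksum_key(const krb5_keyblock *orig, krb5_cksumtype ctype,
              krb5_keyblock *out)
{
    *out = *orig;
    if (ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
        out->enctype = ENCTYPE_ARCFOUR_HMAC;
}

/* … unchanged: locating and copying the signature buffers … */
pac_cksum_key(privsvr, checksum.checksum_type, &key);
ret = krb5_c_verify_checksum(context, &key,
```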