author | Luke Howard <lukeh@padl.com> | 2009-08-18 13:05:02 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2009-08-18 13:05:02 +0000 |
commit | 6b3866979f1396dd93772ed4ffeca401d2fbcb04 (patch) | |
tree | 8a013ebbdc8eb0778a1cb6a7ce1944c3c17a98fe | |
parent | 846a287d124fc2fb8b3f5b94a64f8709fde41205 (diff) | |
Allow unkeyed checksums for all non-newer enctypes
Return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN if S4U2Self client/server principals do not match
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22536 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/kdc/kdc_util.c | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 7ea8a70..c29e1cb 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1865,15 +1865,9 @@ verify_s4u_x509_user_checksum(krb5_context context,
     krb5_data *data;
     krb5_boolean valid = FALSE;
 
-    switch (key->enctype) {
-    case ENCTYPE_ARCFOUR_HMAC:
-    case ENCTYPE_ARCFOUR_HMAC_EXP:
-        break;
-    default:
-        if (!krb5_c_is_keyed_cksum(req->cksum.checksum_type))
-            return KRB5KRB_AP_ERR_INAPP_CKSUM;
-        break;
-    }
+    if (enctype_requires_etype_info_2(key->enctype) &&
+        !krb5_c_is_keyed_cksum(req->cksum.checksum_type))
+        return KRB5KRB_AP_ERR_INAPP_CKSUM;
 
     if (req->user_id.nonce != kdc_req_nonce)
         return KRB5KRB_AP_ERR_MODIFIED;
@@ -1958,6 +1952,11 @@ kdc_process_s4u2self_rep(krb5_context context,
     else
         enctype = tgs_session->enctype;
 
+    /*
+     * Owing to a bug in Windows, unkeyed checksums were used for older
+     * enctypes, including rc4-hmac. A forthcoming workaround for this
+     * includes the checksum bytes in the encrypted padata.
+     */
     if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) &&
         enctype_requires_etype_info_2(enctype) == FALSE) {
         padata.length = req_s4u_user->cksum.length + rep_s4u_user.cksum.length;
@@ -2118,10 +2117,18 @@ kdc_process_s4u2self_req(krb5_context context,
         krb5_free_pa_for_user(context, for_user);
     }
 
+    /*
+     * We really want to do this comparison after name canonicalization,
+     * but we don't have a good interface to do that yet (without looking
+     * up the server principal and decoding KRB5_TL_SVR_REFERRAL_DATA).
+     *
+     * The comparison below will work with existing Windows and MIT
+     * client implementations.
+     */
     if (!krb5_principal_compare_flags(context, request->server, client_princ,
                                       KRB5_PRINCIPAL_COMPARE_ENTERPRISE)) {
         *status = "INVALID_S4U2SELF_REQUEST";
-        return KRB5KDC_ERR_POLICY;
+        return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error code */
     }
 
     /*
 |
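Review bot: The relaxed condition in verify_s4u_x509_user_checksum carries no comment at the check site, so a reader sees only `if (enctype_requires_etype_info_2(key->enctype) && !krb5_c_is_keyed_cksum(...))` and cannot tell why an unkeyed checksum is now acceptable for every enctype that does not require etype-info2, not just the two ARCFOUR types the removed switch exempted; the rationale (the Windows client bug) is written only in the second hunk, inside kdc_process_s4u2self_rep. The security consequence deserves to be stated where the decision is made: for those enctypes an unkeyed checksum can be recomputed by anyone who can rewrite the request, so whatever verification follows proves only that the padata is well-formed, not who produced it. I would add above the new condition: `/* Older enctypes (rc4-hmac among them) are sent with unkeyed checksums by Windows clients; accept them, but note an unkeyed checksum gives no integrity protection against an attacker able to rewrite the request. */`. The function body begins before this hunk and the verification that uses `valid` lies outside it.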
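Review bot: The new comment in kdc_process_s4u2self_rep says "A forthcoming workaround for this includes the checksum bytes in the encrypted padata", but the code directly beneath it already builds `padata.length = req_s4u_user->cksum.length + rep_s4u_user.cksum.length`, so it is unclear whether "forthcoming" refers to the lines that follow or to a later change; a comment that points at future work goes stale silently. If the code below is that workaround, I would reword the last sentence to `The KDC therefore echoes both checksums inside the encrypted padata so the client can detect tampering.`; if it is genuinely future work, name what is still missing. The enclosing function starts before this hunk and the padata handling continues after it.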
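Review bot: The new comment in kdc_process_s4u2self_req records that the server/client comparison is done before name canonicalization, but does not say which way the limitation fails, which is the detail a reviewer of an authorization check wants: as the hunk shows, a name the un-canonicalized compare does not match is rejected with `INVALID_S4U2SELF_REQUEST`, so the shortcut fails closed and can only cause spurious rejections, not improper acceptance. I would add to the comment: `Until then, a server name that only matches after canonicalization is rejected rather than accepted, so the shortcut fails closed.` Since the returned code is now KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN to match Windows, the status string is the only thing that lets an operator reading the KDC log tell this rejection apart from a genuinely unknown client, which is worth stating next to the `/* match Windows error code */` comment. The enclosing function continues outside the hunk.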