
Re: heimdal 0.8-rc3




rd_req.c will try and verify a PAC from a Microsoft W2k3 AD KDC
if present, by calling the new pac.c. This tries to verify the
checksums of the PAC.

The checksum of the PAC may be encrypted in the session key, or
the server's key depending on if KDC_OPT_ENC_TKT_IN_SKEY
was set in the ap_req_options.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp

Says about the PAC_SERVER_CHECKSUM:
   "For the server's checksum, the key used to generate the signature should be
    the same key used to encrypt the ticket. Thus, if the enc_tkt_in_skey option
    is used, the session key from the server's TGT should be used. "

The code was not checking if this was the case and always using the
skey and thus would fail to decrypt PAC_SERVER_CHECKSUM.


Suggested fix:

--- ,rd_req.c	Thu Jan  4 05:27:20 2007
+++ rd_req.c	Mon Jan 15 15:44:18 2007
@@ -855,7 +855,8 @@
  				  pac,
  				  o->ticket->ticket.authtime,
  				  o->ticket->client,
-				  &o->ticket->ticket.key,
+				(o->ap_req_options & KDC_OPT_ENC_TKT_IN_SKEY) ?
+				  &o->ticket->ticket.key : o->keyblock,
  				  NULL);
  	    krb5_pac_free(context, pac);
  	    if (ret)
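
Review bot: in the replacement for the key argument, o->ap_req_options is tested against KDC_OPT_ENC_TKT_IN_SKEY, which is a KDC-request option name; please confirm that ap_req_options really carries that bit here, or test the AP-REQ use-session-key option instead. The MSDN text quoted above names the session key from the server's TGT for the flagged case, while the flagged arm passes &o->ticket->ticket.key, so a short comment above the call saying which key each arm holds would make the selection checkable against that rule. The first added line is also not aligned with the neighbouring arguments.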


Love Hörnquist Åstrand wrote:
> Hello
> 
> I've just created a heimdal 0.8-rc3 snapshot.
> 
> ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.8-rc3.tar.ga
> ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.8-rc3.dmg
> 
> Basically what needs to happen before release is fixing (text) error message
> for GSS-API mech-glue layer and testing on more platforms.
> 
> Testing is mostly automated and very simple to set up, please read
> here if you want to contribute.
> 
> http://www.pdc.kth.se/heimdal/help/#buildfarm
> 
> Love
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
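
The key-selection rule quoted from MSDN in the message above, as an added example that is not part of the original post or of Heimdal's code: the server checksum only verifies under the key that encrypted the ticket, so a verifier that always uses one fixed key fails for the other kind of ticket. It assumes the RC4-era HMAC-MD5 checksum from RFC 4757 with key usage 17; the keys, the PAC bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

KERB_NON_KERB_CKSUM_SALT = 17  # key usage number for PAC signatures (MS-PAC)


def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 as defined in RFC 4757, section 4."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_server_checksum(pac_zeroed: bytes, signature: bytes, key: bytes) -> bool:
    """Check PAC_SERVER_CHECKSUM over the PAC with its signature fields zeroed."""
    expected = hmac_md5_checksum(key, KERB_NON_KERB_CKSUM_SALT, pac_zeroed)
    return hmac.compare_digest(expected, signature)


# Constructed sample material, not real keys or a real PAC.
SERVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")      # server's long-term key
TGT_SESSION_KEY = bytes.fromhex("a1a2a3a4a5a6a7a8a9aaabacadaeafb0")  # session key of the server's TGT
PAC_ZEROED = b"constructed PAC buffer with signature fields zeroed"


def kdc_sign(enc_tkt_in_skey: bool) -> bytes:
    """Model of the quoted rule: sign with the key that encrypts the ticket."""
    key = TGT_SESSION_KEY if enc_tkt_in_skey else SERVICE_KEY
    return hmac_md5_checksum(key, KERB_NON_KERB_CKSUM_SALT, PAC_ZEROED)


def check_all() -> dict:
    """Verify both ticket kinds with a fixed key and with the ticket's own key."""
    results = {}
    for enc_tkt_in_skey in (False, True):
        sig = kdc_sign(enc_tkt_in_skey)
        ticket_key = TGT_SESSION_KEY if enc_tkt_in_skey else SERVICE_KEY
        results[enc_tkt_in_skey] = {
            "fixed_service_key": verify_server_checksum(PAC_ZEROED, sig, SERVICE_KEY),
            "ticket_encryption_key": verify_server_checksum(PAC_ZEROED, sig, ticket_key),
        }
    return results


if __name__ == "__main__":
    for flag, outcome in check_all().items():
        print(f"enc_tkt_in_skey={flag}: {outcome}")
```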