diff options
| author | Tom Yu <tlyu@mit.edu> | 2010-12-10 01:06:26 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2010-12-10 01:06:26 +0000 |
| commit | 96f83b4084af2acd9ff3f7a3304efb22c9e05171 (patch) | |
| tree | 648aecdfdfb2f663d75ef71f0448ddf4d57b3b76 /src/include | |
| parent | 168f7bfc5927ab8bf6faad3e08ad8f32a99ee2fb (diff) | |
| download | krb5-96f83b4084af2acd9ff3f7a3304efb22c9e05171.tar.gz krb5-96f83b4084af2acd9ff3f7a3304efb22c9e05171.tar.xz krb5-96f83b4084af2acd9ff3f7a3304efb22c9e05171.zip | |
handle MS PACs that lack server checksum
target_version 1.9
tags: pullup
Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum. If this checksum is
missing, mark the PAC as unverfied, but allow
krb5int_authdata_verify() to succeed. Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute(). Add trace
points to indicate where this behavior occurs.
Thanks to Helmut Grohne for help with analysis. This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
This change should also get backported to krb5-1.8.x.
ticket: 6839
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24564 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/k5-trace.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index 3efe0e401..1bd4b4451 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -194,6 +194,12 @@ TRACE(c, (c, "Negotiating for enctypes in authenticator: {etypes}", \ etypes)) +#define TRACE_MSPAC_NOSRVCKSUM(c) \ + TRACE(c, (c, "MS PAC lacks a server checksum. "\ + "Apple Open Directory bug?")) +#define TRACE_MSPAC_DISCARD_UNVERF(c) \ + TRACE(c, (c, "Filtering out unverified MS PAC")) + #define TRACE_PREAUTH_COOKIE(c, len, data) \ TRACE(c, (c, "Received cookie: {lenstr}", (size_t) len, data)) #define TRACE_PREAUTH_ENC_TS_KEY_GAK(c, keyblock) \ |