GSSAPI forwarded credentials must be encrypted in session key

When IAKERB support was added, the krb5_mk_req checksum function gained access to the send subkey. This caused GSSAPI forwarded credentials to be encrypted in the subkey, which violates RFC 4121 section 4.1.1 and is not accepted by Microsoft's implementation. Temporarily null out the send subkey in the auth context so that krb5_mk_ncred uses the session key instead. ticket: 6768 target_version: 1.8.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24399 dc483132-0cff-0310-8789-dd5450dbe970
author: Greg Hudson <ghudson@mit.edu> 2010-10-01 03:45:43 +0000
committer: Greg Hudson <ghudson@mit.edu> 2010-10-01 03:45:43 +0000
commit: bb441175c30679eb913a839b87478b96923bbaae (patch)
tree: 768dac7e21addb64aada458af4d5e54d51982cf1 /src/lib/gssapi
parent: 3e668d20274d528775f7d9c10caff946c10760e2 (diff)
download: krb5-bb441175c30679eb913a839b87478b96923bbaae.tar.gz
krb5-bb441175c30679eb913a839b87478b96923bbaae.tar.xz
krb5-bb441175c30679eb913a839b87478b96923bbaae.zip
1 files changed, 11 insertions, 3 deletions
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 19586b9be..8e27b6d41 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -270,9 +270,7 @@ struct gss_checksum_data {
     krb5_gss_ctx_ext_t exts;
 };
 
-#ifdef CFX_EXERCISE
 #include "../../krb5/krb/auth_con.h"
-#endif
 static krb5_error_code KRB5_CALLCONV
 make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
                    void *cksum_data, krb5_data **out)
@@ -284,6 +282,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
     krb5_data credmsg;
     unsigned int junk;
     krb5_data *finished = NULL;
+    krb5_key send_subkey;
 
     data->checksum_data.data = 0;
     credmsg.data = 0;
@@ -299,13 +298,22 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 
         assert(data->cred->name != NULL);
 
+        /*
+         * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in
+         * the session key, but krb5_fwd_tgt_creds will use the send subkey if
+         * it's set in the auth context.  Null out the send subkey temporarily.
+         */
+        send_subkey = auth_context->send_subkey;
+        auth_context->send_subkey = NULL;
+
         code = krb5_fwd_tgt_creds(context, auth_context, 0,
                                   data->cred->name->princ, data->ctx->there->princ,
                                   data->cred->ccache, 1,
                                   &credmsg);
 
-        /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
+        /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */
         krb5_auth_con_setflags(context, auth_context, con_flags);
+        auth_context->send_subkey = send_subkey;
 
         if (code) {
             /* don't fail here; just don't accept/do the delegation
author	Greg Hudson <ghudson@mit.edu>	2010-10-01 03:45:43 +0000
committer	Greg Hudson <ghudson@mit.edu>	2010-10-01 03:45:43 +0000
commit	bb441175c30679eb913a839b87478b96923bbaae (patch)
tree	768dac7e21addb64aada458af4d5e54d51982cf1 /src/lib/gssapi
parent	3e668d20274d528775f7d9c10caff946c10760e2 (diff)
download	krb5-bb441175c30679eb913a839b87478b96923bbaae.tar.gz krb5-bb441175c30679eb913a839b87478b96923bbaae.tar.xz krb5-bb441175c30679eb913a839b87478b96923bbaae.zip