From 96f83b4084af2acd9ff3f7a3304efb22c9e05171 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Fri, 10 Dec 2010 01:06:26 +0000
Subject: handle MS PACs that lack server checksum

target_version 1.9
tags: pullup

Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum.  If this checksum is
missing, mark the PAC as unverfied, but allow
krb5int_authdata_verify() to succeed.  Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute().  Add trace
points to indicate where this behavior occurs.

Thanks to Helmut Grohne for help with analysis.  This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925

This change should also get backported to krb5-1.8.x.

ticket: 6839

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24564 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/k5-trace.h | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/include')

diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 3efe0e401..1bd4b4451 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -194,6 +194,12 @@
     TRACE(c, (c, "Negotiating for enctypes in authenticator: {etypes}", \
               etypes))
 
+#define TRACE_MSPAC_NOSRVCKSUM(c) \
+    TRACE(c, (c, "MS PAC lacks a server checksum.  "\
+              "Apple Open Directory bug?"))
+#define TRACE_MSPAC_DISCARD_UNVERF(c) \
+    TRACE(c, (c, "Filtering out unverified MS PAC"))
+
 #define TRACE_PREAUTH_COOKIE(c, len, data) \
     TRACE(c, (c, "Received cookie: {lenstr}", (size_t) len, data))
 #define TRACE_PREAUTH_ENC_TS_KEY_GAK(c, keyblock) \
-- 
cgit