[30822] in CVS-changelog-for-Kerberos-V5

krb5 commit: Omit PA_FOR_USER if we can't compute its checksum

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 8 12:11:23 2020

Date: Mon, 8 Jun 2020 12:10:55 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202006081610.058GAtI2003453@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
Reply-To: krbdev@mit.edu

https://github.com/krb5/krb5/commit/03f122bdb22cfa53c7d855ed929c9541e56365e0
commit 03f122bdb22cfa53c7d855ed929c9541e56365e0
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Sat Jun 6 11:03:37 2020 +0200

    Omit PA_FOR_USER if we can't compute its checksum
    
    OpenSSL in FIPS mode will refuse to perform hmac-md5.  Omit the legacy
    PA_FOR_USER element in this case rather than failing out.
    
    [ghudson@mit.edu: minor code and comment edits; wrote commit message]
    
    ticket: 8912 (new)

 src/lib/krb5/krb/s4u_creds.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 504eb55..1f0ab85 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -536,6 +536,13 @@ krb5_get_self_cred_from_kdc(krb5_context context,
         if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) {
             code = build_pa_for_user(context, tgtptr, &s4u_user.user_id,
                                      &in_padata[1]);
+            /*
+             * If we couldn't compute the hmac-md5 checksum, send only the
+             * KRB5_PADATA_S4U_X509_USER; this will still work against modern
+             * Windows and MIT KDCs.
+             */
+            if (code == KRB5_CRYPTO_INTERNAL)
+                code = 0;
             if (code != 0) {
                 krb5_free_pa_data(context, in_padata);
                 goto cleanup;
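
Review bot: The added `if (code == KRB5_CRYPTO_INTERNAL) code = 0;` right after the build_pa_for_user() call treats every KRB5_CRYPTO_INTERNAL return as the hmac-md5 refusal the comment describes, so any other internal crypto failure reported with that code would also be swallowed and the request would go out without PA_FOR_USER. The comment should say what state in_padata[1] is in when build_pa_for_user() fails, since the hunk does not show it and the error path just below hands in_padata to krb5_free_pa_data(). A trace message at the point where the element is dropped would also make the fallback visible when a request fails against a KDC that is not one of the "modern Windows and MIT KDCs" the comment mentions.
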
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5