[31061] in CVS-changelog-for-Kerberos-V5


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

krb5 commit: Fix verification of RODC-issued PAC KDC signature

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Sep 26 15:11:49 2021

Date: Sun, 26 Sep 2021 15:11:41 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202109261911.18QJBfIC026100@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/b5efdddd503020c2b64ccf9c30bb09117035f3ce
commit b5efdddd503020c2b64ccf9c30bb09117035f3ce
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Tue Aug 10 17:50:35 2021 +0300

    Fix verification of RODC-issued PAC KDC signature
    
    Per [MS-PAC] 2.8, PAC_SIGNATURE_DATA may contain an RODCIdentifier
    following the checksum.  In k5_pac_verify_kdc_checksum(), do not
    assume that the checksum spans the remainder of the buffer; instead,
    look up the checksum length by its type.
    
    [ghudson@mit.edu: edited commit message and comment; reordered code
    for clarity]
    
    ticket: 9031 (new)

 src/lib/krb5/krb/pac.c |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 950beda..46705d2 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -596,6 +596,7 @@ k5_pac_verify_kdc_checksum(krb5_context context,
     krb5_checksum checksum;
     krb5_boolean valid;
     krb5_octet *p;
+    size_t cksumlen;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
                                &privsvr_checksum);
@@ -615,11 +616,19 @@ k5_pac_verify_kdc_checksum(krb5_context context,
 
     p = (krb5_octet *)privsvr_checksum.data;
     checksum.checksum_type = load_32_le(p);
-    checksum.length = privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH;
-    checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
     if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
         return KRB5KRB_AP_ERR_INAPP_CKSUM;
 
+    /* There may be an RODCIdentifier trailer (see [MS-PAC] 2.8), so look up
+     * the length of the checksum by its type. */
+    ret = krb5_c_checksum_length(context, checksum.checksum_type, &cksumlen);
+    if (ret)
+        return ret;
+    if (cksumlen > privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH)
+        return KRB5_BAD_MSIZE;
+    checksum.length = cksumlen;
+    checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
+
     server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
     server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
 
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[31061] in CVS-changelog-for-Kerberos-V5

krb5 commit: Fix verification of RODC-issued PAC KDC signature

daemon@ATHENA.MIT.EDU (Greg Hudson)Sun Sep 26 15:11:49 2021

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Sep 26 15:11:49 2021