[15958] in Kerberos_V5_Development
Re: krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used
daemon@ATHENA.MIT.EDU (Luke Howard)
Thu Jul 1 18:10:01 2010
Mime-Version: 1.0 (Apple Message framework v1078)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <ldveifmvoxg.fsf@cathode-dark-space.mit.edu>
Date: Fri, 2 Jul 2010 00:09:51 +0200
Message-Id: <35173B7D-81B1-4646-A74F-9897475B8BDC@padl.com>
To: Tom Yu <tlyu@mit.edu>
Cc: krbdev@mit.edu, "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Here you go.
Index: pac.c
===================================================================
--- pac.c (revision 24022)
+++ pac.c (working copy)
@@ -520,6 +520,7 @@
krb5_data checksum_data;
krb5_boolean valid;
krb5_octet *p;
+ krb5_keyblock key = *server;
ret = k5_pac_locate_buffer(context, pac,
PAC_SERVER_CHECKSUM, &checksum_data);
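Review bot: `krb5_keyblock key = *server;` is a shallow struct copy, so `key.contents` aliases the caller's key bytes, and nothing at the declaration says so. I would add a comment such as `/* shallow copy: key.contents still points at server->contents; never free or zeroize through key */` so that a later cleanup path does not call krb5_free_keyblock_contents on it. The same applies to `krb5_keyblock key = *privsvr;` in the third hunk. The enclosing function starts and ends outside this hunk.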
@@ -556,7 +557,10 @@
return ret;
}
- ret = krb5_c_verify_checksum(context, server,
+ if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+ key.enctype = ENCTYPE_ARCFOUR_HMAC;
+
+ ret = krb5_c_verify_checksum(context, &key,
KRB5_KEYUSAGE_APP_DATA_CKSUM,
&pac_data, &checksum, &valid);
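Review bot: The override at `if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)` lets a field that appears to be parsed from the PAC signature buffer (the assignment is outside the hunk) decide which algorithm the long-term key is used with, and no validation of that field is visible here. If the surrounding code does not already do so, reject unkeyed types before verifying, e.g. `if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) return KRB5KRB_AP_ERR_INAPP_CKSUM;`, so an unkeyed checksum type can never reach krb5_c_verify_checksum. The relabelled key also keeps its original length (for example 32 bytes for AES-256) under an RC4 enctype, which presumably relies on the checksum code not enforcing the enctype's key length; a comment stating that assumption would help. The same two lines recur in the fourth hunk for `privsvr`.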
@@ -582,6 +586,7 @@
krb5_checksum checksum;
krb5_boolean valid;
krb5_octet *p;
+ krb5_keyblock key = *privsvr;
ret = k5_pac_locate_buffer(context, pac,
PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
@@ -607,7 +612,10 @@
server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
- ret = krb5_c_verify_checksum(context, privsvr,
+ if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+ key.enctype = ENCTYPE_ARCFOUR_HMAC;
+
+ ret = krb5_c_verify_checksum(context, &key,
KRB5_KEYUSAGE_APP_DATA_CKSUM,
&server_checksum, &checksum, &valid);
if (ret != 0)