[15958] in Kerberos_V5_Development


Re: krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used

daemon@ATHENA.MIT.EDU (Luke Howard)
Thu Jul 1 18:10:01 2010

Mime-Version: 1.0 (Apple Message framework v1078)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <ldveifmvoxg.fsf@cathode-dark-space.mit.edu>
Date: Fri, 2 Jul 2010 00:09:51 +0200
Message-Id: <35173B7D-81B1-4646-A74F-9897475B8BDC@padl.com>
To: Tom Yu <tlyu@mit.edu>
Cc: krbdev@mit.edu, "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Here you go.

Index: pac.c
===================================================================
--- pac.c	(revision 24022)
+++ pac.c	(working copy)
@@ -520,6 +520,7 @@
     krb5_data checksum_data;
     krb5_boolean valid;
     krb5_octet *p;
+    krb5_keyblock key = *server;
 
     ret = k5_pac_locate_buffer(context, pac,
                                PAC_SERVER_CHECKSUM, &checksum_data);
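Review bot: `krb5_keyblock key = *server;` is a shallow struct copy, so key.contents still points at the caller's key bytes, and nothing at the declaration says so. A short comment that key only borrows server's contents and must never be handed to a free or zeroize routine would keep a later change from double-freeing or wiping the caller's key. Since only the enctype field is ever changed, the comment can also say that the copy exists solely to allow that override.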
@@ -556,7 +557,10 @@
         return ret;
     }
 
-    ret = krb5_c_verify_checksum(context, server,
+    if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+        key.enctype = ENCTYPE_ARCFOUR_HMAC;
+
+    ret = krb5_c_verify_checksum(context, &key,
                                  KRB5_KEYUSAGE_APP_DATA_CKSUM,
                                  &pac_data, &checksum, &valid);
 
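Review bot: the override at `if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)` relabels whatever key was passed in as ENCTYPE_ARCFOUR_HMAC without looking at its original enctype or its length, and it carries no comment explaining why. The checksum type tested here selects the algorithm, so if that field is taken from the PAC being verified, the producer of the PAC decides that a stronger key (AES 256 in the case from the subject line) is checked with HMAC-MD5. Add a comment stating the interoperability reason, and decide explicitly whether the relabel should apply to every key enctype or only to the ones known to need it.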
@@ -582,6 +586,7 @@
     krb5_checksum checksum;
     krb5_boolean valid;
     krb5_octet *p;
+    krb5_keyblock key = *privsvr;
 
     ret = k5_pac_locate_buffer(context, pac,
                                PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
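Review bot: `krb5_keyblock key = *privsvr;` dereferences privsvr in the declaration, before any statement in the function can check it. If any caller can reach this function with a NULL privsvr, that is a crash at function entry; either confirm that callers guarantee a non-NULL key or move the copy below a NULL check.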
@@ -607,7 +612,10 @@
     server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
     server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
 
-    ret = krb5_c_verify_checksum(context, privsvr,
+    if (checksum.checksum_type == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+        key.enctype = ENCTYPE_ARCFOUR_HMAC;
+
+    ret = krb5_c_verify_checksum(context, &key,
                                  KRB5_KEYUSAGE_APP_DATA_CKSUM,
                                  &server_checksum, &checksum, &valid);
     if (ret != 0)
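Review bot: the two-line enctype override in front of krb5_c_verify_checksum here is a verbatim copy of the one added in the earlier hunk for the server checksum. A small static helper that takes the key and the checksum, does the relabel and makes the verify call would keep the two paths from drifting apart and gives one place to document the HMAC-MD5 special case.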

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
