Ticket History #6484: work around Heimdal not using subkey in TGS-REP

# Thu May 07 16:35:29 2009 hartmans (Sam Hartman) - Ticket created

From:	hartmans@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 871B

Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.

* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
fails.

Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.

https://github.com/krb5/krb5/commit/56e9c98f2871f78130baf3f7c63ce2abe76e02f6
Commit By: hartmans
Revision: 22325
Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/lib/krb5/krb/decode_kdc.c
U trunk/src/lib/krb5/krb/gc_via_tkt.c
U trunk/src/lib/krb5/libkrb5.exports

# Thu May 07 16:35:29 2009 hartmans (Sam Hartman) - Requestor hartmans (Sam Hartman) added

# Thu May 07 16:35:29 2009 hartmans (Sam Hartman) - Status changed from 'new' to 'review'

# Thu May 07 16:35:29 2009 hartmans (Sam Hartman) - Tags pullup added

# Thu May 07 16:35:29 2009 hartmans (Sam Hartman) - Target_Version 1.7 added

# Mon May 11 16:56:54 2009 tlyu (Taylor Yu) - Version_Fixed 1.7 added

# Mon May 11 16:56:54 2009 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 1.3KiB

pull up r22325 from trunk
------------------------------------------------------------------------
r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/lib/krb5/krb/decode_kdc.c
M /trunk/src/lib/krb5/krb/gc_via_tkt.c
M /trunk/src/lib/krb5/libkrb5.exports

Subject: Try decrypting using session key if subkey fails in tgs rep handling
ticket: 6484
Tags: pullup
Target_Version: 1.7

Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.

* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
fails.

Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.

https://github.com/krb5/krb5/commit/3ed57da7e3beff1e3841f0744292476ba729fe67
Commit By: tlyu
Revision: 22340
Changed Files:
U branches/krb5-1-7/src/include/k5-int.h
U branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c
U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
U branches/krb5-1-7/src/lib/krb5/libkrb5.exports

# Tue May 12 16:57:39 2009 tlyu (Taylor Yu) - Subject changed from '[no subject]' to 'work around Heimdal not using subkey in TGS-REP'

# Tue May 12 16:57:39 2009 tlyu (Taylor Yu) - Component krb5-kdc added

# Wed Dec 16 18:02:53 2015 tlyu (Taylor Yu) - CustomField pullup deleted

# Sun Sep 24 20:39:54 2017 ghudson@mit.edu (Greg Hudson) - Status changed from 'review' to 'resolved'