author | Shawn Emery <Shawn.Emery@Sun.COM> | 2009-12-28 00:12:26 -0700 |
---|---|---|
committer | Shawn Emery <Shawn.Emery@Sun.COM> | 2009-12-28 00:12:26 -0700 |
commit | d7bec57c3803769d0e8bf1960016b866617d455c (patch) | |
tree | 4e740e8144d77832538e4e1106f548241fc2920a /usr/src/uts/common/gssapi | |
parent | 0c35404fb68510fa79a18fcd7581fe676bad4882 (diff) | |
6885561 Unable to verify PAC server's signature in Windows 2008 domain w/ 2003 domain functional level
Diffstat (limited to 'usr/src/uts/common/gssapi')
-rw-r--r-- | usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c | 16 | ||||
-rw-r--r-- | usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c | 11 |
2 files changed, 16 insertions, 11 deletions
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c index d776c3b18a..4eda66bbf3 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c @@ -1,10 +1,8 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - /* * lib/crypto/keyhash_provider/hmac_md5.c * @@ -75,13 +73,19 @@ k5_hmac_md5_hash (krb5_context context, } bzero(&ks, sizeof(krb5_keyblock)); - ds.length = key->length; + /* + * Solaris Kerberos: The digest length is that of MD5_CKSUM_LENGTH not the key + * length, as keys can be of varying lengths but should not affect the digest + * length. The signing key is the digest and therefore is also the same + * length, MD5_CKSUM_LENGTH. + */ + ds.length = MD5_CKSUM_LENGTH; ds.data = MALLOC(ds.length); if (ds.data == NULL) return (ENOMEM); - ks.contents = (void *) ds.data; - ks.length = key->length; + ks.length = MD5_CKSUM_LENGTH; + #ifdef _KERNEL if (key->kef_key.ck_data == NULL) { ret = init_key_kef(krb5_enctypes_list[i].kef_cipher_mt, diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c index 7a448bab08..834c35a63f 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c @@ -1,9 +1,8 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ - /* * Copyright (C) 1998 by the FundsXpress, INC. * 
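Review bot: In the `k5_hmac_md5_hash` hunk of k_hmac_md5.c, the buffer behind `ds.data` / `ks.contents` is now sized by `MD5_CKSUM_LENGTH` and holds the derived signing key, but the code that clears and releases it lies outside the hunk. Please confirm that the cleanup path uses the new length and not `key->length`, i.e. `bzero(ks.contents, ks.length);` followed by `FREE(ks.contents, ks.length);`. If `FREE` maps to a sized kernel free, a stale length there would be a size mismatch on release, and a shorter clear would leave key bytes in freed memory. The added comment also runs past 80 columns on its first line and would read better re-wrapped.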
@@ -84,9 +83,11 @@ krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, if (krb5_enctypes_list[e2].etype == key->enctype) break; - if ((e1 == krb5_enctypes_length) || - (e2 == krb5_enctypes_length) || - (krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)) { + /* + * Solaris Kerberos: The actual key encryption type could be + * arbitrary, so the checksum enc type doesn't need to be the same. + */ + if ((e1 == krb5_enctypes_length) || (e2 == krb5_enctypes_length)) { ret = KRB5_BAD_ENCTYPE; goto cleanup; } |
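Review bot: Dropping the `krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc` test in `krb5_c_make_checksum` relaxes the key/checksum compatibility check for every keyed checksum type that reaches this branch, not only the HMAC-MD5 signature case named in the bug title. Keyhash providers outside this hunk may assume the key has the size and format of their own cipher, so a key of an unrelated enctype could now reach them unchecked. Consider keeping the comparison and exempting only the checksum type that needs it, for example `(cksumtype != CKSUMTYPE_HMAC_MD5_ARCFOUR && krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)`, and name that checksum type in the comment. The function body begins and ends outside the hunk, so how `e1` is looked up is not visible here.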