svn rev #24934: trunk/src/lib/krb5/krb/
tsitkova@MIT.EDU
tsitkova at MIT.EDU
Mon May 16 14:36:56 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=24934
Commit By: tsitkova
Log Message:
In mk_rd_cred if recv_subkey in the authentication context is NULL and the decryption with the session key fails, do not try to decrypt the message with the session key again.
Changed Files:
U trunk/src/lib/krb5/krb/rd_cred.c
Modified: trunk/src/lib/krb5/krb/rd_cred.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_cred.c 2011-05-16 14:13:39 UTC (rev 24933)
+++ trunk/src/lib/krb5/krb/rd_cred.c 2011-05-16 18:36:55 UTC (rev 24934)
@@ -1,4 +1,29 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/krb/rd_cred.c - definition of krb5_rd_cred() */
+/*
+ * Copyright 1994-2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -17,7 +42,7 @@
krb5_key pkey, krb5_cred_enc_part *pcredenc)
{
krb5_cred_enc_part * ppart = NULL;
- krb5_error_code retval;
+ krb5_error_code retval = 0;
krb5_data scratch;
scratch.length = pcred->enc_part.ciphertext.length;
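Review bot: Defaulting `retval` to 0 at its declaration makes success the fall-through result of this function, and the later hunk at -38,7 removes the explicit `retval = 0;` before `cleanup:`. Any present or future `goto cleanup` that does not assign `retval` would then return success while `*pcredenc` was never filled in, which is a fail-open default for a routine that decrypts credentials. The body between the two hunks is not visible, so whether such a path exists today cannot be confirmed from here. I would keep the explicit `retval = 0;` on the success path and either leave the declaration uninitialized, so the compiler can still warn, or default it to a failure code. The same initializer is added in the hunks at -57,9 and -160,21.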
@@ -38,7 +63,6 @@
goto cleanup;
*pcredenc = *ppart;
- retval = 0;
cleanup:
if (ppart != NULL) {
@@ -57,9 +81,9 @@
krb5_key pkey, krb5_replay_data *replaydata,
krb5_creds ***pppcreds)
{
- krb5_error_code retval;
- krb5_cred * pcred;
- krb5_int32 ncreds;
+ krb5_error_code retval = 0;
+ krb5_cred * pcred = NULL;
+ krb5_int32 ncreds = 0;
krb5_int32 i = 0;
krb5_cred_enc_part encpart;
@@ -160,21 +184,16 @@
/*
* This functions takes as input an KRB_CRED message, validates it, and
- * outputs the nonce and an array of the forwarded credentials.
+ * outputs the array of the forwarded credentials and replay cache information
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
krb5_data *pcreddata, krb5_creds ***pppcreds,
krb5_replay_data *outdata)
{
- krb5_error_code retval;
- krb5_key key;
+ krb5_error_code retval = 0;
krb5_replay_data replaydata;
- /* Get key */
- if ((key = auth_context->recv_subkey) == NULL)
- key = auth_context->key;
-
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
(outdata == NULL))
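Review bot: The rewritten header comment says the function outputs "replay cache information", but the parameter is `krb5_replay_data *outdata`, and the check below requires it only when `KRB5_AUTH_CONTEXT_RET_TIME` or `KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set. That reads as returned time and sequence data rather than anything about the replay cache. The comment also keeps the typos "This functions" and "an KRB_CRED" and has no closing period. Suggested wording: `This function takes a KRB_CRED message as input, validates it, and outputs the array of forwarded credentials and, when requested by the auth context flags, the replay data.` Since this hunk removes the local `key` selection, the comment could also say which keys are tried and in what order. The function body continues outside the hunk.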
@@ -185,19 +204,19 @@
(auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
-
/*
- * If decrypting with the first key we try fails, perhaps the
- * credentials are stored in the session key so try decrypting with
- * that.
+ * If decrypting with the subsession key fails, perhaps the
+ * credentials are stored in the session key so try decrypting with that.
*/
- if ((retval = krb5_rd_cred_basic(context, pcreddata, key,
- &replaydata, pppcreds))) {
- if ((retval = krb5_rd_cred_basic(context, pcreddata,
- auth_context->key,
- &replaydata, pppcreds))) {
- return retval;
- }
+ if (auth_context->recv_subkey == NULL ||
+ (retval = krb5_rd_cred_basic(context, pcreddata,
+ auth_context->recv_subkey,
+ &replaydata, pppcreds))) {
+ retval = krb5_rd_cred_basic(context, pcreddata,
+ auth_context->key,
+ &replaydata, pppcreds);
+ if (retval)
+ return retval;
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
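Review bot: The fallback to `auth_context->key` in the new `if` runs on any non-zero return from the `recv_subkey` attempt, not only on a decryption failure. An unrelated error from the first `krb5_rd_cred_basic` call is therefore retried under a different key, and its code is overwritten by the second call's result. If the first call can leave anything in `*pppcreds` or `replaydata` on failure, the second call would also start from that state; the callee body is not fully visible here, so that needs checking. I would limit the retry to the specific decrypt or integrity error the callee returns, or at least keep the first error for diagnostics. The comment above the `if` should also cover the NULL case, for example `/* Use the receiving subkey if present; if it is absent or decryption with it fails, fall back to the session key. */`.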