krb5 commit: Check for keys in encrypted timestamp/challenge
Greg Hudson
ghudson at MIT.EDU
Fri May 3 16:16:19 EDT 2013
https://github.com/krb5/krb5/commit/9593d1311fa5e6e841c429653ad35a63d17c2fdd
commit 9593d1311fa5e6e841c429653ad35a63d17c2fdd
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Apr 26 15:51:05 2013 -0400
Check for keys in encrypted timestamp/challenge
Encrypted timestamp and encrypted challenge cannot succeed if the
client has no long-term key matching the request enctypes, so do not
offer them in that case.
ticket: 7630
src/kdc/kdc_preauth_ec.c | 7 ++++++-
src/kdc/kdc_preauth_encts.c | 6 +++++-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 7acd99a..720fefa 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -40,7 +40,12 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
krb5_kdcpreauth_edata_respond_fn respond, void *arg)
{
krb5_keyblock *armor_key = cb->fast_armor(context, rock);
- (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+
+ /* Encrypted challenge only works with FAST, and requires a client key. */
+ if (armor_key == NULL || !cb->have_client_keys(context, rock))
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
}
static void
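Review bot: The new comment above the `armor_key == NULL || !cb->have_client_keys(context, rock)` test understates the condition the commit description states: the check is about a long-term client key matching one of the request enctypes, not merely "a client key", and a reader of the code alone would not know that the enctype list matters. Suggest `/* Encrypted challenge only works with FAST, and requires a client long-term key matching one of the request enctypes. */`; the comment in the kdc_preauth_encts.c hunk has the same gap and should say the same about "requires a key". Both failure reasons now collapse into the same ENOENT passed to respond, which is consistent with the old behaviour for the missing-armor case, but it means the two causes are indistinguishable to the caller; that is presumably acceptable for an edata callback whose only job is to offer or withhold the mechanism. ec_edata's parameter list starts before the hunk (its first line is only visible in the `@@` header).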
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 83c6bf1..65f7c36 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
{
krb5_keyblock *armor_key = cb->fast_armor(context, rock);
- (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+ /* Encrypted timestamp must not be used with FAST, and requires a key. */
+ if (armor_key != NULL || !cb->have_client_keys(context, rock))
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
}
static void
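Review bot: The kdc_preauth_ec.c hunk separates the `armor_key` declaration from the new comment with a blank line, while this hunk in enc_ts_get places the comment directly under `krb5_keyblock *armor_key = cb->fast_armor(context, rock);`; since the two edits are deliberately parallel, add the blank line here as well so the two functions read identically. The inverted FAST condition (`armor_key != NULL` here versus `== NULL` in encrypted challenge) is intentional and matches the comment, so nothing to change in the logic. enc_ts_get's signature begins before the hunk.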