krb5 commit: Remove support for no-flags SAM-2 preauth

Greg Hudson ghudson at mit.edu
Wed May 29 19:18:53 EDT 2019


https://github.com/krb5/krb5/commit/c30e0af224ef3716513744fd86aec3eeea90abf9
commit c30e0af224ef3716513744fd86aec3eeea90abf9
Author: Robbie Harwood <rharwood at redhat.com>
Date:   Wed Apr 17 17:07:46 2019 -0400

    Remove support for no-flags SAM-2 preauth
    
    When neither the send-encrypted-sad nor the use-sad-as-key flag is set
    in the SAM-2 challenge, the protocol calls for the AS key to be
    combined with the string-to-key of the SAD using a key combination
    method which has only been implemented for DES and 3DES enctypes.
    Rather than extending key combination, remove support for this case.
    
    [ghudson at mit.edu: rewrote commit message, added comment]
    
    ticket: 8812 (new)

 src/lib/krb5/krb/preauth_sam2.c |   40 ++++++++++----------------------------
 1 files changed, 11 insertions(+), 29 deletions(-)

diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index c7484c4..fda86be 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -211,38 +211,20 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
     /* Get encryption key to be used for checksum and sam_response */
     if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
         /* Retain as_key from above gak_fct call. */
-
-        if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
-            /* as_key = combine_key (as_key, string_to_key(SAD)) */
-            krb5_keyblock tmp_kb;
-
-            retval = krb5_c_string_to_key(context, sc2b->sam_etype,
-                                          &response_data, salt, &tmp_kb);
-
-            if (retval) {
-                krb5_free_sam_challenge_2(context, sc2);
-                krb5_free_sam_challenge_2_body(context, sc2b);
-                if (defsalt.length) free(defsalt.data);
-                return(retval);
-            }
-
-            /* This should be a call to the crypto library some day */
-            /* key types should already match the sam_etype */
-            retval = krb5int_c_combine_keys(context, &ctx->as_key, &tmp_kb,
-                                            &ctx->as_key);
-
-            if (retval) {
-                krb5_free_sam_challenge_2(context, sc2);
-                krb5_free_sam_challenge_2_body(context, sc2b);
-                if (defsalt.length) free(defsalt.data);
-                return(retval);
-            }
-            krb5_free_keyblock_contents(context, &tmp_kb);
-        }
-
         if (defsalt.length)
             free(defsalt.data);
 
+        if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
+            /*
+             * If no flags are set, the protocol calls for us to combine the
+             * initial reply key with the SAD, using a method which is only
+             * specified for DES and 3DES enctypes.  We no longer support this
+             * case.
+             */
+            krb5_free_sam_challenge_2(context, sc2);
+            krb5_free_sam_challenge_2_body(context, sc2b);
+            return(KRB5_SAM_UNSUPPORTED);
+        }
     } else {
         /* as_key = string_to_key(SAD) */
 
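Review bot: The new `KRB5_SAM_UNSUPPORTED` return for a no-flags challenge appears to sit after the SAD has already been collected, since the removed lines read `response_data` at this spot and the retained comment refers to the gak_fct call above. The test depends only on `sc2b->sam_flags`, so it could run as soon as the challenge body is decoded, e.g. `if (!(sc2b->sam_flags & (KRB5_SAM_USE_SAD_AS_KEY | KRB5_SAM_SEND_ENCRYPTED_SAD)))`, with whatever cleanup applies at that earlier point. That would avoid asking the user for a password or token value that is then discarded. If the check stays here, consider wiping the collected SAD before returning; whether `response_data` is cleared on other exit paths is not visible in this hunk. sam2_process begins and ends outside the hunk, so the position of the prompter call is inferred rather than seen.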

