[krbdev.mit.edu #7883] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Wed Mar 19 17:36:41 EDT 2014


Try compatible keys in rd_req_dec "any" path

When we go to decrypt a ticket using a keytab, we have two code paths.

In the first (traditional) one, we try to read an entry that exactly
matches the principal name, enctype, and kvno from the ticket, and then
attempt to decrypt the ticket using the entry's key.  The keytab
routines helpfully return an entry so long as it's of a key type that's
compatible with the ticket being decrypted, fixing up the enctype in the
entry structure while doing so, allowing us to decrypt a DES-CBC-CRC
ticket with a DES-CBC-MD5 key.

In the second code path, we try the key of every entry which loosely
matches the principal name from the ticket and which exactly matches its
enctype, meaning that the ticket/keytab pair above won't work if the
principal name is one which suggests we shouldn't be matching entries
exactly.

This change modifies the "any" path to also try to decrypt the ticket
with compatible keys.

[ghudson at mit.edu: avoid stuffing too much logic in one conditional]

https://github.com/krb5/krb5/commit/4f99c75eb6b1a53d78b26648e39309261e37755c
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 4f99c75eb6b1a53d78b26648e39309261e37755c
Branch: master
 src/lib/krb5/krb/rd_req_dec.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)
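
The behaviour the commit message describes, as an added C model that is not the krb5 source or part of this commit. It shows the "any" path rejecting a DES-CBC-CRC ticket when the keytab holds only a DES-CBC-MD5 key, then accepting it once compatible enctypes are tried. All struct and function names, the loose principal match, and the string-compare stand-in for decryption are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Enctype numbers are the assigned Kerberos values; everything else is a
 * simplified model with hypothetical names, not libkrb5 code. */
enum { DES_CBC_CRC = 1, DES_CBC_MD5 = 3, AES256_CTS = 18 };
struct kt_entry { const char *princ; int enctype; const char *key; };
struct ticket { const char *server; int enctype; const char *sealed_with; };

/* "Compatible" modelled as: the single-DES enctypes share one key type. */
static int key_family(int e) { return (e == DES_CBC_CRC || e == DES_CBC_MD5) ? 1 : e; }

/* Stand-in for decryption: succeeds only with the key that sealed the ticket. */
static int try_decrypt(const struct ticket *t, const char *key) { return strcmp(t->sealed_with, key) == 0; }

/* Loose principal match (assumption): compare only the service component
 * before the '/', ignoring the host part. */
static int loose_match(const char *a, const char *b)
{
    size_t n = strcspn(a, "/");
    return n == strcspn(b, "/") && strncmp(a, b, n) == 0;
}

/* "Any" path: try each loosely matching entry. allow_compat == 0 requires an
 * equal enctype (behaviour before the change); 1 accepts a compatible one.
 * Returns the index of the entry that decrypted the ticket, or -1. */
int any_path(const struct kt_entry *kt, size_t n, const struct ticket *t, int allow_compat)
{
    for (size_t i = 0; i < n; i++) {
        int ok = allow_compat ? key_family(kt[i].enctype) == key_family(t->enctype)
                              : kt[i].enctype == t->enctype;
        if (ok && loose_match(kt[i].princ, t->server) && try_decrypt(t, kt[i].key))
            return (int)i;
    }
    return -1;
}

/* Constructed sample: a DES-CBC-CRC ticket and a keytab holding a DES-CBC-MD5 key. */
const struct kt_entry sample_kt[] = {
    { "host/a.example.com", AES256_CTS, "k-aes" },
    { "host/a.example.com", DES_CBC_MD5, "k-des" },
};
const struct ticket sample_tkt = { "host/a.example.com", DES_CBC_CRC, "k-des" };

int main(void)
{
    printf("exact=%d compatible=%d\n", any_path(sample_kt, 2, &sample_tkt, 0),
           any_path(sample_kt, 2, &sample_tkt, 1));
    return 0;
}
```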
