[krbdev.mit.edu #8659] git commit

Greg Hudson via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Apr 3 15:03:45 EDT 2018


Be more careful asking for AS key in SPAKE client

Asking for the AS key too early can result in password prompts in
situations where SPAKE won't proceed, such as when the KDC offers only
second factor types not supported by the client.

In spake_prep_questions(), decode the received message and make sure
it's a challenge with a supported group and second factor type
(SF-NONE at the moment).  Save the decoded message and use it in
spake_process().  Do not retrieve the AS key at the beginning of
spake_process(); instead do so in process_challenge() after checking
the challenge group and factor types.

Move contains_sf_none() earlier in the file so that it can be used by
spake_prep_questions() without a prototype.

https://github.com/krb5/krb5/commit/f240f1b0d324312be8aa59ead7cfbe0c329ed064
Author: Greg Hudson <ghudson at mit.edu>
Commit: f240f1b0d324312be8aa59ead7cfbe0c329ed064
Branch: master
 src/plugins/preauth/spake/spake_client.c |  109 ++++++++++++++++++------------
 1 files changed, 65 insertions(+), 44 deletions(-)
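To make the ordering described in the commit message concrete, here is an added illustration that is not krb5's code: the challenge structure, the group and second-factor constants, and the `as_key_fn` callback are all hypothetical stand-ins for the real client internals. The point it shows is the one the commit makes: validate the decoded challenge (supported group, SF-NONE present) first, and only then invoke whatever asks the user for the password-derived AS key, so that a challenge the client cannot proceed with produces no prompt at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified challenge; not krb5's internal representation. */
#define MAX_SF 4
typedef struct {
    int32_t group;            /* SPAKE group number offered by the KDC */
    int32_t sf_types[MAX_SF]; /* second-factor types offered by the KDC */
    size_t n_sf;              /* number of entries used in sf_types */
} challenge_t;

/* Constructed constants standing in for the real registry values. */
enum { GROUP_SUPPORTED_A = 1, GROUP_SUPPORTED_B = 2, GROUP_UNSUPPORTED = 99 };
enum { SF_NONE = 1, SF_HYPOTHETICAL = 7 };

/* Callback that, in a real client, would prompt for the password and derive
 * the AS key. The example's implementation only counts invocations. */
typedef int (*as_key_fn)(void *ctx);

static bool group_supported(int32_t g)
{
    return g == GROUP_SUPPORTED_A || g == GROUP_SUPPORTED_B;
}

/* Same idea as the contains_sf_none() mentioned in the commit message. */
static bool contains_sf_none(const challenge_t *c)
{
    for (size_t i = 0; i < c->n_sf; i++)
        if (c->sf_types[i] == SF_NONE)
            return true;
    return false;
}

/* True only when the client can actually proceed with this challenge. */
bool challenge_acceptable(const challenge_t *c)
{
    return group_supported(c->group) && contains_sf_none(c);
}

/* Process the challenge; the AS key is requested only after the checks pass.
 * Returns 0 on success, -1 when the challenge is declined without a prompt,
 * -2 when the key callback fails. */
int process_challenge(const challenge_t *c, as_key_fn get_as_key, void *ctx)
{
    if (!challenge_acceptable(c))
        return -1;               /* decline: no password prompt issued */
    if (get_as_key(ctx) != 0)
        return -2;
    return 0;
}

/* Counting stand-in for the prompt; ctx points at an int counter. */
int counting_as_key(void *ctx)
{
    (*(int *)ctx)++;
    return 0;
}

/* Number of prompts a given challenge would cause under this ordering. */
int prompts_for(const challenge_t *c)
{
    int prompts = 0;
    process_challenge(c, counting_as_key, &prompts);
    return prompts;
}

int main(void)
{
    /* Constructed sample challenges. */
    challenge_t ok = { GROUP_SUPPORTED_A, { SF_NONE }, 1 };
    challenge_t only_other_sf = { GROUP_SUPPORTED_A, { SF_HYPOTHETICAL }, 1 };
    challenge_t bad_group = { GROUP_UNSUPPORTED, { SF_NONE }, 1 };

    printf("supported group, SF-NONE: %d prompt(s)\n", prompts_for(&ok));
    printf("unsupported SF only:      %d prompt(s)\n", prompts_for(&only_other_sf));
    printf("unsupported group:        %d prompt(s)\n", prompts_for(&bad_group));
    return 0;
}
```

The defensive property to keep in mind when reviewing similar code is that the expensive or user-visible step (here the password prompt) sits strictly after every cheap decision that could still reject the exchange; moving the key retrieval into `process_challenge()` after the group and factor checks is exactly that reordering.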
