[30131] in CVS-changelog-for-Kerberos-V5
krb5 commit: Always use AS-REP enctype in PKINIT client
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Mar 19 20:01:35 2018
Date: Mon, 19 Mar 2018 20:01:21 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201803200001.w2K01LMX027539@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/0a9bd34b97ebf794b6ddbeb17c274623b445cca4
commit 0a9bd34b97ebf794b6ddbeb17c274623b445cca4
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Feb 13 16:33:33 2018 -0500
Always use AS-REP enctype in PKINIT client
The get_etype() callback originally only returned the AS-REP enctype
for PKINIT, but was changed for encrypted challenge to sometimes
return the enctype from etype-info. (Encrypted challenge no longer
uses the callback; PKINIT is currently the only known consumer.) Make
sure to always return the AS-REP enctype if an AS-REP has been
received, so that the PKINIT clpreauth module uses the correct enctype
even if the KDC sends a different enctype in etype-info in violation
of RFC 4120.
ticket: 8642
src/include/krb5/clpreauth_plugin.h | 7 +++----
src/lib/krb5/krb/preauth2.c | 6 +++++-
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/include/krb5/clpreauth_plugin.h b/src/include/krb5/clpreauth_plugin.h
index 0106734..e47607c 100644
--- a/src/include/krb5/clpreauth_plugin.h
+++ b/src/include/krb5/clpreauth_plugin.h
@@ -84,10 +84,9 @@ typedef struct krb5_clpreauth_callbacks_st {
int vers;
/*
- * Get the enctype expected to be used to encrypt the encrypted portion of
- * the AS_REP packet. When handling a PREAUTH_REQUIRED error, this
- * typically comes from etype-info2. When handling an AS reply, it is
- * initialized from the AS reply itself.
+ * If an AS-REP has been received, return the enctype of the AS-REP
+ * encrypted part. Otherwise return the enctype chosen from etype-info, or
+ * the first requested enctype if no etype-info was received.
*/
krb5_enctype (*get_etype)(krb5_context context, krb5_clpreauth_rock rock);
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 6b96fa1..243a208 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -428,7 +428,11 @@ grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size,
static krb5_enctype
get_etype(krb5_context context, krb5_clpreauth_rock rock)
{
- return ((krb5_init_creds_context)rock)->etype;
+ krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
+
+ if (ctx->reply != NULL)
+ return ctx->reply->enc_part.enctype;
+ return ctx->etype;
}
static krb5_keyblock *
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
