[27733] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Check for keys in encrypted timestamp/challenge

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri May 3 16:16:26 2013

Date: Fri, 3 May 2013 16:16:19 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201305032016.r43KGJqa003447@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/9593d1311fa5e6e841c429653ad35a63d17c2fdd
commit 9593d1311fa5e6e841c429653ad35a63d17c2fdd
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Apr 26 15:51:05 2013 -0400

    Check for keys in encrypted timestamp/challenge
    
    Encrypted timestamp and encrypted challenge cannot succeed if the
    client has no long-term key matching the request enctypes, so do not
    offer them in that case.
    
    ticket: 7630

 src/kdc/kdc_preauth_ec.c    |    7 ++++++-
 src/kdc/kdc_preauth_encts.c |    6 +++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 7acd99a..720fefa 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -40,7 +40,12 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
          krb5_kdcpreauth_edata_respond_fn respond, void *arg)
 {
     krb5_keyblock *armor_key = cb->fast_armor(context, rock);
-    (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+
+    /* Encrypted challenge only works with FAST, and requires a client key. */
+    if (armor_key == NULL || !cb->have_client_keys(context, rock))
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
 }
 
 static void
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 83c6bf1..65f7c36 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
 {
     krb5_keyblock *armor_key = cb->fast_armor(context, rock);
 
-    (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+    /* Encrypted timestamp must not be used with FAST, and requires a key. */
+    if (armor_key != NULL || !cb->have_client_keys(context, rock))
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
 }
 
 static void
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5

home help back first fref pref prev next nref lref last post