[29535] in CVS-changelog-for-Kerberos-V5

krb5 commit: Change KDC error for encrypted timestamp preauth

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Aug 8 19:25:35 2016

Date: Mon, 8 Aug 2016 19:25:31 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201608082325.u78NPVgs015508@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/2653d69e0705a925597dff10083a24a77e2a20af
commit 2653d69e0705a925597dff10083a24a77e2a20af
Author: Andreas Schneider <asn@samba.org>
Date:   Mon Aug 8 18:03:55 2016 +0200

    Change KDC error for encrypted timestamp preauth
    
    When encrypted timestamp pre-authentication fails, respond with error
    code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
    consistency with other Kerberos implementations.
    
    [ghudson@mit.edu: clarified commit message and comment]
    
    ticket: 8471 (new)

 src/kdc/kdc_preauth_encts.c |   16 ++++------------
 1 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 65f7c36..e80dc12 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     krb5_key_data *             client_key;
     krb5_int32                  start;
     krb5_timestamp              timenow;
-    krb5_error_code             decrypt_err = 0;
 
     scratch.data = (char *)pa->contents;
     scratch.length = pa->length;
@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         goto cleanup;
 
     start = 0;
-    decrypt_err = 0;
     while (1) {
         if ((retval = krb5_dbe_search_enctype(context, rock->client,
                                               &start, enc_data->enctype,
@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         krb5_free_keyblock_contents(context, &key);
         if (retval == 0)
             break;
-        else
-            decrypt_err = retval;
     }
 
     if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
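Review bot: with the `else decrypt_err = retval;` branch gone, nothing at the bottom of the `while (1)` loop says what happens to a non-zero retval from a failed attempt; it is simply overwritten by the next krb5_dbe_search_enctype call. A one-line comment after `if (retval == 0) break;` stating that a failed key falls through to the next candidate, and that running out of keys surfaces as KRB5_KDB_NO_MATCHING_KEY handled at cleanup, would make the control flow readable without the removed variable.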
@@ -119,14 +115,10 @@ cleanup:
     krb5_free_data_contents(context, &enc_ts_data);
     if (pa_enc)
         free(pa_enc);
-    /*
-     * If we get NO_MATCHING_KEY and decryption previously failed, and
-     * we failed to find any other keys of the correct enctype after
-     * that failed decryption, it probably means that the password was
-     * incorrect.
-     */
-    if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
-        retval = decrypt_err;
+    /* If we get NO_MATCHING_KEY, it probably means that the password was
+     * incorrect. */
+    if (retval == KRB5_KDB_NO_MATCHING_KEY)
+        retval = KRB5KDC_ERR_PREAUTH_FAILED;
 
     (*respond)(arg, retval, NULL, NULL, NULL);
 }
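Review bot: the rewritten check at cleanup, `if (retval == KRB5_KDB_NO_MATCHING_KEY)`, now also fires when the first krb5_dbe_search_enctype call finds no key of enc_data->enctype at all, a case the old `decrypt_err != 0` guard excluded and reported as KRB5_KDB_NO_MATCHING_KEY. If returning KRB5KDC_ERR_PREAUTH_FAILED for that case is intended, the new comment should say so, because "the password was incorrect" only describes the case where a key was found and did not work. If it is not intended, a local flag recording that at least one key was tried would keep the two cases apart. Since the specific error from the failed attempt is no longer passed to (*respond)(), it is also worth confirming that nothing consuming this return value relied on it.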