[30521] in CVS-changelog-for-Kerberos-V5
krb5 commit: Remove support for no-flags SAM-2 preauth
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 29 19:19:38 2019
Date: Wed, 29 May 2019 19:18:53 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201905292318.x4TNIrGc005670@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/c30e0af224ef3716513744fd86aec3eeea90abf9
commit c30e0af224ef3716513744fd86aec3eeea90abf9
Author: Robbie Harwood <rharwood@redhat.com>
Date: Wed Apr 17 17:07:46 2019 -0400
Remove support for no-flags SAM-2 preauth
When neither the send-encrypted-sad nor the use-sad-as-key flag is set
in the SAM-2 challenge, the protocol calls for the AS key to be
combined with the string-to-key of the SAD using a key combination
method which has only been implemented for DES and 3DES enctypes.
Rather than extending key combination, remove support for this case.
[ghudson@mit.edu: rewrote commit message, added comment]
ticket: 8812 (new)
src/lib/krb5/krb/preauth_sam2.c | 40 ++++++++++----------------------------
1 files changed, 11 insertions(+), 29 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index c7484c4..fda86be 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -211,38 +211,20 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
/* Get encryption key to be used for checksum and sam_response */
if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
/* Retain as_key from above gak_fct call. */
-
- if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
- /* as_key = combine_key (as_key, string_to_key(SAD)) */
- krb5_keyblock tmp_kb;
-
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- &response_data, salt, &tmp_kb);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
-
- /* This should be a call to the crypto library some day */
- /* key types should already match the sam_etype */
- retval = krb5int_c_combine_keys(context, &ctx->as_key, &tmp_kb,
- &ctx->as_key);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
- krb5_free_keyblock_contents(context, &tmp_kb);
- }
-
if (defsalt.length)
free(defsalt.data);
+ if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
+ /*
+ * If no flags are set, the protocol calls for us to combine the
+ * initial reply key with the SAD, using a method which is only
+ * specified for DES and 3DES enctypes. We no longer support this
+ * case.
+ */
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_UNSUPPORTED);
+ }
} else {
/* as_key = string_to_key(SAD) */
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
