[15933] in Kerberos-V5-bugs
[krbdev.mit.edu #8659] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Apr 3 15:09:08 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8659@krbdev.mit.edu>
Message-ID: <rt-8659-48373.1.97718611995036@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8659'":;
Date: Tue, 3 Apr 2018 15:03:45 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Be more careful asking for AS key in SPAKE client
Asking for the AS key too early can result in password prompts in
situations where SPAKE won't proceed, such as when the KDC offers only
second factor types not supported by the client.
In spake_prep_questions(), decode the received message and make sure
it's a challenge with a supported group and second factor type
(SF-NONE at the moment). Save the decoded message and use it in
spake_process(). Do not retrieve the AS key at the beginning of
spake_process(); instead do so in process_challenge() after checking
the challenge group and factor types.
Move contains_sf_none() earlier in the file so that it can be used by
spake_prep_questions() without a prototype.
https://github.com/krb5/krb5/commit/f240f1b0d324312be8aa59ead7cfbe0c329ed064
Author: Greg Hudson <ghudson@mit.edu>
Commit: f240f1b0d324312be8aa59ead7cfbe0c329ed064
Branch: master
src/plugins/preauth/spake/spake_client.c | 109 ++++++++++++++++++------------
1 files changed, 65 insertions(+), 44 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs