author | Greg Hudson <ghudson@mit.edu> | 2013-04-26 15:51:05 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-05-03 16:11:28 -0400 |
commit | 9593d1311fa5e6e841c429653ad35a63d17c2fdd (patch) | |
tree | 364a5e741b812bba48242e5245bb03c6d256f0f9 /src/kdc | |
parent | e50482720a805ecd8c160e4a8f4a846e6327dca2 (diff) | |
Check for keys in encrypted timestamp/challenge
Encrypted timestamp and encrypted challenge cannot succeed if the
client has no long-term key matching the request enctypes, so do not
offer them in that case.
ticket: 7630
Diffstat (limited to 'src/kdc')
-rw-r--r-- | src/kdc/kdc_preauth_ec.c | 7 | ||||
-rw-r--r-- | src/kdc/kdc_preauth_encts.c | 6 |
2 files changed, 11 insertions, 2 deletions
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 7acd99a..720fefa 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -40,7 +40,12 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
 krb5_kdcpreauth_edata_respond_fn respond, void *arg)
 {
 krb5_keyblock *armor_key = cb->fast_armor(context, rock);
- (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+
+ /* Encrypted challenge only works with FAST, and requires a client key. */
+ if (armor_key == NULL || !cb->have_client_keys(context, rock))
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
 }
 
 static void
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 83c6bf1..65f7c36 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
 {
 krb5_keyblock *armor_key = cb->fast_armor(context, rock);
 
- (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+ /* Encrypted timestamp must not be used with FAST, and requires a key. */
+ if (armor_key != NULL || !cb->have_client_keys(context, rock))
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
 }
 
 static void
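Review bot: The new comment in ec_edata says the mechanism "requires a client key", but the commit message states the real condition is a long-term key matching the request enctypes, and cb->have_client_keys() is the only thing the added `if` consults for it, so the comment should carry that qualifier rather than letting a reader assume any key suffices. Suggest `/* Encrypted challenge only works with FAST, and requires a client key matching one of the request enctypes. */` here, and the same qualifier on the enc_ts_get comment in the kdc_preauth_encts.c hunk. ec_edata's parameter list starts before the hunk (cb and rock are not visible here), so the ownership of the pointer fast_armor() returns cannot be confirmed from this diff. It may also be worth one sentence noting that the ENOENT passed to respond presumably makes the caller omit this pa-type from the preauth hints, since the offer now varies with the principal's key set — verify against the caller, which is outside this change.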