rpms / krb5

Clone
Source Code
GIT

Blame Change-KDC-error-for-encrypted-timestamp-preauth.patch

embargo f10 f11 f12 f13 f14 f15 f16 f16-s4u f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main master-f15-1.9 master-f15-nss rawhide
  1.   895d0bdfea59408674c84f07a8ce9382e616e449
  2.   Change-KDC-error-for-encrypted-timestamp-preauth.patch
Blob History Raw
32ef372 
From 709ed799a4f266de9846adb3393ec9f59e6bdecd Mon Sep 17 00:00:00 2001
1dd613a 
From: Andreas Schneider <asn@samba.org>
1dd613a 
Date: Mon, 8 Aug 2016 18:03:55 +0200
32ef372 
Subject: [PATCH] Change KDC error for encrypted timestamp preauth
1dd613a
1dd613a 
When encrypted timestamp pre-authentication fails, respond with error
1dd613a 
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
1dd613a 
consistency with other Kerberos implementations.
1dd613a
1dd613a 
[ghudson@mit.edu: clarified commit message and comment]
1dd613a
1dd613a 
ticket: 8471 (new)
1dd613a 
(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
1dd613a 
---
1dd613a 
 src/kdc/kdc_preauth_encts.c | 16 ++++------------
1dd613a 
 1 file changed, 4 insertions(+), 12 deletions(-)
1dd613a
1dd613a 
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
1dd613a 
index 65f7c36..e80dc12 100644
1dd613a 
--- a/src/kdc/kdc_preauth_encts.c
1dd613a 
+++ b/src/kdc/kdc_preauth_encts.c
1dd613a 
@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
1dd613a 
     krb5_key_data *             client_key;
1dd613a 
     krb5_int32                  start;
1dd613a 
     krb5_timestamp              timenow;
1dd613a 
-    krb5_error_code             decrypt_err = 0;
1dd613a
1dd613a 
     scratch.data = (char *)pa->contents;
1dd613a 
     scratch.length = pa->length;
1dd613a 
@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
1dd613a 
         goto cleanup;
1dd613a
1dd613a 
     start = 0;
1dd613a 
-    decrypt_err = 0;
1dd613a 
     while (1) {
1dd613a 
         if ((retval = krb5_dbe_search_enctype(context, rock->client,
1dd613a 
                                               &start, enc_data->enctype,
1dd613a 
@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
1dd613a 
         krb5_free_keyblock_contents(context, &key);
1dd613a 
         if (retval == 0)
1dd613a 
             break;
1dd613a 
-        else
1dd613a 
-            decrypt_err = retval;
1dd613a 
     }
1dd613a
1dd613a 
     if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
1dd613a 
@@ -119,14 +115,10 @@ cleanup:
1dd613a 
     krb5_free_data_contents(context, &enc_ts_data);
1dd613a 
     if (pa_enc)
1dd613a 
         free(pa_enc);
1dd613a 
-    /*
1dd613a 
-     * If we get NO_MATCHING_KEY and decryption previously failed, and
1dd613a 
-     * we failed to find any other keys of the correct enctype after
1dd613a 
-     * that failed decryption, it probably means that the password was
1dd613a 
-     * incorrect.
1dd613a 
-     */
1dd613a 
-    if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
1dd613a 
-        retval = decrypt_err;
1dd613a 
+    /* If we get NO_MATCHING_KEY, it probably means that the password was
1dd613a 
+     * incorrect. */
1dd613a 
+    if (retval == KRB5_KDB_NO_MATCHING_KEY)
1dd613a 
+        retval = KRB5KDC_ERR_PREAUTH_FAILED;
1dd613a
1dd613a 
     (*respond)(arg, retval, NULL, NULL, NULL);
1dd613a 
 }
1dd613a 
--
1dd613a 
2.9.3
1dd613a
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.