|
|
32ef372 |
From 709ed799a4f266de9846adb3393ec9f59e6bdecd Mon Sep 17 00:00:00 2001
|
|
|
1dd613a |
From: Andreas Schneider <asn@samba.org>
|
|
|
1dd613a |
Date: Mon, 8 Aug 2016 18:03:55 +0200
|
|
|
32ef372 |
Subject: [PATCH] Change KDC error for encrypted timestamp preauth
|
|
|
1dd613a |
|
|
|
1dd613a |
When encrypted timestamp pre-authentication fails, respond with error
|
|
|
1dd613a |
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
|
|
|
1dd613a |
consistency with other Kerberos implementations.
|
|
|
1dd613a |
|
|
|
1dd613a |
[ghudson@mit.edu: clarified commit message and comment]
|
|
|
1dd613a |
|
|
|
1dd613a |
ticket: 8471 (new)
|
|
|
1dd613a |
(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
|
|
|
1dd613a |
---
|
|
|
1dd613a |
src/kdc/kdc_preauth_encts.c | 16 ++++------------
|
|
|
1dd613a |
1 file changed, 4 insertions(+), 12 deletions(-)
|
|
|
1dd613a |
|
|
|
1dd613a |
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
|
|
|
1dd613a |
index 65f7c36..e80dc12 100644
|
|
|
1dd613a |
--- a/src/kdc/kdc_preauth_encts.c
|
|
|
1dd613a |
+++ b/src/kdc/kdc_preauth_encts.c
|
|
|
1dd613a |
@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
|
|
1dd613a |
krb5_key_data * client_key;
|
|
|
1dd613a |
krb5_int32 start;
|
|
|
1dd613a |
krb5_timestamp timenow;
|
|
|
1dd613a |
- krb5_error_code decrypt_err = 0;
|
|
|
1dd613a |
|
|
|
1dd613a |
scratch.data = (char *)pa->contents;
|
|
|
1dd613a |
scratch.length = pa->length;
|
|
|
1dd613a |
@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
|
|
1dd613a |
goto cleanup;
|
|
|
1dd613a |
|
|
|
1dd613a |
start = 0;
|
|
|
1dd613a |
- decrypt_err = 0;
|
|
|
1dd613a |
while (1) {
|
|
|
1dd613a |
if ((retval = krb5_dbe_search_enctype(context, rock->client,
|
|
|
1dd613a |
&start, enc_data->enctype,
|
|
|
1dd613a |
@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
|
|
1dd613a |
krb5_free_keyblock_contents(context, &key);
|
|
|
1dd613a |
if (retval == 0)
|
|
|
1dd613a |
break;
|
|
|
1dd613a |
- else
|
|
|
1dd613a |
- decrypt_err = retval;
|
|
|
1dd613a |
}
|
|
|
1dd613a |
|
|
|
1dd613a |
if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
|
|
|
1dd613a |
@@ -119,14 +115,10 @@ cleanup:
|
|
|
1dd613a |
krb5_free_data_contents(context, &enc_ts_data);
|
|
|
1dd613a |
if (pa_enc)
|
|
|
1dd613a |
free(pa_enc);
|
|
|
1dd613a |
- /*
|
|
|
1dd613a |
- * If we get NO_MATCHING_KEY and decryption previously failed, and
|
|
|
1dd613a |
- * we failed to find any other keys of the correct enctype after
|
|
|
1dd613a |
- * that failed decryption, it probably means that the password was
|
|
|
1dd613a |
- * incorrect.
|
|
|
1dd613a |
- */
|
|
|
1dd613a |
- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
|
|
|
1dd613a |
- retval = decrypt_err;
|
|
|
1dd613a |
+ /* If we get NO_MATCHING_KEY, it probably means that the password was
|
|
|
1dd613a |
+ * incorrect. */
|
|
|
1dd613a |
+ if (retval == KRB5_KDB_NO_MATCHING_KEY)
|
|
|
1dd613a |
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
|
|
1dd613a |
|
|
|
1dd613a |
(*respond)(arg, retval, NULL, NULL, NULL);
|
|
|
1dd613a |
}
|
|
|
1dd613a |
--
|
|
|
1dd613a |
2.9.3
|
|
|
1dd613a |
|