author | Greg Hudson <ghudson@mit.edu> | 2013-05-02 16:15:32 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-05-03 16:11:28 -0400 |
commit | ef58e3e6f899ce60ca97bdb0053f8b912249ed0c (patch) | |
tree | 74941259de9e0604fc072a5f0d9280a904525a38 | |
parent | ef700ee2cc1b33a06cd1e5c6c56ca7cfac8e67c5 (diff) | |
Make AS requests work with no client key
If we cannot find a client key while preparing an AS reply, give
preauth mechanisms a chance to replace the reply key before erroring
out.
ticket: 7630
-rw-r--r-- | src/kdc/do_as_req.c | 36 | ||||
-rw-r--r-- | src/kdc/kdc_preauth.c | 6 |
2 files changed, 26 insertions, 16 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 4f0fc2e630..def7075d7b 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -195,23 +195,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
 useenctype, -1, 0, &client_key))
 break;
 }
- if (!(client_key)) {
- /* Cannot find an appropriate key */
- state->status = "CANT_FIND_CLIENT_KEY";
- errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
- goto egress;
- }
- state->rock.client_key = client_key;
- /* convert client.key_data into a real key */
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
- client_key,
- &state->client_keyblock,
- NULL))) {
- state->status = "DECRYPT_CLIENT_KEY";
- goto egress;
+ if (client_key != NULL) {
+ /* Decrypt the client key data entry to get the real reply key. */
+ errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, client_key,
+ &state->client_keyblock, NULL);
+ if (errcode) {
+ state->status = "DECRYPT_CLIENT_KEY";
+ goto egress;
+ }
+ state->client_keyblock.enctype = useenctype;
+ state->rock.client_key = client_key;
 }
- state->client_keyblock.enctype = useenctype;
 /* Start assembling the response */
 state->reply.msg_type = KRB5_AS_REP;
@@ -248,6 +243,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
 goto egress;
 }
+ /* If we didn't find a client long-term key and no preauth mechanism
+ * replaced the reply key, error out now. */
+ if (state->client_keyblock.enctype == ENCTYPE_NULL) {
+ state->status = "CANT_FIND_CLIENT_KEY";
+ errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+ goto egress;
+ }
+
 errcode = handle_authdata(kdc_context, state->c_flags, state->client,
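Review bot: Removing the early CANT_FIND_CLIENT_KEY exit means `state->rock.client_key` now stays NULL all the way through the preauth pass, so every reader of `rock.client_key` must tolerate NULL; this commit adjusts two readers in kdc_preauth.c (etype_info_as_rep_helper and return_pw_salt), and any other consumer is outside what is shown here, so it is worth confirming that none of them dereferences it unconditionally. The new `if (client_key != NULL)` block also turns `state->client_keyblock.enctype == ENCTYPE_NULL` into the "no long-term key" signal that the check after preauth relies on, which only holds if `state->client_keyblock` was zeroed at function entry (not visible in this hunk). A comment above the if would make that contract explicit: `/* If no long-term key was found, leave client_keyblock at ENCTYPE_NULL; a preauth mechanism may supply a reply key, which is checked after preauth runs. */`. finish_process_as_req starts and ends outside this hunk.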
@@ -306,7 +309,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
 &state->reply_encpart, 0, as_encrypting_key, &state->reply, &response);
- state->reply.enc_part.kvno = client_key->key_data_kvno;
+ if (client_key != NULL)
+ state->reply.enc_part.kvno = client_key->key_data_kvno;
 if (errcode) {
 state->status = "ENCODE_KDC_REP";
 goto egress;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 9c04f709ca..c3543caaec 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1489,6 +1489,9 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
 krb5_etype_info_entry **entry = NULL;
 krb5_data *scratch = NULL;
+ if (client_key == NULL)
+ return 0;
+
 /*
 * Skip PA-ETYPE-INFO completely if AS-REQ lists any "newer"
 * enctypes.
@@ -1592,6 +1595,9 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
 krb5_key_data * client_key = rock->client_key;
 int i;
+ if (client_key == NULL)
+ return 0;
+
 for (i = 0; i < request->nktypes; i++) {
 if (enctype_requires_etype_info_2(request->ktype[i]))
 return 0;
|
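Review bot: When `client_key` is NULL the new guard leaves `state->reply.enc_part.kvno` at whatever it already held, which is correct only if `state->reply` was zero-initialised earlier in finish_process_as_req (outside this hunk); a comment such as `/* No long-term key: the reply key came from preauth, so kvno stays at its zero-initialised value. */` would record that assumption. Separately, and predating this commit, the kvno is assigned after `krb5_encode_kdc_rep` has already produced `response`; if that call serialises `state->reply.enc_part`, the assignment never reaches the encoded reply and is worth checking while this line is being touched.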
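Review bot: The new `if (client_key == NULL) return 0;` in etype_info_as_rep_helper returns success with no padata but carries no explanation of why that is the right outcome; the identical bare guard is added to return_pw_salt in the following hunk. A comment above each, e.g. `/* No client long-term key (the reply key is expected to come from preauth), so there is no etype-info or salt to send. */`, would tie both guards to the do_as_req.c change that now lets a NULL client key reach these helpers. Whether `client_key` is a parameter or a local of etype_info_as_rep_helper cannot be seen here, since the function's signature lies outside the hunk.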