author | Greg Hudson <ghudson@mit.edu> | 2013-04-26 15:51:05 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-05-03 16:11:28 -0400 |
commit | 9593d1311fa5e6e841c429653ad35a63d17c2fdd (patch) | |
tree | 364a5e741b812bba48242e5245bb03c6d256f0f9 /src/kdc/kdc_preauth_encts.c | |
parent | e50482720a805ecd8c160e4a8f4a846e6327dca2 (diff) | |
Check for keys in encrypted timestamp/challenge
Encrypted timestamp and encrypted challenge cannot succeed if the
client has no long-term key matching the request enctypes, so do not
offer them in that case.
ticket: 7630
Diffstat (limited to 'src/kdc/kdc_preauth_encts.c')
-rw-r--r-- | src/kdc/kdc_preauth_encts.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 83c6bf1a26..65f7c3629c 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
 {
 krb5_keyblock *armor_key = cb->fast_armor(context, rock);
- (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+ /* Encrypted timestamp must not be used with FAST, and requires a key. */
+ if (armor_key != NULL || !cb->have_client_keys(context, rock))
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
 }
 static void |
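Review bot: The new comment in enc_ts_get explains why the branch exists but not its externally visible effect. The value passed to `respond` now depends on `cb->have_client_keys(context, rock)`, so the preauth methods the KDC offers presumably differ between a principal with a matching long-term key and one without, before any authentication has taken place. I would record that as a deliberate trade-off next to the check, e.g. `/* Note: the offered preauth list now reflects whether the client has a matching key. */`. This hunk only changes what is offered; the verify path lies outside it, so it is worth confirming that an unsolicited encrypted timestamp for a keyless principal is still rejected there. The signature of enc_ts_get begins above the hunk.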