Check for keys in encrypted timestamp/challenge

Encrypted timestamp and encrypted challenge cannot succeed if the client has no long-term key matching the request enctypes, so do not offer them in that case. ticket: 7630
author: Greg Hudson <ghudson@mit.edu> 2013-04-26 15:51:05 -0400
committer: Greg Hudson <ghudson@mit.edu> 2013-05-03 16:11:28 -0400
commit: 9593d1311fa5e6e841c429653ad35a63d17c2fdd (patch)
tree: 364a5e741b812bba48242e5245bb03c6d256f0f9 /src/kdc/kdc_preauth_encts.c
parent: e50482720a805ecd8c160e4a8f4a846e6327dca2 (diff)
download: krb5-9593d1311fa5e6e841c429653ad35a63d17c2fdd.tar.gz
krb5-9593d1311fa5e6e841c429653ad35a63d17c2fdd.tar.xz
krb5-9593d1311fa5e6e841c429653ad35a63d17c2fdd.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 83c6bf1a26..65f7c3629c 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
 {
     krb5_keyblock *armor_key = cb->fast_armor(context, rock);
 
-    (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+    /* Encrypted timestamp must not be used with FAST, and requires a key. */
+    if (armor_key != NULL || !cb->have_client_keys(context, rock))
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
 }
 
 static void
author	Greg Hudson <ghudson@mit.edu>	2013-04-26 15:51:05 -0400
committer	Greg Hudson <ghudson@mit.edu>	2013-05-03 16:11:28 -0400
commit	9593d1311fa5e6e841c429653ad35a63d17c2fdd (patch)
tree	364a5e741b812bba48242e5245bb03c6d256f0f9 /src/kdc/kdc_preauth_encts.c
parent	e50482720a805ecd8c160e4a8f4a846e6327dca2 (diff)
download	krb5-9593d1311fa5e6e841c429653ad35a63d17c2fdd.tar.gz krb5-9593d1311fa5e6e841c429653ad35a63d17c2fdd.tar.xz krb5-9593d1311fa5e6e841c429653ad35a63d17c2fdd.zip