authorNalin Dahyabhai <nalin@dahyabhai.net>2014-03-18 16:39:47 -0400
committerGreg Hudson <ghudson@mit.edu>2014-03-19 17:36:06 -0400
commit4f99c75eb6b1a53d78b26648e39309261e37755c (patch)
tree0ed675f95d6e80d36f00cce5f0ed0a6a46b56a60
parent90cbf4eb60d8ec3c083195ba4a050a31ea36be0b (diff)
Try compatible keys in rd_req_dec "any" path
When we go to decrypt a ticket using a keytab, we have two code paths. In the first (traditional) one, we try to read an entry that exactly matches the principal name, enctype, and kvno from the ticket, and then attempt to decrypt the ticket using the entry's key. The keytab routines helpfully return an entry so long as it's of a key type that's compatible with the ticket being decrypted, fixing up the enctype in the entry structure while doing so, allowing us to decrypt a DES-CBC-CRC ticket with a DES-CBC-MD5 key. In the second code path, we try the key of every entry which loosely matches the principal name from the ticket and which exactly matches its enctype, meaning that the ticket/keytab pair above won't work if the principal name is one which suggests we shouldn't be matching entries exactly. This change modifies the "any" path to also try to decrypt the ticket with compatible keys. [ghudson@mit.edu: avoid stuffing too much logic in one conditional] ticket: 7883 (new)
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 4b952f5a9..fbd088d8a 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -167,6 +167,8 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
krb5_error_code ret;
krb5_keytab_entry ent;
krb5_kt_cursor cursor;
+ krb5_boolean similar;
+ krb5_enctype req_etype = req->ticket->enc_part.enctype;
#ifdef LEAN_CLIENT
return KRB5KRB_AP_WRONG_PRINC;
@@ -189,8 +191,12 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
goto cleanup;
while ((ret = krb5_kt_next_entry(context, keytab, &ent, &cursor)) == 0) {
- if (ent.key.enctype == req->ticket->enc_part.enctype &&
+ ret = krb5_c_enctype_compare(context, ent.key.enctype, req_etype,
+ &similar);
+ if (ret == 0 && similar &&
krb5_sname_match(context, server, ent.principal)) {
+ /* Coerce inexact matches to the request enctype. */
+ ent.key.enctype = req_etype;
ret = try_one_entry(context, req, &ent, keyblock_out);
if (ret == 0) {
TRACE_RD_REQ_DECRYPT_ANY(context, ent.principal, &ent.key);
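Review bot: After `ent.key.enctype = req_etype;` the `TRACE_RD_REQ_DECRYPT_ANY` call logs the coerced keyblock, so the trace can no longer show that a merely compatible keytab entry (for example the DES-CBC-MD5 key for a DES-CBC-CRC ticket described in the commit message) was the one that decrypted the ticket. Because this change widens which keys the "any" path accepts, that is worth being able to audit; consider saving the stored value first, `krb5_enctype kt_etype = ent.key.enctype;`, and reporting it when it differs from `req_etype`. A failure of `krb5_c_enctype_compare` is also silently treated as a non-match, and its `ret` appears to be overwritten by the next `krb5_kt_next_entry` call in the loop condition; a comment such as `/* Skip entries whose enctype cannot be compared. */` would make that intent explicit. The loop body and the rest of decrypt_ticket continue outside the hunk, so whether the ticket's enctype is later checked against the permitted enctypes cannot be seen here.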