Diffstat (limited to 'Change-KDC-error-for-encrypted-timestamp-preauth.patch')
-rw-r--r-- | Change-KDC-error-for-encrypted-timestamp-preauth.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/Change-KDC-error-for-encrypted-timestamp-preauth.patch b/Change-KDC-error-for-encrypted-timestamp-preauth.patch
new file mode 100644
index 0000000..a66d004
--- /dev/null
+++ b/Change-KDC-error-for-encrypted-timestamp-preauth.patch
@@ -0,0 +1,68 @@
+From ad1af1b23bd716fc3129de16e3fbf7edca0daa6b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 8 Aug 2016 18:03:55 +0200
+Subject: [PATCH 18/19] Change KDC error for encrypted timestamp preauth
+
+When encrypted timestamp pre-authentication fails, respond with error
+code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
+consistency with other Kerberos implementations.
+
+[ghudson@mit.edu: clarified commit message and comment]
+
+ticket: 8471 (new)
+(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
+---
+ src/kdc/kdc_preauth_encts.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
+index 65f7c36..e80dc12 100644
+--- a/src/kdc/kdc_preauth_encts.c
++++ b/src/kdc/kdc_preauth_encts.c
+@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_key_data * client_key;
+ krb5_int32 start;
+ krb5_timestamp timenow;
+- krb5_error_code decrypt_err = 0;
+
+ scratch.data = (char *)pa->contents;
+ scratch.length = pa->length;
+@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ goto cleanup;
+
+ start = 0;
+- decrypt_err = 0;
+ while (1) {
+ if ((retval = krb5_dbe_search_enctype(context, rock->client,
+ &start, enc_data->enctype,
+@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_free_keyblock_contents(context, &key);
+ if (retval == 0)
+ break;
+- else
+- decrypt_err = retval;
+ }
+
+ if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
+@@ -119,14 +115,10 @@ cleanup:
+ krb5_free_data_contents(context, &enc_ts_data);
+ if (pa_enc)
+ free(pa_enc);
+- /*
+- * If we get NO_MATCHING_KEY and decryption previously failed, and
+- * we failed to find any other keys of the correct enctype after
+- * that failed decryption, it probably means that the password was
+- * incorrect.
+- */
+- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
+- retval = decrypt_err;
++ /* If we get NO_MATCHING_KEY, it probably means that the password was
++ * incorrect. */
++ if (retval == KRB5_KDB_NO_MATCHING_KEY)
++ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+
+ (*respond)(arg, retval, NULL, NULL, NULL);
+ }
+--
+2.9.3
+
|
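Review bot: The replacement comment in the last inner hunk, `/* If we get NO_MATCHING_KEY, it probably means that the password was incorrect. */`, is now broader than the code under it: with the `decrypt_err` bookkeeping removed, `retval == KRB5_KDB_NO_MATCHING_KEY` in `cleanup:` covers both the case where every key of the requested enctype failed to decrypt the timestamp and, presumably, the case where `krb5_dbe_search_enctype` found no key of that enctype at all and no decryption was ever attempted. Collapsing both into KRB5KDC_ERR_PREAUTH_FAILED is the interoperability behaviour the commit message asks for, but the comment should say that, e.g. `/* NO_MATCHING_KEY here means either that every key of the requested enctype failed to decrypt the timestamp or that no such key exists; report both as a generic pre-auth failure, as other KDCs do. */`. Anything downstream that treats PREAUTH_FAILED as evidence of a wrong password (lockout counters, audit logging) should be checked against the no-key case, since that is a new mapping for it. enc_ts_verify begins before the first inner hunk, and the handling of the `krb5_dbe_search_enctype` return value is cut off inside the second one, so the exact set of paths reaching `cleanup:` with NO_MATCHING_KEY is inferred rather than visible here.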