1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
|
From c7047421487c0e616b881c0922937bc759114233 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Fri, 3 May 2013 15:44:44 -0400
Subject: [PATCH 1/3] Check for keys in encrypted timestamp/challenge
Encrypted timestamp and encrypted challenge cannot succeed if the
client has no long-term key matching the request enctypes, so do not
offer them in that case.
ticket: 7630
NPM - This is a backport from the upstream fix. See upstream commits:
https://github.com/krb5/krb5/commit/e50482720a805ecd8c160e4a8f4a846e6327dca2
https://github.com/krb5/krb5/commit/9593d1311fa5e6e841c429653ad35a63d17c2fdd
---
src/kdc/kdc_preauth_ec.c | 23 +++++++++++++++++++++--
src/kdc/kdc_preauth_encts.c | 22 ++++++++++++++++++++--
2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 9d7236c..db3ad07 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -39,8 +39,27 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
krb5_kdcpreauth_edata_respond_fn respond, void *arg)
{
- krb5_keyblock *armor_key = cb->fast_armor(context, rock);
- (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+ krb5_boolean have_client_keys = FALSE;
+ krb5_keyblock *armor_key;
+ krb5_key_data *kd;
+ int i;
+
+ armor_key = cb->fast_armor(context, rock);
+
+ for (i = 0; i < rock->request->nktypes; i++) {
+ if (krb5_dbe_find_enctype(context, rock->client,
+ rock->request->ktype[i],
+ -1, 0, &kd) == 0) {
+ have_client_keys = TRUE;
+ break;
+ }
+ }
+
+ /* Encrypted challenge only works with FAST, and requires a client key. */
+ if (armor_key == NULL || !have_client_keys)
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
}
static void
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index d708061..adde6e2 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -34,9 +34,27 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
krb5_kdcpreauth_edata_respond_fn respond, void *arg)
{
- krb5_keyblock *armor_key = cb->fast_armor(context, rock);
+ krb5_boolean have_client_keys = FALSE;
+ krb5_keyblock *armor_key;
+ krb5_key_data *kd;
+ int i;
+
+ armor_key = cb->fast_armor(context, rock);
+
+ for (i = 0; i < rock->request->nktypes; i++) {
+ if (krb5_dbe_find_enctype(context, rock->client,
+ rock->request->ktype[i],
+ -1, 0, &kd) == 0) {
+ have_client_keys = TRUE;
+ break;
+ }
+ }
- (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+ /* Encrypted timestamp must not be used with FAST, and requires a key. */
+ if (armor_key != NULL || !have_client_keys)
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
}
static void
--
1.8.2.1
From 4d19790527e2c9d52bb05abd6048a63a1a8c222c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 29 Apr 2013 14:55:31 -0400
Subject: [PATCH 2/3] Don't send empty etype info from KDC
RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO
sequences), and our client errors out if it sees an empty sequence of
either.
ticket: 7630
---
src/kdc/kdc_preauth.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 42a37a8..5c3b615 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1404,6 +1404,11 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
seen_des++;
}
}
+
+ /* If the list is empty, don't send it at all. */
+ if (i == 0)
+ goto cleanup;
+
if (etype_info2)
retval = encode_krb5_etype_info2(entry, &scratch);
else
--
1.8.2.1
From a04cf2e89f4101eb6c2ec44ef1948976fe5fe9d3 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 2 May 2013 16:15:32 -0400
Subject: [PATCH 3/3] Make AS requests work with no client key
If we cannot find a client key while preparing an AS reply, give
preauth mechanisms a chance to replace the reply key before erroring
out.
ticket: 7630
---
src/kdc/do_as_req.c | 36 ++++++++++++++++++++----------------
src/kdc/kdc_preauth.c | 6 ++++++
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 79da300..cb91803 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -195,23 +195,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
useenctype, -1, 0, &client_key))
break;
}
- if (!(client_key)) {
- /* Cannot find an appropriate key */
- state->status = "CANT_FIND_CLIENT_KEY";
- errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
- goto egress;
- }
- state->rock.client_key = client_key;
- /* convert client.key_data into a real key */
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
- client_key,
- &state->client_keyblock,
- NULL))) {
- state->status = "DECRYPT_CLIENT_KEY";
- goto egress;
+ if (client_key != NULL) {
+ /* Decrypt the client key data entry to get the real reply key. */
+ errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, client_key,
+ &state->client_keyblock, NULL);
+ if (errcode) {
+ state->status = "DECRYPT_CLIENT_KEY";
+ goto egress;
+ }
+ state->client_keyblock.enctype = useenctype;
+ state->rock.client_key = client_key;
}
- state->client_keyblock.enctype = useenctype;
/* Start assembling the response */
state->reply.msg_type = KRB5_AS_REP;
@@ -248,6 +243,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
goto egress;
}
+ /* If we didn't find a client long-term key and no preauth mechanism
+ * replaced the reply key, error out now. */
+ if (state->client_keyblock.enctype == ENCTYPE_NULL) {
+ state->status = "CANT_FIND_CLIENT_KEY";
+ errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+ goto egress;
+ }
+
errcode = handle_authdata(kdc_context,
state->c_flags,
state->client,
@@ -306,7 +309,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
&state->reply_encpart, 0,
as_encrypting_key,
&state->reply, &response);
- state->reply.enc_part.kvno = client_key->key_data_kvno;
+ if (client_key != NULL)
+ state->reply.enc_part.kvno = client_key->key_data_kvno;
if (errcode) {
state->status = "ENCODE_KDC_REP";
goto egress;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 5c3b615..5d12346 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1473,6 +1473,9 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
krb5_etype_info_entry **entry = NULL;
krb5_data *scratch = NULL;
+ if (client_key == NULL)
+ return 0;
+
/*
* Skip PA-ETYPE-INFO completely if AS-REQ lists any "newer"
* enctypes.
@@ -1576,6 +1579,9 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
krb5_key_data * client_key = rock->client_key;
int i;
+ if (client_key == NULL)
+ return 0;
+
for (i = 0; i < request->nktypes; i++) {
if (enctype_requires_etype_info_2(request->ktype[i]))
return 0;
--
1.8.2.1
|
