Don't accept AS replies encrypted in enctypes other than the ones we

asked for.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23577 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 87521c5948513855e5da56bdf0b264cb22297b54..ab92ee115308004a18c7075fcb918e0f796681ee 100644 (file)
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1730,6 +1730,19 @@ negotiation_requests_restart(krb5_context context, krb5_init_creds_context ctx,
     return 0;
 }
 
+/* Ensure that the reply enctype was among the requested enctypes. */
+static krb5_error_code
+check_reply_enctype(krb5_init_creds_context ctx)
+{
+    int i;
+
+    for (i = 0; i < ctx->request->nktypes; i++) {
+        if (ctx->request->ktype[i] == ctx->reply->enc_part.enctype)
+            return 0;
+    }
+    return KRB5_CONFIG_ETYPE_NOSUPP;
+}
+
 static krb5_error_code
 init_creds_step_reply(krb5_context context,
                       krb5_init_creds_context ctx,
@@ -1820,6 +1833,11 @@ init_creds_step_reply(krb5_context context,
     /* We have a response. Process it. */
     assert(ctx->reply != NULL);
 
+    /* Check for replies (likely forged) with unasked-for enctypes. */
+    code = check_reply_enctype(ctx);
+    if (code != 0)
+        goto cleanup;
+
     /* process any preauth data in the as_reply */
     krb5_clear_preauth_context_use_counts(context);
     code = krb5int_fast_process_response(context, ctx->fast_state,