Check for keys in encrypted timestamp/challenge

author Greg Hudson <ghudson@mit.edu>

Fri, 26 Apr 2013 19:51:05 +0000 (15:51 -0400)

committer Greg Hudson <ghudson@mit.edu>

Fri, 3 May 2013 20:11:28 +0000 (16:11 -0400)
author Greg Hudson <ghudson@mit.edu>
Fri, 26 Apr 2013 19:51:05 +0000 (15:51 -0400)
committer Greg Hudson <ghudson@mit.edu>
Fri, 3 May 2013 20:11:28 +0000 (16:11 -0400)
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c

index 7acd99a242eca4df3de58a3bb54e965beeb386b6..720fefa43b90a550f3aac6cc96f2d6b042922596 100644 (file)
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -40,7 +40,12 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
           krb5_kdcpreauth_edata_respond_fn respond, void *arg)
  {
      krb5_keyblock *armor_key = cb->fast_armor(context, rock);
-    (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+
+    /* Encrypted challenge only works with FAST, and requires a client key. */
+    if (armor_key == NULL || !cb->have_client_keys(context, rock))
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
  }
  
  static void
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c

index 83c6bf1a26d6d301afd532eb66920bb65774df68..65f7c3629ca74c58426c679b0113722534288d96 100644 (file)
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
  {
      krb5_keyblock *armor_key = cb->fast_armor(context, rock);
  
-    (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+    /* Encrypted timestamp must not be used with FAST, and requires a key. */
+    if (armor_key != NULL || !cb->have_client_keys(context, rock))
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
  }
  
  static void
author	Greg Hudson <ghudson@mit.edu>
	Fri, 26 Apr 2013 19:51:05 +0000 (15:51 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Fri, 3 May 2013 20:11:28 +0000 (16:11 -0400)
src/kdc/kdc_preauth_ec.c		patch \| blob \| blame \| history
src/kdc/kdc_preauth_encts.c		patch \| blob \| blame \| history