From: Sam Hartman
Date: Thu, 26 Mar 2009 05:37:45 +0000 (+0000)
Subject: When FAST is enabled, do not use encrypted timestamp
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d550e61af2c1a14cf8dba53c894f8c11a8c742cc;p=thirdparty%2Fkrb5.git
When FAST is enabled, do not use encrypted timestamp pre-authentication. FAST mandates encrypted challenge. Encrypted timestamp ends up using the raw client key in the AS reply. Also, if encrypted timestamp is enabled, it is preferred to any plugin.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22146 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 4d7648fafe..cf269753d1 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -133,6 +133,12 @@ static krb5_error_code verify_enc_timestamp
 krb5_data **e_data,
 krb5_authdata ***authz_data);
+static krb5_error_code get_enc_ts
+ (krb5_context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_system_context,
+ krb5_pa_data *data);
 static krb5_error_code get_etype_info
 (krb5_context, krb5_kdc_req *request,
 krb5_db_entry *client, krb5_db_entry *server,
@@ -279,7 +285,7 @@ static krb5_preauth_systems static_preauth_systems[] = {
 NULL,
 NULL,
 NULL,
- 0,
+ get_enc_ts,
 verify_enc_timestamp,
 0
 },
@@ -1365,7 +1371,20 @@ request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
 return 0;
 }
-
+static krb5_error_code get_enc_ts
+ (krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ preauth_get_entry_data_proc get_entry_data_proc,
+ void *pa_system_context,
+ krb5_pa_data *data)
+{
+ struct kdc_request_state *state = request->kdc_state;
+ if (state->armor_key)
+ return ENOENT;
+ return 0;
+}
+
+
 static krb5_error_code
 verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
 krb5_data *req_pkt,
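Review bot: In the `static_preauth_systems[]` hunk, `verify_enc_timestamp` stays registered unconditionally on the line after the new `get_enc_ts` entry, so this change appears to stop the KDC only from offering encrypted timestamp on an armored request, not from accepting it. If the commit's intent is that a FAST request never ends up with the raw client key as the reply key, the verify path (outside this diff) needs the same `armor_key` test, or a comment here should say why suppressing the hint is sufficient. The initializer is positional, so a short slot comment such as `get_enc_ts, /* hint callback: omit type when FAST armor is present */` would also make the `0` to `get_enc_ts` change readable without looking up the struct layout. The table entry starts and ends outside the hunk.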
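Review bot: In the last hunk, `get_enc_ts` dereferences `request->kdc_state` with no NULL check, and nothing visible in the diff shows that every path reaching the hint callbacks has set it; `if (state != NULL && state->armor_key != NULL) return ENOENT;` states the assumption explicitly. The function has no comment, and the meaning of the `ENOENT` return (presumably "leave this type out of the advertised list") is not evident from the code, so I would add `/* FAST mandates encrypted challenge; do not offer encrypted timestamp when the request is armored. */` above it. The prototype in the first hunk names the fifth parameter `get_entry_data` while the definition uses `get_entry_data_proc`; pick one.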