From 1ab86a66a533eea2483d86f93870b30e88c84d8e Mon Sep 17 00:00:00 2001
From: Assar Westerlund
Date: Wed, 12 Jan 2000 09:27:50 +0000
Subject: [PATCH] (do_version4): check if preauth was required and bail-out if so since there's no way that could be done in v4. Return NULL_KEY as an error to the client (which is non-obvious, but what can you do?)
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7790 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos4.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/kdc/kerberos4.c b/kdc/kerberos4.c
index bc68a1a8e..017837b32 100644
--- a/kdc/kerberos4.c
+++ b/kdc/kerberos4.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -125,6 +125,12 @@ get_des_key(hdb_entry *principal, Key **key)
 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
+/*
+ * Process the v4 request in `buf, len' (received from `addr'
+ * (with string `from').
+ * Return an error code and a reply in `reply'.
+ */
+
 krb5_error_code
 do_version4(unsigned char *buf,
 size_t len,
@@ -184,6 +190,23 @@ do_version4(unsigned char *buf,
 goto out1;
 }
+ /*
+ * There's no way to do pre-authentication in v4 and thus no
+ * good error code to return if preauthentication is required.
+ */
+
+ if (require_preauth
+ || client->flags.require_preauth
+ || server->flags.require_preauth) {
+ kdc_log(0,
+ "Pre-authentication required for v4-request: "
+ "%s.%s@%s for %s.%s@%s",
+ name, inst, realm,
+ sname, sinst, v4_realm);
+ make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
+ goto out1;
+ }
+
 ret = get_des_key(client, &ckey);
 if(ret){
 kdc_log(0, "%s", krb5_get_err_text(context, ret));
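Review bot: In the third hunk (`@@ -184,6 +190,23 @@`), the comment above the `require_preauth` test says there is no good error code, but it does not say why the request must be refused or that `KERB_ERR_NULL_KEY` is a deliberate stand-in. The statement right after the new block is `get_des_key(client, &ckey)`, so without the refusal the v4 path would presumably build a reply under the client's key for a requester that has proved nothing, which is what the preauth flag exists to prevent. I would extend the comment with something like `* Refuse instead: answering would hand out data encrypted in the client's key without any proof of identity. KERB_ERR_NULL_KEY is only the nearest v4 code; the log line carries the real reason.` The global `require_preauth` does not depend on either database entry, so it could also be tested before the lookups, giving known and unknown principals the same answer when v4 can never succeed. Those lookups and the rest of do_version4 lie outside the hunk.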