(do_version4): check if preauth was required and bail-out if so since

there's no way that could be done in v4. Return NULL_KEY as an error to the client (which is non-obvious, but what can you do?) git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7790 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-01-12 09:27:50 +00:00
parent cccac073c6
commit 1ab86a66a5
1 changed files with 24 additions and 1 deletions
--- a/kdc/kerberos4.c
+++ b/kdc/kerberos4.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@@ -125,6 +125,12 @@ get_des_key(hdb_entry *principal, Key **key)

 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}

+/*
+ * Process the v4 request in `buf, len' (received from `addr'
+ * (with string `from').
+ * Return an error code and a reply in `reply'.
+ */
+
 krb5_error_code
 do_version4(unsigned char *buf,
 	    size_t len,
@@ -184,6 +190,23 @@ do_version4(unsigned char *buf,
 	    goto out1;
 	}

+	/*
+	 * There's no way to do pre-authentication in v4 and thus no
+	 * good error code to return if preauthentication is required.
+	 */
+
+	if (require_preauth
+	    || client->flags.require_preauth
+	    || server->flags.require_preauth) {
+	    kdc_log(0,
+		    "Pre-authentication required for v4-request: "
+		    "%s.%s@%s for %s.%s@%s", 
+		    name, inst, realm,
+		    sname, sinst, v4_realm);
+	    make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
+	    goto out1;
+	}
+
 	ret = get_des_key(client, &ckey);
 	if(ret){
 	    kdc_log(0, "%s", krb5_get_err_text(context, ret));