oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

try to clean up ckey handling, esp when there is no ckey

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25098 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-04-06 02:50:39 +00:00
parent b8071a368c
commit 542528a7ce
1 changed files with 43 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
kdc/kerberos5.c
View File

@@ -260,7 +260,7 @@ _kdc_encode_reply(krb5_context context,
KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek, KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
krb5_enctype etype, krb5_enctype etype,
int skvno, const EncryptionKey *skey, int skvno, const EncryptionKey *skey,
int ckvno, const EncryptionKey *ckey, int ckvno, const EncryptionKey *reply_key,
const char **e_text, const char **e_text,
krb5_data *reply) krb5_data *reply)
{ {
@@ -321,7 +321,7 @@ _kdc_encode_reply(krb5_context context,
*e_text = "KDC internal error"; *e_text = "KDC internal error";
return KRB5KRB_ERR_GENERIC; return KRB5KRB_ERR_GENERIC;
} }
ret = krb5_crypto_init(context, ckey, 0, &crypto); ret = krb5_crypto_init(context, reply_key, 0, &crypto);
if (ret) { if (ret) {
free(buf); free(buf);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
@@ -1153,6 +1153,11 @@ _kdc_as_rep(krb5_context context,
&enc_data, &enc_data,
&ts_data); &ts_data);
krb5_crypto_destroy(context, crypto); krb5_crypto_destroy(context, crypto);
/*
* Since the user might have several keys with the same
* enctype but with diffrent salting, we need to try all
* the keys with the same enctype.
*/
if(ret){ if(ret){
krb5_error_code ret2; krb5_error_code ret2;
ret2 = krb5_enctype_to_string(context, ret2 = krb5_enctype_to_string(context,
@@ -1277,6 +1282,11 @@ _kdc_as_rep(krb5_context context,
pa->padata_value.data = NULL; pa->padata_value.data = NULL;
#endif #endif
/*
* If there is a client key, send ETYPE_INFO{,2}
*/
if (ckey) {
/* /*
* RFC4120 requires: * RFC4120 requires:
* - If the client only knows about old enctypes, then send * - If the client only knows about old enctypes, then send
@@ -1303,6 +1313,7 @@ _kdc_as_rep(krb5_context context,
free_METHOD_DATA(&method_data); free_METHOD_DATA(&method_data);
goto out; goto out;
} }
}
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret); ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
free_METHOD_DATA(&method_data); free_METHOD_DATA(&method_data);
@@ -1601,7 +1612,6 @@ _kdc_as_rep(krb5_context context,
rep.padata->len = 0; rep.padata->len = 0;
rep.padata->val = NULL; rep.padata->val = NULL;
reply_key = &ckey->key;
#if PKINIT #if PKINIT
if (pkp) { if (pkp) {
e_text = "Failed to build PK-INIT reply"; e_text = "Failed to build PK-INIT reply";
@@ -1614,16 +1624,26 @@ _kdc_as_rep(krb5_context context,
config, config,
pkp, pkp,
&et); &et);
if (ret)
goto out;
} else } else
#endif #endif
if (ckey) {
reply_key = &ckey->key;
ret = krb5_generate_random_keyblock(context, sessionetype, &et.key); ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
if (ret) if (ret)
goto out; goto out;
} else {
e_text = "Client have no reply key";
ret = KRB5KDC_ERR_CLIENT_NOTYET;
goto out;
}
ret = copy_EncryptionKey(&et.key, &ek.key); ret = copy_EncryptionKey(&et.key, &ek.key);
if (ret) if (ret)
goto out; goto out;
if (ckey)
set_salt_padata (rep.padata, ckey->salt); set_salt_padata (rep.padata, ckey->salt);
/* Add signing of alias referral */ /* Add signing of alias referral */