oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: set kvno to zero if reply key replaced

Browse Source 
If the pre-authentication mechanism replaced the reply key, then the kvno in
the KDC-REP should be zero, as the reply is not encrypted in the client's
(versioned) long-term key.

Closes: #899
This commit is contained in:
Luke Howard
2021-12-17 13:27:31 +11:00
parent 4a2e40a5b6
commit 5d92219788
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
kdc/kerberos5.c
View File

@@ -2651,14 +2651,15 @@ _kdc_as_rep(astgs_request_t r)
} }
/* /*
* * Don't send kvno from client entry if the pre-authentication
* mechanism replaced the reply key.
*/ */
ret = _kdc_encode_reply(r->context, config, ret = _kdc_encode_reply(r->context, config,
r, req->req_body.nonce, r, req->req_body.nonce,
&rep, &r->et, &r->ek, setype, &rep, &r->et, &r->ek, setype,
r->server->entry.kvno, &skey->key, r->server->entry.kvno, &skey->key,
r->client->entry.kvno, r->replaced_reply_key ? 0 : r->client->entry.kvno,
0, &r->e_text, r->reply); 0, &r->e_text, r->reply);
if (ret) if (ret)
goto out; goto out;