oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

lib/krb5: use check_fast() in _krb5_fast_unwrap_error()

Browse Source 
At least Windows KDCs return KRB5KRB_AP_ERR_SKEW without edata in
response to TGS-REQ.

This ensures the callers see the KRB5KRB_AP_ERR_SKEW error and not
KRB5_KDCREP_MODIFIED "FAST fast response is missing FX-FAST".

For the response to an amored AS-REQ, we'll now return
KRB5KRB_AP_ERR_MODIFIED instead of KRB5_KDCREP_MODIFIED,
but if there's an attack the exact error code doesn't matter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Ralph Boehme
2024-07-04 14:59:54 +02:00
committed by Jeffrey Altman
parent 2f7a9d9530
commit c2e68593a5
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/krb5/fast.c
View File

@@ -694,10 +694,14 @@ _krb5_fast_unwrap_error(krb5_context context,
idx = 0; idx = 0;
pa = krb5_find_padata(md->val, md->len, KRB5_PADATA_FX_FAST, &idx); pa = krb5_find_padata(md->val, md->len, KRB5_PADATA_FX_FAST, &idx);
if (pa == NULL) { if (pa == NULL) {
ret = KRB5_KDCREP_MODIFIED; /*
krb5_set_error_message(context, ret, * Typically _krb5_fast_wrap_req() has set KRB5_FAST_EXPECTED, which
N_("FAST fast response is missing FX-FAST", "")); * means check_fast() will complain and return KRB5KRB_AP_ERR_MODIFIED.
goto out; *
* But for TGS-REP init_tgs_req() clears KRB5_FAST_EXPECTED and we'll
* ignore a missing KRB5_PADATA_FX_FAST.
*/
return check_fast(context, state);
} }
ret = unwrap_fast_rep(context, state, pa, &fastrep); ret = unwrap_fast_rep(context, state, pa, &fastrep);