Check for keys in encrypted timestamp/challenge

Encrypted timestamp and encrypted challenge cannot succeed if the client has no long-term key matching the request enctypes, so do not offer them in that case. ticket: 7630
krb5 · May 3, 2013 · 9593d13 · 9593d13
1 parent e504827
commit 9593d13
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
@@ -40,7 +40,12 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
          krb5_kdcpreauth_edata_respond_fn respond, void *arg)
 {
     krb5_keyblock *armor_key = cb->fast_armor(context, rock);
-    (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+
+    /* Encrypted challenge only works with FAST, and requires a client key. */
+    if (armor_key == NULL || !cb->have_client_keys(context, rock))
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
 }
 
 static void

diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
 {
     krb5_keyblock *armor_key = cb->fast_armor(context, rock);
 
-    (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+    /* Encrypted timestamp must not be used with FAST, and requires a key. */
+    if (armor_key != NULL || !cb->have_client_keys(context, rock))
+        (*respond)(arg, ENOENT, NULL);
+    else
+        (*respond)(arg, 0, NULL);
 }
 
 static void