From f4f89ac8e0f8583b7a2a3413fee5526a5b137d5b Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Sat, 27 Jul 2013 03:21:12 -0500
Subject: [PATCH] Fix bug with use strongest session key feature

---
 kdc/kerberos5.c      | 32 ++++++++++++++++++++++----------
 lib/krb5/krb5.conf.5 |  2 +-
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 46bc9e476..58eb9c43f 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -131,8 +131,11 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
     krb5_error_code ret;
     krb5_salt def_salt;
     krb5_enctype enctype = ETYPE_NULL;
+    krb5_enctype clientbest = (krb5_enctype)ETYPE_NULL;
+    const krb5_enctype *p;
     Key *key;
-    int i;
+    int i, k;
+    int client_offered_1des = 0;
 
     /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
     ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
@@ -142,9 +145,6 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
     ret = KRB5KDC_ERR_ETYPE_NOSUPP;
 
     if (use_strongest_session_key) {
-        const krb5_enctype *p;
-        krb5_enctype clientbest = (krb5_enctype)ETYPE_NULL;
-        int j;
 
         /*
          * Pick the strongest key that the KDC, target service, and
@@ -166,10 +166,14 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
                 continue;
 
             /* check that the client supports it too */
-            for (j = 0; j < len && enctype == (krb5_enctype)ETYPE_NULL; j++) {
-                if (p[i] != etypes[j])
+            for (k = 0; k < len && enctype == (krb5_enctype)ETYPE_NULL; k++) {
+                if (krb5_enctype_valid(context, etypes[k]) != 0 &&
+                    !_kdc_is_weak_exception(princ->entry.principal, etypes[k]))
+                    continue;
+                if (etypes[k] == ETYPE_DES_CBC_CRC)
+                    client_offered_1des = 1;
+                if (p[i] != etypes[k])
                     continue;
-                /* save best of union of { client, crypto system } */
                 if (clientbest == (krb5_enctype)ETYPE_NULL)
                     clientbest = p[i];
                 /* check target princ support */
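Review bot: Deleting the `/* save best of union of { client, crypto system } */` line leaves the `if (clientbest == (krb5_enctype)ETYPE_NULL) clientbest = p[i];` that follows the new `if (p[i] != etypes[k]) continue;` check undocumented, and with `clientbest` moved to function scope in the first hunk its role is no longer visible from the loop alone. Suggest putting a corrected comment in its place, e.g. `/* first KDC-preferred enctype the client also offers; falls back to this session enctype when no target-supported one is found */`, since the removed wording ("union") described an intersection. The filter added above it also deserves a one-liner such as `/* skip client enctypes the crypto layer rejects, unless this principal has a weak-enctype exception */`. `_kdc_find_etype` and both enclosing loops begin and end outside this hunk.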
@@ -182,10 +186,18 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
             }
         }
         if (clientbest != (krb5_enctype)ETYPE_NULL &&
-            enctype == (krb5_enctype)ETYPE_NULL)
+            enctype == (krb5_enctype)ETYPE_NULL) {
+            ret = 0;
             enctype = clientbest;
-        else if (enctype == (krb5_enctype)ETYPE_NULL)
-            ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+        } else if (enctype == (krb5_enctype)ETYPE_NULL) {
+            if (client_offered_1des &&
+                _kdc_is_weak_exception(princ->entry.principal, ETYPE_DES_CBC_CRC)) {
+                ret = 0;
+                enctype = ETYPE_DES_CBC_CRC;
+            } else {
+                ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+            }
+        }
         if (ret == 0 && ret_enctype != NULL)
             *ret_enctype = enctype;
         if (ret == 0 && ret_key != NULL)
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 35bca422b..a0d2983cd 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -548,7 +548,7 @@ to FALSE. If TRUE then the KDC picks, for the ticket encrypted part's key, the first supported enctype from the target service principal's hdb entry's current keyset. Else the KDC picks the first supported enctype from the -target service principal's hdb entry's current keyset. Defaults to FALSE. +target service principal's hdb entry's current keyset. Defaults to TRUE. .It Li check-ticket-addresses = Va BOOL Verify the addresses in the tickets used in tgs requests. .\" XXX
-- 
2.11.4.GIT
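Review bot: The new DES fallback sets `ret = 0;` and `enctype = ETYPE_DES_CBC_CRC;` without assigning `key`, yet the `if (ret == 0 && ret_key != NULL)` just below goes on to hand `key` back to the caller; `Key *key;` is declared without an initializer in the first hunk and every assignment to it lies outside this hunk, so a caller that asked for `ret_key` can receive an indeterminate or stale pointer for an enctype the target's keyset was never shown to hold. The `enctype = clientbest` branch has the same gap now that it also reports `ret = 0`, where before the stale `KRB5KDC_ERR_ETYPE_NOSUPP` masked it. Before reporting success on either fallback path the target key for the chosen enctype should be looked up, or at minimum `key = NULL;` set at the top of each branch with a comment that `ret_key` may be NULL for a client-driven fallback enctype so callers can reject it instead of dereferencing it. `_kdc_find_etype` continues past the end of this hunk.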