_kdc_set_e_text(r, "Failed to build PK-INIT reply");
goto out;
}
+ r->reply_kvno = 0;
#if 0
ret = _kdc_add_initial_verified_cas(r->context, r->config,
pkp, &r->et);
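Review bot: The new `r->reply_kvno = 0;` after the PK-INIT reply is built deserves a comment, because a reader comparing it with the enc-timestamp path (which copies the key's mkvno) will otherwise wonder whether the zero is an oversight. Suggested: `/* PK-INIT reply key is freshly agreed, not a long-term key: no kvno to report (RFC 4120 5.2.9 ties kvno to long-lived keys). */`. How a zero kvno is rendered on the wire depends on _kdc_encode_reply, which is not in this hunk; the enclosing function also begins outside it.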
return ret;
}
+ if (r->client->entry.flags.locked_out) {
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
+ kdc_log(r->context, r->config, 0,
+ "Client (%s) is locked out", r->client_name);
+ return ret;
+ }
+
+
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
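Review bot: The locked-out guard added before decode_EncryptedData returns KRB5KDC_ERR_CLIENT_REVOKED without recording an audit reason, whereas the equivalent check in _kdc_check_flags further down calls `_kdc_audit_addreason((kdc_request_t)r, "Client is locked out");` — add that call before the kdc_log so the audit trail is the same whichever path rejects the client. The guard also runs before the padata is decoded, so a locked-out account no longer goes through decryption and whatever failed-authentication accounting follows it; that looks intended (no point counting once locked) but is worth a one-line comment. The enclosing validator starts outside the hunk.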
if (ret)
goto out;
+ r->reply_kvno = 0;
+
/*
* Success
*/
size_t len;
Key *pa_key;
char *str;
-
+
+ if (r->client->entry.flags.locked_out) {
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
+ kdc_log(r->context, r->config, 0,
+ "Client (%s) is locked out", r->client_name);
+ return ret;
+ }
+
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
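Review bot: The locked-out block added here is a verbatim copy of the one added to the enc-challenge validator, and both omit the `_kdc_audit_addreason` call that _kdc_check_flags makes for the same condition; a small static helper keeps the log line, error code and audit reason in one place. The sketch below assumes `astgs_request_t` and `r->client->entry.flags.locked_out` are what the validators receive, as the hunk shows; each validator would then become `if ((ret = check_client_locked_out(r)) != 0) return ret;`. The enclosing function starts outside the hunk.
```c
/* Reject a locked-out client the same way _kdc_check_flags does. */
static krb5_error_code
check_client_locked_out(astgs_request_t r)
{
    if (!r->client->entry.flags.locked_out)
        return 0;
    _kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
    kdc_log(r->context, r->config, 0,
            "Client (%s) is locked out", r->client_name);
    return KRB5KDC_ERR_CLIENT_REVOKED;
}
/* … unchanged: decode_EncryptedData and the rest of the validator … */
```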
if (ret)
return ret;
+ if (pa_key->mkvno != NULL) {
+ r->reply_kvno = *pa_key->mkvno;
+ } else {
+ r->reply_kvno = r->client->entry.kvno;
+ }
+
ret = krb5_enctype_to_string(r->context, pa_key->key.keytype, &str);
if (ret)
str = NULL;
/* check client */
if (client->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_CLIENT_REVOKED;
}
if (client->flags.invalid) {
generate_pac(astgs_request_t r, Key *skey)
{
krb5_error_code ret;
+ const krb5_keyblock *pk_reply_key = NULL;
krb5_pac p = NULL;
krb5_data data;
- ret = _kdc_pac_generate(r->context, r->client, &p);
+ switch (r->validated_pa_type) {
+ case KRB5_PADATA_PK_AS_REQ:
+ case KRB5_PADATA_PK_AS_REQ_WIN:
+ pk_reply_key = &r->reply_key;
+ break;
+ }
+
+ ret = _kdc_pac_generate(r->context, r->client,
+ pk_reply_key, &p);
if (ret) {
_kdc_r_log(r, 4, "PAC generation failed for -- %s",
r->cname);
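Review bot: The switch that selects `pk_reply_key` has no comment saying why only the two PK-INIT padata types hand the reply key to _kdc_pac_generate, and no `default:` arm, so the next person adding a mechanism will not know whether to add a case. Suggest `default: /* enc-ts, enc-chal, no preauth: reply key comes from a long-term key, keep it out of the PAC — TODO confirm */ break;` before the closing brace, hedged because what _kdc_pac_generate does with the key is not visible here. The switch also relies on r->validated_pa_type being 0 when no mechanism validated; where the request is zeroed is outside this hunk.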
pat[n].name, r->cname);
found_pa = 1;
r->et.flags.pre_authent = 1;
+ r->validated_pa_type = pat[n].type;
}
}
}
ret = krb5_copy_keyblock_contents(r->context, &ckey->key, &r->reply_key);
if (ret)
goto out;
+
+ r->reply_kvno = 0;
}
if (r->clientdb->hdb_auth_status) {
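Review bot: `r->reply_kvno = 0;` right after copying `ckey->key` into the reply key disagrees with the enc-timestamp path, which reports `*pa_key->mkvno` or `r->client->entry.kvno` for a key taken from the client entry. If ckey is likewise a Key from the client's entry (the enclosing block starts outside the hunk, so I cannot confirm), the reply here is encrypted under a long-term key whose version is then never told to the client; `r->reply_kvno = ckey->mkvno != NULL ? *ckey->mkvno : r->client->entry.kvno;` would match the other path. If zero is deliberate, a comment saying why would stop this from being "fixed" later.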
r->armor_crypto, req->req_body.nonce,
&rep, &r->et, &r->ek, setype,
r->server->entry.kvno, &skey->key,
- r->client->entry.kvno,
+ r->reply_kvno,
&r->reply_key, 0, &r->e_text, r->reply);
if (ret)
goto out;
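Review bot: Switching _kdc_encode_reply from `r->client->entry.kvno` to `r->reply_kvno` makes every code path that sets r->reply_key responsible for also setting r->reply_kvno; the hunks here cover PK-INIT, enc-challenge, enc-timestamp and the ckey fallback, but any other mechanism in this file (a GSS or FAST path, if present) is not visible. Either confirm each of them assigns reply_kvno, or document on the request struct that reply_kvno defaults to 0 (which requires the request to be zero-initialised) and that 0 means "no kvno". The enclosing function starts outside the hunk.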