git.samba.org / asn / mit-krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 90cbf4e)
Try compatible keys in rd_req_dec "any" path
authorNalin Dahyabhai <nalin@dahyabhai.net>
Tue, 18 Mar 2014 20:39:47 +0000 (16:39 -0400)
committerGreg Hudson <ghudson@mit.edu>
Wed, 19 Mar 2014 21:36:06 +0000 (17:36 -0400)
When we go to decrypt a ticket using a keytab, we have two code paths.

In the first (traditional) one, we try to read an entry that exactly
matches the principal name, enctype, and kvno from the ticket, and then
attempt to decrypt the ticket using the entry's key.  The keytab
routines helpfully return an entry so long as it's of a key type that's
compatible with the ticket being decrypted, fixing up the enctype in the
entry structure while doing so, allowing us to decrypt a DES-CBC-CRC
ticket with a DES-CBC-MD5 key.

In the second code path, we try the key of every entry which loosely
matches the principal name from the ticket and which exactly matches its
enctype, meaning that the ticket/keytab pair above won't work if the
principal name is one which suggests we shouldn't be matching entries
exactly.

This change modifies the "any" path to also try to decrypt the ticket
with compatible keys.

[ghudson@mit.edu: avoid stuffing too much logic in one conditional]

ticket: 7883 (new)

src/lib/krb5/krb/rd_req_dec.c patch | blob | history

diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 4b952f5a98aa1a91880bcb807665313c00b0ceab..fbd088d8a255c08189fc148e4027030bd4d93976 100644 (file)
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -167,6 +167,8 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
     krb5_error_code ret;
     krb5_keytab_entry ent;
     krb5_kt_cursor cursor;
+    krb5_boolean similar;
+    krb5_enctype req_etype = req->ticket->enc_part.enctype;
 
 #ifdef LEAN_CLIENT
     return KRB5KRB_AP_WRONG_PRINC;
@@ -189,8 +191,12 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
         goto cleanup;
 
     while ((ret = krb5_kt_next_entry(context, keytab, &ent, &cursor)) == 0) {
-        if (ent.key.enctype == req->ticket->enc_part.enctype &&
+        ret = krb5_c_enctype_compare(context, ent.key.enctype, req_etype,
+                                     &similar);
+        if (ret == 0 && similar &&
             krb5_sname_match(context, server, ent.principal)) {
+            /* Coerce inexact matches to the request enctype. */
+            ent.key.enctype = req_etype;
             ret = try_one_entry(context, req, &ent, keyblock_out);
             if (ret == 0) {
                 TRACE_RD_REQ_DECRYPT_ANY(context, ent.principal, &ent.key);
guru meditation