krb5/Remove-support-for-no-flags-SAM-2-preauth.patch
2019-06-03 17:25:49 -04:00

74 lines
3.0 KiB
Diff

From 9e71fcd5db98fb7ace02e8684486cc7f092d82ad Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 17 Apr 2019 17:07:46 -0400
Subject: [PATCH] Remove support for no-flags SAM-2 preauth
When neither the send-encrypted-sad nor the use-sad-as-key flag is set
in the SAM-2 challenge, the protocol calls for the AS key to be
combined with the string-to-key of the SAD using a key combination
method which has only been implemented for DES and 3DES enctypes.
Rather than extending key combination, remove support for this case.
[ghudson@mit.edu: rewrote commit message, added comment]
ticket: 8812 (new)
(cherry picked from commit c30e0af224ef3716513744fd86aec3eeea90abf9)
---
src/lib/krb5/krb/preauth_sam2.c | 40 +++++++++------------------------
1 file changed, 11 insertions(+), 29 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index c7484c47e..fda86bee2 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -211,38 +211,20 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
/* Get encryption key to be used for checksum and sam_response */
if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
/* Retain as_key from above gak_fct call. */
-
- if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
- /* as_key = combine_key (as_key, string_to_key(SAD)) */
- krb5_keyblock tmp_kb;
-
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- &response_data, salt, &tmp_kb);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
-
- /* This should be a call to the crypto library some day */
- /* key types should already match the sam_etype */
- retval = krb5int_c_combine_keys(context, &ctx->as_key, &tmp_kb,
- &ctx->as_key);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
- krb5_free_keyblock_contents(context, &tmp_kb);
- }
-
if (defsalt.length)
free(defsalt.data);
+ if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
+ /*
+ * If no flags are set, the protocol calls for us to combine the
+ * initial reply key with the SAD, using a method which is only
+ * specified for DES and 3DES enctypes. We no longer support this
+ * case.
+ */
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_UNSUPPORTED);
+ }
} else {
/* as_key = string_to_key(SAD) */