From 3d43471fa202846d68d32548d6cd027c25c97363 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 4 Jan 2010 17:00:23 +0000
Subject: [PATCH] Don't accept AS replies encrypted in enctypes other than the ones we asked for.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23577 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/get_in_tkt.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 87521c594..ab92ee115 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1730,6 +1730,19 @@ negotiation_requests_restart(krb5_context context, krb5_init_creds_context ctx,
 return 0;
 }
 
+/* Ensure that the reply enctype was among the requested enctypes. */
+static krb5_error_code
+check_reply_enctype(krb5_init_creds_context ctx)
+{
+ int i;
+
+ for (i = 0; i < ctx->request->nktypes; i++) {
+ if (ctx->request->ktype[i] == ctx->reply->enc_part.enctype)
+ return 0;
+ }
+ return KRB5_CONFIG_ETYPE_NOSUPP;
+}
+
 static krb5_error_code
 init_creds_step_reply(krb5_context context,
 krb5_init_creds_context ctx,
@@ -1820,6 +1833,11 @@ init_creds_step_reply(krb5_context context,
 /* We have a response. Process it. */
 assert(ctx->reply != NULL);
 
+ /* Check for replies (likely forged) with unasked-for enctypes. */
+ code = check_reply_enctype(ctx);
+ if (code != 0)
+ goto cleanup;
+
 /* process any preauth data in the as_reply */
 krb5_clear_preauth_context_use_counts(context);
 code = krb5int_fast_process_response(context, ctx->fast_state,
--
2.26.2
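Review bot: The header comment on check_reply_enctype() does not say which enctype is checked or what the helper assumes about its argument. It compares only `ctx->reply->enc_part.enctype`, the unauthenticated field on the outer encrypted part, against `ctx->request->ktype[]`; whether the session key enctype inside the decrypted part is validated elsewhere is not visible in this patch. It also dereferences `ctx->request` and `ctx->reply` unconditionally, relying on the caller's `assert(ctx->reply != NULL)`, which would vanish under NDEBUG if that is the standard macro. I would extend the comment to something like `/* Ensure the reply's enc_part enctype was among the requested enctypes. Caller must have set ctx->request and ctx->reply; the session key enctype is not checked here. */`.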
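Review bot: The rejection path at `goto cleanup` surfaces only the bare `KRB5_CONFIG_ETYPE_NOSUPP` code, which reads as a local configuration problem even though the added comment calls such a reply "likely forged". Someone triaging a failed login cannot tell the two apart or see which enctype the reply named. Setting an extended message before the goto would help, e.g. `krb5_set_error_message(context, code, "AS reply enctype %d was not among those requested", (int)ctx->reply->enc_part.enctype);`. init_creds_step_reply() starts and ends outside the hunk, so whether the cleanup path already annotates errors is not visible here.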