From ca58609ecd6b2dfdf2337ed60730cbb4e62da722 Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Mon, 7 Feb 2000 10:32:45 +0000
Subject: [PATCH] * gic_pwd.c (krb5_get_as_key_password): If the as_key enctype is already set to the correct type, do continue and ask for the password anyways. (Patch from Chas Williams, PR krb5-libs/730.) * preauth2.c (pa_sam): If no sam_flags were set, return KRB5_PREAUTH_BAD_TYPE, because we don't currently handle that case. * preauth2.c (pa_sam): Remove unused variable use_sam_key. (SAMDATA): Cast first result to int, which is what sprintf needs. (pa_salt): Delete unused variable ret.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12012 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/ChangeLog | 18 ++++++++++++++++--
 src/lib/krb5/krb/gic_pwd.c | 19 +++++++++++--------
 src/lib/krb5/krb/preauth2.c | 13 ++++++++-----
 3 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 90d41760b..19c8af799 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,4 +1,18 @@
-2000-02-06 Ken Raeburn
+2000-02-07 Ken Raeburn
+
+ * gic_pwd.c (krb5_get_as_key_password): If the as_key enctype is
+ already set to the correct type, do continue and ask for the
+ password anyways. (Patch from Chas Williams, PR krb5-libs/730.)
+
+ * preauth2.c (pa_sam): If no sam_flags were set, return
+ KRB5_PREAUTH_BAD_TYPE, because we don't currently handle that
+ case.
+
+2000-02-06 Ken Raeburn
+
+ * preauth2.c (pa_sam): Remove unused variable use_sam_key.
+ (SAMDATA): Cast first result to int, which is what sprintf needs.
+ (pa_salt): Delete unused variable ret.
 Patches from Frank Cusack:
 * kfree.c (krb5_free_predicted_sam_response_contents): Fix typo.
@@ -8,7 +22,7 @@
 * preauth.c (obtain_sam_padata): Update for field name change.
 * preauth2.c (pa_sam): Likewise.
-2000-01-27 Ken Raeburn
+2000-01-27 Ken Raeburn
 * init_ctx.c (get_profile_etype_list): Discard DESONLY changes from 1999-09-01, and revert call sites.
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 1706bce23..c2ee423cc 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -22,16 +22,19 @@ krb5_get_as_key_password(context, client, etype, prompter, prompter_data,
 password = (krb5_data *) gak_data;
- /* if there's already a key of the correct etype, we're done.
- if the etype is wrong, free the existing key, and make
- a new one. */
+ /* If there's already a key of the correct etype, we're done.
+ If the etype is wrong, free the existing key, and make
+ a new one.
- if (as_key->length) {
- if (as_key->enctype == etype)
- return(0);
+ XXX This was the old behavior, and was wrong in hw preauth
+ cases. Is this new behavior -- always asking -- correct in all
+ cases? */
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
+ if (as_key->length) {
+ if (as_key->enctype != etype) {
+ krb5_free_keyblock_contents (context, as_key);
+ as_key->length = 0;
+ }
 }
 if (password->data[0] == '\0') {
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 94a22d396..a942601a1 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -61,7 +61,6 @@ krb5_error_code pa_salt(krb5_context context,
 krb5_prompter_fct prompter, void *prompter_data, krb5_gic_get_as_key_fct gak_fct, void *gak_data) {
- krb5_error_code ret;
 krb5_data tmp;
 /* screw the abstraction. If there was a *reasonable* copy_data, 
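Review bot: In the gic_pwd.c hunk (krb5_get_as_key_password), a non-empty `as_key` whose enctype already matches is now left in place while control falls through to the password path. If the code after the hunk (not visible here) derives a fresh key into `as_key`, the old contents pointer would be overwritten without being freed or cleared, leaving key material behind on the heap. Because the existing key is no longer reused in either case, releasing it unconditionally is simpler and avoids that: `if (as_key->length) { krb5_free_keyblock_contents(context, as_key); as_key->length = 0; }`. The XXX question in the new comment should also be settled, since any caller that relied on the early `return(0)` now appears to reach the empty-password check at the end of the hunk and be prompted again.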
@@ -196,9 +195,9 @@ char *sam_challenge_banner(sam_type)
 /* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */
 #define SAMDATA(kdata, str, maxsize) \
- (kdata.length)? \
- ((((kdata.length)<=(maxsize))?(kdata.length):(strlen(str)))): \
- strlen(str), \
+ (int)((kdata.length)? \
+ ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \
+ strlen(str)), \
 (kdata.length)? \
 ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str)
@@ -229,7 +228,6 @@ krb5_error_code pa_sam(krb5_context context,
 krb5_sam_response sam_response;
 /* these two get encrypted and stuffed in to sam_response */
 krb5_enc_sam_response_enc enc_sam_response_enc;
- krb5_keyblock * sam_use_key = 0;
 krb5_data * scratch;
 krb5_pa_data * pa;
@@ -273,6 +271,7 @@ krb5_error_code pa_sam(krb5_context context,
 }
 enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
+ /* XXX What if more than one flag is set? */
 if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
 enc_sam_response_enc.sam_sad = response_data;
 } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
@@ -327,6 +326,10 @@ krb5_error_code pa_sam(krb5_context context,
 }
 enc_sam_response_enc.sam_sad.length = 0;
+ } else {
+ /* Eventually, combine SAD with long-term key to get
+ encryption key. */
+ return KRB5_PREAUTH_BAD_TYPE;
 }
 /* copy things from the challenge */
-- 
2.26.2
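Review bot: SAMDATA applies `maxsize` only to `kdata.length`; whenever the macro falls back to `str`, the precision is `strlen(str)` with no upper bound, so the sprintf output size also depends on the caller's default string. Whether that can exceed the destination depends on the buffers at the call sites, which are outside this hunk. The `(int)` cast is the right type for `%.*s`, but the contract should be written next to the macro, for example `/* maxsize bounds kdata only; str must itself fit the caller's buffer, and both arguments are evaluated more than once */`.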
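Review bot: The new `return KRB5_PREAUTH_BAD_TYPE;` in the last pa_sam hunk leaves the function from the middle of its body with no cleanup. `sam_challenge` and `response_data` are both in use in the preceding hunk, and if either is heap-allocated at this point (their setup is outside the visible lines) this path leaks them; `response_data` may also hold the user's SAD response, so it should be cleared before it is released. The return should perform the same releases as the other error exits of pa_sam, which are not visible here. If nothing is owned at this point, a short comment such as `/* no allocations outstanding here */` would save the next reader the check.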