[Heimdal-source-changes] [heimdal/heimdal] 76bee4: _kdc_find_etype: prefer default salt for preauth

GitHub noreply at github.com
Tue Jul 30 20:18:17 CEST 2013


  Branch: refs/heads/heimdal-1-5-branch
  Home:   https://github.com/heimdal/heimdal
  Commit: 76bee4df58994d45852e2e8d5da7ec09bdc6f5d4
      https://github.com/heimdal/heimdal/commit/76bee4df58994d45852e2e8d5da7ec09bdc6f5d4
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2013-07-30 (Tue, 30 Jul 2013)

  Changed paths:
    M kdc/kerberos5.c

  Log Message:
  -----------
  _kdc_find_etype: prefer default salt for preauth

If the query is "preauth" and the caller is seeking a Key,
try to find a Key that has the default salt but do not exclude keys
that have a non-default salt.

Move the assignment of 'ret' and 'enctype' before the preauth
default salt test.  If the only key of the given type is the non-default
salt key, it should be used.

If the caller is not seeking a Key, do not bother with the preauth
test at all since the Key itself doesn't matter and we are simply
seeking an enctype.

Change-Id: I7cd37c579c0bfdd88bccfbc9eb5e5f55cd1910cb


  Commit: d9b3691b0f993a4b80fddc7b2771209e3856c26a
      https://github.com/heimdal/heimdal/commit/d9b3691b0f993a4b80fddc7b2771209e3856c26a
  Author: Ragnar Sundblad <ragge at csc.kth.se>
  Date:   2013-07-30 (Tue, 30 Jul 2013)

  Changed paths:
    M kdc/krb5tgs.c

  Log Message:
  -----------
  tgs_make_reply: fix temp weak enctype exception

The default heimdal KDC chokes when trying to encrypt a ticket with a weak
server key that has a different type than the session key. The problem
happens in the krb5_crypto_init function called from the _kdc_encode_reply
function.

The existing work-around of the problem temporarily enabled the weak
enctype in case it was disabled but the principal was on the (hard-coded)
exception list.

Unfortunately the code used the keytype of the key encoded in the ticket
(the session key) instead of the keytype of the key used to encrypt the ticket
(the server key), thus enabling the incorrect encryption type if those two
are different, for instance des-cbc-md5 and des-cbc-crc.

Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57


Compare: https://github.com/heimdal/heimdal/compare/33a3a172ad3c...d9b3691b0f99
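
A simplified model of the key selection order described in the first log message, added here as an example; it is not the code from kdc/kerberos5.c. The struct, the function name and the sample keys are hypothetical, and the model assumes the search walks the client's enctype list in preference order.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model; these types and names are hypothetical, not Heimdal's. */
struct model_key {
    int enctype;        /* encryption type number */
    const char *salt;   /* NULL means the default salt */
};
/* Constructed sample: enctype 18 has only a salted key, 17 has both kinds. */
static const struct model_key sample_keys[] = {
    { 18, "EXAMPLE.TESTsalted" }, { 17, "EXAMPLE.TESTsalted" }, { 17, NULL },
};
static const int sample_etypes[] = { 17, 18 };  /* client preference order */

/* Return the first client enctype the principal has a key for, or -1.
 * out == NULL means the caller only wants an enctype, so salt is ignored.
 * For preauth a default-salt key wins, but a salted key is still used
 * when it is the only key of that enctype. */
int model_find_etype(const struct model_key *keys, size_t nkeys,
                     const int *etypes, size_t netypes,
                     int is_preauth, const struct model_key **out)
{
    for (size_t i = 0; i < netypes; i++) {
        const struct model_key *fallback = NULL;
        for (size_t k = 0; k < nkeys; k++) {
            if (keys[k].enctype != etypes[i])
                continue;
            if (out == NULL)
                return etypes[i];
            if (fallback == NULL)
                fallback = &keys[k];      /* remember the match first */
            if (!is_preauth || keys[k].salt == NULL) {
                *out = &keys[k];
                return etypes[i];
            }
        }
        if (fallback != NULL) {           /* only salted keys of this type */
            *out = fallback;
            return etypes[i];
        }
    }
    return -1;
}

int main(void)
{
    const struct model_key *k = NULL;
    int e = model_find_etype(sample_keys, 3, sample_etypes, 2, 1, &k);
    printf("enctype %d, %s salt\n", e, k && k->salt ? "non-default" : "default");
    return 0;
}
```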

