make sure the client creates a subkey; also make the server check that
it actually got a subkey, and if not use the session key
parent
ae69ed2b35
commit
a9b4e358d7
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: kerberos5.c,v 1.8 2001/09/17 12:34:43 assar Exp $ */
|
||||
/* $NetBSD: kerberos5.c,v 1.9 2002/09/20 14:45:29 joda Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1991, 1993
|
||||
|
@ -193,6 +193,8 @@ kerberos5_send(Authenticator *ap)
|
|||
else
|
||||
ap_opts = 0;
|
||||
|
||||
ap_opts |= AP_OPTS_USE_SUBKEY;
|
||||
|
||||
ret = krb5_auth_con_init(telnet_context, &auth_context);
|
||||
if (ret) {
|
||||
if (auth_debug_mode) {
|
||||
|
@ -343,6 +345,28 @@ kerberos5_is(Authenticator * ap, unsigned char *data, int cnt)
|
|||
krb5_get_err_text(telnet_context, ret));
|
||||
return;
|
||||
}
|
||||
if (key_block == NULL) {
|
||||
ret = krb5_auth_con_getkey(context,
|
||||
auth_context,
|
||||
&key_block);
|
||||
}
|
||||
if (ret) {
|
||||
Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
|
||||
auth_finished(ap, AUTH_REJECT);
|
||||
if (auth_debug_mode)
|
||||
printf("Kerberos V5: "
|
||||
"krb5_auth_con_getkey failed (%s)\r\n",
|
||||
krb5_get_err_text(context, ret));
|
||||
return;
|
||||
}
|
||||
if (key_block == NULL) {
|
||||
Data(ap, KRB_REJECT, "no subkey received", -1);
|
||||
auth_finished(ap, AUTH_REJECT);
|
||||
if (auth_debug_mode)
|
||||
printf("Kerberos V5: "
|
||||
"krb5_auth_con_getremotesubkey returned NULL key\r\n");
|
||||
return;
|
||||
}
|
||||
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
|
||||
ret = krb5_mk_rep(telnet_context,
|
||||
auth_context, &outbuf);
|
||||
|
|
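Review bot: The added session-key fallback in kerberos5_is passes `context` to `krb5_auth_con_getkey` and `krb5_get_err_text`, while every other call visible in these hunks uses `telnet_context`. No declaration of `context` is visible here, so unless one exists outside the hunk these should read `ret = krb5_auth_con_getkey(telnet_context, auth_context, &key_block);` and `krb5_get_err_text(telnet_context, ret)`. The final NULL check also sends "no subkey received" and blames krb5_auth_con_getremotesubkey, although by then the session-key lookup has come back NULL too, so both messages should say that no key was available at all. Because the server now silently accepts a client that sent no subkey, a line printed under `auth_debug_mode` when the fallback is taken would make that case visible. The body of kerberos5_is starts and ends outside the hunk.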