summaryrefslogtreecommitdiff
path: root/src/kdc/kdc_preauth_ec.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/kdc/kdc_preauth_ec.c')
-rw-r--r--src/kdc/kdc_preauth_ec.c41
1 files changed, 26 insertions, 15 deletions
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index feef3683141c..7e636b3f9fed 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -56,7 +56,6 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_kdcpreauth_verify_respond_fn respond, void *arg)
{
krb5_error_code retval = 0;
- krb5_timestamp now;
krb5_enc_data *enc = NULL;
krb5_data scratch, plain;
krb5_keyblock *armor_key = cb->fast_armor(context, rock);
@@ -66,6 +65,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_keyblock *kdc_challenge_key;
krb5_kdcpreauth_modreq modreq = NULL;
int i = 0;
+ char *ai = NULL, *realmstr = NULL;
+ krb5_data realm = request->server->realm;
plain.data = NULL;
@@ -84,6 +85,15 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
if (plain.data == NULL)
retval = ENOMEM;
}
+
+ /* Check for a configured FAST ec auth indicator. */
+ realmstr = k5memdup0(realm.data, realm.length, &retval);
+ if (realmstr != NULL)
+ retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+ realmstr,
+ KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR,
+ NULL, &ai);
+
if (retval == 0)
retval = cb->client_keys(context, rock, &client_keys);
if (retval == 0) {
@@ -113,21 +123,20 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
if (retval == 0)
retval = decode_krb5_pa_enc_ts(&plain, &ts);
if (retval == 0)
- retval = krb5_timeofday(context, &now);
+ retval = krb5_check_clockskew(context, ts->patimestamp);
if (retval == 0) {
- if (labs(now-ts->patimestamp) < context->clockskew) {
- enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
- /*
- * If this fails, we won't generate a reply to the client. That
- * may cause the client to fail, but at this point the KDC has
- * considered this a success, so the return value is ignored.
- */
- if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
- &client_keys[i], "challengelongterm",
- &kdc_challenge_key) == 0)
- modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
- } else { /*skew*/
- retval = KRB5KRB_AP_ERR_SKEW;
+ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+ /*
+ * If this fails, we won't generate a reply to the client. That may
+ * cause the client to fail, but at this point the KDC has considered
+ * this a success, so the return value is ignored.
+ */
+ if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
+ &client_keys[i], "challengelongterm",
+ &kdc_challenge_key) == 0) {
+ modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
+ if (ai != NULL)
+ cb->add_auth_indicator(context, rock, ai);
}
}
cb->free_keys(context, rock, client_keys);
@@ -137,6 +146,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_free_enc_data(context, enc);
if (ts)
krb5_free_pa_enc_ts(context, ts);
+ free(realmstr);
+ free(ai);
(*respond)(arg, retval, modreq, NULL, NULL);
}
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-19 12:26:39 +0000