svn rev #22890: trunk/src/lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Oct 13 15:43:18 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22890
Commit By: ghudson
Log Message:
ticket: 6573
subject: Fix preauth looping in krb5_get_init_creds
tags: pullup
target_version: 1.7.1
In 1.7, krb5_get_init_creds will continue attempting the same built-in
preauth mechanism (e.g. encrypted timestamp) until the loop counter
maxes out. Until the preauth framework can remember not to retry
built-in mechanisms, only continue with preauth after a PREAUTH_FAILED
error resulting from optimistic preauth.
Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c
Modified: trunk/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-10-13 19:38:42 UTC (rev 22889)
+++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-10-13 19:43:17 UTC (rev 22890)
@@ -1055,6 +1055,21 @@
return ret;
}
+/* Decide whether to continue trying AS-REQ preauthentication. */
+static krb5_boolean
+should_continue_preauth(krb5_ui_4 error, int loopcount)
+{
+ /*
+ * Continue on PREAUTH_FAILED only on the first iteration, which
+ * would imply that we did optimistic preauth unsuccessfully. We
+ * could continue on later iterations if the preauth framework
+ * reliably remembered what mechanisms had been tried, but
+ * currently it does not do so for built-in mechanisms.
+ */
+ return (error == KDC_ERR_PREAUTH_REQUIRED ||
+ (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0));
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds(krb5_context context,
krb5_creds *creds,
@@ -1412,8 +1427,7 @@
&out_padata, &retry);
if (ret !=0)
goto cleanup;
- if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED)
-&& retry) {
+ if (should_continue_preauth(err_reply->error, loopcount) && retry) {
/* reset the list of preauth types to try */
if (preauth_to_use) {
krb5_free_pa_data(context, preauth_to_use);
More information about the cvs-krb5
mailing list