svn rev #25501: branches/krb5-1-10/src/ include/ lib/krb5/krb/

tlyu@MIT.EDU tlyu at MIT.EDU
Fri Dec 2 16:20:14 EST 2011 

http://src.mit.edu/fisheye/changelog/krb5/?cs=25501
Commit By: tlyu
Log Message:
ticket: 6430
version_fixed: 1.10
status: resolved

pull up r25469 from trunk

 ------------------------------------------------------------------------
 r25469 | ghudson | 2011-11-11 12:01:12 -0500 (Fri, 11 Nov 2011) | 14 lines

 ticket: 6430
 subject: Avoid looping when preauth can't be generated
 target_version: 1.10
 tags: pullup

 If we receive a PREAUTH_REQUIRED error and fail to generate any real
 preauthentication, error out immediately instead of continuing to
 generate non-preauthenticated requests until we hit the loop count.

 There is a lot of room to generate a more meaningful error about why
 we failed to generate preauth (although in many cases the answer may
 be too complicated to explain in an error message), but that requires
 more radical restructuring of the preauth framework.


Changed Files:
U   branches/krb5-1-10/src/include/k5-int.h
U   branches/krb5-1-10/src/lib/krb5/krb/get_in_tkt.c
U   branches/krb5-1-10/src/lib/krb5/krb/init_creds_ctx.h
U   branches/krb5-1-10/src/lib/krb5/krb/preauth2.c
Modified: branches/krb5-1-10/src/include/k5-int.h
===================================================================
--- branches/krb5-1-10/src/include/k5-int.h	2011-12-02 19:42:12 UTC (rev 25500)
+++ branches/krb5-1-10/src/include/k5-int.h	2011-12-02 21:20:13 UTC (rev 25501)
@@ -1098,7 +1098,7 @@
                 krb5_data *encoded_previous_request, krb5_pa_data **in_padata,
                 krb5_pa_data ***out_padata, krb5_prompter_fct prompter,
                 void *prompter_data, krb5_clpreauth_rock preauth_rock,
-                krb5_gic_opt_ext *opte);
+                krb5_gic_opt_ext *opte, krb5_boolean *got_real_out);
 
 krb5_error_code KRB5_CALLCONV
 krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *request,

Modified: branches/krb5-1-10/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- branches/krb5-1-10/src/lib/krb5/krb/get_in_tkt.c	2011-12-02 19:42:12 UTC (rev 25500)
+++ branches/krb5-1-10/src/lib/krb5/krb/get_in_tkt.c	2011-12-02 21:20:13 UTC (rev 25501)
@@ -1102,6 +1102,7 @@
                         krb5_data *out)
 {
     krb5_error_code code;
+    krb5_boolean got_real;
 
     if (ctx->loopcount >= MAX_IN_TKT_LOOPS) {
         code = KRB5_GET_IN_TKT_LOOP;
@@ -1119,7 +1120,10 @@
                                ctx->prompter,
                                ctx->prompter_data,
                                &ctx->preauth_rock,
-                               ctx->opte);
+                               ctx->opte,
+                               &got_real);
+        if (code == 0 && !got_real && ctx->preauth_required)
+            code = KRB5_PREAUTH_FAILED;
         if (code != 0)
             goto cleanup;
     } else {
@@ -1257,7 +1261,7 @@
     int canon_flag = 0;
     krb5_keyblock *strengthen_key = NULL;
     krb5_keyblock encrypting_key;
-    krb5_boolean fast_avail;
+    krb5_boolean fast_avail, got_real;
 
     encrypting_key.length = 0;
     encrypting_key.contents = NULL;
@@ -1296,6 +1300,7 @@
             code = sort_krb5_padata_sequence(context,
                                              &ctx->request->client->realm,
                                              ctx->preauth_to_use);
+            ctx->preauth_required = TRUE;
 
         } else if (canon_flag && ctx->err_reply->error == KDC_ERR_WRONG_REALM) {
             if (ctx->err_reply->client == NULL ||
@@ -1364,7 +1369,8 @@
                            ctx->prompter,
                            ctx->prompter_data,
                            &ctx->preauth_rock,
-                           ctx->opte);
+                           ctx->opte,
+                           &got_real);
     if (code != 0)
         goto cleanup;
 

Modified: branches/krb5-1-10/src/lib/krb5/krb/init_creds_ctx.h
===================================================================
--- branches/krb5-1-10/src/lib/krb5/krb/init_creds_ctx.h	2011-12-02 19:42:12 UTC (rev 25500)
+++ branches/krb5-1-10/src/lib/krb5/krb/init_creds_ctx.h	2011-12-02 21:20:13 UTC (rev 25501)
@@ -33,6 +33,7 @@
     krb5_boolean enc_pa_rep_permitted;
     krb5_boolean have_restarted;
     krb5_boolean sent_nontrivial_preauth;
+    krb5_boolean preauth_required;
 };
 
 krb5_error_code

Modified: branches/krb5-1-10/src/lib/krb5/krb/preauth2.c
===================================================================
--- branches/krb5-1-10/src/lib/krb5/krb/preauth2.c	2011-12-02 19:42:12 UTC (rev 25500)
+++ branches/krb5-1-10/src/lib/krb5/krb/preauth2.c	2011-12-02 21:20:13 UTC (rev 25501)
@@ -1434,7 +1434,8 @@
                 krb5_data *encoded_previous_request,
                 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
                 krb5_prompter_fct prompter, void *prompter_data,
-                krb5_clpreauth_rock rock, krb5_gic_opt_ext *opte)
+                krb5_clpreauth_rock rock, krb5_gic_opt_ext *opte,
+                krb5_boolean *got_real_out)
 {
     unsigned int h;
     int i, j, out_pa_list_size;
@@ -1446,6 +1447,8 @@
     static const int paorder[] = { PA_INFO, PA_REAL };
     int realdone;
 
+    *got_real_out = FALSE;
+
     if (in_padata == NULL) {
         *out_padata = NULL;
         return(0);
@@ -1640,6 +1643,7 @@
     if (etype_info)
         krb5_free_etype_info(context, etype_info);
 
+    *got_real_out = realdone;
     return(0);
 cleanup:
     if (out_pa_list) {

More information about the cvs-krb5 mailing list