krb5 commit: Fix error code on clpreauth module failure
Greg Hudson
ghudson at mit.edu
Tue Jul 19 14:36:36 EDT 2016
https://github.com/krb5/krb5/commit/560e11dabb63b141df29c54aaa2e120309a1e021
commit 560e11dabb63b141df29c54aaa2e120309a1e021
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Jul 19 10:52:06 2016 -0400
Fix error code on clpreauth module failure
Commit 632260bd1fccfb420f0827b59c85c329203eafc9 (ticket #7517) allows
better error reporting for some client pre-authentication failures.
However, it breaks an assumption in the S4U2Self code that such errors
can be recognized by the KRB5_PREAUTH_FAILED error code. Instead of
passing through the error code reported by the first real preauth
module, wrap that error and return KRB5_PREAUTH_FAILED.
ticket: 8457 (new)
target_version: 1.14-next
target_version: 1.13-next
src/lib/krb5/krb/preauth2.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 783bb31..ca26fb0 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -638,8 +638,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
if (must_preauth) {
/* No real preauth types succeeded and we needed to preauthenticate. */
- ret = (save.code != 0) ? k5_restore_ctx_error(context, &save) :
- KRB5_PREAUTH_FAILED;
+ if (save.code != 0) {
+ ret = k5_restore_ctx_error(context, &save);
+ k5_wrapmsg(context, ret, KRB5_PREAUTH_FAILED,
+ _("Pre-authentication failed"));
+ }
+ ret = KRB5_PREAUTH_FAILED;
}
cleanup:
More information about the cvs-krb5
mailing list