krb5 commit [krb5-1.13]: Use responder for non-preauth AS requests
Tom Yu
tlyu at mit.edu
Fri Sep 9 14:48:18 EDT 2016
https://github.com/krb5/krb5/commit/af6f7168b1a13edfc8824e0d26741fec010e0657
commit af6f7168b1a13edfc8824e0d26741fec010e0657
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Aug 5 12:28:03 2016 -0400
Use responder for non-preauth AS requests
If no AS reply key is computed during pre-authentication (typically
because no pre-authentication was required by the KDC), ask for the
password using the responder before calling gak_fct for the key, and
supply any resulting responder items to gak_fct.
(cherry picked from commit 0639adc91ae9f66496171d14a232eae3c02bda0d)
ticket: 8454
version_fixed: 1.13.7
src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
src/tests/t_general.py | 5 +++++
2 files changed, 28 insertions(+), 1 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 4ec4e55..13ececc 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1412,6 +1412,8 @@ init_creds_step_reply(krb5_context context,
krb5_keyblock encrypting_key;
krb5_boolean fast_avail;
krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
+ krb5_responder_fn responder;
+ void *responder_data;
encrypting_key.length = 0;
encrypting_key.contents = NULL;
@@ -1563,13 +1565,33 @@ init_creds_step_reply(krb5_context context,
code = -1;
if (code != 0) {
+ /* If a responder was provided and we are using a password, ask for the
+ * password using the responder before falling back to the prompter. */
+ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
+ if (responder != NULL && !ctx->as_key.length) {
+ /* Indicate a need for the AS key by calling the gak_fct with a
+ * NULL as_key. */
+ code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
+ NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
+ ctx->rctx.items);
+ if (code != 0)
+ goto cleanup;
+
+ /* If that produced a responder question, invoke the responder. */
+ if (!k5_response_items_empty(ctx->rctx.items)) {
+ code = (*responder)(context, responder_data, &ctx->rctx);
+ if (code != 0)
+ goto cleanup;
+ }
+ }
+
/* if we haven't get gotten a key, get it now */
TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
code = (*ctx->gak_fct)(context, ctx->request->client,
ctx->reply->enc_part.enctype,
ctx->prompter, ctx->prompter_data,
&ctx->salt, &ctx->s2kparams,
- &ctx->as_key, ctx->gak_data, NULL);
+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
if (code != 0)
goto cleanup;
TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index 5349b05..e27e99f 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -33,6 +33,11 @@ realm.stop()
realm = K5Realm(create_host=False)
+# Regression test for #8454 (responder callback isn't used when
+# preauth is not required).
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
+ realm.user_princ])
+
# Test that WRONG_REALM responses aren't treated as referrals unless
# they contain a crealm field pointing to a different realm.
# (Regression test for #8060.)
More information about the cvs-krb5
mailing list