krb5 commit: Simplify preauth fallback disabling
ghudson at mit.edu
ghudson at mit.edu
Fri Jun 13 16:04:54 EDT 2025
https://github.com/krb5/krb5/commit/df70aed645da58698466f5a8811a75873b85b5b2
commit df70aed645da58698466f5a8811a75873b85b5b2
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon May 12 16:21:05 2025 -0400
Simplify preauth fallback disabling
Remove the fallback_disabled field from krb5_init_creds_context, and
instead record the current preauth type as the only allowed preauth
type when a preauth module invokes the disable_fallback() method.
The previous method failed to prevent fallback when a KDC unexpectedly
responds with PREAUTH_REQUIRED partway through the preauth exchange.
Reported by Richard Silverman.
src/lib/krb5/krb/get_in_tkt.c | 3 ---
src/lib/krb5/krb/init_creds_ctx.h | 2 +-
src/lib/krb5/krb/preauth2.c | 7 ++++++-
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 4b2be41e7..00a5cceea 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1331,9 +1331,6 @@ init_creds_step_request(krb5_context context,
/* Don't continue after a keyboard interrupt. */
if (code == KRB5_LIBOS_PWDINTR)
goto cleanup;
- /* Don't continue if fallback is disabled. */
- if (code && ctx->fallback_disabled)
- goto cleanup;
if (code) {
/* See if we can try a different preauth mech before giving up. */
k5_save_ctx_error(context, code, &save);
diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
index 17d55dd7c..710b77810 100644
--- a/src/lib/krb5/krb/init_creds_ctx.h
+++ b/src/lib/krb5/krb/init_creds_ctx.h
@@ -63,9 +63,9 @@ struct _krb5_init_creds_context {
krb5_enctype etype;
krb5_boolean info_pa_permitted;
krb5_boolean restarted;
- krb5_boolean fallback_disabled;
krb5_boolean encts_disabled;
struct krb5_responder_context_st rctx;
+ krb5_preauthtype current_preauth_type;
krb5_preauthtype selected_preauth_type;
krb5_preauthtype allowed_preauth_type;
k5_json_object cc_config_in;
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 32f35b761..b5ef6c616 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -552,7 +552,9 @@ set_cc_config(krb5_context context, krb5_clpreauth_rock rock,
static void
disable_fallback(krb5_context context, krb5_clpreauth_rock rock)
{
- ((krb5_init_creds_context)rock)->fallback_disabled = TRUE;
+ krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
+
+ ctx->allowed_preauth_type = ctx->current_preauth_type;
}
static struct krb5_clpreauth_callbacks_st callbacks = {
@@ -676,6 +678,7 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
if (real && previously_failed(ctx, pa->pa_type))
continue;
mod_pa = NULL;
+ ctx->current_preauth_type = pa->pa_type;
ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks,
(krb5_clpreauth_rock)ctx, ctx->request,
ctx->inner_request_body,
@@ -908,6 +911,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
if (h == NULL)
return KRB5KRB_ERR_GENERIC;
mod_pa = NULL;
+ ctx->current_preauth_type = pa_type;
ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks,
(krb5_clpreauth_rock)ctx, ctx->request,
ctx->inner_request_body,
@@ -954,6 +958,7 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx,
h = find_module(context, ctx, pa->pa_type, &modreq);
if (h == NULL)
continue;
+ ctx->current_preauth_type = pa->pa_type;
ret = clpreauth_prep_questions(context, h, modreq, ctx->opt,
&callbacks, (krb5_clpreauth_rock)ctx,
ctx->request, ctx->inner_request_body,
More information about the cvs-krb5
mailing list