[krbdev.mit.edu #8537] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Feb 23 12:53:31 EST 2017
Preserve method data in get_in_tkt.c
To continue after preauth failures, we need a persistent field in
krb5_init_creds_context containing the METHOD-DATA from a
KDC_PREAUTH_REQUIRED or KDC_PREAUTH_FAILED error. If we overwrite
this field with the padata in a KDC_MORE_PREAUTH_DATA_REQUIRED error,
or conflate it with an optimistic padata list, we won't be able to
correctly continue after a preauth failure.
In krb5_init_creds_context, split the preauth_to_use field into
optimistic_padata, method_padata, and more_padata. Separately handle
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED in init_creds_step_request() and
init_creds_step_reply(), and separately handle optimistic preauth in
init_creds_step_request(). Do not call k5_preauth() if none of the
padata lists are set.
Also stop clearing ctx->err_reply when processing a
KDC_ERR_PREAUTH_REQUIRED response. Instead look for that error code
in init_creds_step_request(). Eliminate the preauth_required field of
krb5_init_creds_context as it can be inferred from whether we are
performing optimistic preauth.
https://github.com/krb5/krb5/commit/97a9b0c4ef3fc7b20e6ae592201bcb132d58bbe5
Author: Greg Hudson <ghudson at mit.edu>
Commit: 97a9b0c4ef3fc7b20e6ae592201bcb132d58bbe5
Branch: master
src/include/k5-trace.h | 11 ++++++
src/lib/krb5/krb/get_in_tkt.c | 71 +++++++++++++++++++++++++------------
src/lib/krb5/krb/init_creds_ctx.h | 5 ++-
3 files changed, 62 insertions(+), 25 deletions(-)
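The commit message above describes a state split rather than showing it, so here is a small C model of the behaviour it asks for: three separate padata lists in the context, a reply step that updates only the list belonging to the error code it received, and a request step that picks the list to use, infers preauth_required instead of storing it, and skips the preauth framework entirely when no list is set. This is an added example written for this page, not code from krb5's get_in_tkt.c; the struct, the field and function names (creds_ctx, step_reply, step_request, set_list), the USED_* result codes and the rule that a PREAUTH_FAILED error without e-data keeps the earlier METHOD-DATA are assumptions of the model. The error-code values are those assigned by RFC 4120 and RFC 6113; the padata type numbers are illustrative entries from the IANA pre-authentication registry.

```c
/*
 * Added example, not krb5 code: a minimal model of the optimistic_padata /
 * method_padata / more_padata split.  Names and the fallback rule for a
 * PREAUTH_FAILED error without e-data are assumptions of this model.
 */
#include <stdio.h>
#include <string.h>

enum kdc_err {
    KDC_OK = 0,
    KDC_ERR_PREAUTH_FAILED = 24,            /* RFC 4120 */
    KDC_ERR_PREAUTH_REQUIRED = 25,          /* RFC 4120 */
    KDC_ERR_MORE_PREAUTH_DATA_REQUIRED = 91 /* RFC 6113 */
};

/* Illustrative padata types from the IANA pre-authentication registry. */
#define PA_ENC_TIMESTAMP 2
#define PA_PK_AS_REQ     16
#define PA_OTP_CHALLENGE 141

#define MAX_PA 4
struct pa_list {
    int types[MAX_PA];
    int n;                  /* 0 means "list not set" */
};

/* Model of the relevant krb5_init_creds_context fields after the split. */
struct creds_ctx {
    struct pa_list optimistic_padata; /* caller's guesses, sent before any KDC error */
    struct pa_list method_padata;     /* METHOD-DATA from PREAUTH_REQUIRED / PREAUTH_FAILED */
    struct pa_list more_padata;       /* padata from MORE_PREAUTH_DATA_REQUIRED */
    int err_reply;                    /* last KDC error; kept, not cleared on PREAUTH_REQUIRED */
};

/* Which list the request step hands to the preauth framework (assumed names). */
enum which_list { USED_NONE = 0, USED_OPTIMISTIC, USED_METHOD, USED_MORE };

static void set_list(struct pa_list *l, const int *types, int n)
{
    if (n > MAX_PA)
        n = MAX_PA;
    memset(l, 0, sizeof(*l));
    if (n > 0)
        memcpy(l->types, types, (size_t)n * sizeof(int));
    l->n = n;
}

/* Model of the reply step: each error code updates only its own list.
 * Returns 0 for a preauth error, -1 for anything else. */
static int step_reply(struct creds_ctx *ctx, int err, const int *pa, int n)
{
    ctx->err_reply = err;
    switch (err) {
    case KDC_ERR_PREAUTH_REQUIRED:
    case KDC_ERR_PREAUTH_FAILED:
        /* Optimistic guesses are over; from here on use the KDC's METHOD-DATA. */
        set_list(&ctx->optimistic_padata, NULL, 0);
        /* Model assumption: a failure that carries no e-data keeps the earlier METHOD-DATA. */
        if (n > 0)
            set_list(&ctx->method_padata, pa, n);
        return 0;
    case KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
        /* Kept in its own field so method_padata survives for a later retry. */
        set_list(&ctx->more_padata, pa, n);
        return 0;
    default:
        return -1;
    }
}

/* Model of the request step: choose the list, infer preauth_required, and
 * return USED_NONE when no list is set (the preauth framework is then skipped). */
static enum which_list step_request(const struct creds_ctx *ctx, int *preauth_required)
{
    int optimistic = ctx->optimistic_padata.n > 0;

    /* No stored flag: required iff the KDC said so and we are not guessing. */
    *preauth_required = (ctx->err_reply == KDC_ERR_PREAUTH_REQUIRED) && !optimistic;

    if (ctx->err_reply == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED && ctx->more_padata.n > 0)
        return USED_MORE;       /* continue the mechanism already in progress */
    if (optimistic)
        return USED_OPTIMISTIC; /* first request, no KDC error seen yet */
    if (ctx->method_padata.n > 0)
        return USED_METHOD;     /* fall back to the KDC's METHOD-DATA */
    return USED_NONE;
}

int main(void)
{
    struct creds_ctx ctx;
    int required;
    const int method[] = { PA_ENC_TIMESTAMP, PA_PK_AS_REQ }; /* constructed sample */
    const int more[]   = { PA_OTP_CHALLENGE };               /* constructed sample */

    memset(&ctx, 0, sizeof(ctx));
    printf("initial: list=%d\n", step_request(&ctx, &required));
    step_reply(&ctx, KDC_ERR_PREAUTH_REQUIRED, method, 2);
    printf("after PREAUTH_REQUIRED: list=%d required=%d\n",
           step_request(&ctx, &required), required);
    step_reply(&ctx, KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, more, 1);
    printf("after MORE_PREAUTH_DATA_REQUIRED: list=%d method entries kept=%d\n",
           step_request(&ctx, &required), ctx.method_padata.n);
    step_reply(&ctx, KDC_ERR_PREAUTH_FAILED, NULL, 0);
    printf("after PREAUTH_FAILED: list=%d\n", step_request(&ctx, &required));
    return 0;
}
```

The walkthrough in main() is the case the commit message is about: after a MORE_PREAUTH_DATA_REQUIRED round, a PREAUTH_FAILED error still leaves method_padata with the KDC's original METHOD-DATA, so the client can retry with another mechanism; with a single shared field the MORE data would have overwritten that list.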
More information about the krb5-bugs mailing list