git.ipfire.org Git - thirdparty/krb5.git/commit
Preserve method data in get_in_tkt.c
author: Greg Hudson <ghudson@mit.edu>
Fri, 13 Jan 2017 20:35:48 +0000 (15:35 -0500)
committer: Greg Hudson <ghudson@mit.edu>
Thu, 23 Feb 2017 17:33:16 +0000 (12:33 -0500)
commit: 97a9b0c4ef3fc7b20e6ae592201bcb132d58bbe5
tree: 55ae0ffbc05bc13692091153c7b729b49f5e4da2
parent: 750cd27317d8e8af506c3b9e412a3ccbeef299b0

To continue after preauth failures, we need a persistent field in
krb5_init_creds_context containing the METHOD-DATA from a
KDC_PREAUTH_REQUIRED or KDC_PREAUTH_FAILED error.  If we overwrite
this field with the padata in a KDC_MORE_PREAUTH_DATA_REQUIRED error,
or conflate it with an optimistic padata list, we won't be able to
correctly continue after a preauth failure.

In krb5_init_creds_context, split the preauth_to_use field into
optimistic_padata, method_padata, and more_padata.  Separately handle
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED in init_creds_step_request() and
init_creds_step_reply(), and separately handle optimistic preauth in
init_creds_step_request().  Do not call k5_preauth() if none of the
padata lists are set.

Also stop clearing ctx->err_reply when processing a
KDC_ERR_PREAUTH_REQUIRED response.  Instead look for that error code
in init_creds_step_request().  Eliminate the preauth_required field of
krb5_init_creds_context as it can be inferred from whether we are
performing optimistic preauth.

ticket: 8537
src/include/k5-trace.h
src/lib/krb5/krb/get_in_tkt.c
src/lib/krb5/krb/init_creds_ctx.h
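
A toy model of the three-list split described in the commit message, added here as an illustration and not taken from get_in_tkt.c. The `toy_*` names, the string stand-ins for padata, and the order in which `toy_step_request()` prefers the lists are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Error codes as assigned in RFC 4120 and RFC 6113. */
enum { KDC_ERR_PREAUTH_FAILED = 24, KDC_ERR_PREAUTH_REQUIRED = 25,
       KDC_ERR_MORE_PREAUTH_DATA_REQUIRED = 91 };

/* Hypothetical stand-in for the three fields named in the commit message. */
struct toy_ctx {
    const char *optimistic_padata; /* sent before the KDC has hinted anything */
    const char *method_padata;     /* METHOD-DATA from PREAUTH_REQUIRED/FAILED */
    const char *more_padata;       /* padata from MORE_PREAUTH_DATA_REQUIRED */
};

/* File the padata carried by a KDC error under the list matching its code. */
static void toy_step_reply(struct toy_ctx *ctx, int err, const char *padata)
{
    if (err == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED) {
        ctx->more_padata = padata;         /* method_padata is left untouched */
    } else if (err == KDC_ERR_PREAUTH_REQUIRED ||
               err == KDC_ERR_PREAUTH_FAILED) {
        ctx->method_padata = padata;       /* the persistent list to retry from */
        ctx->more_padata = NULL;
        ctx->optimistic_padata = NULL;
    }
}

/* Choose the list for the next request; NULL means "do not run preauth". */
static const char *toy_step_request(struct toy_ctx *ctx)
{
    const char *use = ctx->method_padata;
    if (ctx->more_padata != NULL) {        /* one-shot continuation round */
        use = ctx->more_padata;
        ctx->more_padata = NULL;
    } else if (ctx->optimistic_padata != NULL) {
        use = ctx->optimistic_padata;
        ctx->optimistic_padata = NULL;
    }
    return use;
}

int main(void)
{
    struct toy_ctx c = { NULL, NULL, NULL };
    toy_step_reply(&c, KDC_ERR_PREAUTH_REQUIRED, "mechA,mechB"); /* constructed */
    toy_step_reply(&c, KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "mechA-round2");
    printf("next: %s\n", toy_step_request(&c));   /* continuation round */
    printf("retry: %s\n", toy_step_request(&c));  /* METHOD-DATA survived */
    return 0;
}
```

With a single shared field, the second `toy_step_reply()` call would have overwritten the mechanism list, leaving nothing to retry from once the continuation round was spent.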