Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module. Make it work again.
ticket: 7571 (new)
target_version: 1.11.1
tags: pullup
size_t count;
krb5_preauthtype *newptr;
+ /* Allow multi-hop SAM-2 exchanges using repeated preauth-required errors
+ * for historical compatibility. */
+ if (pa_type == KRB5_PADATA_SAM_CHALLENGE_2)
+ return FALSE;
+
for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) {
if (pctx->tried[count] == pa_type)
return TRUE;
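Review bot: The early `return FALSE` for `KRB5_PADATA_SAM_CHALLENGE_2` sits before the `pctx->tried` loop, so a SAM-2 challenge is never recorded as already tried and the check can no longer stop the client from answering it again; with no other bound visible in this hunk, a KDC (or an attacker able to spoof KDC replies) that keeps sending KDC_ERR_PREAUTH_REQUIRED with fresh SAM-2 challenges could drive the client through an unbounded number of round trips. Either cap the number of SAM-2 hops the client will follow before giving up, or state in the comment which existing limit bounds the retry loop so the exemption is clearly safe. The comment should also say explicitly that it exempts SAM-2 from the tried-type list rather than only citing "historical compatibility", since the commit message notes this repeated-error pattern is not how RFC 6113 describes multi-hop exchanges.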