From: Greg Hudson Date: Sun, 17 Feb 2013 17:44:45 +0000 (-0500) Subject: Allow multi-hop SAM-2 exchanges X-Git-Tag: krb5-1.12-alpha1~286 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f20a77e879d203cdcb1bdbf9dc8e604a5187c88f;p=thirdparty%2Fkrb5.git Allow multi-hop SAM-2 exchanges Prior to 1.11, it was possible to do SAM-2 preauth exchanges with multiple hops by sending repeated preauth-required errors with different challenges (which is not the way multi-hop exchanges are described in RFC 6113, but it can still work). This stopped working when SAM-2 was converted to a built-in module. Make it work again. ticket: 7571 (new) target_version: 1.11.1 tags: pullup --- diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index 74a4f27beb..7252048cb9 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -570,6 +570,11 @@ already_tried(krb5_context context, krb5_preauthtype pa_type) size_t count; krb5_preauthtype *newptr; + /* Allow multi-hop SAM-2 exchanges using repeated preauth-required errors + * for historical compatibility. */ + if (pa_type == KRB5_PADATA_SAM_CHALLENGE_2) + return FALSE; + for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) { if (pctx->tried[count] == pa_type) return TRUE;
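Review bot: The new `return FALSE` for `KRB5_PADATA_SAM_CHALLENGE_2` sits ahead of the `pctx->tried` loop and is unconditional, so for SAM-2 the tried list no longer bounds how many times the client will answer a repeated preauth-required error. Nothing in the visible lines limits the number of hops, so a KDC (or anything able to answer in its place) that keeps sending fresh SAM-2 challenges could keep the client in the exchange, re-prompting the user each round, unless the caller has its own loop bound. Please either confirm that bound in the commit message or add a small per-exchange cap on SAM-2 rounds here. The comment could also state that SAM-2 is deliberately exempt from the check, since the function name `already_tried` now suggests otherwise for this type.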