From: Greg Hudson Date: Mon, 12 May 2025 20:21:05 +0000 (-0400) Subject: Simplify preauth fallback disabling X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1430%2Fhead;p=thirdparty%2Fkrb5.git Simplify preauth fallback disabling Remove the fallback_disabled field from krb5_init_creds_context, and instead record the current preauth type as the only allowed preauth type when a preauth module invokes the disable_fallback() method. The previous method failed to prevent fallback when a KDC unexpectedly responds with PREAUTH_REQUIRED partway through the preauth exchange. Reported by Richard Silverman. --- diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 4b2be41e75..00a5cceea5 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1331,9 +1331,6 @@ init_creds_step_request(krb5_context context, /* Don't continue after a keyboard interrupt. */ if (code == KRB5_LIBOS_PWDINTR) goto cleanup; - /* Don't continue if fallback is disabled. */ - if (code && ctx->fallback_disabled) - goto cleanup; if (code) { /* See if we can try a different preauth mech before giving up. */ k5_save_ctx_error(context, code, &save); diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h index 17d55dd7c4..710b77810b 100644 --- a/src/lib/krb5/krb/init_creds_ctx.h +++ b/src/lib/krb5/krb/init_creds_ctx.h @@ -63,9 +63,9 @@ struct _krb5_init_creds_context { krb5_enctype etype; krb5_boolean info_pa_permitted; krb5_boolean restarted; - krb5_boolean fallback_disabled; krb5_boolean encts_disabled; struct krb5_responder_context_st rctx; + krb5_preauthtype current_preauth_type; krb5_preauthtype selected_preauth_type; krb5_preauthtype allowed_preauth_type; k5_json_object cc_config_in; diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index 32f35b7615..b5ef6c6165 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -552,7 +552,9 @@ set_cc_config(krb5_context context, krb5_clpreauth_rock rock, static void disable_fallback(krb5_context context, krb5_clpreauth_rock rock) { - ((krb5_init_creds_context)rock)->fallback_disabled = TRUE; + krb5_init_creds_context ctx = (krb5_init_creds_context)rock; + + ctx->allowed_preauth_type = ctx->current_preauth_type; } static struct krb5_clpreauth_callbacks_st callbacks = { @@ -676,6 +678,7 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, if (real && previously_failed(ctx, pa->pa_type)) continue; mod_pa = NULL; + ctx->current_preauth_type = pa->pa_type; ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body, @@ -908,6 +911,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, if (h == NULL) return KRB5KRB_ERR_GENERIC; mod_pa = NULL; + ctx->current_preauth_type = pa_type; ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body, @@ -954,6 +958,7 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx, h = find_module(context, ctx, pa->pa_type, &modreq); if (h == NULL) continue; + ctx->current_preauth_type = pa->pa_type; ret = clpreauth_prep_questions(context, h, modreq, ctx->opt, &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body,