|
 |
d738b9 |
From bfeb18163ba1364d37c9179bcf5e9c042c268a8b Mon Sep 17 00:00:00 2001
|
|
|
d738b9 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
d738b9 |
Date: Fri, 13 Jan 2017 10:14:36 -0500
|
|
|
d738b9 |
Subject: [PATCH] Adjust processing of pa_type ccache config
|
|
|
d738b9 |
|
|
|
d738b9 |
Read the allowed preauth type from the input ccache in
|
|
|
d738b9 |
restart_init_creds_loop(); there is no need to reread it each time we
|
|
|
d738b9 |
produce a request. Move read_allowed_preauth_type() earlier in the
|
|
|
d738b9 |
file to allow it to be called from restart_init_creds_loop() without a
|
|
|
d738b9 |
prototype.
|
|
|
d738b9 |
|
|
|
d738b9 |
Clear the selected preauth type in restart_init_creds_loop(), not in
|
|
|
d738b9 |
init_creds_step_request(). We want to make sure that it doesn't
|
|
|
d738b9 |
survive a restart due to a realm referral or expiry, but we don't want
|
|
|
d738b9 |
to forget about it when retrying after an error.
|
|
|
d738b9 |
|
|
|
d738b9 |
(cherry picked from commit 468c6eb7bb860f7ec0381086a22859f822b41c43)
|
|
|
d738b9 |
---
|
|
|
d738b9 |
src/lib/krb5/krb/get_in_tkt.c | 61 ++++++++++++++++++-----------------
|
|
|
d738b9 |
1 file changed, 31 insertions(+), 30 deletions(-)
|
|
|
d738b9 |
|
|
|
d738b9 |
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
d738b9 |
index 52e07bb67..da12204ac 100644
|
|
|
d738b9 |
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
|
d738b9 |
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
d738b9 |
@@ -791,6 +791,31 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx)
|
|
|
d738b9 |
return 0;
|
|
|
d738b9 |
}
|
|
|
d738b9 |
|
|
|
d738b9 |
+static void
|
|
|
d738b9 |
+read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx)
|
|
|
d738b9 |
+{
|
|
|
d738b9 |
+ krb5_error_code ret;
|
|
|
d738b9 |
+ krb5_data config;
|
|
|
d738b9 |
+ char *tmp, *p;
|
|
|
d738b9 |
+ krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt);
|
|
|
d738b9 |
+
|
|
|
d738b9 |
+ ctx->allowed_preauth_type = KRB5_PADATA_NONE;
|
|
|
d738b9 |
+ if (in_ccache == NULL)
|
|
|
d738b9 |
+ return;
|
|
|
d738b9 |
+ memset(&config, 0, sizeof(config));
|
|
|
d738b9 |
+ if (krb5_cc_get_config(context, in_ccache, ctx->request->server,
|
|
|
d738b9 |
+ KRB5_CC_CONF_PA_TYPE, &config) != 0)
|
|
|
d738b9 |
+ return;
|
|
|
d738b9 |
+ tmp = k5memdup0(config.data, config.length, &ret;;
|
|
|
d738b9 |
+ krb5_free_data_contents(context, &config);
|
|
|
d738b9 |
+ if (tmp == NULL)
|
|
|
d738b9 |
+ return;
|
|
|
d738b9 |
+ ctx->allowed_preauth_type = strtol(tmp, &p, 10);
|
|
|
d738b9 |
+ if (p == NULL || *p != '\0')
|
|
|
d738b9 |
+ ctx->allowed_preauth_type = KRB5_PADATA_NONE;
|
|
|
d738b9 |
+ free(tmp);
|
|
|
d738b9 |
+}
|
|
|
d738b9 |
+
|
|
|
d738b9 |
/**
|
|
|
d738b9 |
* Throw away any pre-authentication realm state and begin with a
|
|
|
d738b9 |
* unauthenticated or optimistically authenticated request. If fast_upgrade is
|
|
|
d738b9 |
@@ -807,6 +832,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
|
|
|
d738b9 |
krb5_free_error(context, ctx->err_reply);
|
|
|
d738b9 |
ctx->preauth_to_use = ctx->err_padata = NULL;
|
|
|
d738b9 |
ctx->err_reply = NULL;
|
|
|
d738b9 |
+ ctx->selected_preauth_type = KRB5_PADATA_NONE;
|
|
|
d738b9 |
|
|
|
d738b9 |
krb5int_fast_free_state(context, ctx->fast_state);
|
|
|
d738b9 |
ctx->fast_state = NULL;
|
|
|
d738b9 |
@@ -849,6 +875,11 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
|
|
|
d738b9 |
&ctx->outer_request_body);
|
|
|
d738b9 |
if (code != 0)
|
|
|
d738b9 |
goto cleanup;
|
|
|
d738b9 |
+
|
|
|
d738b9 |
+ /* Read the allowed preauth type for this server principal from the input
|
|
|
d738b9 |
+ * ccache, if the application supplied one. */
|
|
|
d738b9 |
+ read_allowed_preauth_type(context, ctx);
|
|
|
d738b9 |
+
|
|
|
d738b9 |
cleanup:
|
|
|
d738b9 |
return code;
|
|
|
d738b9 |
}
|
|
|
d738b9 |
@@ -1154,31 +1185,6 @@ init_creds_validate_reply(krb5_context context,
|
|
|
d738b9 |
return 0;
|
|
|
d738b9 |
}
|
|
|
d738b9 |
|
|
|
d738b9 |
-static void
|
|
|
d738b9 |
-read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx)
|
|
|
d738b9 |
-{
|
|
|
d738b9 |
- krb5_error_code ret;
|
|
|
d738b9 |
- krb5_data config;
|
|
|
d738b9 |
- char *tmp, *p;
|
|
|
d738b9 |
- krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt);
|
|
|
d738b9 |
-
|
|
|
d738b9 |
- ctx->allowed_preauth_type = KRB5_PADATA_NONE;
|
|
|
d738b9 |
- if (in_ccache == NULL)
|
|
|
d738b9 |
- return;
|
|
|
d738b9 |
- memset(&config, 0, sizeof(config));
|
|
|
d738b9 |
- if (krb5_cc_get_config(context, in_ccache, ctx->request->server,
|
|
|
d738b9 |
- KRB5_CC_CONF_PA_TYPE, &config) != 0)
|
|
|
d738b9 |
- return;
|
|
|
d738b9 |
- tmp = k5memdup0(config.data, config.length, &ret;;
|
|
|
d738b9 |
- krb5_free_data_contents(context, &config);
|
|
|
d738b9 |
- if (tmp == NULL)
|
|
|
d738b9 |
- return;
|
|
|
d738b9 |
- ctx->allowed_preauth_type = strtol(tmp, &p, 10);
|
|
|
d738b9 |
- if (p == NULL || *p != '\0')
|
|
|
d738b9 |
- ctx->allowed_preauth_type = KRB5_PADATA_NONE;
|
|
|
d738b9 |
- free(tmp);
|
|
|
d738b9 |
-}
|
|
|
d738b9 |
-
|
|
|
d738b9 |
static krb5_error_code
|
|
|
d738b9 |
save_selected_preauth_type(krb5_context context, krb5_ccache ccache,
|
|
|
d738b9 |
krb5_init_creds_context ctx)
|
|
|
d738b9 |
@@ -1317,11 +1323,6 @@ init_creds_step_request(krb5_context context,
|
|
|
d738b9 |
if (code)
|
|
|
d738b9 |
goto cleanup;
|
|
|
d738b9 |
|
|
|
d738b9 |
- /* Read the allowed patype for this server principal from the in_ccache,
|
|
|
d738b9 |
- * if the application supplied one. */
|
|
|
d738b9 |
- read_allowed_preauth_type(context, ctx);
|
|
|
d738b9 |
- ctx->selected_preauth_type = KRB5_PADATA_NONE;
|
|
|
d738b9 |
-
|
|
|
d738b9 |
/*
|
|
|
d738b9 |
* Read cached preauth configuration data for this server principal from
|
|
|
d738b9 |
* the in_ccache, if the application supplied one, and delete any that was
|