|
 |
167778 |
From 7deb721e6eeb51be30c147240426c19a0c7beede Mon Sep 17 00:00:00 2001
|
|
|
167778 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
167778 |
Date: Sat, 21 Jan 2017 13:20:38 -0500
|
|
|
167778 |
Subject: [PATCH] Echo KDC cookies in preauth tryagain
|
|
|
167778 |
|
|
|
167778 |
When trying again after a mechanism-specific error, we should send the
|
|
|
167778 |
KDC cookie for conformance with RFC 6113.
|
|
|
167778 |
|
|
|
167778 |
ticket: 8539
|
|
|
167778 |
(cherry picked from commit 25f12e90d98b677d0a72893b3c6eb859377aee68)
|
|
|
167778 |
[rharwood@redhat.com: backport around expected_trace]
|
|
|
167778 |
---
|
|
|
167778 |
src/lib/krb5/krb/preauth2.c | 8 +++++++-
|
|
|
167778 |
src/tests/t_pkinit.py | 19 +++++++++----------
|
|
|
167778 |
2 files changed, 16 insertions(+), 11 deletions(-)
|
|
|
167778 |
|
|
|
167778 |
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
|
|
|
167778 |
index 9c5d6eaa9..cfe3dd5b0 100644
|
|
|
167778 |
--- a/src/lib/krb5/krb/preauth2.c
|
|
|
167778 |
+++ b/src/lib/krb5/krb/preauth2.c
|
|
|
167778 |
@@ -923,7 +923,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
krb5_pa_data **mod_pa;
|
|
|
167778 |
krb5_clpreauth_modreq modreq;
|
|
|
167778 |
clpreauth_handle h;
|
|
|
167778 |
- int i;
|
|
|
167778 |
+ int i, count;
|
|
|
167778 |
|
|
|
167778 |
*padata_out = NULL;
|
|
|
167778 |
|
|
|
167778 |
@@ -942,6 +942,12 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
ctx->err_reply, ctx->err_padata,
|
|
|
167778 |
ctx->prompter, ctx->prompter_data, &mod_pa);
|
|
|
167778 |
if (ret == 0 && mod_pa != NULL) {
|
|
|
167778 |
+ for (count = 0; mod_pa[count] != NULL; count++);
|
|
|
167778 |
+ ret = copy_cookie(context, ctx->err_padata, &mod_pa, &count);
|
|
|
167778 |
+ if (ret) {
|
|
|
167778 |
+ krb5_free_pa_data(context, mod_pa);
|
|
|
167778 |
+ return ret;
|
|
|
167778 |
+ }
|
|
|
167778 |
TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa);
|
|
|
167778 |
*padata_out = mod_pa;
|
|
|
167778 |
return 0;
|
|
|
167778 |
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
|
|
|
167778 |
index 183977750..38424932b 100755
|
|
|
167778 |
--- a/src/tests/t_pkinit.py
|
|
|
167778 |
+++ b/src/tests/t_pkinit.py
|
|
|
167778 |
@@ -175,20 +175,19 @@ realm.kinit(realm.user_princ,
|
|
|
167778 |
realm.klist(realm.user_princ)
|
|
|
167778 |
|
|
|
167778 |
# Test a DH parameter renegotiation by temporarily setting a 4096-bit
|
|
|
167778 |
-# minimum on the KDC.
|
|
|
167778 |
-tracefile = os.path.join(realm.testdir, 'trace')
|
|
|
167778 |
+# minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ;
|
|
|
167778 |
+# 133 is FAST PA-FX-COOKIE.)
|
|
|
167778 |
minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
|
|
|
167778 |
minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
|
|
|
167778 |
realm.stop_kdc()
|
|
|
167778 |
realm.start_kdc(env=minbits_env)
|
|
|
167778 |
-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
|
|
|
167778 |
- 'X509_user_identity=' + file_identity, realm.user_princ])
|
|
|
167778 |
-with open(tracefile, 'r') as f:
|
|
|
167778 |
- trace = f.read()
|
|
|
167778 |
-if ('Key parameters not accepted' not in trace or
|
|
|
167778 |
- 'Preauth tryagain input types' not in trace or
|
|
|
167778 |
- 'trying again with KDC-provided parameters' not in trace):
|
|
|
167778 |
- fail('DH renegotiation steps not found in kinit trace log')
|
|
|
167778 |
+expected_trace = ('Key parameters not accepted',
|
|
|
167778 |
+ 'Preauth tryagain input types',
|
|
|
167778 |
+ 'trying again with KDC-provided parameters',
|
|
|
167778 |
+ 'Followup preauth for next request: 16, 133')
|
|
|
167778 |
+realm.kinit(realm.user_princ,
|
|
|
167778 |
+ flags=['-X', 'X509_user_identity=%s' % file_identity],
|
|
|
167778 |
+ expected_trace=expected_trace)
|
|
|
167778 |
realm.stop_kdc()
|
|
|
167778 |
realm.start_kdc()
|
|
|
167778 |
|