|
 |
8c1676 |
From c45c43a82491f5c4487087cb424381e884559433 Mon Sep 17 00:00:00 2001
|
|
|
8c1676 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
8c1676 |
Date: Fri, 5 Aug 2016 12:28:03 -0400
|
|
|
8c1676 |
Subject: [PATCH] Use responder for non-preauth AS requests
|
|
|
8c1676 |
|
|
|
8c1676 |
If no AS reply key is computed during pre-authentication (typically
|
|
|
8c1676 |
because no pre-authentication was required by the KDC), ask for the
|
|
|
8c1676 |
password using the responder before calling gak_fct for the key, and
|
|
|
8c1676 |
supply any resulting responder items to gak_fct.
|
|
|
8c1676 |
|
|
|
8c1676 |
ticket: 8454
|
|
|
8c1676 |
target_version: 1.14-next
|
|
|
8c1676 |
target_version: 1.13-next
|
|
|
8c1676 |
tags: pullup
|
|
|
8c1676 |
---
|
|
|
8c1676 |
src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
|
|
|
8c1676 |
src/tests/t_general.py | 5 +++++
|
|
|
8c1676 |
2 files changed, 28 insertions(+), 1 deletion(-)
|
|
|
8c1676 |
|
|
|
8c1676 |
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
8c1676 |
index 24cd970..4290d0c 100644
|
|
|
8c1676 |
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
|
8c1676 |
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
8c1676 |
@@ -1391,6 +1391,8 @@ init_creds_step_reply(krb5_context context,
|
|
|
8c1676 |
krb5_keyblock encrypting_key;
|
|
|
8c1676 |
krb5_boolean fast_avail;
|
|
|
8c1676 |
krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
|
|
|
8c1676 |
+ krb5_responder_fn responder;
|
|
|
8c1676 |
+ void *responder_data;
|
|
|
8c1676 |
|
|
|
8c1676 |
encrypting_key.length = 0;
|
|
|
8c1676 |
encrypting_key.contents = NULL;
|
|
|
8c1676 |
@@ -1549,13 +1551,33 @@ init_creds_step_reply(krb5_context context,
|
|
|
8c1676 |
code = -1;
|
|
|
8c1676 |
|
|
|
8c1676 |
if (code != 0) {
|
|
|
8c1676 |
+ /* If a responder was provided and we are using a password, ask for the
|
|
|
8c1676 |
+ * password using the responder before falling back to the prompter. */
|
|
|
8c1676 |
+ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
|
|
|
8c1676 |
+ if (responder != NULL && !ctx->as_key.length) {
|
|
|
8c1676 |
+ /* Indicate a need for the AS key by calling the gak_fct with a
|
|
|
8c1676 |
+ * NULL as_key. */
|
|
|
8c1676 |
+ code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
|
|
|
8c1676 |
+ NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
|
|
|
8c1676 |
+ ctx->rctx.items);
|
|
|
8c1676 |
+ if (code != 0)
|
|
|
8c1676 |
+ goto cleanup;
|
|
|
8c1676 |
+
|
|
|
8c1676 |
+ /* If that produced a responder question, invoke the responder. */
|
|
|
8c1676 |
+ if (!k5_response_items_empty(ctx->rctx.items)) {
|
|
|
8c1676 |
+ code = (*responder)(context, responder_data, &ctx->rctx);
|
|
|
8c1676 |
+ if (code != 0)
|
|
|
8c1676 |
+ goto cleanup;
|
|
|
8c1676 |
+ }
|
|
|
8c1676 |
+ }
|
|
|
8c1676 |
+
|
|
|
8c1676 |
/* if we haven't get gotten a key, get it now */
|
|
|
8c1676 |
TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
|
|
|
8c1676 |
code = (*ctx->gak_fct)(context, ctx->request->client,
|
|
|
8c1676 |
ctx->reply->enc_part.enctype,
|
|
|
8c1676 |
ctx->prompter, ctx->prompter_data,
|
|
|
8c1676 |
&ctx->salt, &ctx->s2kparams,
|
|
|
8c1676 |
- &ctx->as_key, ctx->gak_data, NULL);
|
|
|
8c1676 |
+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
|
|
|
8c1676 |
if (code != 0)
|
|
|
8c1676 |
goto cleanup;
|
|
|
8c1676 |
TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
|
|
|
8c1676 |
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
|
|
|
8c1676 |
index fbdeddf..6d523fe 100755
|
|
|
8c1676 |
--- a/src/tests/t_general.py
|
|
|
8c1676 |
+++ b/src/tests/t_general.py
|
|
|
8c1676 |
@@ -34,6 +34,11 @@ realm.stop()
|
|
|
8c1676 |
|
|
|
8c1676 |
realm = K5Realm(create_host=False)
|
|
|
8c1676 |
|
|
|
8c1676 |
+# Regression test for #8454 (responder callback isn't used when
|
|
|
8c1676 |
+# preauth is not required).
|
|
|
8c1676 |
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
|
|
|
8c1676 |
+ realm.user_princ])
|
|
|
8c1676 |
+
|
|
|
8c1676 |
# Test that WRONG_REALM responses aren't treated as referrals unless
|
|
|
8c1676 |
# they contain a crealm field pointing to a different realm.
|
|
|
8c1676 |
# (Regression test for #8060.)
|
|
|
8c1676 |
--
|
|
|
8c1676 |
2.8.1
|
|
|
8c1676 |
|