From bfeb18163ba1364d37c9179bcf5e9c042c268a8b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 13 Jan 2017 10:14:36 -0500
Subject: [PATCH] Adjust processing of pa_type ccache config
Read the allowed preauth type from the input ccache in
restart_init_creds_loop(); there is no need to reread it each time we
produce a request. Move read_allowed_preauth_type() earlier in the
file to allow it to be called from restart_init_creds_loop() without a
prototype.
Clear the selected preauth type in restart_init_creds_loop(), not in
init_creds_step_request(). We want to make sure that it doesn't
survive a restart due to a realm referral or expiry, but we don't want
to forget about it when retrying after an error.
(cherry picked from commit 468c6eb7bb860f7ec0381086a22859f822b41c43)
---
src/lib/krb5/krb/get_in_tkt.c | 61 ++++++++++++++++++-----------------
1 file changed, 31 insertions(+), 30 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 52e07bb67..da12204ac 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -791,6 +791,31 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx)
return 0;
}
+static void
+read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx)
+{
+ krb5_error_code ret;
+ krb5_data config;
+ char *tmp, *p;
+ krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt);
+
+ ctx->allowed_preauth_type = KRB5_PADATA_NONE;
+ if (in_ccache == NULL)
+ return;
+ memset(&config, 0, sizeof(config));
+ if (krb5_cc_get_config(context, in_ccache, ctx->request->server,
+ KRB5_CC_CONF_PA_TYPE, &config) != 0)
+ return;
+ tmp = k5memdup0(config.data, config.length, &ret);
+ krb5_free_data_contents(context, &config);
+ if (tmp == NULL)
+ return;
+ ctx->allowed_preauth_type = strtol(tmp, &p, 10);
+ if (p == NULL || *p != '\0')
+ ctx->allowed_preauth_type = KRB5_PADATA_NONE;
+ free(tmp);
+}
+
/**
* Throw away any pre-authentication realm state and begin with a
* unauthenticated or optimistically authenticated request. If fast_upgrade is
@@ -807,6 +832,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
krb5_free_error(context, ctx->err_reply);
ctx->preauth_to_use = ctx->err_padata = NULL;
ctx->err_reply = NULL;
+ ctx->selected_preauth_type = KRB5_PADATA_NONE;
krb5int_fast_free_state(context, ctx->fast_state);
ctx->fast_state = NULL;
@@ -849,6 +875,11 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
&ctx->outer_request_body);
if (code != 0)
goto cleanup;
+
+ /* Read the allowed preauth type for this server principal from the input
+ * ccache, if the application supplied one. */
+ read_allowed_preauth_type(context, ctx);
+
cleanup:
return code;
}
@@ -1154,31 +1185,6 @@ init_creds_validate_reply(krb5_context context,
return 0;
}
-static void
-read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx)
-{
- krb5_error_code ret;
- krb5_data config;
- char *tmp, *p;
- krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt);
-
- ctx->allowed_preauth_type = KRB5_PADATA_NONE;
- if (in_ccache == NULL)
- return;
- memset(&config, 0, sizeof(config));
- if (krb5_cc_get_config(context, in_ccache, ctx->request->server,
- KRB5_CC_CONF_PA_TYPE, &config) != 0)
- return;
- tmp = k5memdup0(config.data, config.length, &ret);
- krb5_free_data_contents(context, &config);
- if (tmp == NULL)
- return;
- ctx->allowed_preauth_type = strtol(tmp, &p, 10);
- if (p == NULL || *p != '\0')
- ctx->allowed_preauth_type = KRB5_PADATA_NONE;
- free(tmp);
-}
-
static krb5_error_code
save_selected_preauth_type(krb5_context context, krb5_ccache ccache,
krb5_init_creds_context ctx)
@@ -1317,11 +1323,6 @@ init_creds_step_request(krb5_context context,
if (code)
goto cleanup;
- /* Read the allowed patype for this server principal from the in_ccache,
- * if the application supplied one. */
- read_allowed_preauth_type(context, ctx);
- ctx->selected_preauth_type = KRB5_PADATA_NONE;
-
/*
* Read cached preauth configuration data for this server principal from
* the in_ccache, if the application supplied one, and delete any that was