From 7439bb967c7c7d860bc69b6b4eaa290a7fe7f530 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 21 Jan 2017 13:20:38 -0500 Subject: [PATCH] Echo KDC cookies in preauth tryagain When trying again after a mechanism-specific error, we should send the KDC cookie for conformance with RFC 6113. ticket: 8539 (cherry picked from commit 25f12e90d98b677d0a72893b3c6eb859377aee68) [rharwood@redhat.com: backport around expected_trace] --- src/lib/krb5/krb/preauth2.c | 8 +++++++- src/tests/t_pkinit.py | 19 +++++++++---------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index 9c5d6eaa9..cfe3dd5b0 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -923,7 +923,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, krb5_pa_data **mod_pa; krb5_clpreauth_modreq modreq; clpreauth_handle h; - int i; + int i, count; *padata_out = NULL; @@ -942,6 +942,12 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, ctx->err_reply, ctx->err_padata, ctx->prompter, ctx->prompter_data, &mod_pa); if (ret == 0 && mod_pa != NULL) { + for (count = 0; mod_pa[count] != NULL; count++); + ret = copy_cookie(context, ctx->err_padata, &mod_pa, &count); + if (ret) { + krb5_free_pa_data(context, mod_pa); + return ret; + } TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa); *padata_out = mod_pa; return 0; diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py index 183977750..38424932b 100755 --- a/src/tests/t_pkinit.py +++ b/src/tests/t_pkinit.py 
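Review bot: On the second preauth2.c hunk the error path frees mod_pa after copy_cookie fails, which is only safe if copy_cookie leaves *mod_pa as a valid NULL-terminated list on every failure path; copy_cookie is defined outside this hunk and is handed &mod_pa and &count, so it presumably reallocates the array, and that contract should be confirmed before relying on the free here. The counting loop `for (count = 0; mod_pa[count] != NULL; count++);` hides its empty body behind a trailing semicolon, which is easy to misread as governing the next statement; a clearer form is `for (count = 0; mod_pa[count] != NULL; count++)` with `;` on its own line, preceded by a comment such as `/* Count the module's padata so the cookie is appended after it. */`. The cookie is echoed only on the mod_pa != NULL branch, matching the existing early return, which is worth stating in that comment so nobody later "fixes" the NULL case. k5_preauth_tryagain begins and ends outside the hunk.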
@@ -175,20 +175,19 @@ realm.kinit(realm.user_princ,
 realm.klist(realm.user_princ)
 # Test a DH parameter renegotiation by temporarily setting a 4096-bit
-# minimum on the KDC.
-tracefile = os.path.join(realm.testdir, 'trace')
+# minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ;
+# 133 is FAST PA-FX-COOKIE.)
 minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
 minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
 realm.stop_kdc()
 realm.start_kdc(env=minbits_env)
-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
- 'X509_user_identity=' + file_identity, realm.user_princ])
-with open(tracefile, 'r') as f:
- trace = f.read()
-if ('Key parameters not accepted' not in trace or
- 'Preauth tryagain input types' not in trace or
- 'trying again with KDC-provided parameters' not in trace):
- fail('DH renegotiation steps not found in kinit trace log')
+expected_trace = ('Key parameters not accepted',
+ 'Preauth tryagain input types',
+ 'trying again with KDC-provided parameters',
+ 'Followup preauth for next request: 16, 133')
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % file_identity],
+ expected_trace=expected_trace)
 realm.stop_kdc()
 realm.start_kdc()
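Review bot: The new expected_trace pins the exact line `Followup preauth for next request: 16, 133`, so the test asserts not only that the cookie is echoed but that it is appended after the PKINIT padata; a comment making the ordering intentional would help, e.g. `# 133 must follow 16: the cookie is appended after the mechanism's own padata.` With tracefile removed, nothing in this hunk uses os.path any more, so check whether the file's `import os` (outside the hunk) still has another user. The rewritten realm.kinit call depends on the test harness supporting the expected_trace keyword, which the trailer indicates was the reason for the backport adjustment.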